Analysis

  • max time kernel
    151s
  • max time network
    41s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    07/11/2022, 17:13

General

  • Target

    fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe

  • Size

    588KB

  • MD5

    025387dd4f24847516237f55e913bad5

  • SHA1

    2010e8f192449436731f14fd756239f7bad03755

  • SHA256

    fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce

  • SHA512

    fef98c75716596bf6d0b77ce8ca63cca5558fe7aa679f7c7553408768b58fc8e1c2dcef8471451895416beed9413cee103f3118155afdeb531755e73f9d9665c

  • SSDEEP

    12288:qXR2D/HOcfxGk5e3fbbREgC8VrtuqN/IrjD6yVQihlg:qEzOcfxGk5ePbygCI7NUVC

Malware Config

Signatures

  • Executes dropped EXE 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 2 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates connected drives 3 TTPs 44 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 36 IoCs
  • Drops file in Program Files directory 27 IoCs
  • Drops file in Windows directory 27 IoCs
  • Modifies data under HKEY_USERS 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe
    "C:\Users\Admin\AppData\Local\Temp\fd4845cd7deef68fc57b4dd6c1c4806686145657a2be08c4d46b167c9df303ce.exe"
    1⤵
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:1928
  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
    1⤵
    • Executes dropped EXE
    • Drops file in Windows directory
    PID:1316
  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    1⤵
    • Executes dropped EXE
    PID:1088
  • C:\Windows\system32\dllhost.exe
    C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
    1⤵
    • Drops file in Windows directory
    PID:1776
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:996
  • C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
    "C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
    1⤵
    • Executes dropped EXE
    • Windows security modification
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:1868
  • C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\SearchIndexer.exe /Embedding
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1636
    • C:\Windows\system32\SearchProtocolHost.exe
      "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-999675638-2867687379-27515722-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-999675638-2867687379-27515722-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
      2⤵
      • Suspicious use of SetWindowsHookEx
      PID:1164
    • C:\Windows\system32\SearchFilterHost.exe
      "C:\Windows\system32\SearchFilterHost.exe" 0 512 516 524 65536 520
      2⤵
      PID:924

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

    Filesize

    284KB

    MD5

    e439430997faf032bb90db4cb3cfb85d

    SHA1

    f5faec3b5a9b6a72e3434ed146fe1cf6fbf692a8

    SHA256

    d15fafd0644267bcef470fe5eb5b87aac659560e973ed4843881b06f644afddb

    SHA512

    98f9d641157b47abf6a5046488da7c77a4a80875265267bd18395926ff167635c24a0c73e8979e9614a2b28a6126bafbc5364c9da43b6a242b9e7133c380801c

  • C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

    Filesize

    1.2MB

    MD5

    8174bc516ba6943da8e0f2daec453f27

    SHA1

    414db3d2b6875d529a290517033fbf8002a4b319

    SHA256

    f4a842742e5554defbac5cefa75c8d8313191d0ec0b7d6a3ddeb7a1dfbb1364a

    SHA512

    a9b0a6951aa76a1cc37b470a9089237652e2c1c6f6dc9aa0200f1356e2653b0a216bc3082c14659be59657323ee890ae92338129837add13dc12e0bbdbafcb96

  • C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

    Filesize

    284KB

    MD5

    30f405a97b08488c04efaa1d5213e20b

    SHA1

    127df5dce302ba835d2d5bfdef7180bfe083c218

    SHA256

    dfc58630836beff19714126044f49a9dad25bceaafaf6e6949c15c8b9d0df0ac

    SHA512

    7a779f589def43261691af3e8615c7837cc7a474e5a6de64acc179e3a98d3d172e0a5cfb40948b4e589307a1ded1651d210789237944962049e62c014e124b80

  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

    Filesize

    203KB

    MD5

    044912029c19d62aeaf9696e5c7571e6

    SHA1

    430fabb9a633844262f1cd98aa30e1e18bb94709

    SHA256

    3192abec7dabc46ee9c560e9c98902077ed8b2dba0cd83a477aab146a0909b16

    SHA512

    200fbee4e62fc40554fdac99009e863ac6ef46728b30a699190c87318f555c4cfd6722ee8b69e4a8fb5400b0e0a9eb0d4ce0ea25444008c9f933a19935926351

  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

    Filesize

    234KB

    MD5

    a2c38d829b9067afb005940eafe982a8

    SHA1

    cd2e5e49a74d876fe1b5acd38d32e15e6340a324

    SHA256

    0f2ec75a593e529f080b4c6b533c6abf0ffda207b3b45cf8c57420b301a07687

    SHA512

    2cb57abee85e74cbfc4d10134fa58c5269a8b2a12310108aac925793357641aaea227ea7753dd1233f4cec55e5240a3c9a22625b8f4275764359f50d7a29702a

  • \??\c:\program files (x86)\microsoft office\office14\groove.exe

    Filesize

    29.7MB

    MD5

    32d86ff57a319885eeafca506077062f

    SHA1

    3532be36569ce1a7205c950da66de8b5e1be236c

    SHA256

    3370b81483892ac837875a0a0a8e18e64bc4671fd33a2149f1083f8d9da15020

    SHA512

    58a0bcbd70bb617f80844c0959f30fd7aabff421f6ad939737f71630f38d825aeff897128f738a1c5435dbd0173bcc235a3fd05559a295dbfe972197bf0784c2

  • \??\c:\windows\SysWOW64\searchindexer.exe

    Filesize

    562KB

    MD5

    7cfb902dffcb01be69c5360a7d57e939

    SHA1

    8c99f9e9eea3eb4c6a51e4c116fcccf02f0ac55e

    SHA256

    f953077c916632917a7fec91b89b21d9d4cee2edb7ff963d2523ae1b4bb15382

    SHA512

    2d259c9ff90fcfd02fb5510b57e1fa15b4b965dc04c308c6882c29a41e6b6b83b7b44e2939c9828e15167ef045ddb5109ab8dff1203b252390854321f2b24d70

  • \??\c:\windows\SysWOW64\svchost.exe

    Filesize

    164KB

    MD5

    6ccf18585993893d348983304ea2fdd0

    SHA1

    c9fd1b699fbddada9c4b07f28df717e1ecf66f4b

    SHA256

    2d427900fc953820e9bee5b0902a27015bdf82b35d8cda8c7ef722551fa86df6

    SHA512

    fc36bc1496768e2a4e66f19f584b6a55e547d3e70382aa00e4f4c504162ad0c90ec2ba53dbffdff6d4dc3e2c1434ee262f2d00993ba86e92b00912171741edd9

  • \??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe

    Filesize

    234KB

    MD5

    a2c38d829b9067afb005940eafe982a8

    SHA1

    cd2e5e49a74d876fe1b5acd38d32e15e6340a324

    SHA256

    0f2ec75a593e529f080b4c6b533c6abf0ffda207b3b45cf8c57420b301a07687

    SHA512

    2cb57abee85e74cbfc4d10134fa58c5269a8b2a12310108aac925793357641aaea227ea7753dd1233f4cec55e5240a3c9a22625b8f4275764359f50d7a29702a

  • memory/996-62-0x000007FEFC161000-0x000007FEFC163000-memory.dmp

    Filesize

    8KB

  • memory/1088-60-0x0000000000400000-0x0000000000479000-memory.dmp

    Filesize

    484KB

  • memory/1316-58-0x0000000010000000-0x0000000010070000-memory.dmp

    Filesize

    448KB

  • memory/1636-83-0x0000000002AC0000-0x0000000002AD0000-memory.dmp

    Filesize

    64KB

  • memory/1636-99-0x00000000023F0000-0x00000000023F8000-memory.dmp

    Filesize

    32KB

  • memory/1636-102-0x00000000023F0000-0x00000000023F8000-memory.dmp

    Filesize

    32KB

  • memory/1636-103-0x0000000003ED0000-0x0000000003ED8000-memory.dmp

    Filesize

    32KB

  • memory/1636-67-0x00000000029C0000-0x00000000029D0000-memory.dmp

    Filesize

    64KB

  • memory/1868-64-0x000000002E000000-0x000000002E086000-memory.dmp

    Filesize

    536KB

  • memory/1868-107-0x000000002E000000-0x000000002E086000-memory.dmp

    Filesize

    536KB

  • memory/1928-61-0x0000000000400000-0x00000000004E6000-memory.dmp

    Filesize

    920KB

  • memory/1928-54-0x00000000762B1000-0x00000000762B3000-memory.dmp

    Filesize

    8KB

  • memory/1928-55-0x0000000000400000-0x00000000004E6000-memory.dmp

    Filesize

    920KB