88e02def17fda0021d4dba5ea812772c542b0fa6ca8930bcf06c42375c00bd29

Resubmissions

17/11/2022, 12:48

221117-p1yg5aad8t 8

17/11/2022, 11:49

221117-ny7scaec69 8

Analysis

max time kernel
116s
max time network
167s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
17/11/2022, 11:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Adobe Acrobat/setup.exe
Size

654.4MB
MD5

94032e57b7bd0b054e358ccafe314a5c
SHA1

8b693624f57e92da1ae0aff69cf010891710c0ec
SHA256

47332ce5b904b959aa814ddfde8662931fdfb5233422dc45053ad04cffc44fb4
SHA512

54e8ca05a317e53b7dfee8bd2ec89beb921017c0409c0b8d75cbf3cbea3a540d0e2781ee42a230ad52e92e1026d69e591c140606437ac4d096b13a578ceec242
SSDEEP

49152:sM9fgA9cT7dfGHESyneZnyT1M1kpRdjlEao5EBDtGQnlX8f/01A:bgpKEvTUEbG8l

Score

8^/10

persistence spyware stealer

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
3616	zxr7KWdv7e.exe
3004	policyintroductoryov.exe
2312	policyintroductoryov.exe
4820	MIDNAUHE.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	policyintroductoryov.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	zxr7KWdv7e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	zxr7KWdv7e.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3004 set thread context of 2312	3004	policyintroductoryov.exe	100

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
4924	timeout.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
224	powershell.exe
224	powershell.exe
932	powershell.exe
932	powershell.exe
3748	powershell.exe
3748	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	5004	wmic.exe
Token: SeSecurityPrivilege	5004	wmic.exe
Token: SeTakeOwnershipPrivilege	5004	wmic.exe
Token: SeLoadDriverPrivilege	5004	wmic.exe
Token: SeSystemProfilePrivilege	5004	wmic.exe
Token: SeSystemtimePrivilege	5004	wmic.exe
Token: SeProfSingleProcessPrivilege	5004	wmic.exe
Token: SeIncBasePriorityPrivilege	5004	wmic.exe
Token: SeCreatePagefilePrivilege	5004	wmic.exe
Token: SeBackupPrivilege	5004	wmic.exe
Token: SeRestorePrivilege	5004	wmic.exe
Token: SeShutdownPrivilege	5004	wmic.exe
Token: SeDebugPrivilege	5004	wmic.exe
Token: SeSystemEnvironmentPrivilege	5004	wmic.exe
Token: SeRemoteShutdownPrivilege	5004	wmic.exe
Token: SeUndockPrivilege	5004	wmic.exe
Token: SeManageVolumePrivilege	5004	wmic.exe
Token: 33	5004	wmic.exe
Token: 34	5004	wmic.exe
Token: 35	5004	wmic.exe
Token: 36	5004	wmic.exe
Token: SeIncreaseQuotaPrivilege	5004	wmic.exe
Token: SeSecurityPrivilege	5004	wmic.exe
Token: SeTakeOwnershipPrivilege	5004	wmic.exe
Token: SeLoadDriverPrivilege	5004	wmic.exe
Token: SeSystemProfilePrivilege	5004	wmic.exe
Token: SeSystemtimePrivilege	5004	wmic.exe
Token: SeProfSingleProcessPrivilege	5004	wmic.exe
Token: SeIncBasePriorityPrivilege	5004	wmic.exe
Token: SeCreatePagefilePrivilege	5004	wmic.exe
Token: SeBackupPrivilege	5004	wmic.exe
Token: SeRestorePrivilege	5004	wmic.exe
Token: SeShutdownPrivilege	5004	wmic.exe
Token: SeDebugPrivilege	5004	wmic.exe
Token: SeSystemEnvironmentPrivilege	5004	wmic.exe
Token: SeRemoteShutdownPrivilege	5004	wmic.exe
Token: SeUndockPrivilege	5004	wmic.exe
Token: SeManageVolumePrivilege	5004	wmic.exe
Token: 33	5004	wmic.exe
Token: 34	5004	wmic.exe
Token: 35	5004	wmic.exe
Token: 36	5004	wmic.exe
Token: SeIncreaseQuotaPrivilege	3208	WMIC.exe
Token: SeSecurityPrivilege	3208	WMIC.exe
Token: SeTakeOwnershipPrivilege	3208	WMIC.exe
Token: SeLoadDriverPrivilege	3208	WMIC.exe
Token: SeSystemProfilePrivilege	3208	WMIC.exe
Token: SeSystemtimePrivilege	3208	WMIC.exe
Token: SeProfSingleProcessPrivilege	3208	WMIC.exe
Token: SeIncBasePriorityPrivilege	3208	WMIC.exe
Token: SeCreatePagefilePrivilege	3208	WMIC.exe
Token: SeBackupPrivilege	3208	WMIC.exe
Token: SeRestorePrivilege	3208	WMIC.exe
Token: SeShutdownPrivilege	3208	WMIC.exe
Token: SeDebugPrivilege	3208	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3208	WMIC.exe
Token: SeRemoteShutdownPrivilege	3208	WMIC.exe
Token: SeUndockPrivilege	3208	WMIC.exe
Token: SeManageVolumePrivilege	3208	WMIC.exe
Token: 33	3208	WMIC.exe
Token: 34	3208	WMIC.exe
Token: 35	3208	WMIC.exe
Token: 36	3208	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3208	WMIC.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 956 wrote to memory of 5004	956	setup.exe	79
PID 956 wrote to memory of 5004	956	setup.exe	79
PID 956 wrote to memory of 4872	956	setup.exe	81
PID 956 wrote to memory of 4872	956	setup.exe	81
PID 4872 wrote to memory of 3208	4872	cmd.exe	83
PID 4872 wrote to memory of 3208	4872	cmd.exe	83
PID 956 wrote to memory of 5060	956	setup.exe	84
PID 956 wrote to memory of 5060	956	setup.exe	84
PID 5060 wrote to memory of 3964	5060	cmd.exe	86
PID 5060 wrote to memory of 3964	5060	cmd.exe	86
PID 956 wrote to memory of 224	956	setup.exe	91
PID 956 wrote to memory of 224	956	setup.exe	91
PID 224 wrote to memory of 3616	224	powershell.exe	92
PID 224 wrote to memory of 3616	224	powershell.exe	92
PID 3616 wrote to memory of 3004	3616	zxr7KWdv7e.exe	94
PID 3616 wrote to memory of 3004	3616	zxr7KWdv7e.exe	94
PID 3004 wrote to memory of 932	3004	policyintroductoryov.exe	99
PID 3004 wrote to memory of 932	3004	policyintroductoryov.exe	99
PID 3004 wrote to memory of 2312	3004	policyintroductoryov.exe	100
PID 3004 wrote to memory of 2312	3004	policyintroductoryov.exe	100
PID 3004 wrote to memory of 2312	3004	policyintroductoryov.exe	100
PID 3004 wrote to memory of 2312	3004	policyintroductoryov.exe	100
PID 3004 wrote to memory of 2312	3004	policyintroductoryov.exe	100
PID 3004 wrote to memory of 2312	3004	policyintroductoryov.exe	100
PID 2312 wrote to memory of 3748	2312	policyintroductoryov.exe	101
PID 2312 wrote to memory of 3748	2312	policyintroductoryov.exe	101
PID 2312 wrote to memory of 3952	2312	policyintroductoryov.exe	103
PID 2312 wrote to memory of 3952	2312	policyintroductoryov.exe	103
PID 3952 wrote to memory of 4924	3952	cmd.exe	105
PID 3952 wrote to memory of 4924	3952	cmd.exe	105
PID 3952 wrote to memory of 4820	3952	cmd.exe	106
PID 3952 wrote to memory of 4820	3952	cmd.exe	106

C:\Users\Admin\AppData\Local\Temp\Adobe Acrobat\setup.exe
"C:\Users\Admin\AppData\Local\Temp\Adobe Acrobat\setup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:956
- C:\Windows\System32\Wbem\wmic.exe
  wmic os get Caption
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5004
- C:\Windows\system32\cmd.exe
  cmd /C "wmic path win32_VideoController get name"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4872
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3208
- C:\Windows\system32\cmd.exe
  cmd /C "wmic cpu get name"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5060
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get name
    3⤵
    PID:3964
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell "" "start-process C:\Users\Admin\AppData\Local\Temp\zxr7KWdv7e.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:224
- - C:\Users\Admin\AppData\Local\Temp\zxr7KWdv7e.exe
    "C:\Users\Admin\AppData\Local\Temp\zxr7KWdv7e.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3616
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\policyintroductoryov.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\policyintroductoryov.exe
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:3004
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMwA0AA==
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:932
    - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\policyintroductoryov.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\policyintroductoryov.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2312
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3748
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp5270.tmp.bat""
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3952
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        7⤵
        Delays execution with timeout.exe
        
        PID:4924
        
        C:\ProgramData\Microsoft\MIDNAUHE.exe
        
        "C:\ProgramData\Microsoft\MIDNAUHE.exe"
        7⤵
        Executes dropped EXE
        
        PID:4820

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\MIDNAUHE.exe

Filesize
203.8MB

MD5
c2ed376147e6a1aa114458aabb62074c

SHA1
83812be0c85e742b264ce2af8208b604de68714f

SHA256
fd36e30260a7f7a31622f8d345de16ed433ea8e1a4fcea46eb9f42d9aeb0349d

SHA512
12c26445126f9ca457fec4bb39ac170be256709b883d820caf1c70107ee56f169ea52a47b9a2709302e1744d442a1b46981f48bd2913286621f91f0dfa755769

Download Submit
C:\ProgramData\Microsoft\MIDNAUHE.exe

Filesize
196.2MB

MD5
e18be0fdb02c435b9c25159d37819906

SHA1
f53336f9d4a55f85a02d14ee62ad014af1fec638

SHA256
e08b05f26684f7fe91306062ab07cf2cb7acef7c77e944ea0a3fc8c7f7d70715

SHA512
05e11c5a68f0c885f6b068714f8011b3c61e756e2c4fb3e3afc5ee5db6a2363ac58e138d26586f13d03c6c42e72681e6e8d2a066edeb2dc46615ce8e2c9f6e6b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\policyintroductoryov.exe.log

Filesize
1KB

MD5
1d35832a5dffff9f6b8b8bf1afe49e22

SHA1
3e5a0a843a954ee61e78813ede5f9c9e0f22199e

SHA256
cd69818b4c7223a79498e2706cd488ea3619388e6ce3de950bd1cca1ffeb40d3

SHA512
356c3b815a410939b2ab55198ba043125fce24ac2518e56b548d924c4fec1a617169819c76c11188143476d20bc117577fb92b89524ec84dba029d0049b4b784

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
6cf293cb4d80be23433eecf74ddb5503

SHA1
24fe4752df102c2ef492954d6b046cb5512ad408

SHA256
b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

SHA512
0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
d8b9a260789a22d72263ef3bb119108c

SHA1
376a9bd48726f422679f2cd65003442c0b6f6dd5

SHA256
d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc

SHA512
550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
63e62e02ee9c90b7adfb2eefe7efa04f

SHA1
9bc1eda86f7f95345c2a3901288b6867447dee6b

SHA256
cbafbcef08446541d49da9d11842ab860628a7d317db15f570b7b1e1048ade11

SHA512
3d2bf16c2a9b42e28dc9d2c18d6d697d3749b14f2f6c708ea9e587022aeb5fbbcffaa49c4f4f994f1cd1f6c886b8d8b6ab3a29d3b65fe0659ea0f2fa9d47ba52

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\policyintroductoryov.exe

Filesize
357.6MB

MD5
9cac86ba6401ceec99e64adc76922684

SHA1
2a79d539a701ad8d9f36c931e32a550d29718ac2

SHA256
35695ee171cad89e3378abad9e5fa24c26a8b467ef9d3115277d8d981d23712c

SHA512
097d36d45251b950a6b0e7e8e68fa86dfbdfb8d1cb87832ba81cf47c0cabc6e4e85e9c3b18dfc08078f7c8f9b08ec8787938c0dd096e315a44148d7166f0adce

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\policyintroductoryov.exe

Filesize
357.6MB

MD5
9cac86ba6401ceec99e64adc76922684

SHA1
2a79d539a701ad8d9f36c931e32a550d29718ac2

SHA256
35695ee171cad89e3378abad9e5fa24c26a8b467ef9d3115277d8d981d23712c

SHA512
097d36d45251b950a6b0e7e8e68fa86dfbdfb8d1cb87832ba81cf47c0cabc6e4e85e9c3b18dfc08078f7c8f9b08ec8787938c0dd096e315a44148d7166f0adce

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\policyintroductoryov.exe

Filesize
357.5MB

MD5
ad1c2b9180d4527ea2e4cac0bfcc70c2

SHA1
bcf1f2f9a1916c74ae0fabf70b8459fc0b1bfc67

SHA256
5a294a251842cc8b54e9154d8f85276ebfb2cfbd848fc584291c51c4ca56f692

SHA512
2fb541c7d8c8e2df106a2830178a1fd1b8300ee0a05b000b3de4658a45ba40c8141e5f9a830987fae0d7a4587106bf51c25d5949ea4c2d5848d5edda1fb13e93

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5270.tmp.bat

Filesize
146B

MD5
6bf57b6bf6874661aee93aca9af1dc79

SHA1
b1798c73c8da4b7942c29c0b99d80f5a930ff50f

SHA256
8db6d22c8237f5a5b1a4f97b80681deea7b440219a2d707ac78b7ffb794d9090

SHA512
ddb66a3b890e1d1e908798d1ee7a66883f41b298858908733f64730ce6cd21e2e394a14b96662e38e35584c819b1596dfbee357e645686942774dfa0d25c4c79

Download Submit
C:\Users\Admin\AppData\Local\Temp\zxr7KWdv7e.exe

Filesize
1.7MB

MD5
238a69aa001a8f4801f018863fa06a7c

SHA1
809b9edf1e948c7aff5443b446d240d3ee80226c

SHA256
8e24e96e1e87cf00e27c3a3745414636fbf6e148077c0f6815a2b87bacf85c8d

SHA512
60573a5a53bb7f8a3d60efa915a94acb46f17ef4ca8eb1b778ac0719af98f67010aeef964e2afe45c8cb07e946c96546f2a350ab9402efd5ae265d4cdd5a2f3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\zxr7KWdv7e.exe

Filesize
1.7MB

MD5
238a69aa001a8f4801f018863fa06a7c

SHA1
809b9edf1e948c7aff5443b446d240d3ee80226c

SHA256
8e24e96e1e87cf00e27c3a3745414636fbf6e148077c0f6815a2b87bacf85c8d

SHA512
60573a5a53bb7f8a3d60efa915a94acb46f17ef4ca8eb1b778ac0719af98f67010aeef964e2afe45c8cb07e946c96546f2a350ab9402efd5ae265d4cdd5a2f3c

Download Submit
memory/224-142-0x00007FFE1C180000-0x00007FFE1CC41000-memory.dmp

Filesize
10.8MB

Download
memory/224-138-0x0000027A27270000-0x0000027A27292000-memory.dmp

Filesize
136KB

Download
memory/932-154-0x00007FFE1BEE0000-0x00007FFE1C9A1000-memory.dmp

Filesize
10.8MB

Download
memory/932-153-0x00007FFE1BEE0000-0x00007FFE1C9A1000-memory.dmp

Filesize
10.8MB

Download
memory/932-150-0x00007FFE1BEE0000-0x00007FFE1C9A1000-memory.dmp

Filesize
10.8MB

Download
memory/2312-155-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/2312-168-0x0000000000402000-0x00000000004D1200-memory.dmp

Filesize
828KB

Download
memory/2312-183-0x00007FFE1BEE0000-0x00007FFE1C9A1000-memory.dmp

Filesize
10.8MB

Download
memory/2312-177-0x0000000000402000-0x00000000004D1200-memory.dmp

Filesize
828KB

Download
memory/2312-175-0x0000000000402000-0x00000000004D1200-memory.dmp

Filesize
828KB

Download
memory/2312-174-0x0000000000402000-0x00000000004D1200-memory.dmp

Filesize
828KB

Download
memory/2312-172-0x0000000000402000-0x00000000004D1200-memory.dmp

Filesize
828KB

Download
memory/2312-169-0x0000000000402000-0x00000000004D1200-memory.dmp

Filesize
828KB

Download
memory/2312-160-0x00007FFE1BEE0000-0x00007FFE1C9A1000-memory.dmp

Filesize
10.8MB

Download
memory/2312-162-0x0000000000402000-0x00000000004D1200-memory.dmp

Filesize
828KB

Download
memory/2312-163-0x0000000000402000-0x00000000004D1200-memory.dmp

Filesize
828KB

Download
memory/2312-164-0x0000000000402000-0x00000000004D1200-memory.dmp

Filesize
828KB

Download
memory/2312-166-0x0000000000402000-0x00000000004D1200-memory.dmp

Filesize
828KB

Download
memory/3004-159-0x00007FFE1BEE0000-0x00007FFE1C9A1000-memory.dmp

Filesize
10.8MB

Download
memory/3004-152-0x00007FFE1BEE0000-0x00007FFE1C9A1000-memory.dmp

Filesize
10.8MB

Download
memory/3004-146-0x00007FFE1BEE0000-0x00007FFE1C9A1000-memory.dmp

Filesize
10.8MB

Download
memory/3004-147-0x0000000000B40000-0x0000000000FF2000-memory.dmp

Filesize
4.7MB

Download
memory/3748-181-0x00007FFE1BEE0000-0x00007FFE1C9A1000-memory.dmp

Filesize
10.8MB

Download
memory/3748-179-0x00007FFE1BEE0000-0x00007FFE1C9A1000-memory.dmp

Filesize
10.8MB

Download