8f8013947ab178588588fe7505cdea3514b2c7494a3cd6e0b61717b5395699cd

Analysis

max time kernel
156s
max time network
203s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 13:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8f8013947ab178588588fe7505cdea3514b2c7494a3cd6e0b61717b5395699cd.exe
Size

1.8MB
MD5

2d0545afe968c261aabb2bc60eed6f99
SHA1

45a7fc5a434c2bce192c42d4f1861ffdcf04bfad
SHA256

8f8013947ab178588588fe7505cdea3514b2c7494a3cd6e0b61717b5395699cd
SHA512

10638a7aaa071c44b556242fba82f95eb1b005a9cc41ff2f168a0357b5e1b95f61de13bafa4fb3f8ae98e2c0ebf72b41097a007bd202a56d0020d5a06fb891d6
SSDEEP

49152:tkiXmqBxMJ2i14eBT+BBrCYIFeC5jEwSsQs54uEe:W4txMJ714eh+b2Fpu+QCUe

Score

8^/10

collection discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 4 IoCs

Processes:

svchost.exeexplorer.exetvplayer4.9.1.0.exetvplayer4.9.1.0.tmp

pid process

2664 svchost.exe
1804 explorer.exe
4320 tvplayer4.9.1.0.exe
4756 tvplayer4.9.1.0.tmp

pid	process
2664	svchost.exe
1804	explorer.exe
4320	tvplayer4.9.1.0.exe
4756	tvplayer4.9.1.0.tmp

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

8f8013947ab178588588fe7505cdea3514b2c7494a3cd6e0b61717b5395699cd.exesvchost.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	8f8013947ab178588588fe7505cdea3514b2c7494a3cd6e0b61717b5395699cd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	svchost.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	explorer.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Drops file in System32 directory 1 IoCs

Processes:

svchost.exe

description ioc process

File created C:\Windows\SysWOW64\reset5e.dll svchost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\SysWOW64\reset5e.dll	svchost.exe

Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4708	4552	WerFault.exe	8f8013947ab178588588fe7505cdea3514b2c7494a3cd6e0b61717b5395699cd.exe
1952	2664	WerFault.exe	svchost.exe
920	1804	WerFault.exe	explorer.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

svchost.exeexplorer.exe

pid process

2664 svchost.exe
2664 svchost.exe
1804 explorer.exe
1804 explorer.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

svchost.exeexplorer.exe

description pid process

Token: SeDebugPrivilege 2664 svchost.exe
Token: SeDebugPrivilege 1804 explorer.exe

pid	process
2664	svchost.exe
2664	svchost.exe
1804	explorer.exe
1804	explorer.exe

description	pid	process
Token: SeDebugPrivilege	2664	svchost.exe
Token: SeDebugPrivilege	1804	explorer.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

8f8013947ab178588588fe7505cdea3514b2c7494a3cd6e0b61717b5395699cd.exetvplayer4.9.1.0.exesvchost.exe

description	pid	process	target process
PID 4552 wrote to memory of 2224	4552	8f8013947ab178588588fe7505cdea3514b2c7494a3cd6e0b61717b5395699cd.exe	cmd.exe
PID 4552 wrote to memory of 2224	4552	8f8013947ab178588588fe7505cdea3514b2c7494a3cd6e0b61717b5395699cd.exe	cmd.exe
PID 4552 wrote to memory of 2224	4552	8f8013947ab178588588fe7505cdea3514b2c7494a3cd6e0b61717b5395699cd.exe	cmd.exe
PID 4552 wrote to memory of 2664	4552	8f8013947ab178588588fe7505cdea3514b2c7494a3cd6e0b61717b5395699cd.exe	svchost.exe
PID 4552 wrote to memory of 2664	4552	8f8013947ab178588588fe7505cdea3514b2c7494a3cd6e0b61717b5395699cd.exe	svchost.exe
PID 4552 wrote to memory of 2664	4552	8f8013947ab178588588fe7505cdea3514b2c7494a3cd6e0b61717b5395699cd.exe	svchost.exe
PID 4552 wrote to memory of 1804	4552	8f8013947ab178588588fe7505cdea3514b2c7494a3cd6e0b61717b5395699cd.exe	explorer.exe
PID 4552 wrote to memory of 1804	4552	8f8013947ab178588588fe7505cdea3514b2c7494a3cd6e0b61717b5395699cd.exe	explorer.exe
PID 4552 wrote to memory of 1804	4552	8f8013947ab178588588fe7505cdea3514b2c7494a3cd6e0b61717b5395699cd.exe	explorer.exe
PID 4552 wrote to memory of 4320	4552	8f8013947ab178588588fe7505cdea3514b2c7494a3cd6e0b61717b5395699cd.exe	tvplayer4.9.1.0.exe
PID 4552 wrote to memory of 4320	4552	8f8013947ab178588588fe7505cdea3514b2c7494a3cd6e0b61717b5395699cd.exe	tvplayer4.9.1.0.exe
PID 4552 wrote to memory of 4320	4552	8f8013947ab178588588fe7505cdea3514b2c7494a3cd6e0b61717b5395699cd.exe	tvplayer4.9.1.0.exe
PID 4320 wrote to memory of 4756	4320	tvplayer4.9.1.0.exe	tvplayer4.9.1.0.tmp
PID 4320 wrote to memory of 4756	4320	tvplayer4.9.1.0.exe	tvplayer4.9.1.0.tmp
PID 4320 wrote to memory of 4756	4320	tvplayer4.9.1.0.exe	tvplayer4.9.1.0.tmp
PID 2664 wrote to memory of 612	2664	svchost.exe	winlogon.exe
PID 2664 wrote to memory of 2104	2664	svchost.exe	cmd.exe
PID 2664 wrote to memory of 2104	2664	svchost.exe	cmd.exe
PID 2664 wrote to memory of 2104	2664	svchost.exe	cmd.exe

outlook_win_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	explorer.exe

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:612

C:\Users\Admin\AppData\Local\Temp\8f8013947ab178588588fe7505cdea3514b2c7494a3cd6e0b61717b5395699cd.exe
"C:\Users\Admin\AppData\Local\Temp\8f8013947ab178588588fe7505cdea3514b2c7494a3cd6e0b61717b5395699cd.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4552 -s 220
2⤵
- Program crash
PID:4708

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0906490.bat" "
2⤵
PID:2224

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2664 -s 224
3⤵
- Program crash
PID:1952

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\svchost.exe > nul
3⤵
PID:2104

C:\Users\Admin\AppData\Local\Temp\explorer.exe
"C:\Users\Admin\AppData\Local\Temp\explorer.exe"
2⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_win_path
PID:1804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1804 -s 220
3⤵
- Program crash
PID:920

C:\Users\Admin\AppData\Local\Temp\tvplayer4.9.1.0.exe
"C:\Users\Admin\AppData\Local\Temp\tvplayer4.9.1.0.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4320

C:\Users\Admin\AppData\Local\Temp\is-K6199.tmp\tvplayer4.9.1.0.tmp
"C:\Users\Admin\AppData\Local\Temp\is-K6199.tmp\tvplayer4.9.1.0.tmp" /SL5="$B0118,1419068,53248,C:\Users\Admin\AppData\Local\Temp\tvplayer4.9.1.0.exe"
3⤵
- Executes dropped EXE
PID:4756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4552 -ip 4552
1⤵
PID:3192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2664 -ip 2664
1⤵
PID:636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1804 -ip 1804
1⤵
PID:2992

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0906490.bat

Filesize
15B

MD5
941e66c908cabb0f803f68c5549ad4f8

SHA1
3cb78031b511cd2a972ae6290f3febb2abbc546a

SHA256
66e83aff0c39680bef61da943685e3077e605769be17c781c398fff6c712f15e

SHA512
7575483ce0a8a1fb95bdd0c077840f56740b2e69297a67ae04ab04e283f184a1b8efde46ec4eeeadee041b3c751d9d11ab95963fbeb55ef70b3dffdb27ec545a

Download Submit
C:\Users\Admin\AppData\Local\Temp\explorer.exe

Filesize
71KB

MD5
336e0cc8b4f22ee67c087f8df948b987

SHA1
7bf87db059e3a93a0f317b3ecc5661beeef85efd

SHA256
f642df1f8f32627d072639b46d8d942aded99d50ab438fcda45e16ed181d5cfb

SHA512
8cd546f3ad43e5003eea9f765037568d3d9ec12b05a72f317ce405c9698f794085fbee065a51b5ba9f3c2b0fbd30468b9f0047173217ceb54f02b16914e5c93f

Download Submit
C:\Users\Admin\AppData\Local\Temp\explorer.exe

Filesize
71KB

MD5
336e0cc8b4f22ee67c087f8df948b987

SHA1
7bf87db059e3a93a0f317b3ecc5661beeef85efd

SHA256
f642df1f8f32627d072639b46d8d942aded99d50ab438fcda45e16ed181d5cfb

SHA512
8cd546f3ad43e5003eea9f765037568d3d9ec12b05a72f317ce405c9698f794085fbee065a51b5ba9f3c2b0fbd30468b9f0047173217ceb54f02b16914e5c93f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-K6199.tmp\tvplayer4.9.1.0.tmp

Filesize
669KB

MD5
52950ac9e2b481453082f096120e355a

SHA1
159c09db1abcee9114b4f792ffba255c78a6e6c3

SHA256
25fbc88c7c967266f041ae4d47c2eae0b96086f9e440cca10729103aee7ef6cd

SHA512
5b61c28bbcaedadb3b6cd3bb8a392d18016c354c4c16e01395930666addc95994333dfc45bea1a1844f6f1585e79c729136d3714ac118b5848becde0bdb182ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-K6199.tmp\tvplayer4.9.1.0.tmp

Filesize
669KB

MD5
52950ac9e2b481453082f096120e355a

SHA1
159c09db1abcee9114b4f792ffba255c78a6e6c3

SHA256
25fbc88c7c967266f041ae4d47c2eae0b96086f9e440cca10729103aee7ef6cd

SHA512
5b61c28bbcaedadb3b6cd3bb8a392d18016c354c4c16e01395930666addc95994333dfc45bea1a1844f6f1585e79c729136d3714ac118b5848becde0bdb182ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
49KB

MD5
534517313f621212fe89551656b15118

SHA1
aa8cab2f141d7b84d81b44b7669407f1c6a2283e

SHA256
af38ba08a9acd1b187ac8a2ac34f305f5a87f5ced4eeda1a8784766374379870

SHA512
c2d127c36aa6c7bff3683f2a4c866c7dfdc7d9b916038437b408fe665c2315434371f337ab1df16380156f7b4cfedf5e3aa79e62d64164ab63fb463fe916858b

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
49KB

MD5
534517313f621212fe89551656b15118

SHA1
aa8cab2f141d7b84d81b44b7669407f1c6a2283e

SHA256
af38ba08a9acd1b187ac8a2ac34f305f5a87f5ced4eeda1a8784766374379870

SHA512
c2d127c36aa6c7bff3683f2a4c866c7dfdc7d9b916038437b408fe665c2315434371f337ab1df16380156f7b4cfedf5e3aa79e62d64164ab63fb463fe916858b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tvplayer4.9.1.0.exe

Filesize
1.6MB

MD5
12a563c9ab7a12cf938f9e938cd08010

SHA1
b4d76d55be6cc42a1ae285719414e14449c08659

SHA256
55277060fe533cfd68c8d03c2e9b206333bd5b83724e3287a7b232f293202bae

SHA512
7605cb0ffe6d48ceac6816b2d399484fb2531ff8e7b38e0375a4e523b50c17b00c1ff0c1ea195c842ff2bba8b273547058bd43cedcec33dd112b13348ff0399a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tvplayer4.9.1.0.exe

Filesize
1.6MB

MD5
12a563c9ab7a12cf938f9e938cd08010

SHA1
b4d76d55be6cc42a1ae285719414e14449c08659

SHA256
55277060fe533cfd68c8d03c2e9b206333bd5b83724e3287a7b232f293202bae

SHA512
7605cb0ffe6d48ceac6816b2d399484fb2531ff8e7b38e0375a4e523b50c17b00c1ff0c1ea195c842ff2bba8b273547058bd43cedcec33dd112b13348ff0399a

Download Submit
memory/1804-141-0x0000000000000000-mapping.dmp

Download
memory/1804-160-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1804-162-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1804-151-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2104-158-0x0000000000000000-mapping.dmp

Download
memory/2224-135-0x0000000000000000-mapping.dmp

Download
memory/2664-139-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2664-136-0x0000000000000000-mapping.dmp

Download
memory/2664-159-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2664-157-0x0000000000570000-0x0000000000574000-memory.dmp

Filesize
16KB

Download
memory/2664-156-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2664-155-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4320-144-0x0000000000000000-mapping.dmp

Download
memory/4320-148-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4320-150-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4320-161-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4552-132-0x0000000000400000-0x00000000005C9000-memory.dmp

Filesize
1.8MB

Download
memory/4552-147-0x0000000000400000-0x00000000005C9000-memory.dmp

Filesize
1.8MB

Download
memory/4552-134-0x0000000000400000-0x00000000005C9000-memory.dmp

Filesize
1.8MB

Download
memory/4552-133-0x0000000000400000-0x00000000005C9000-memory.dmp

Filesize
1.8MB

Download
memory/4756-152-0x0000000000000000-mapping.dmp

Download