Analysis
- max time kernel: 187s
- max time network: 50s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 23-11-2022 19:13
Behavioral task: behavioral1
- Sample: 4d18734b0832e0cf91fdf3176fabf2a8344912a979d66066a14cdddd82036212.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: 4d18734b0832e0cf91fdf3176fabf2a8344912a979d66066a14cdddd82036212.exe
- Resource: win10v2004-20220812-en
General
- Target: 4d18734b0832e0cf91fdf3176fabf2a8344912a979d66066a14cdddd82036212.exe
- Size: 175KB
- MD5: 4478d63bfa4ba7eedfbbdbb01e675286
- SHA1: c90eaec956002d5ddfcd7b2ce0510ee93fad8290
- SHA256: 4d18734b0832e0cf91fdf3176fabf2a8344912a979d66066a14cdddd82036212
- SHA512: 995b0da360ba473fa77a2d5d532e96f336c0987392e0af8e3f745a6dcc1924246d7f95500b1ad91655b72a70acab16a4ba2a3ed399de56c1e23302d48f412369
- SSDEEP: 3072:JYNQKPWDyaRefVJltZrpRl1P3KflMPp8GvYLT3V7qlqL8jGOQpIPpnt+HT5WQ8Ai:yNSDyaRO1thpMflMPS1TVmML8jBQWVY8
Malware Config
Signatures
- Yara rule matches (rule: upx)
  resource | yara_rule
  behavioral1/memory/1752-55-0x0000000001000000-0x0000000001055000-memory.dmp | upx
  behavioral1/memory/1752-96-0x0000000001000000-0x0000000001055000-memory.dmp | upx
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Enumerates connected drives (3 TTPs, 22 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: 4d18734b0832e0cf91fdf3176fabf2a8344912a979d66066a14cdddd82036212.exe
  description | ioc | process
  File opened (read-only) | \??\G: | 4d18734b0832e0cf91fdf3176fabf2a8344912a979d66066a14cdddd82036212.exe
  File opened (read-only) | \??\K: | 4d18734b0832e0cf91fdf3176fabf2a8344912a979d66066a14cdddd82036212.exe
  File opened (read-only) | \??\M: | 4d18734b0832e0cf91fdf3176fabf2a8344912a979d66066a14cdddd82036212.exe
  File opened (read-only) | \??\R: | 4d18734b0832e0cf91fdf3176fabf2a8344912a979d66066a14cdddd82036212.exe
  File opened (read-only) | \??\S: | 4d18734b0832e0cf91fdf3176fabf2a8344912a979d66066a14cdddd82036212.exe
  File opened (read-only) | \??\Y: | 4d18734b0832e0cf91fdf3176fabf2a8344912a979d66066a14cdddd82036212.exe
  File opened (read-only) | \??\F: | 4d18734b0832e0cf91fdf3176fabf2a8344912a979d66066a14cdddd82036212.exe
  File opened (read-only) | \??\H: | 4d18734b0832e0cf91fdf3176fabf2a8344912a979d66066a14cdddd82036212.exe
  File opened (read-only) | \??\W: | 4d18734b0832e0cf91fdf3176fabf2a8344912a979d66066a14cdddd82036212.exe
  File opened (read-only) | \??\E: | 4d18734b0832e0cf91fdf3176fabf2a8344912a979d66066a14cdddd82036212.exe
  File opened (read-only) | \??\I: | 4d18734b0832e0cf91fdf3176fabf2a8344912a979d66066a14cdddd82036212.exe
  File opened (read-only) | \??\J: | 4d18734b0832e0cf91fdf3176fabf2a8344912a979d66066a14cdddd82036212.exe
  File opened (read-only) | \??\L: | 4d18734b0832e0cf91fdf3176fabf2a8344912a979d66066a14cdddd82036212.exe
  File opened (read-only) | \??\Q: | 4d18734b0832e0cf91fdf3176fabf2a8344912a979d66066a14cdddd82036212.exe
  File opened (read-only) | \??\U: | 4d18734b0832e0cf91fdf3176fabf2a8344912a979d66066a14cdddd82036212.exe
  File opened (read-only) | \??\Z: | 4d18734b0832e0cf91fdf3176fabf2a8344912a979d66066a14cdddd82036212.exe
  File opened (read-only) | \??\N: | 4d18734b0832e0cf91fdf3176fabf2a8344912a979d66066a14cdddd82036212.exe
  File opened (read-only) | \??\O: | 4d18734b0832e0cf91fdf3176fabf2a8344912a979d66066a14cdddd82036212.exe
  File opened (read-only) | \??\P: | 4d18734b0832e0cf91fdf3176fabf2a8344912a979d66066a14cdddd82036212.exe
  File opened (read-only) | \??\T: | 4d18734b0832e0cf91fdf3176fabf2a8344912a979d66066a14cdddd82036212.exe
  File opened (read-only) | \??\V: | 4d18734b0832e0cf91fdf3176fabf2a8344912a979d66066a14cdddd82036212.exe
  File opened (read-only) | \??\X: | 4d18734b0832e0cf91fdf3176fabf2a8344912a979d66066a14cdddd82036212.exe
- Drops file in System32 directory (21 IoCs)
  Processes: 4d18734b0832e0cf91fdf3176fabf2a8344912a979d66066a14cdddd82036212.exe
  description | ioc | process
  File opened for modification | \??\c:\windows\SysWOW64\ui0detect.exe | 4d18734b0832e0cf91fdf3176fabf2a8344912a979d66066a14cdddd82036212.exe
  File opened for modification | \??\c:\windows\SysWOW64\vssvc.exe | 4d18734b0832e0cf91fdf3176fabf2a8344912a979d66066a14cdddd82036212.exe
  File opened for modification | \??\c:\windows\SysWOW64\wbengine.exe | 4d18734b0832e0cf91fdf3176fabf2a8344912a979d66066a14cdddd82036212.exe
  File opened for modification | \??\c:\windows\SysWOW64\svchost.exe | 4d18734b0832e0cf91fdf3176fabf2a8344912a979d66066a14cdddd82036212.exe
  File created | \??\c:\windows\SysWOW64\msiexec.vir | 4d18734b0832e0cf91fdf3176fabf2a8344912a979d66066a14cdddd82036212.exe
  File opened for modification | \??\c:\windows\SysWOW64\alg.exe | 4d18734b0832e0cf91fdf3176fabf2a8344912a979d66066a14cdddd82036212.exe
  File created | \??\c:\windows\SysWOW64\dllhost.vir | 4d18734b0832e0cf91fdf3176fabf2a8344912a979d66066a14cdddd82036212.exe
  File opened for modification | \??\c:\windows\SysWOW64\ieetwcollector.exe | 4d18734b0832e0cf91fdf3176fabf2a8344912a979d66066a14cdddd82036212.exe
  File opened for modification | \??\c:\windows\SysWOW64\msdtc.exe | 4d18734b0832e0cf91fdf3176fabf2a8344912a979d66066a14cdddd82036212.exe
  File opened for modification | \??\c:\windows\syswow64\perfhost.exe | 4d18734b0832e0cf91fdf3176fabf2a8344912a979d66066a14cdddd82036212.exe
  File opened for modification | \??\c:\windows\SysWOW64\snmptrap.exe | 4d18734b0832e0cf91fdf3176fabf2a8344912a979d66066a14cdddd82036212.exe
  File opened for modification | \??\c:\windows\SysWOW64\wbem\wmiApsrv.exe | 4d18734b0832e0cf91fdf3176fabf2a8344912a979d66066a14cdddd82036212.exe
  File created | \??\c:\windows\SysWOW64\svchost.vir | 4d18734b0832e0cf91fdf3176fabf2a8344912a979d66066a14cdddd82036212.exe
  File opened for modification | \??\c:\windows\SysWOW64\dllhost.exe | 4d18734b0832e0cf91fdf3176fabf2a8344912a979d66066a14cdddd82036212.exe
  File opened for modification | \??\c:\windows\SysWOW64\searchindexer.exe | 4d18734b0832e0cf91fdf3176fabf2a8344912a979d66066a14cdddd82036212.exe
  File opened for modification | \??\c:\windows\SysWOW64\msiexec.exe | 4d18734b0832e0cf91fdf3176fabf2a8344912a979d66066a14cdddd82036212.exe
  File opened for modification | \??\c:\windows\SysWOW64\locator.exe | 4d18734b0832e0cf91fdf3176fabf2a8344912a979d66066a14cdddd82036212.exe
  File opened for modification | \??\c:\windows\SysWOW64\vds.exe | 4d18734b0832e0cf91fdf3176fabf2a8344912a979d66066a14cdddd82036212.exe
  File created | \??\c:\windows\SysWOW64\searchindexer.vir | 4d18734b0832e0cf91fdf3176fabf2a8344912a979d66066a14cdddd82036212.exe
  File opened for modification | \??\c:\windows\SysWOW64\lsass.exe | 4d18734b0832e0cf91fdf3176fabf2a8344912a979d66066a14cdddd82036212.exe
  File opened for modification | \??\c:\windows\SysWOW64\fxssvc.exe | 4d18734b0832e0cf91fdf3176fabf2a8344912a979d66066a14cdddd82036212.exe
- Drops file in Program Files directory (15 IoCs)
  Processes: 4d18734b0832e0cf91fdf3176fabf2a8344912a979d66066a14cdddd82036212.exe
  description | ioc | process
  File opened for modification | \??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe | 4d18734b0832e0cf91fdf3176fabf2a8344912a979d66066a14cdddd82036212.exe
  File opened for modification | C:\Program Files\7-Zip\7z.exe | 4d18734b0832e0cf91fdf3176fabf2a8344912a979d66066a14cdddd82036212.exe
  File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.exe | 4d18734b0832e0cf91fdf3176fabf2a8344912a979d66066a14cdddd82036212.exe
  File opened for modification | \??\c:\program files (x86)\google\update\googleupdate.exe | 4d18734b0832e0cf91fdf3176fabf2a8344912a979d66066a14cdddd82036212.exe
  File opened for modification | \??\c:\program files\google\chrome\Application\89.0.4389.114\elevation_service.exe | 4d18734b0832e0cf91fdf3176fabf2a8344912a979d66066a14cdddd82036212.exe
  File opened for modification | C:\Program Files\7-Zip\7zFM.exe | 4d18734b0832e0cf91fdf3176fabf2a8344912a979d66066a14cdddd82036212.exe
  File opened for modification | \??\c:\program files (x86)\microsoft office\office14\groove.exe | 4d18734b0832e0cf91fdf3176fabf2a8344912a979d66066a14cdddd82036212.exe
  File opened for modification | \??\c:\program files (x86)\common files\microsoft shared\source engine\ose.exe | 4d18734b0832e0cf91fdf3176fabf2a8344912a979d66066a14cdddd82036212.exe
  File opened for modification | \??\c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\osppsvc.exe | 4d18734b0832e0cf91fdf3176fabf2a8344912a979d66066a14cdddd82036212.exe
  File opened for modification | \??\c:\program files\windows media player\wmpnetwk.exe | 4d18734b0832e0cf91fdf3176fabf2a8344912a979d66066a14cdddd82036212.exe
  File opened for modification | C:\Program Files\Internet Explorer\iexplore.exe | 4d18734b0832e0cf91fdf3176fabf2a8344912a979d66066a14cdddd82036212.exe
  File opened for modification | C:\Program Files\7-Zip\7zG.exe | 4d18734b0832e0cf91fdf3176fabf2a8344912a979d66066a14cdddd82036212.exe
  File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | 4d18734b0832e0cf91fdf3176fabf2a8344912a979d66066a14cdddd82036212.exe
  File created | C:\Program Files\7-Zip\Uninstall.vir | 4d18734b0832e0cf91fdf3176fabf2a8344912a979d66066a14cdddd82036212.exe
  File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.exe | 4d18734b0832e0cf91fdf3176fabf2a8344912a979d66066a14cdddd82036212.exe
- Drops file in Windows directory (12 IoCs)
  Processes: 4d18734b0832e0cf91fdf3176fabf2a8344912a979d66066a14cdddd82036212.exe, dllhost.exe
  description | ioc | process
  File opened for modification | \??\c:\windows\ehome\ehsched.exe | 4d18734b0832e0cf91fdf3176fabf2a8344912a979d66066a14cdddd82036212.exe
  File opened for modification | \??\c:\windows\microsoft.net\framework64\v3.0\windows communication foundation\infocard.exe | 4d18734b0832e0cf91fdf3176fabf2a8344912a979d66066a14cdddd82036212.exe
  File opened for modification | \??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.exe | 4d18734b0832e0cf91fdf3176fabf2a8344912a979d66066a14cdddd82036212.exe
  File opened for modification | \??\c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe | 4d18734b0832e0cf91fdf3176fabf2a8344912a979d66066a14cdddd82036212.exe
  File opened for modification | \??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe | 4d18734b0832e0cf91fdf3176fabf2a8344912a979d66066a14cdddd82036212.exe
  File created | C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{E75F1626-AE8D-48EF-849A-E04C7EF255A8}.crmlog | dllhost.exe
  File opened for modification | C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{E75F1626-AE8D-48EF-849A-E04C7EF255A8}.crmlog | dllhost.exe
  File opened for modification | \??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe | 4d18734b0832e0cf91fdf3176fabf2a8344912a979d66066a14cdddd82036212.exe
  File opened for modification | \??\c:\windows\servicing\trustedinstaller.exe | 4d18734b0832e0cf91fdf3176fabf2a8344912a979d66066a14cdddd82036212.exe
  File opened for modification | \??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe | 4d18734b0832e0cf91fdf3176fabf2a8344912a979d66066a14cdddd82036212.exe
  File opened for modification | \??\c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.exe | 4d18734b0832e0cf91fdf3176fabf2a8344912a979d66066a14cdddd82036212.exe
  File opened for modification | \??\c:\windows\ehome\ehrecvr.exe | 4d18734b0832e0cf91fdf3176fabf2a8344912a979d66066a14cdddd82036212.exe
- Modifies data under HKEY_USERS (3 IoCs)
  Processes: SearchIndexer.exe
  description | ioc | process
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones | SearchIndexer.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | SearchIndexer.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | SearchIndexer.exe
- Suspicious use of AdjustPrivilegeToken (7 IoCs)
  Processes: 4d18734b0832e0cf91fdf3176fabf2a8344912a979d66066a14cdddd82036212.exe, msiexec.exe, SearchIndexer.exe
  description | pid | process
  Token: SeTakeOwnershipPrivilege | 1752 | 4d18734b0832e0cf91fdf3176fabf2a8344912a979d66066a14cdddd82036212.exe
  Token: SeRestorePrivilege | 1772 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 1772 | msiexec.exe
  Token: SeSecurityPrivilege | 1772 | msiexec.exe
  Token: SeManageVolumePrivilege | 468 | SearchIndexer.exe
  Token: 33 | 468 | SearchIndexer.exe
  Token: SeIncBasePriorityPrivilege | 468 | SearchIndexer.exe
- Suspicious use of SetWindowsHookEx (5 IoCs)
  Processes: SearchProtocolHost.exe
  pid | process
  304 | SearchProtocolHost.exe
  304 | SearchProtocolHost.exe
  304 | SearchProtocolHost.exe
  304 | SearchProtocolHost.exe
  304 | SearchProtocolHost.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: SearchIndexer.exe
  description | pid | process | target process
  PID 468 wrote to memory of 304 | 468 | SearchIndexer.exe | SearchProtocolHost.exe
  PID 468 wrote to memory of 304 | 468 | SearchIndexer.exe | SearchProtocolHost.exe
  PID 468 wrote to memory of 304 | 468 | SearchIndexer.exe | SearchProtocolHost.exe
  PID 468 wrote to memory of 340 | 468 | SearchIndexer.exe | SearchFilterHost.exe
  PID 468 wrote to memory of 340 | 468 | SearchIndexer.exe | SearchFilterHost.exe
  PID 468 wrote to memory of 340 | 468 | SearchIndexer.exe | SearchFilterHost.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\4d18734b0832e0cf91fdf3176fabf2a8344912a979d66066a14cdddd82036212.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4d18734b0832e0cf91fdf3176fabf2a8344912a979d66066a14cdddd82036212.exe"
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\dllhost.exe
  Command line: C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
  - Drops file in Windows directory
- C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\SearchIndexer.exe
  Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\SearchProtocolHost.exe
    Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-2292972927-2705560509-2768824231-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-2292972927-2705560509-2768824231-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
    - Suspicious use of SetWindowsHookEx
  - C:\Windows\system32\SearchFilterHost.exe
    Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 512 516 524 65536 520
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/304-94-0x0000000000000000-mapping.dmp
- memory/340-95-0x0000000000000000-mapping.dmp
- memory/468-57-0x0000000002970000-0x0000000002980000-memory.dmp (Filesize: 64KB)
- memory/468-73-0x0000000002A70000-0x0000000002A80000-memory.dmp (Filesize: 64KB)
- memory/468-89-0x0000000003E70000-0x0000000003E78000-memory.dmp (Filesize: 32KB)
- memory/468-92-0x0000000003E70000-0x0000000003E78000-memory.dmp (Filesize: 32KB)
- memory/468-93-0x0000000003ED0000-0x0000000003ED8000-memory.dmp (Filesize: 32KB)
- memory/1752-54-0x0000000075BA1000-0x0000000075BA3000-memory.dmp (Filesize: 8KB)
- memory/1752-55-0x0000000001000000-0x0000000001055000-memory.dmp (Filesize: 340KB)
- memory/1752-96-0x0000000001000000-0x0000000001055000-memory.dmp (Filesize: 340KB)
- memory/1772-56-0x000007FEFBF21000-0x000007FEFBF23000-memory.dmp (Filesize: 8KB)