Overview

overview

8

Static

static

2991042209...6a.exe

windows7-x64

8

2991042209...6a.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    153s
  • max time network
    34s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    23/11/2022, 19:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    29910422093c7e6ae57dae350cc60e24e17e0ef5bd84ea9b4680d122f7667d6a.exe

  • Size

    418KB

  • MD5

    532bcaf110fd9157b62b41170e36f760

  • SHA1

    0a6e74eaf5ae9e57353c44532eeca59fbaa09f95

  • SHA256

    29910422093c7e6ae57dae350cc60e24e17e0ef5bd84ea9b4680d122f7667d6a

  • SHA512

    68df4eeec983cea5521de36b3ea5d415a34d3812c2da733e47694ad53db1c220cafbc1ead47fe20a85f26a21413c54fbd139e86fa37071da816dcc25cd17ee68

  • SSDEEP

    6144:CLf04a2B2qYwwL+XYZ64LtURDEZ/cSy3zFzTRNy+:CLza2NYww6XYZJabNL

Score
8/10
spywarestealer

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 2 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 14 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Enumerates processes with tasklist 1 TTPs 2 IoCs
  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Gathers system information 1 TTPs 1 IoCs

    Runs systeminfo.exe.

  • Modifies data under HKEY_USERS 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\29910422093c7e6ae57dae350cc60e24e17e0ef5bd84ea9b4680d122f7667d6a.exe
    "C:\Users\Admin\AppData\Local\Temp\29910422093c7e6ae57dae350cc60e24e17e0ef5bd84ea9b4680d122f7667d6a.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    PID:1888
  • C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\svchost.exe
    "C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\svchost.exe" -k netsvcs -s
    1⤵
    • Executes dropped EXE
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:112
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c netstat.exe -an >"C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\AddIns\InternalLog\D41D8CD98F00B204E9800998ECF8427E\RP71\netstatan.txt"
      2⤵
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:1068
      • C:\Windows\SysWOW64\NETSTAT.EXE
        netstat.exe -an
        3⤵
        • Gathers network information
        • Suspicious use of AdjustPrivilegeToken
        PID:468
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c systeminfo.exe >"C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\AddIns\InternalLog\D41D8CD98F00B204E9800998ECF8427E\RP71\sysinfo.txt"
      2⤵
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:536
      • C:\Windows\SysWOW64\systeminfo.exe
        systeminfo.exe
        3⤵
        • Gathers system information
        • Modifies data under HKEY_USERS
        PID:1644
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c tasklist.exe >"C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\AddIns\InternalLog\D41D8CD98F00B204E9800998ECF8427E\RP71\tasklist.txt"
      2⤵
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:1936
      • C:\Windows\SysWOW64\tasklist.exe
        tasklist.exe
        3⤵
        • Enumerates processes with tasklist
        • Suspicious use of AdjustPrivilegeToken
        PID:1072
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c tasklist.exe /SVC >"C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\AddIns\InternalLog\D41D8CD98F00B204E9800998ECF8427E\RP71\tasklist.txt"
      2⤵
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:1204
      • C:\Windows\SysWOW64\tasklist.exe
        tasklist.exe /SVC
        3⤵
        • Enumerates processes with tasklist
        • Suspicious use of AdjustPrivilegeToken
        PID:1996
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c dir /s C:\*.* >"C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\AddIns\InternalLog\D41D8CD98F00B204E9800998ECF8427E\RP71\dirlistC.txt"
      2⤵
      • Drops file in System32 directory
      PID:1956

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\Common Files\microsoft shared\DAO\svchost.exe
    Filesize

    418KB

    MD5

    532bcaf110fd9157b62b41170e36f760

    SHA1

    0a6e74eaf5ae9e57353c44532eeca59fbaa09f95

    SHA256

    29910422093c7e6ae57dae350cc60e24e17e0ef5bd84ea9b4680d122f7667d6a

    SHA512

    68df4eeec983cea5521de36b3ea5d415a34d3812c2da733e47694ad53db1c220cafbc1ead47fe20a85f26a21413c54fbd139e86fa37071da816dcc25cd17ee68

    Download Submit

  • C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\AddIns\InternalLog\D41D8CD98F00B204E9800998ECF8427E\RP71\netstatan.txt
    Filesize

    2KB

    MD5

    c0c893315626df2f6d771eeb4803f8ee

    SHA1

    8f2e51104648927e62ef84f3b69988ac7e2d2af0

    SHA256

    d8782c366ae11ebd9544dd31261b662b4ab48d79af9e243b795d81ca8f278e27

    SHA512

    bd0c144dc3f7b593785918afc56ed8d0add450f3670c4ef1ad7f0eab66ff3efb550c60a925281d467a69fbe70ad4e4ac6beb031f7af73149c855e1ea18e9b77f

    Download Submit

  • C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\AddIns\InternalLog\D41D8CD98F00B204E9800998ECF8427E\RP71\sysinfo.txt
    Filesize

    2KB

    MD5

    09a9cf61089a75e7e3b47b1307ddf21e

    SHA1

    bea528e16fb877e5c2d44e385c6a7e238647eb09

    SHA256

    a303639f0653babc7d96d963d7ed028a95c738fb75b075777b7d2f33798ee6a6

    SHA512

    4067a4d5fa48f2639f0e6b32f7685b96f2804c2d05639a4663d81e382f643936e327c114348a6a8c9850028d78bdf4d7fb47b6b5fae48e17a759151a4483a634

    Download Submit

  • C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\AddIns\InternalLog\D41D8CD98F00B204E9800998ECF8427E\RP71\tasklist.txt
    Filesize

    2KB

    MD5

    af7492264d05e2197b752724fc5cdeb9

    SHA1

    b7d465201b5cc3fff6d3a45074d2239bc907ac62

    SHA256

    871a0de6fb23027b61636cde84a88015f66ba79fa9bb10c05a3f00e3bd50c44e

    SHA512

    7d13f447428a6a63e5c0a6f2be2ea2a46cd34d7720398b675af29c4e847de1937c8f3b8ae15689993e61e10df5638f3905ec46ef262272f44de60dccac59f321

    Download Submit

  • C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\AddIns\InternalLog\D41D8CD98F00B204E9800998ECF8427E\RP71\tasklist.txt
    Filesize

    2KB

    MD5

    1b09613208952146461a3b130f65f414

    SHA1

    620830c211117ffc63ba1fdcdab92edffa5a40dd

    SHA256

    e6f055df03811acd767db03e499eacb973a3bb08192101aa529ccce691657635

    SHA512

    2b3910c6e6f068830258bfc2c3c75b82e5aeae64238035f2cb10ce2923ca1c259820ce5137439e824d7e2372c649a198e9d5f0385312c3bcb137f8fd93dbbc6f

    Download Submit

  • \Program Files (x86)\Common Files\microsoft shared\DAO\svchost.exe
    Filesize

    418KB

    MD5

    532bcaf110fd9157b62b41170e36f760

    SHA1

    0a6e74eaf5ae9e57353c44532eeca59fbaa09f95

    SHA256

    29910422093c7e6ae57dae350cc60e24e17e0ef5bd84ea9b4680d122f7667d6a

    SHA512

    68df4eeec983cea5521de36b3ea5d415a34d3812c2da733e47694ad53db1c220cafbc1ead47fe20a85f26a21413c54fbd139e86fa37071da816dcc25cd17ee68

    Download Submit

  • \Program Files (x86)\Common Files\microsoft shared\DAO\svchost.exe
    Filesize

    418KB

    MD5

    532bcaf110fd9157b62b41170e36f760

    SHA1

    0a6e74eaf5ae9e57353c44532eeca59fbaa09f95

    SHA256

    29910422093c7e6ae57dae350cc60e24e17e0ef5bd84ea9b4680d122f7667d6a

    SHA512

    68df4eeec983cea5521de36b3ea5d415a34d3812c2da733e47694ad53db1c220cafbc1ead47fe20a85f26a21413c54fbd139e86fa37071da816dcc25cd17ee68

    Download Submit

  • \Program Files (x86)\Common Files\microsoft shared\DAO\svchost.exe
    Filesize

    418KB

    MD5

    532bcaf110fd9157b62b41170e36f760

    SHA1

    0a6e74eaf5ae9e57353c44532eeca59fbaa09f95

    SHA256

    29910422093c7e6ae57dae350cc60e24e17e0ef5bd84ea9b4680d122f7667d6a

    SHA512

    68df4eeec983cea5521de36b3ea5d415a34d3812c2da733e47694ad53db1c220cafbc1ead47fe20a85f26a21413c54fbd139e86fa37071da816dcc25cd17ee68

    Download Submit

  • memory/112-76-0x0000000000400000-0x000000000046E000-memory.dmp

    Filesize

    440KB

    Download

  • memory/112-62-0x0000000000400000-0x000000000046E000-memory.dmp

    Filesize

    440KB

    Download

  • memory/1888-55-0x0000000000400000-0x000000000046E000-memory.dmp

    Filesize

    440KB

    Download

  • memory/1888-61-0x0000000000400000-0x000000000046E000-memory.dmp

    Filesize

    440KB

    Download

  • memory/1888-54-0x00000000757E1000-0x00000000757E3000-memory.dmp

    Filesize

    8KB

    Download