1c5671b999e70ad84e2ba6ffea357c8d9bb83f9e8ad667c8dc2d81133f0806d8

Analysis

max time kernel
150s
max time network
52s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
24/11/2022, 05:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1c5671b999e70ad84e2ba6ffea357c8d9bb83f9e8ad667c8dc2d81133f0806d8.exe
Size

298KB
MD5

adef2c0c750596d0fb186fe109ace126
SHA1

f0903f28e933ffe8e87c9e5ab447eabbfc9ca3d4
SHA256

1c5671b999e70ad84e2ba6ffea357c8d9bb83f9e8ad667c8dc2d81133f0806d8
SHA512

a485a184a8ba7d5e04df1bace170490ecf5d687a7ca6d96a0dfb3e6a12d818020b232b4accb065d868f0aa928f58a8949591473c698f3cac0c1258e853219134
SSDEEP

6144:gSFUXrX1/anm/1VSWM+Y1xtvtM8yA6AtwnLg5mqLRU4okFtSee2WN3rCV:gOUj1/aC1V1VmFt39yEYURU49R14rCV

Score

8^/10

persistence spyware stealer

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
568	system.exe
1452	system.exe

Loads dropped DLL 3 IoCs

pid	Process
1232	wscript.exe
1232	wscript.exe
568	system.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\SystemScript = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\system.exe\""	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemScript = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\system.exe\""	system.exe

Drops Chrome extension 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nlgdemkdapolikbjimjajpmonpbpmipk\1.0_0\manifest.json	system.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 568 set thread context of 1452	568	system.exe	30

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
852	schtasks.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
568	system.exe
568	system.exe
1452	system.exe
1452	system.exe
1452	system.exe
1452	system.exe
1452	system.exe
1452	system.exe
1452	system.exe
1452	system.exe
1452	system.exe
1452	system.exe

Suspicious use of WriteProcessMemory 41 IoCs

description	pid	Process	procid_target
PID 1652 wrote to memory of 1232	1652	1c5671b999e70ad84e2ba6ffea357c8d9bb83f9e8ad667c8dc2d81133f0806d8.exe	27
PID 1652 wrote to memory of 1232	1652	1c5671b999e70ad84e2ba6ffea357c8d9bb83f9e8ad667c8dc2d81133f0806d8.exe	27
PID 1652 wrote to memory of 1232	1652	1c5671b999e70ad84e2ba6ffea357c8d9bb83f9e8ad667c8dc2d81133f0806d8.exe	27
PID 1652 wrote to memory of 1232	1652	1c5671b999e70ad84e2ba6ffea357c8d9bb83f9e8ad667c8dc2d81133f0806d8.exe	27
PID 1652 wrote to memory of 1232	1652	1c5671b999e70ad84e2ba6ffea357c8d9bb83f9e8ad667c8dc2d81133f0806d8.exe	27
PID 1652 wrote to memory of 1232	1652	1c5671b999e70ad84e2ba6ffea357c8d9bb83f9e8ad667c8dc2d81133f0806d8.exe	27
PID 1652 wrote to memory of 1232	1652	1c5671b999e70ad84e2ba6ffea357c8d9bb83f9e8ad667c8dc2d81133f0806d8.exe	27
PID 1232 wrote to memory of 568	1232	wscript.exe	29
PID 1232 wrote to memory of 568	1232	wscript.exe	29
PID 1232 wrote to memory of 568	1232	wscript.exe	29
PID 1232 wrote to memory of 568	1232	wscript.exe	29
PID 1232 wrote to memory of 568	1232	wscript.exe	29
PID 1232 wrote to memory of 568	1232	wscript.exe	29
PID 1232 wrote to memory of 568	1232	wscript.exe	29
PID 568 wrote to memory of 1452	568	system.exe	30
PID 568 wrote to memory of 1452	568	system.exe	30
PID 568 wrote to memory of 1452	568	system.exe	30
PID 568 wrote to memory of 1452	568	system.exe	30
PID 568 wrote to memory of 1452	568	system.exe	30
PID 568 wrote to memory of 1452	568	system.exe	30
PID 568 wrote to memory of 1452	568	system.exe	30
PID 568 wrote to memory of 1452	568	system.exe	30
PID 568 wrote to memory of 1452	568	system.exe	30
PID 568 wrote to memory of 1452	568	system.exe	30
PID 568 wrote to memory of 1452	568	system.exe	30
PID 568 wrote to memory of 1452	568	system.exe	30
PID 568 wrote to memory of 1452	568	system.exe	30
PID 1452 wrote to memory of 288	1452	system.exe	31
PID 1452 wrote to memory of 288	1452	system.exe	31
PID 1452 wrote to memory of 288	1452	system.exe	31
PID 1452 wrote to memory of 288	1452	system.exe	31
PID 1452 wrote to memory of 288	1452	system.exe	31
PID 1452 wrote to memory of 288	1452	system.exe	31
PID 1452 wrote to memory of 288	1452	system.exe	31
PID 1452 wrote to memory of 852	1452	system.exe	33
PID 1452 wrote to memory of 852	1452	system.exe	33
PID 1452 wrote to memory of 852	1452	system.exe	33
PID 1452 wrote to memory of 852	1452	system.exe	33
PID 1452 wrote to memory of 852	1452	system.exe	33
PID 1452 wrote to memory of 852	1452	system.exe	33
PID 1452 wrote to memory of 852	1452	system.exe	33

C:\Users\Admin\AppData\Local\Temp\1c5671b999e70ad84e2ba6ffea357c8d9bb83f9e8ad667c8dc2d81133f0806d8.exe
"C:\Users\Admin\AppData\Local\Temp\1c5671b999e70ad84e2ba6ffea357c8d9bb83f9e8ad667c8dc2d81133f0806d8.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1652
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\System32\wscript.exe" tall.vbs
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1232
- - C:\Users\Admin\AppData\Local\Microsoft\Windows\system.exe
    "C:\Users\Admin\AppData\Local\Microsoft\Windows\system.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:568
  - - C:\Users\Admin\AppData\Local\Microsoft\Windows\system.exe
      "C:\Users\Admin\AppData\Local\Microsoft\Windows\system.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Drops Chrome extension
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1452
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\system32\schtasks.exe" /delete /tn SystemScript /f
        5⤵
        
        PID:288
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\system32\schtasks.exe" /create /tn SystemScript /tr ""C:\Users\Admin\AppData\Local\Microsoft\Windows\system.exe"" /sc ONLOGON /f
        5⤵
        Creates scheduled task(s)
        
        PID:852

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\system.exe

Filesize
262KB

MD5
dee88251f5329b8a8b0a9a6dc76294f0

SHA1
3ec84f1851e9fcf7a0026c818b9661c96ae589a1

SHA256
de303b45ae378c6cb9a0f21fceb9792e2cbfee1c12a065f1a3cecb7b9b5f55a1

SHA512
24579aafbd5e01b831750214c8170945ff74830de258536636d084fd85663931135933b9416324be8415931ef6b3af147bd9f8c048be3751b3f7ef2cd6ba1806

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\system.exe

Filesize
262KB

MD5
dee88251f5329b8a8b0a9a6dc76294f0

SHA1
3ec84f1851e9fcf7a0026c818b9661c96ae589a1

SHA256
de303b45ae378c6cb9a0f21fceb9792e2cbfee1c12a065f1a3cecb7b9b5f55a1

SHA512
24579aafbd5e01b831750214c8170945ff74830de258536636d084fd85663931135933b9416324be8415931ef6b3af147bd9f8c048be3751b3f7ef2cd6ba1806

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\system.exe

Filesize
262KB

MD5
dee88251f5329b8a8b0a9a6dc76294f0

SHA1
3ec84f1851e9fcf7a0026c818b9661c96ae589a1

SHA256
de303b45ae378c6cb9a0f21fceb9792e2cbfee1c12a065f1a3cecb7b9b5f55a1

SHA512
24579aafbd5e01b831750214c8170945ff74830de258536636d084fd85663931135933b9416324be8415931ef6b3af147bd9f8c048be3751b3f7ef2cd6ba1806

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\windows.zpx

Filesize
104KB

MD5
6f806b5954d057b8beb4fa9407885a07

SHA1
ebee7cfe3227e702b5dd337d1ba2400f0e5e88b7

SHA256
706dc075630b4a171df48d7de2b9bf268110616d1ed6cb485dfd988ba7235135

SHA512
ba0447f55779e6bf16fd5cf876d2cbfd1a5b7c5f2dc82c42d1d669d04ff242e6266fd135a70e48c0f1945aee7680359b26d5b5d1038e0564ffc1b54ce690d3de

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\dows.zpz

Filesize
104KB

MD5
6f806b5954d057b8beb4fa9407885a07

SHA1
ebee7cfe3227e702b5dd337d1ba2400f0e5e88b7

SHA256
706dc075630b4a171df48d7de2b9bf268110616d1ed6cb485dfd988ba7235135

SHA512
ba0447f55779e6bf16fd5cf876d2cbfd1a5b7c5f2dc82c42d1d669d04ff242e6266fd135a70e48c0f1945aee7680359b26d5b5d1038e0564ffc1b54ce690d3de

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\tall.vbs

Filesize
1KB

MD5
c41856dd8af124567021826d6a1a2a36

SHA1
2c69cc44fb68e48e5838945a54fce1f04507a8d3

SHA256
81726dadc83c5a09acae6f0170b934ba009644f8427c19ba8d4851798740d704

SHA512
6b4f5638ffc05049fefdd6c68eb8e3dd39ac6d93b45ba0d3afaddd23ad06af32d638049c4e77b1f8d7ca3f4b2f8dec5a491fee2a0d54d1fe78bb5839f6322c3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\tem.vbc

Filesize
262KB

MD5
dee88251f5329b8a8b0a9a6dc76294f0

SHA1
3ec84f1851e9fcf7a0026c818b9661c96ae589a1

SHA256
de303b45ae378c6cb9a0f21fceb9792e2cbfee1c12a065f1a3cecb7b9b5f55a1

SHA512
24579aafbd5e01b831750214c8170945ff74830de258536636d084fd85663931135933b9416324be8415931ef6b3af147bd9f8c048be3751b3f7ef2cd6ba1806

Download Submit
\Users\Admin\AppData\Local\Microsoft\Windows\system.exe

Filesize
262KB

MD5
dee88251f5329b8a8b0a9a6dc76294f0

SHA1
3ec84f1851e9fcf7a0026c818b9661c96ae589a1

SHA256
de303b45ae378c6cb9a0f21fceb9792e2cbfee1c12a065f1a3cecb7b9b5f55a1

SHA512
24579aafbd5e01b831750214c8170945ff74830de258536636d084fd85663931135933b9416324be8415931ef6b3af147bd9f8c048be3751b3f7ef2cd6ba1806

Download Submit
\Users\Admin\AppData\Local\Microsoft\Windows\system.exe

Filesize
262KB

MD5
dee88251f5329b8a8b0a9a6dc76294f0

SHA1
3ec84f1851e9fcf7a0026c818b9661c96ae589a1

SHA256
de303b45ae378c6cb9a0f21fceb9792e2cbfee1c12a065f1a3cecb7b9b5f55a1

SHA512
24579aafbd5e01b831750214c8170945ff74830de258536636d084fd85663931135933b9416324be8415931ef6b3af147bd9f8c048be3751b3f7ef2cd6ba1806

Download Submit
\Users\Admin\AppData\Local\Microsoft\Windows\system.exe

Filesize
262KB

MD5
dee88251f5329b8a8b0a9a6dc76294f0

SHA1
3ec84f1851e9fcf7a0026c818b9661c96ae589a1

SHA256
de303b45ae378c6cb9a0f21fceb9792e2cbfee1c12a065f1a3cecb7b9b5f55a1

SHA512
24579aafbd5e01b831750214c8170945ff74830de258536636d084fd85663931135933b9416324be8415931ef6b3af147bd9f8c048be3751b3f7ef2cd6ba1806

Download Submit
memory/568-78-0x00000000001C0000-0x00000000001CC000-memory.dmp

Filesize
48KB

Download
memory/1452-67-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1452-74-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1452-68-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1452-73-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1452-80-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1452-82-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1452-83-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1452-71-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1452-70-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1652-54-0x00000000757A1000-0x00000000757A3000-memory.dmp

Filesize
8KB

Download