Overview

overview

10

Static

static

90645c9882...fe.exe

windows7-x64

8

90645c9882...fe.exe

windows10-2004-x64

Analysis

  • max time kernel
    55s
  • max time network
    49s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-11-2022 09:17

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    90645c98826d0a5b416357943b8d05ce983c233a6834018c0fcb69bf08474cfe.exe

  • Size

    973KB

  • MD5

    c66f140df79c28dbcb79511467400d7e

  • SHA1

    5ef2b80388644c8c3e7cf4a30190531a0398ddfc

  • SHA256

    90645c98826d0a5b416357943b8d05ce983c233a6834018c0fcb69bf08474cfe

  • SHA512

    3567e045f0258a0698dceeebfa3be11c7ced260d3e5c393b62a761ea0d7833ce291cc1827672627b26e096866bc78b48667d53db6d268118dc8fcfb4302c9ed2

  • SSDEEP

    3072:aSsvihLlTQz9z71iURo2SJJmY6uFNcgifDbmeTXwVdBR:rsqhJMxzJiU5SeLmNSbmebW1

Score
10/10
persistencespywarestealer

Malware Config

Signatures

  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Adds policy Run key to start application 2 TTPs 7 IoCs
    persistence
  • Executes dropped EXE 2 IoCs
  • Sets file execution options in registry 2 TTPs 8 IoCs
    persistence
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 10 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Windows\system32\lsass.exe
    C:\Windows\system32\lsass.exe
    1⤵
      PID:668
      • C:\Users\Admin\AppData\Local\Packages\Microsoft.BioEnrollment_cw5n1h2txyewy\AppData\MeRbFe5wZWB1I8P.bat
        "C:\Users\Admin\AppData\Local\Packages\Microsoft.BioEnrollment_cw5n1h2txyewy\AppData\MeRbFe5wZWB1I8P.bat" 2
        2⤵
        • Executes dropped EXE
        • Sets file execution options in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1952
    • C:\Users\Admin\AppData\Local\Temp\90645c98826d0a5b416357943b8d05ce983c233a6834018c0fcb69bf08474cfe.exe
      "C:\Users\Admin\AppData\Local\Temp\90645c98826d0a5b416357943b8d05ce983c233a6834018c0fcb69bf08474cfe.exe"
      1⤵
      • Adds policy Run key to start application
      • Modifies data under HKEY_USERS
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      PID:1656
    • C:\Windows\system32\LogonUI.exe
      "LogonUI.exe" /flags:0x4 /state0:0xa3980855 /state1:0x41c64e6d
      1⤵
      • Modifies data under HKEY_USERS
      • Suspicious use of SetWindowsHookEx
      PID:3904
    • C:\Windows\system32\gpscript.exe
      gpscript.exe /Shutdown
      1⤵
      • Modifies data under HKEY_USERS
      • Suspicious use of WriteProcessMemory
      PID:3360
      • C:\Users\Admin\AppData\Local\Packages\Microsoft.BioEnrollment_cw5n1h2txyewy\AppData\MeRbFe5wZWB1I8P.bat
        "C:\Users\Admin\AppData\Local\Packages\Microsoft.BioEnrollment_cw5n1h2txyewy\AppData\MeRbFe5wZWB1I8P.bat" 1
        2⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • Adds policy Run key to start application
        • Executes dropped EXE
        • Sets file execution options in registry
        • Modifies data under HKEY_USERS
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1072

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Registry Run Keys / Startup Folder

    2
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    2
    T1112

    Credential Access

    Credentials in Files

    1
    T1081

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Data from Local System

    1
    T1005

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Session Storage\TMy8mo7KdSk4udRUhWVUw64O2OujQRp3oSupXIf6lA4LQwg661YcMjqDoLEV.cmd
      Filesize

      1.9MB

      MD5

      aada0cc515208e5812c369884f58cceb

      SHA1

      8ad567dc10a1e69af001e70fbf145097ccfdd614

      SHA256

      5bc61b493431f5aaf5c6989d8ebb6a7d0443c709c6463965860124b2c4d5bdb0

      SHA512

      a3f26ff54e350b4b7aca7899e9b4ca91b5a21c82ecedc6e13b6ab175b7100d39160afa94f00c94b151236f59706008ff270aa9b85f96b2957a5ce56b75332bca

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\input\es-SV\NKqbAFMWuuYei6czd48rBYYHbi4GWNGQG22L.exe
      Filesize

      1.6MB

      MD5

      f40a67767e3f878caf457cac4ddb7b0a

      SHA1

      7823fcdf86dae998c355fabf43df15cf90a3c2dd

      SHA256

      95b21f12b54127a3793783f3951ed87858016ed1f12d3b1cf8151ebaca2179ee

      SHA512

      311e94c94ea25440e206edbb6bb5ccefc436f15958b2c44c86d5f25b6e6784a6248ba2f1fd42c258bead13e959ab03c615adbab84970b9077636a94781df5357

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\input\fr-ML\uWsA5tuCZlaFLvXTRlGgmzT35ZIBCXsPgK2gk3oIa.exe
      Filesize

      1.3MB

      MD5

      e6e5e61d8e9eceabebc67676ebdf8215

      SHA1

      8ec558746c60a7bd246b6ccd872b8e9f66f38468

      SHA256

      1f6badd6a2a8dafd733a1e92619f37b7e5ecc102aa82c28f0bdacfc46f3d63b1

      SHA512

      802461ee064702b240588cbbabd964e9c3aab117858777e495d30dc6c3c821613fdaa9decfb92c1862ce160a5b1d4cbe054d6b85557731f880381d8dc50c923a

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\input\ms-BN\QZgXvlUtJg2q1EkbTB.exe
      Filesize

      1.5MB

      MD5

      c40bb1360aa1843b9313be40a96af453

      SHA1

      46e7c86ba0fe4ba43ea4b1061320ece00ecd26bd

      SHA256

      fb4b92d8dd781588c38286d1ccdca05d6f27199af82e00272f1e59b566a32e0f

      SHA512

      298229bea2803a6a7cf9684d5d9a4ab620c2288aea3eabd6f9b13866685392cacd3b95ac0a52514759fc1bd8bdb8f90cdb4523861769dbea07ee358143a8e834

      Download Submit
    • C:\Users\Admin\AppData\Local\Packages\E2A4F912-2574-4A75-9BB0-0D023378592B_cw5n1h2txyewy\AC\INetHistory\xfP9dBbOggaQmVVYNbs3rYCgObrwxA0kFwoHcpGvIi.exe
      Filesize

      1.3MB

      MD5

      4058e530ef90ad776a23890c1cc1bf8b

      SHA1

      ba5689ac8c4be9d424444a417c4e75f0e6be9e30

      SHA256

      62578faf9bcc1310475c93182fced42f394728fe3274c179f9c6eebaf6273cdc

      SHA512

      2ef0a07411925db85234591ba65a7b1983509794cdc4be78c8290dd73da45b6842b4e43b84110464a9fa0494e2bbf360f80f618ee2b73d70af06d16a0149b331

      Download Submit
    • C:\Users\Admin\AppData\Local\Packages\Microsoft.BioEnrollment_cw5n1h2txyewy\AppData\MeRbFe5wZWB1I8P.bat
      Filesize

      1.8MB

      MD5

      75e27f919e9ec3f72604870f93241640

      SHA1

      388ea420c2a88840edefccda20bac5f5ba4fbe8d

      SHA256

      b2cd421743c4f89459746d9153199a4e0284b1ccdd3850bcabe7f370195f448f

      SHA512

      a3f4c45d2ec79f1be8278e703fd675ad7538aebbe99148ad965e65c90f9150ef2a1f0510189a45e8a27ddc55df8cabb8b2ce50268b6f2db44998d797edb6ad2a

      Download Submit
    • C:\Users\Admin\AppData\Local\Packages\Microsoft.BioEnrollment_cw5n1h2txyewy\AppData\MeRbFe5wZWB1I8P.bat
      Filesize

      1.8MB

      MD5

      75e27f919e9ec3f72604870f93241640

      SHA1

      388ea420c2a88840edefccda20bac5f5ba4fbe8d

      SHA256

      b2cd421743c4f89459746d9153199a4e0284b1ccdd3850bcabe7f370195f448f

      SHA512

      a3f4c45d2ec79f1be8278e703fd675ad7538aebbe99148ad965e65c90f9150ef2a1f0510189a45e8a27ddc55df8cabb8b2ce50268b6f2db44998d797edb6ad2a

      Download Submit
    • C:\Users\Admin\AppData\Local\Packages\Microsoft.BioEnrollment_cw5n1h2txyewy\AppData\MeRbFe5wZWB1I8P.bat
      Filesize

      1.8MB

      MD5

      75e27f919e9ec3f72604870f93241640

      SHA1

      388ea420c2a88840edefccda20bac5f5ba4fbe8d

      SHA256

      b2cd421743c4f89459746d9153199a4e0284b1ccdd3850bcabe7f370195f448f

      SHA512

      a3f4c45d2ec79f1be8278e703fd675ad7538aebbe99148ad965e65c90f9150ef2a1f0510189a45e8a27ddc55df8cabb8b2ce50268b6f2db44998d797edb6ad2a

      Download Submit
    • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\SystemAppData\9O2FG8Bu7QmgN0F6LS2h7x6TpL0Q6RFWPw8cg58.exe
      Filesize

      1.1MB

      MD5

      06590bced6d797e96d5ec37009b59fde

      SHA1

      28a5780b4518d377cad665be6434cc0584dca6c8

      SHA256

      96baa46b55bf39b6e6262debff805cf968014a3c54492871bd6304ac6c2decd3

      SHA512

      b5fc2fa5ab2d31f4b72dee148b76b0a8751322861e0340f6ef049944c1af599d4a294e7b9bb80e50e8bc6ba95a669f9ccc255b3a86169d43a5e94588900b68a3

      Download Submit
    • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\RoamingState\Yrga0m4NdfzIpUmTbgPzESwC.bat
      Filesize

      2.1MB

      MD5

      94bda872d04c84fe3d6b6fbade974d73

      SHA1

      21c4313ac0ad000df8c9b1fdfef79f3592f8c395

      SHA256

      0f634488988fed19f3ef6f2e48271b2dde5ea44e0b42ebc95df1c4ea227d3bae

      SHA512

      408ffa2f3d347ed8eec7a85f813824ebc1fa756bfeba565bb402ab72b536943ee706bdf145c6bb634f0fdfd804eca6559b2e4f39ca2c4d4899ed47fd854c2bfc

      Download Submit
    • C:\Users\Admin\AppData\Local\Packages\c5e2524a-ea46-4f67-841f-6a9465d9d515_cw5n1h2txyewy\lxjGJWxNZdmwFsHynWzxom8v2W5B6zXkcnqyVP1fPueZmCuQeWFJUaueP2R0jQ.exe
      Filesize

      989KB

      MD5

      d840f8d00565f7ab042884bfe23eb0a7

      SHA1

      60dc5e2b0e15788f466da4aee77e22b9e28e4a47

      SHA256

      16e6d348b7a7289bdfdfdf096545c16a2bdc8a5322d96116a1152a9984bf1edb

      SHA512

      4cd8c6295276518df9fd882d797a99be270201666c8c2a8c4fa8369fb4e88a950d5c0d1c629893655d45deddae8cb7cab1b602c5fba17e5113fd3fe5f58a7438

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Microsoft\UProof\4SfJHfwmCZWN9smHUj.exe
      Filesize

      1.5MB

      MD5

      618ec196b4b2d2114c7e15267e009f7a

      SHA1

      a4538458931f75ad3ce7a79a5dd3cb4847a686d8

      SHA256

      e36b2c245d454aa78d4678812b72a32e69eaf3cb2907101baedd7579d4914966

      SHA512

      b418b5bb8e33b6a06c01ea6d2126617d62e43ec7ceb2eacc3ff171e6e50d1dc597b399db08842aa8f400a878a57d7eaa026fb9c206b51a85663290224b32a35a

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\QHN2mCgvuTWuilvgfRsk6sh4qdrnLcfp9imqfTb78jxcc6.exe
      Filesize

      1.6MB

      MD5

      368b59cbf4025fed3967134a7696bc7b

      SHA1

      d85c21d8f7fab74f0695df4e5d740e5f84008475

      SHA256

      eeeb24a38742d8a3a6a1bfe9ad14f87cc71aaf2d7941562ffddb27890dcebce0

      SHA512

      d41c4a2d2a7074426fe6b6ad75661c5f5e313c6502c9e0bc79a0a52274218a7653d604a6e38c07880c989d4f13c6935d6f6401c9d560d676abf25c5e0328b36d

      Download Submit
    • memory/1072-137-0x0000000000400000-0x000000000042D000-memory.dmp
      Filesize

      180KB

      Download
    • memory/1072-146-0x0000000000400000-0x000000000042D000-memory.dmp
      Filesize

      180KB

      Download
    • memory/1072-149-0x0000000000400000-0x000000000042D000-memory.dmp
      Filesize

      180KB

      Download
    • memory/1072-134-0x0000000000000000-mapping.dmp
      Download
    • memory/1656-132-0x0000000000400000-0x000000000042D000-memory.dmp
      Filesize

      180KB

      Download
    • memory/1656-133-0x0000000000400000-0x000000000042D000-memory.dmp
      Filesize

      180KB

      Download
    • memory/1952-147-0x0000000000000000-mapping.dmp
      Download
    • memory/1952-152-0x0000000000400000-0x000000000042D000-memory.dmp
      Filesize

      180KB

      Download
    • memory/1952-153-0x0000000000400000-0x000000000042D000-memory.dmp
      Filesize

      180KB

      Download