Overview

overview

10

Static

static

b9b62d4efd...1f.exe

windows7-x64

b9b62d4efd...1f.exe

windows10-2004-x64

Analysis

  • max time kernel
    43s
  • max time network
    39s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    25-11-2022 08:24

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    b9b62d4efd53a9866a2cd84c16172af87508ae35607cfe18e9fe85b0dc16c91f.exe

  • Size

    1.3MB

  • MD5

    16f59c62272b1343d309e3e1b0da7825

  • SHA1

    bf82748483677a98195cb23e4f69dd098085ccbb

  • SHA256

    b9b62d4efd53a9866a2cd84c16172af87508ae35607cfe18e9fe85b0dc16c91f

  • SHA512

    400fa1e99e5a35666cbfd34eb65c0eaff1a22f64d23ab4a6437f75f77082335c6b02e5c6776e3e51d652cd8b7eb602d707045bd6c1b42b5ae17746e4c793df70

  • SSDEEP

    3072:aSsvihLlTQz9z71iURo2SJJmY6uFNcgifDbmeTXwVdBR:rsqhJMxzJiU5SeLmNSbmebW1

Score
10/10
persistencespywarestealer

Malware Config

Signatures

  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Adds policy Run key to start application 2 TTPs 7 IoCs
    persistence
  • Executes dropped EXE 2 IoCs
  • Sets file execution options in registry 2 TTPs 8 IoCs
    persistence
  • Drops startup file 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS 60 IoCs
  • Modifies registry class 12 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    1⤵
      PID:584
      • C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\60\w7Yn4FvbZxTEOaKvpRFho22thL45caQooUMviu.bat
        "C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\60\w7Yn4FvbZxTEOaKvpRFho22thL45caQooUMviu.bat" 2
        2⤵
        • Executes dropped EXE
        • Sets file execution options in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:924
    • C:\Users\Admin\AppData\Local\Temp\b9b62d4efd53a9866a2cd84c16172af87508ae35607cfe18e9fe85b0dc16c91f.exe
      "C:\Users\Admin\AppData\Local\Temp\b9b62d4efd53a9866a2cd84c16172af87508ae35607cfe18e9fe85b0dc16c91f.exe"
      1⤵
      • Adds policy Run key to start application
      • Drops startup file
      • Modifies data under HKEY_USERS
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      PID:1744
    • C:\Windows\system32\LogonUI.exe
      "LogonUI.exe" /flags:0x0
      1⤵
        PID:1860
      • C:\Windows\system32\AUDIODG.EXE
        C:\Windows\system32\AUDIODG.EXE 0x484
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:276
      • C:\Windows\system32\LogonUI.exe
        "LogonUI.exe" /flags:0x1
        1⤵
          PID:1672
        • C:\Windows\system32\gpscript.exe
          gpscript.exe /Shutdown
          1⤵
          • Loads dropped DLL
          • Modifies data under HKEY_USERS
          • Suspicious use of WriteProcessMemory
          PID:1868
          • C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\60\w7Yn4FvbZxTEOaKvpRFho22thL45caQooUMviu.bat
            "C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\60\w7Yn4FvbZxTEOaKvpRFho22thL45caQooUMviu.bat" 1
            2⤵
            • Suspicious use of NtCreateUserProcessOtherParentProcess
            • Adds policy Run key to start application
            • Executes dropped EXE
            • Sets file execution options in registry
            • Loads dropped DLL
            • Modifies data under HKEY_USERS
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1924

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\ProgramData\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\gYx2F7ofU.exe
          Filesize

          1.4MB

          MD5

          d279d432848a6bbab204071552100f94

          SHA1

          45498861ba2092d54c3974a55bcbcddd2c571b8f

          SHA256

          7a00e9d4be348a443b754f15cf5d8c92f51066bf315f28e3d73aad45c3655f41

          SHA512

          e0b82ea628dbd241900bc47d18e4b0d5e0aa410ab9908d23d2c7e5f581f9ebb077a0f9e12385c7c3817597a0d2aff750982f2b218cd8186da0a8470860777625

          Download Submit
        • C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\14\NmkjbnWkQtdWrdIuRPdxuQWQ8Z2SRSMYJOwjP9Ws3I.exe
          Filesize

          2.9MB

          MD5

          2dc93c8a1c33e3e79200f9bddef56d74

          SHA1

          37ebf8a27a65ef9f80f5b6de1daeb2658f5af5e3

          SHA256

          088a3a1e525221512d294301803563c4f15ebe6069b03f5436bb872a786f3f2d

          SHA512

          7951f6bd7753af42cf98bda0891692ed798b2de32fc48a004844eb4926cd74a977b041c739519c52d45cf02b4992250b250d50aedde5eb9bf6b491067b756350

          Download Submit
        • C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\35\qkwf0r1DRFfcbbIPdMIiUstVXKY6hTjafZST3l3JanMSv.exe
          Filesize

          1.6MB

          MD5

          66f3068e9406a737160ff15852217278

          SHA1

          97ca7dc38a5c558d847ef2a57f800f3ed5560317

          SHA256

          8519abb30974ec8be0444f027ff1e3fe99c8ed7f692ec06c56c0964151f5ed43

          SHA512

          40af21817ee52a2ec66c8e4d495f319f14d06a4b99c2438d9959c43193c193d73e2f32ee68d3c2cc3a54028d8975ebe5579b28f532dcfdb6afe347ecc9087329

          Download Submit
        • C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\60\w7Yn4FvbZxTEOaKvpRFho22thL45caQooUMviu.bat
          Filesize

          1.9MB

          MD5

          b921c800e2fa6fa51a35a8876bb55512

          SHA1

          315ac53e6abb5ca63684a0ea5e92c446bb457ab4

          SHA256

          940cc5d54e3c1abc5bb25712086656d7d2445a46eee1d05397a1e430fe18a2b3

          SHA512

          3637c548129b7004e96b63427c6cc3900097df4ebec9d51ccfd75ae40924509080196a1bdeb2fdd28c097ca46504c2b677e7cf352d806d8abc5893392f93552f

          Download Submit
        • C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\60\w7Yn4FvbZxTEOaKvpRFho22thL45caQooUMviu.bat
          Filesize

          1.9MB

          MD5

          b921c800e2fa6fa51a35a8876bb55512

          SHA1

          315ac53e6abb5ca63684a0ea5e92c446bb457ab4

          SHA256

          940cc5d54e3c1abc5bb25712086656d7d2445a46eee1d05397a1e430fe18a2b3

          SHA512

          3637c548129b7004e96b63427c6cc3900097df4ebec9d51ccfd75ae40924509080196a1bdeb2fdd28c097ca46504c2b677e7cf352d806d8abc5893392f93552f

          Download Submit
        • C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\60\w7Yn4FvbZxTEOaKvpRFho22thL45caQooUMviu.bat
          Filesize

          1.9MB

          MD5

          b921c800e2fa6fa51a35a8876bb55512

          SHA1

          315ac53e6abb5ca63684a0ea5e92c446bb457ab4

          SHA256

          940cc5d54e3c1abc5bb25712086656d7d2445a46eee1d05397a1e430fe18a2b3

          SHA512

          3637c548129b7004e96b63427c6cc3900097df4ebec9d51ccfd75ae40924509080196a1bdeb2fdd28c097ca46504c2b677e7cf352d806d8abc5893392f93552f

          Download Submit
        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\jcLqKycdo3.exe
          Filesize

          2.1MB

          MD5

          9723ebb5d3086f1b1f1d660c1894dca5

          SHA1

          d19eb2d0e4539cd256f7b16cfd5a20366cb66243

          SHA256

          fb6dc81ecfebe69673b7e2e68371db9fb4af115ef6d5aa0196b1fab53fa8f878

          SHA512

          85c86ea432c02e6ddc5f9feaedc2b505d12891bcfe89fe5ac2ff44146c1f2c8b482e72a5cff704ceb933ddef886c20f98c781162dd471827af4489b847a85c81

          Download Submit
        • C:\Users\Admin\AppData\Local\KiwZ635tWtwQfwpSQtkPi0GqypPXNGQj3LxIiAv0phBTUG.exe
          Filesize

          1.9MB

          MD5

          03ac9f4ff9d2dbb14d588d227779f14d

          SHA1

          936e6fb3ec41a4b360a2d1d37a048a36c10fd2db

          SHA256

          977df18bdc35fdcf486e62066616c46d33b32744072c554fc910ec43f3862b3e

          SHA512

          5da231f68ae755357aedb685f6ff9fc48eef652ad863c0419e8f10def6d0ee8012f6013a0105f8ef9888f1192c4528efb3b1ea0960b189d5216b1e9b81ca6c81

          Download Submit
        • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4gq1sglk.default-release\cache2\entries\nFlOHclhNAftqaTpx8THjKg.exe
          Filesize

          2.1MB

          MD5

          dea744f0aa75651723eb56865f83de73

          SHA1

          1d2538759bdde576a3f14ff64ffc3aad72dea14c

          SHA256

          b83c2c235f50f817e289681268e2d92a7185148cd2d3d1592a14313473d1ce02

          SHA512

          329cd417a4ad87dffbb35e07e44dc045b829980348e064c3d096f61f63d210110355066f3c57ca84b2e82d1b3d34398167c8e9db6bcfd974a16d327d348e3728

          Download Submit
        • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4gq1sglk.default-release\thumbnails\foP8CRntXa35Qd6AwVrtxA5wrsiCkVFOVcM2oQ0QjaMLlRae7iGmIcjFN.exe
          Filesize

          1.9MB

          MD5

          5c5616d4bcf531bc9cffc8d1b9ac8807

          SHA1

          4f42daaaaeb9f1f3fd5d63ed01fcfecb2a7bff4a

          SHA256

          36700d09585b570480d59946a284b3dbdb64ae675a47725eba872c1318ca4fdb

          SHA512

          76cd56094fc020e349b25028dfcba738222938b8dd15bf24c0b5169cf0bc345a473351cdc9d3d5ff6a83f2df9f8fffad50620d5a036d93662d77c280ca37aa19

          Download Submit
        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\HEO5n4iv575q8r3edvippA83IT9DOByfodbFKNUGpdaX8EujCeBfZNPXA5hHbaRA4XEfv.exe
          Filesize

          1.8MB

          MD5

          ca449abd4ae826b5927d0d2e3304dfa0

          SHA1

          07d4b5485a94ca21c52aea0c558e7275d0d59385

          SHA256

          6371d719097d2fc4c97e2479c5cd059c0076cd300c5aa6a5700328f2aeae14f9

          SHA512

          896c5164cef94dafc4d9e26fefe2b72b64fc1c69cfe41fc67a0765378ee29bd36c2bf19326a7781a7b9162082a430ee9c01c717f947e6fac815388a2048749ce

          Download Submit
        • C:\Users\Admin\AppData\Roaming\Mozilla\Extensions\cqYL3GIKeE94AtzAr5e9qlc6Sm5Y8H6sf3NfRimcOAKtZdG7APLKSIc1AQUAfvcrxeeymHt.bat
          Filesize

          3.1MB

          MD5

          50b480904caaf3c1f3e2d61c22d3f068

          SHA1

          ef6ef905487bd86374d6c62c14e1213c22b04a7d

          SHA256

          d937513f933de4ad74c3191d6d287cd7dd5fa95aef8c323d744a8f6f543d858d

          SHA512

          598d239a1a089813bc0223360547297d7127fe70d7337794b79b0c1fc388db686a3002637ca8f9f821fdb8eba84fb26cbd7c7916a9a0defa68c7fe1d274d489e

          Download Submit
        • C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\p6Kr5wLafChYy3jkalBho0LUme59u3oW7sgUPoIwyp5tjMO.exe
          Filesize

          2.4MB

          MD5

          e334bdc2647102c7baa14126d5f9079e

          SHA1

          b7223536e0fd61c5c6bb353c9fc03c9eac3a4d69

          SHA256

          e32ed0884743514210cd35983d6e022c668d4a1da36d3830fe53d933a39629fc

          SHA512

          ab0143b57bcc45f28e722aadc83f5881b892caecf15b99308a6ba700abd698243da29ff3797dcf693dd131d3bd23110dd88bd153b65d5ca9c09b4fc1a0c98a1f

          Download Submit
        • \Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\60\w7Yn4FvbZxTEOaKvpRFho22thL45caQooUMviu.bat
          Filesize

          1.9MB

          MD5

          b921c800e2fa6fa51a35a8876bb55512

          SHA1

          315ac53e6abb5ca63684a0ea5e92c446bb457ab4

          SHA256

          940cc5d54e3c1abc5bb25712086656d7d2445a46eee1d05397a1e430fe18a2b3

          SHA512

          3637c548129b7004e96b63427c6cc3900097df4ebec9d51ccfd75ae40924509080196a1bdeb2fdd28c097ca46504c2b677e7cf352d806d8abc5893392f93552f

          Download Submit
        • \Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\60\w7Yn4FvbZxTEOaKvpRFho22thL45caQooUMviu.bat
          Filesize

          1.9MB

          MD5

          b921c800e2fa6fa51a35a8876bb55512

          SHA1

          315ac53e6abb5ca63684a0ea5e92c446bb457ab4

          SHA256

          940cc5d54e3c1abc5bb25712086656d7d2445a46eee1d05397a1e430fe18a2b3

          SHA512

          3637c548129b7004e96b63427c6cc3900097df4ebec9d51ccfd75ae40924509080196a1bdeb2fdd28c097ca46504c2b677e7cf352d806d8abc5893392f93552f

          Download Submit
        • \Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\60\w7Yn4FvbZxTEOaKvpRFho22thL45caQooUMviu.bat
          Filesize

          1.9MB

          MD5

          b921c800e2fa6fa51a35a8876bb55512

          SHA1

          315ac53e6abb5ca63684a0ea5e92c446bb457ab4

          SHA256

          940cc5d54e3c1abc5bb25712086656d7d2445a46eee1d05397a1e430fe18a2b3

          SHA512

          3637c548129b7004e96b63427c6cc3900097df4ebec9d51ccfd75ae40924509080196a1bdeb2fdd28c097ca46504c2b677e7cf352d806d8abc5893392f93552f

          Download Submit
        • memory/924-83-0x0000000000400000-0x000000000042D000-memory.dmp
          Filesize

          180KB

          Download
        • memory/924-78-0x0000000000000000-mapping.dmp
          Download
        • memory/1744-55-0x0000000000400000-0x000000000042D000-memory.dmp
          Filesize

          180KB

          Download
        • memory/1744-54-0x0000000000400000-0x000000000042D000-memory.dmp
          Filesize

          180KB

          Download
        • memory/1860-56-0x000007FEFB651000-0x000007FEFB653000-memory.dmp
          Filesize

          8KB

          Download
        • memory/1868-76-0x0000000000EC0000-0x0000000000EED000-memory.dmp
          Filesize

          180KB

          Download
        • memory/1868-65-0x0000000000EC0000-0x0000000000EED000-memory.dmp
          Filesize

          180KB

          Download
        • memory/1868-63-0x0000000000EC0000-0x0000000000EED000-memory.dmp
          Filesize

          180KB

          Download
        • memory/1924-62-0x0000000000000000-mapping.dmp
          Download
        • memory/1924-80-0x0000000000400000-0x000000000042D000-memory.dmp
          Filesize

          180KB

          Download
        • memory/1924-73-0x0000000000400000-0x000000000042D000-memory.dmp
          Filesize

          180KB

          Download