Overview

overview

10

Static

static

e03721ab71...6a.exe

windows7-x64

e03721ab71...6a.exe

windows10-2004-x64

Analysis

  • max time kernel
    83s
  • max time network
    46s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    25-11-2022 08:24

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    e03721ab718cf1b59d47a92fe10cf3e385267ec1c632b6a293f511e61348746a.exe

  • Size

    1.1MB

  • MD5

    fcf2f679e2b3bfeafaf385af4a25eb61

  • SHA1

    a5407da3447f9fa11c4541892efd7e0582349fe7

  • SHA256

    e03721ab718cf1b59d47a92fe10cf3e385267ec1c632b6a293f511e61348746a

  • SHA512

    56821b24a31ed75c6bd2683c8046c0c1ef66093205f9f1f2282246c1ef131df86889405f7692ea42c1e5c8ef21502aa159e045f6ad6a5fceb0f4fb7ff73a5016

  • SSDEEP

    3072:aSsvihLlTQz9z71iURo2SJJmY6uFNcgifDbmeTXwVdBR:rsqhJMxzJiU5SeLmNSbmebW1

Score
10/10
persistencespywarestealer

Malware Config

Signatures

  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Adds policy Run key to start application 2 TTPs 7 IoCs
    persistence
  • Executes dropped EXE 2 IoCs
  • Sets file execution options in registry 2 TTPs 8 IoCs
    persistence
  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS 59 IoCs
  • Modifies registry class 12 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    1⤵
      PID:592
      • C:\ProgramData\Microsoft\Assistance\Client\1.0\it-IT\QKuEfTavmL8LwICuVDBIL8L9S0Ke68E4aTBs3oMm01dtV2ste.exe
        "C:\ProgramData\Microsoft\Assistance\Client\1.0\it-IT\QKuEfTavmL8LwICuVDBIL8L9S0Ke68E4aTBs3oMm01dtV2ste.exe" 2
        2⤵
        • Executes dropped EXE
        • Sets file execution options in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:972
    • C:\Users\Admin\AppData\Local\Temp\e03721ab718cf1b59d47a92fe10cf3e385267ec1c632b6a293f511e61348746a.exe
      "C:\Users\Admin\AppData\Local\Temp\e03721ab718cf1b59d47a92fe10cf3e385267ec1c632b6a293f511e61348746a.exe"
      1⤵
      • Adds policy Run key to start application
      • Modifies data under HKEY_USERS
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      PID:1636
    • C:\Windows\system32\LogonUI.exe
      "LogonUI.exe" /flags:0x0
      1⤵
        PID:844
      • C:\Windows\system32\AUDIODG.EXE
        C:\Windows\system32\AUDIODG.EXE 0x4f0
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1268
      • C:\Windows\system32\LogonUI.exe
        "LogonUI.exe" /flags:0x1
        1⤵
          PID:1536
        • C:\Windows\system32\gpscript.exe
          gpscript.exe /Shutdown
          1⤵
          • Loads dropped DLL
          • Modifies data under HKEY_USERS
          • Suspicious use of WriteProcessMemory
          PID:1916
          • C:\ProgramData\Microsoft\Assistance\Client\1.0\it-IT\QKuEfTavmL8LwICuVDBIL8L9S0Ke68E4aTBs3oMm01dtV2ste.exe
            "C:\ProgramData\Microsoft\Assistance\Client\1.0\it-IT\QKuEfTavmL8LwICuVDBIL8L9S0Ke68E4aTBs3oMm01dtV2ste.exe" 1
            2⤵
            • Suspicious use of NtCreateUserProcessOtherParentProcess
            • Adds policy Run key to start application
            • Executes dropped EXE
            • Sets file execution options in registry
            • Loads dropped DLL
            • Modifies data under HKEY_USERS
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1104

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\ProgramData\Microsoft\Assistance\Client\1.0\it-IT\QKuEfTavmL8LwICuVDBIL8L9S0Ke68E4aTBs3oMm01dtV2ste.exe
          Filesize

          2.0MB

          MD5

          4059696e57f7ae13674888f6773c037a

          SHA1

          acfbbdccba4e9981c7c971895140c866215b8635

          SHA256

          4c61cef0e47c48cea6bc730714fa723b0a491f867df1cf8706cd05fc19a1710d

          SHA512

          808af23400c72b38753ecf1182b871839917eb1424f6c5058f8f5c5d9619184b8192fb95669f31b411c3f2132d23cfe3bd394ba72e8a5327ab5a36fe9302e200

          Download Submit
        • C:\ProgramData\Microsoft\Assistance\Client\1.0\it-IT\QKuEfTavmL8LwICuVDBIL8L9S0Ke68E4aTBs3oMm01dtV2ste.exe
          Filesize

          2.0MB

          MD5

          4059696e57f7ae13674888f6773c037a

          SHA1

          acfbbdccba4e9981c7c971895140c866215b8635

          SHA256

          4c61cef0e47c48cea6bc730714fa723b0a491f867df1cf8706cd05fc19a1710d

          SHA512

          808af23400c72b38753ecf1182b871839917eb1424f6c5058f8f5c5d9619184b8192fb95669f31b411c3f2132d23cfe3bd394ba72e8a5327ab5a36fe9302e200

          Download Submit
        • C:\ProgramData\Microsoft\Assistance\Client\1.0\it-IT\QKuEfTavmL8LwICuVDBIL8L9S0Ke68E4aTBs3oMm01dtV2ste.exe
          Filesize

          2.0MB

          MD5

          4059696e57f7ae13674888f6773c037a

          SHA1

          acfbbdccba4e9981c7c971895140c866215b8635

          SHA256

          4c61cef0e47c48cea6bc730714fa723b0a491f867df1cf8706cd05fc19a1710d

          SHA512

          808af23400c72b38753ecf1182b871839917eb1424f6c5058f8f5c5d9619184b8192fb95669f31b411c3f2132d23cfe3bd394ba72e8a5327ab5a36fe9302e200

          Download Submit
        • C:\ProgramData\Microsoft\Assistance\Client\1.0\ja-JP\K6PyDUj0AP6cwqXJT5PphHxZTuIIeAItHZNTSI1ndiS.exe
          Filesize

          1.9MB

          MD5

          2525b57c157438783ae19445ad25e250

          SHA1

          1d67dbf9d2a654e292dc2d85d7a733db99898118

          SHA256

          3fea4d04b94d0b4f445030e597226e3da23f35a190d6c7424bf401b67834da8b

          SHA512

          54d63b31ec82c9c13c57b1a4d038fbdd8f164158ca7db7af94fa1c9a108f7ea856699de554a5aa51f32d1a27ed7fa98e61611271b664b3e2e97c48ab29500bd2

          Download Submit
        • C:\ProgramData\Microsoft\Windows\Ringtones\Fg1gVvQLAfua3OuI0ictGKmKYG3Gl3MiHkcWRhHt34ZcvbZDYcP9qFeUgNYYoJVVwQUr.exe
          Filesize

          1.3MB

          MD5

          315f73397da68695475f8bbe1a32a5a6

          SHA1

          b35638dd2ec6c22424168f192a57198b9d4bafee

          SHA256

          1988e3d1865e8028c31a8b417b90843771668e6a17a099c15d250a666b749ccf

          SHA512

          23026f74f57cf47cfb8c596d849c19d2d003369f33f54168b36d9ea628a8f1f5c4640a81c5dad1fcd1b44cd8055ae032081076d2ac651b736e9d6b4d7a730c52

          Download Submit
        • C:\ProgramData\Package Cache\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}v12.0.40660\packages\pZPhGM948NEth9VaVDO27StmwHD6EQixssTb1.exe
          Filesize

          1.2MB

          MD5

          b3e9535e0b9cd5282d774bced90194fe

          SHA1

          2d74c62afca8f943b184a2c593202011cdaef1d2

          SHA256

          b33e032c64d53bb2219d4f791516e0db00cadcbf4279295539c179abcb9af1df

          SHA512

          d8ac8a36899c30895e11054b052311b767df9d8665f697ec3d4d5fd274c8584dba0da672145a4eaca9f3ef10c8f537fdbca5cdafd4859ca9e511753b26f6c9da

          Download Submit
        • C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\fB31Olj8nwWpZxETGQ5NRKnvssyB.exe
          Filesize

          2.0MB

          MD5

          35067a4219ff428b964eae062b119605

          SHA1

          495a7d85d7486415a2a5b780f53aa5d8bb10d276

          SHA256

          2f95ee219d7a3c0e5b68612b49b89573331872fb91a444a6624f33a8d477caa6

          SHA512

          0d183c4051f69409153251d89c8cfd948c9f9b1f07c7e8c3342573ba0d5e953a678ab33978b5145f2ffb6c4134e2de283d712b80ea98cd4ec2c9a9a29c378483

          Download Submit
        • C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\26\kICdjIHwYD1f9sq.exe
          Filesize

          1.7MB

          MD5

          0b4c136ce00207b1aa24d9ab3f360d16

          SHA1

          3e93d28a5cf992a83896df1922ea2fdc21b21e01

          SHA256

          eafa44d3b291b0f78468832373e824d46815e4aeacab8ede05e2c98eecac9b20

          SHA512

          047e73ff43a6ff2a6e132ceea05f0ea7195ecd1c0f6903f35378078ba478f1e9d46b089f3c97de231f9e202743af17809f7758d92be174c2105525a6142a87de

          Download Submit
        • C:\Users\Admin\AppData\Local\Microsoft\Office\Groove\NV9rsKayaaNrah5G4MVRBL3aBeswaQb8VJbvxxK50Z2zbkWfliUWMh.exe
          Filesize

          3.9MB

          MD5

          ee9d1f2b2b7458d118f7232fd42d7ed0

          SHA1

          6d34cfff6b5acdde83686169f695288874590ccc

          SHA256

          3e67a45dae80fdf4ee08a018fee94f492b3e1c537a6bfc66a74fc64613218fff

          SHA512

          9f4d355f8aef9c13c9cbacc096736e7f881783f1d2032bee01e44cdddfc7ce3dba04d7af8e9d6e1913d1b5fc61297151d3b695c2b04797df69b7ad00c0798288

          Download Submit
        • C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\xcOGmDKPn3O3ZAnIIJmcfXVTTeXpjhofs2fSAxMcslJ90NSchUi8Wpp.exe
          Filesize

          2.1MB

          MD5

          cda0f2b393ba8f26135bf681f39c1f05

          SHA1

          bd3ef42db8f7a5966c6991c06725de4bcb5a8d86

          SHA256

          02a320ff6586b8d0c7ad4c9170e3e00f90868baff457a302ac59f14ef7249258

          SHA512

          062caeb04a3f4f4f2a123e4f586e25f170e8722de7974a46fa681df2e80e096b0c480b070bde157de487a8cd6f1cb97442d64e81ce694491b4450b0b64eabef8

          Download Submit
        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\DrSNsBmTO2VD8aw0mTXAifFMAdOPPpjTlXyJ1slL0vX8JFLU976u.exe
          Filesize

          4.0MB

          MD5

          ba5317181b9152e0037bc971f8005874

          SHA1

          c9f546752113f9ef74d9889b6985e286327b9365

          SHA256

          e23bd768408fa247d460e75d50e372f04a174d3b68ed6d462092e7f550448cf8

          SHA512

          2937cd1371a1e61b113a04db4e2ccd813763f8ce93bb846f7b099db62f314f2e8078da91ff501680d471f72527084c7c6647b6f8a29d29e89a42bfd8f9ab1f9e

          Download Submit
        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iwv3qbnj.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.files\i27SqZYZXuDlNrHxgIFzGSIRuyfipV9qDjs3HqZKbkL.exe
          Filesize

          2.0MB

          MD5

          77d50d58a77866a7cb11931c1f48d786

          SHA1

          4edf5a7e6aec5e39045476c01b0027b5d204bc65

          SHA256

          4de813c734f1e2a3efee29ca4824bf59774379a7df7155d76e13977fee65776d

          SHA512

          8835d9c349d842e90287bf945ad493773f0c3a996528bc4153f7880ab681b020a6cd86b124da22091e47adc120d61da76211beeb949e7b8850559a9e715f4678

          Download Submit
        • C:\Users\Admin\Documents\LlpLRPfIhmoV9qTPD5tqAgIX2ruxWr.exe
          Filesize

          1.8MB

          MD5

          a097003cd68c5f5814cc0703efc590ff

          SHA1

          8c55bd3545a02542dc0188b48120ffca7ef5578d

          SHA256

          7b2b9ec6038586b72bc22f0e595fa7beb04b0f034b0922de94e5d17fab129869

          SHA512

          42569fbc7b3b4d63ceaf466341d429b63a0c029f3cbb84e610896afbce0cadd0bbb7e9b56a1070aaab106c9d228b8bcb3ac1321ea96315f0366786377439c1e1

          Download Submit
        • \ProgramData\Microsoft\Assistance\Client\1.0\it-IT\QKuEfTavmL8LwICuVDBIL8L9S0Ke68E4aTBs3oMm01dtV2ste.exe
          Filesize

          2.0MB

          MD5

          4059696e57f7ae13674888f6773c037a

          SHA1

          acfbbdccba4e9981c7c971895140c866215b8635

          SHA256

          4c61cef0e47c48cea6bc730714fa723b0a491f867df1cf8706cd05fc19a1710d

          SHA512

          808af23400c72b38753ecf1182b871839917eb1424f6c5058f8f5c5d9619184b8192fb95669f31b411c3f2132d23cfe3bd394ba72e8a5327ab5a36fe9302e200

          Download Submit
        • \ProgramData\Microsoft\Assistance\Client\1.0\it-IT\QKuEfTavmL8LwICuVDBIL8L9S0Ke68E4aTBs3oMm01dtV2ste.exe
          Filesize

          2.0MB

          MD5

          4059696e57f7ae13674888f6773c037a

          SHA1

          acfbbdccba4e9981c7c971895140c866215b8635

          SHA256

          4c61cef0e47c48cea6bc730714fa723b0a491f867df1cf8706cd05fc19a1710d

          SHA512

          808af23400c72b38753ecf1182b871839917eb1424f6c5058f8f5c5d9619184b8192fb95669f31b411c3f2132d23cfe3bd394ba72e8a5327ab5a36fe9302e200

          Download Submit
        • \ProgramData\Microsoft\Assistance\Client\1.0\it-IT\QKuEfTavmL8LwICuVDBIL8L9S0Ke68E4aTBs3oMm01dtV2ste.exe
          Filesize

          2.0MB

          MD5

          4059696e57f7ae13674888f6773c037a

          SHA1

          acfbbdccba4e9981c7c971895140c866215b8635

          SHA256

          4c61cef0e47c48cea6bc730714fa723b0a491f867df1cf8706cd05fc19a1710d

          SHA512

          808af23400c72b38753ecf1182b871839917eb1424f6c5058f8f5c5d9619184b8192fb95669f31b411c3f2132d23cfe3bd394ba72e8a5327ab5a36fe9302e200

          Download Submit
        • memory/844-54-0x000007FEFC421000-0x000007FEFC423000-memory.dmp
          Filesize

          8KB

          Download
        • memory/972-76-0x0000000000000000-mapping.dmp
          Download
        • memory/972-81-0x0000000000400000-0x000000000042D000-memory.dmp
          Filesize

          180KB

          Download
        • memory/1104-74-0x0000000000400000-0x000000000042D000-memory.dmp
          Filesize

          180KB

          Download
        • memory/1104-78-0x0000000000400000-0x000000000042D000-memory.dmp
          Filesize

          180KB

          Download
        • memory/1104-61-0x0000000000000000-mapping.dmp
          Download
        • memory/1636-55-0x0000000000400000-0x000000000042D000-memory.dmp
          Filesize

          180KB

          Download
        • memory/1916-64-0x0000000000F30000-0x0000000000F5D000-memory.dmp
          Filesize

          180KB

          Download
        • memory/1916-62-0x0000000000F30000-0x0000000000F5D000-memory.dmp
          Filesize

          180KB

          Download