Overview

overview

10

Static

static

e03721ab71...6a.exe

windows7-x64

e03721ab71...6a.exe

windows10-2004-x64

Analysis

  • max time kernel
    61s
  • max time network
    58s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-11-2022 08:24

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    e03721ab718cf1b59d47a92fe10cf3e385267ec1c632b6a293f511e61348746a.exe

  • Size

    1.1MB

  • MD5

    fcf2f679e2b3bfeafaf385af4a25eb61

  • SHA1

    a5407da3447f9fa11c4541892efd7e0582349fe7

  • SHA256

    e03721ab718cf1b59d47a92fe10cf3e385267ec1c632b6a293f511e61348746a

  • SHA512

    56821b24a31ed75c6bd2683c8046c0c1ef66093205f9f1f2282246c1ef131df86889405f7692ea42c1e5c8ef21502aa159e045f6ad6a5fceb0f4fb7ff73a5016

  • SSDEEP

    3072:aSsvihLlTQz9z71iURo2SJJmY6uFNcgifDbmeTXwVdBR:rsqhJMxzJiU5SeLmNSbmebW1

Score
10/10
persistencespywarestealer

Malware Config

Signatures

  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Adds policy Run key to start application 2 TTPs 7 IoCs
    persistence
  • Executes dropped EXE 2 IoCs
  • Sets file execution options in registry 2 TTPs 8 IoCs
    persistence
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 10 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Windows\system32\lsass.exe
    C:\Windows\system32\lsass.exe
    1⤵
      PID:656
      • C:\Users\Admin\AppData\Local\Microsoft\input\en-TT\8eSXDmUVik92.exe
        "C:\Users\Admin\AppData\Local\Microsoft\input\en-TT\8eSXDmUVik92.exe" 2
        2⤵
        • Executes dropped EXE
        • Sets file execution options in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2456
    • C:\Users\Admin\AppData\Local\Temp\e03721ab718cf1b59d47a92fe10cf3e385267ec1c632b6a293f511e61348746a.exe
      "C:\Users\Admin\AppData\Local\Temp\e03721ab718cf1b59d47a92fe10cf3e385267ec1c632b6a293f511e61348746a.exe"
      1⤵
      • Adds policy Run key to start application
      • Modifies data under HKEY_USERS
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      PID:4440
    • C:\Windows\system32\LogonUI.exe
      "LogonUI.exe" /flags:0x4 /state0:0xa39fe055 /state1:0x41c64e6d
      1⤵
      • Modifies data under HKEY_USERS
      • Suspicious use of SetWindowsHookEx
      PID:756
    • C:\Windows\system32\gpscript.exe
      gpscript.exe /Shutdown
      1⤵
      • Modifies data under HKEY_USERS
      • Suspicious use of WriteProcessMemory
      PID:3924
      • C:\Users\Admin\AppData\Local\Microsoft\input\en-TT\8eSXDmUVik92.exe
        "C:\Users\Admin\AppData\Local\Microsoft\input\en-TT\8eSXDmUVik92.exe" 1
        2⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • Adds policy Run key to start application
        • Executes dropped EXE
        • Sets file execution options in registry
        • Modifies data under HKEY_USERS
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:804

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Registry Run Keys / Startup Folder

    2
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    2
    T1112

    Credential Access

    Credentials in Files

    1
    T1081

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Data from Local System

    1
    T1005

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\Microsoft\Network\Connections\Ja5DJWtEJrjrdidEthMMTflDA3FqKE0dx8HUpSKtxTpl6QRhCMZeHAhwd.exe
      Filesize

      1.3MB

      MD5

      d6a8981df103b24fb61dc933e1f6134d

      SHA1

      7feaccbc8a08e69e8b7836892937c1397390d994

      SHA256

      bfca03d0be0ab9c9f3af754c56b2330cfb33f1a4026c4b9fa861ff2a27f75f6c

      SHA512

      d760326f597c352067c11ba082dfdd52b533b9d73d41cae2e09af8054bb0126220a34c4a3a53fca0fa5bf2a8596a34e76b12e05dcbafd8efdc6ce6168ff29519

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\18\4S5gbF55ZPGbKBTLyasvMrXVxRB7XPM6bNkZBSIG5fLH9n7.exe
      Filesize

      1.5MB

      MD5

      1400b41b0d909e660613f7e65c38f391

      SHA1

      9ccbd6c6075ebe9ba8b6aa83d4cb7bb1e201c82c

      SHA256

      df24968f14da9eb100015c27625851fec4e7fbb47a646fd3c47fc9f22b24b3d6

      SHA512

      e3e42ca55925317e860b9dc6cf94fe35333cf1bc96b36a3092e3863a1c89f39ab264ad70916d406b9e6a222b46b3db880068b93663362aef32d2265974101409

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\1VOBvnJisXBYCWLj7Crh9ZKWwNdWFg4oJPBvBUn6tA6kcoFb1sfV8x6dCuFFKnHnS.exe
      Filesize

      1.2MB

      MD5

      8b3ede3e142999403c4d2330d0e6874d

      SHA1

      eb8c52550f524380d83db612ade6f43a3de5eff4

      SHA256

      5c86fb1a67218aeb6572a0fb8a9f30dc70ffe26c7b6e4fd901fadbbc2d0bad31

      SHA512

      bdd2941c17a8e56b2f536a5d7dfe7ad029a60360eb7600074359a746d61767fd57bae23b2394402252ffee445725143f2542003c46e5e9a3c976297b1471f0a6

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\lt\Y0a7NSyZvBuwW9DnMShCVyrJ031jNeEUjHPr.cmd
      Filesize

      3.1MB

      MD5

      cf6595a3394330fcf3d0ce8e2d2de83f

      SHA1

      a4db7b034cbe059a8340feaa68a6e2d6f0c0479c

      SHA256

      cec5c88109477e597a75e2711df324eff2a0100bf2cbdc9d04374d28339e236e

      SHA512

      6597df0a44ab525bea09ef4a060a381326110ca71a204bb7bfc1b37965a44c390bea074445767e25da2811f378e12b7669f0cf011c8bac1a2e23fc5cfff8baf5

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\PoOiPIWaTKmXHfHNVy6wnvVqcqJFfy6xgvhyoKi6f6QE4UkL.exe
      Filesize

      1.4MB

      MD5

      fe17dba9e6ea7765e7af6617ff29f026

      SHA1

      566a92ddedb907b0e1d006e1c248f9112465579a

      SHA256

      69fe510b7beb17d5ae1e91bacd311cd8cda1b9cb5cdaebe9ea43cf92e4ac5aa8

      SHA512

      6319d96aaf4311a4b4c9833c8afa3be1a6e02f3a10c53ae7ddd6744018e5a24fcffaf3dfbed5a329c77955b68b0d1da89db4d0723546aa7fb13db5e9daad256b

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\input\bg-BG\mUlEdwpRM103TSglztjhbiH4qWlbdKIaIDf2d3WPU8GO5kQzMsLEb9t.cmd
      Filesize

      2.2MB

      MD5

      72d5e9a0e6246e22460ddd2d4e8eac24

      SHA1

      eff8299fc26ce54fcb62c098d14930f25f5543b7

      SHA256

      0a7ac46a0a07c1e894554c50f119cd81737a16ee0525128ab8086b88ca701017

      SHA512

      8098337682cc55769a8b72aa2f3a8e77d4a2636982b12250a258f47f13be47d92d9b1c6a7696f51316f6e15ee196129e131a9208e54644c831c7b17425a86092

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\input\en-TT\8eSXDmUVik92.exe
      Filesize

      1.6MB

      MD5

      1fdb04a92080cc1406dc63e346f1dd1f

      SHA1

      3f2783803fe45bfd91112ee5aa78218bddb60d6f

      SHA256

      b65f04f23feab75c1ab309c8efc2b632dbabff048a0f483a0d8abd9a37a6b89e

      SHA512

      b1ddfc541eab3fe7e2892d7fb758196e47a43dd3ba0a339185626d7d15535fc50362720d8a0ed2ca009498ce92864626d9331cf7fec66caef6f6517ad72a97aa

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\input\en-TT\8eSXDmUVik92.exe
      Filesize

      1.6MB

      MD5

      1fdb04a92080cc1406dc63e346f1dd1f

      SHA1

      3f2783803fe45bfd91112ee5aa78218bddb60d6f

      SHA256

      b65f04f23feab75c1ab309c8efc2b632dbabff048a0f483a0d8abd9a37a6b89e

      SHA512

      b1ddfc541eab3fe7e2892d7fb758196e47a43dd3ba0a339185626d7d15535fc50362720d8a0ed2ca009498ce92864626d9331cf7fec66caef6f6517ad72a97aa

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\input\en-TT\8eSXDmUVik92.exe
      Filesize

      1.6MB

      MD5

      1fdb04a92080cc1406dc63e346f1dd1f

      SHA1

      3f2783803fe45bfd91112ee5aa78218bddb60d6f

      SHA256

      b65f04f23feab75c1ab309c8efc2b632dbabff048a0f483a0d8abd9a37a6b89e

      SHA512

      b1ddfc541eab3fe7e2892d7fb758196e47a43dd3ba0a339185626d7d15535fc50362720d8a0ed2ca009498ce92864626d9331cf7fec66caef6f6517ad72a97aa

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\input\sr-Cyrl-ME\5RBPIcL4wqHuGC9PDOQHPBJZ6.exe
      Filesize

      1.8MB

      MD5

      9bec4e7f8885610c6fc41576f4233cbf

      SHA1

      85f1b26770193dcbf0ca1fd049599ed2fec2e4ff

      SHA256

      245fb314c1d3ede5d4604a1560dc7b20569bc8af78a3cfd421f9d104335496e6

      SHA512

      8889b5a1bd4bb713924eb20a310f78b99d852ca06220efc5203db58460a1136fbf9c1ac8c4e4d1e66a210138e0ccfd18ec10e44362ac07e65389a0915e3e4a9f

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6wx89zth.default-release\minidumps\GdKVWmHXTWFJdvCAX9e8QnKLYRgvuHFw.exe
      Filesize

      2.2MB

      MD5

      f351692b7951f100373a6f77b57e5b2b

      SHA1

      350a081076ee3a4eaa288a44acea8fafb321b94c

      SHA256

      493c32bbaa61257cef194da24212c8ddd42ee4be9badb074a23cffa72abbc45d

      SHA512

      1bb8ed0ce36642b8ebc7a33d914ea5c5029c8d4258f36022129f01804193ea8d62eebef1f3c7baa66adad5880de5df5b33fad2b21654db1955fc5bcc7cb76b51

      Download Submit
    • C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\mcro4I9L3JArOBGPGPABbUjFyWgFUlqPOhpE23J1MgNuzlP4LydfL.exe
      Filesize

      1.6MB

      MD5

      75b4b4ecccb7296d0e02dd5b8be39c54

      SHA1

      10ad519af0db9dab4d8023e2daafa26685eee42a

      SHA256

      bf728339510d07a26818bf81a5bfdf1e5da9b6cbb94acb0914b751fc0879e715

      SHA512

      3ec1c9d0383fe07276b970d66b01ed1c1880a3a7cd87676f1277fc986a846798fc0b9cd5fff2eb19bee7e741f0131333cb732c6cfa6b72208cb54b94dc313b4b

      Download Submit
    • C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\keQgJZCwfK3ukbzttkcvxHj0TR7VB0Zuz.exe
      Filesize

      1.2MB

      MD5

      e6c80bcee4d6c1b362082434f5aa7675

      SHA1

      825580e9ca8088e93eafe45cefe4a690ca2d0995

      SHA256

      14f7cd5f5cacf660d1d18b9e969b910bc91099effc02b5ce31d0e26c24a2989d

      SHA512

      be3589e2736b6001eac6dbfc0c307d0d1f1d862d561207913010d6cf818265ca25e0ca07f2b4c71cd4118d71c247051c9c5d1096d00ab8bcddb9d762a585c9b8

      Download Submit
    • memory/804-136-0x0000000000000000-mapping.dmp
      Download
    • memory/804-138-0x0000000000400000-0x000000000042D000-memory.dmp
      Filesize

      180KB

      Download
    • memory/804-147-0x0000000000400000-0x000000000042D000-memory.dmp
      Filesize

      180KB

      Download
    • memory/804-150-0x0000000000400000-0x000000000042D000-memory.dmp
      Filesize

      180KB

      Download
    • memory/2456-148-0x0000000000000000-mapping.dmp
      Download
    • memory/2456-151-0x0000000000400000-0x000000000042D000-memory.dmp
      Filesize

      180KB

      Download
    • memory/2456-154-0x0000000000400000-0x000000000042D000-memory.dmp
      Filesize

      180KB

      Download
    • memory/4440-132-0x0000000000400000-0x000000000042D000-memory.dmp
      Filesize

      180KB

      Download
    • memory/4440-134-0x0000000000400000-0x000000000042D000-memory.dmp
      Filesize

      180KB

      Download
    • memory/4440-133-0x0000000000400000-0x000000000042D000-memory.dmp
      Filesize

      180KB

      Download