Overview

overview

10

Static

static

ab06f96ea3...bf.exe

windows7-x64

ab06f96ea3...bf.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-11-2022 08:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ab06f96ea33cd450a40c5babb204064ea5b21397713fb705ecedb728ffd7b0bf.exe

  • Size

    522KB

  • MD5

    4abdf9379ca35522f5d426840aee12cb

  • SHA1

    8a82210b16774ea2e974b003faa23473cdb26a2b

  • SHA256

    ab06f96ea33cd450a40c5babb204064ea5b21397713fb705ecedb728ffd7b0bf

  • SHA512

    46e45982dc4aa5bd9107a076d24f49d0451214a49eaf6b92f42bbc4b24ad6ab68a07a0b45e19fa765dba7631b14892f028cc20d0992637ff54c58046c9815eb6

  • SSDEEP

    3072:aSsvihLlTQz9z71iURo2SJJmY6uFNcgifDbmeTXwVdBR:rsqhJMxzJiU5SeLmNSbmebW1

Score
10/10
persistencespywarestealer

Malware Config

Signatures

  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Adds policy Run key to start application 2 TTPs 7 IoCs
    persistence
  • Executes dropped EXE 2 IoCs
  • Sets file execution options in registry 2 TTPs 8 IoCs
    persistence
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 10 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Windows\system32\lsass.exe
    C:\Windows\system32\lsass.exe
    1⤵
      PID:672
      • C:\Users\Admin\AppData\Local\Microsoft\input\es-MX\x6oifpdfAEQSDmHjJsHrM5fngR9QWcGLiFu7Qkr.bat
        "C:\Users\Admin\AppData\Local\Microsoft\input\es-MX\x6oifpdfAEQSDmHjJsHrM5fngR9QWcGLiFu7Qkr.bat" 2
        2⤵
        • Executes dropped EXE
        • Sets file execution options in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2380
    • C:\Users\Admin\AppData\Local\Temp\ab06f96ea33cd450a40c5babb204064ea5b21397713fb705ecedb728ffd7b0bf.exe
      "C:\Users\Admin\AppData\Local\Temp\ab06f96ea33cd450a40c5babb204064ea5b21397713fb705ecedb728ffd7b0bf.exe"
      1⤵
      • Adds policy Run key to start application
      • Modifies data under HKEY_USERS
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      PID:4848
    • C:\Windows\system32\LogonUI.exe
      "LogonUI.exe" /flags:0x4 /state0:0xa39ea855 /state1:0x41c64e6d
      1⤵
      • Modifies data under HKEY_USERS
      • Suspicious use of SetWindowsHookEx
      PID:4568
    • C:\Windows\system32\gpscript.exe
      gpscript.exe /Shutdown
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:600
      • C:\Users\Admin\AppData\Local\Microsoft\input\es-MX\x6oifpdfAEQSDmHjJsHrM5fngR9QWcGLiFu7Qkr.bat
        "C:\Users\Admin\AppData\Local\Microsoft\input\es-MX\x6oifpdfAEQSDmHjJsHrM5fngR9QWcGLiFu7Qkr.bat" 1
        2⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • Adds policy Run key to start application
        • Executes dropped EXE
        • Sets file execution options in registry
        • Modifies data under HKEY_USERS
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3724

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\Microsoft\Diagnosis\Temp\dd3FHKlEGYwEDb2OqPSSk.exe
      Filesize

      763KB

      MD5

      ecbd6470ce6762146a7314c50c580692

      SHA1

      7238b0ee50386fd4d2f51740d056525d3adb61ee

      SHA256

      a1c86bfbf6dee415edfa3225cb8496530c7cc0d290def15926bf767aa2553fee

      SHA512

      d9e826acaa72f36237e478e40e0ea78fa4f3362808d52a5af6ff4cfad89ac9b46f65d3f4b512882ad85a5e92e160122cf7dbdf14b6fb7bf390693ba21883129a

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\7\P5Y5fszz7ZWIuKQXFWQHfKCqBSOOl8FyNMUzYKxsETZOUqS8e.exe
      Filesize

      862KB

      MD5

      995e506aec0eb18d7cdd7c1491fc27f1

      SHA1

      fd5b057c72e4b38518bab6edacfbf3d58a8bf4ec

      SHA256

      578e5438689df7beba6abebe087bc7df5f5dd43f71b8140bb89b0623e0b8f213

      SHA512

      05c27b6109d502c0a4f6ff7ea279d624e615aa79a5dc25e04dc790503d1b223fe715e6765043c36685f33d39c15d6e9f9248f8301e2ba8cc534c994520065081

      Download Submit
    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\NiF7V5O76zocCXpcDrRgoRY7JOBwBnDRUp5N8JFe.exe
      Filesize

      603KB

      MD5

      3c256189b7e147944d5ea8958cc775b3

      SHA1

      bc226424b15f7d2721383af71b7e56d2f6f69e50

      SHA256

      8d0ab2c80242a7d123bb00c03ce9f3c43c2df1693946b8dbaa62604ca7fbea52

      SHA512

      31a05a7b7410e88732739cb31a353028ff2956761be2130aea0266da168129395b43fdd9b52d7c4311dc6a8a7ead7b239334c42efb6c6fa5da8d797d93e3c996

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\input\ar-LB\zxJWmYcPOAnnfnEnFhLYPb2xKR8mX7J3TaDgKHyDjaXnfU00pWxHWEdQvqI1MG9IK.exe
      Filesize

      733KB

      MD5

      08d3044b226b40e5fc1a372e2f496120

      SHA1

      0e5e95515e937fb226276d9d69ea92f6cf05ff03

      SHA256

      aa1399b955d4041e34571758d7f4494e358a969a57c04e505cfe6562a4a07ad5

      SHA512

      92dec0003245c1c4d34a89285d57f278e5998fed574309b1e5ad896bb95e7b388f339b2afd9a5e370853673b99f7102e2fcf76aa0df4b5a7bb138613d4ed41e0

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\input\es-DO\EEQeWhVtAlI8qYx5LRi7cTLhPaqlnqVJZic8t.cmd
      Filesize

      1.2MB

      MD5

      7f041c47bf607482094e9c674ef0f8e3

      SHA1

      bb4738f5df86a1d4e8f217722b738fb04b785f60

      SHA256

      029ea671b91d663b40874571ccacecaae444e7d939fb1438a8d3fc31048596d2

      SHA512

      fe9603e1702841e86adfee08a0bd8d2ba5d88ffdc0477373a4e940f00e34fb18ea7a67e8af5f2933ca4d4f663c946d45142b5cb81eddae95375e9b5f5fd7f8d5

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\input\es-MX\x6oifpdfAEQSDmHjJsHrM5fngR9QWcGLiFu7Qkr.bat
      Filesize

      643KB

      MD5

      f4a2ad02f020962a79d54d5c6cc0b3f9

      SHA1

      d25c019774862381f4ebdc1d03e7b58ab83b2e28

      SHA256

      f0f22e60b457520bcf641d60e5890ed55ad71a1f5d15532dfe850ae5487e2610

      SHA512

      7ee3e67937db97e2ca00d4dded0bfbf817cb9ba7a8fb11f6292034a8ffe90ce94ad66413ec66cad0bba92aec2b9e1f4757f385d9ddd9f1b721c412e53829eae4

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\input\es-MX\x6oifpdfAEQSDmHjJsHrM5fngR9QWcGLiFu7Qkr.bat
      Filesize

      643KB

      MD5

      f4a2ad02f020962a79d54d5c6cc0b3f9

      SHA1

      d25c019774862381f4ebdc1d03e7b58ab83b2e28

      SHA256

      f0f22e60b457520bcf641d60e5890ed55ad71a1f5d15532dfe850ae5487e2610

      SHA512

      7ee3e67937db97e2ca00d4dded0bfbf817cb9ba7a8fb11f6292034a8ffe90ce94ad66413ec66cad0bba92aec2b9e1f4757f385d9ddd9f1b721c412e53829eae4

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\input\es-MX\x6oifpdfAEQSDmHjJsHrM5fngR9QWcGLiFu7Qkr.bat
      Filesize

      643KB

      MD5

      f4a2ad02f020962a79d54d5c6cc0b3f9

      SHA1

      d25c019774862381f4ebdc1d03e7b58ab83b2e28

      SHA256

      f0f22e60b457520bcf641d60e5890ed55ad71a1f5d15532dfe850ae5487e2610

      SHA512

      7ee3e67937db97e2ca00d4dded0bfbf817cb9ba7a8fb11f6292034a8ffe90ce94ad66413ec66cad0bba92aec2b9e1f4757f385d9ddd9f1b721c412e53829eae4

      Download Submit
    • C:\Users\Admin\AppData\Local\Packages\E2A4F912-2574-4A75-9BB0-0D023378592B_cw5n1h2txyewy\AC\Temp\V5RNyIRLIQDzX.exe
      Filesize

      813KB

      MD5

      7b17f009ff2096282b72a14c1d819095

      SHA1

      3e8d832df5533adc88b833f9f9d356108b0d06f4

      SHA256

      390ce337718b2a4d8c7f58de64943bf44a21b27b54d675285e1580cfefd072c7

      SHA512

      3e7f1cec7d761bdd9d636bfe396d18ce1fa16e8be0aca283a8b46ca068fc8183fa3c5c08f147d2be24003e2375c4449ecde4134f7c13e63e7e710a1085d1f6a3

      Download Submit
    • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\VSv4rbbhqv6Umprogk5ZnQXxcGZ1Ixiu7QQLP4rUyKtbeqAJuRvxSquq5a.exe
      Filesize

      674KB

      MD5

      08e3dabf97f759b4e891b671fd6d4739

      SHA1

      c3c532ff563f2bea0161da207238fa9331ef288c

      SHA256

      ae5d3a525828f24272db54466cafc98078f6af11f8dc727b868864310a5d0508

      SHA512

      78b08bf75d208baff952aa37b2a4a73b27a9996d6246cfb56922cbde38db2618bec0ed143a85d0151acc9b922cc881607574c2c339ad2ff7440dee1bd7dc33d0

      Download Submit
    • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\RoamingState\SdhN8KR8e1ujoXQQlMEVMnq66Ji3tNreNGk7oRpIjQK.exe
      Filesize

      804KB

      MD5

      2806b19973af267b0dd8cc26e3d2f07b

      SHA1

      a278eb2879e65225bae656071bcd8f6293a19007

      SHA256

      77c90f832062678019fd3a424cab68c8fba5191ca2184f0673725ea09d4c0d6d

      SHA512

      e66fbf358843cc2be97c76bffc3a088c3808ba3f3ec4329eab6275797ab03d83fa364f64110902d99a634e5f91d0c33724335e57aa4d7dcfe54a71552f6cf807

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Microsoft\Protect\9MeRFIoXbwsuzNDF0UL8FfUoZW4CFpsqdFn1YCODOTc6DBkS4abunjTxRpESD5k9.exe
      Filesize

      809KB

      MD5

      4821339f7eafc1168f454401fdf3648c

      SHA1

      3d1f4a7656dc567784ef41e4c9791ea70b25ad87

      SHA256

      36b74b4436473fe8dbb5b82d6d2bec132060a34c824c4b44a3c023698c2326af

      SHA512

      d6fc16a925139dfc641aa8221d99a27a9c4446c49ec07367215ad4a06cc1d6b6694d5e7f2e1808987dfb261212b91cd7ab9c5f499a9b9524f2481e27d47d695c

      Download Submit
    • C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\NaLIfcl4rft5VYlisVybfdr60kwravXcpVGq6An7ZJarTCS0Wv2QezhDYIJwcl5dY4nTaq.exe
      Filesize

      935KB

      MD5

      6758d97120ea967f9614acb19967a893

      SHA1

      91f39903226a98fcfd9362797d8794ddc9f995cd

      SHA256

      3840e80e71066af559c6ffa695ee4fbd691859246129af65759de03259888216

      SHA512

      d18f7451fd2c41c0dd987383e1acfbdad081e57d73bb4d63fe4a18d85c83f4cac22c66289b03d0950fd1828572f141482295782e2bc00613a64e13ccb5f36264

      Download Submit
    • memory/2380-150-0x0000000000400000-0x000000000042D000-memory.dmp
      Filesize

      180KB

      Download
    • memory/2380-147-0x0000000000000000-mapping.dmp
      Download
    • memory/2380-153-0x0000000000400000-0x000000000042D000-memory.dmp
      Filesize

      180KB

      Download
    • memory/3724-146-0x0000000000400000-0x000000000042D000-memory.dmp
      Filesize

      180KB

      Download
    • memory/3724-134-0x0000000000000000-mapping.dmp
      Download
    • memory/3724-149-0x0000000000400000-0x000000000042D000-memory.dmp
      Filesize

      180KB

      Download
    • memory/3724-145-0x0000000000400000-0x000000000042D000-memory.dmp
      Filesize

      180KB

      Download
    • memory/4848-133-0x0000000000400000-0x000000000042D000-memory.dmp
      Filesize

      180KB

      Download
    • memory/4848-132-0x0000000000400000-0x000000000042D000-memory.dmp
      Filesize

      180KB

      Download