Overview

overview

10

Static

static

95fc29a4fb...20.exe

windows7-x64

95fc29a4fb...20.exe

windows10-2004-x64

Analysis

  • max time kernel
    106s
  • max time network
    47s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    25-11-2022 08:38

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    95fc29a4fb401d3afb329b7f805449a482433dbe96a920f1cd85e254df151120.exe

  • Size

    386KB

  • MD5

    90a111afb406a5ead8277be2a2a4ca60

  • SHA1

    a6c96ecb5ee175aa33656807939748d6c5202c1b

  • SHA256

    95fc29a4fb401d3afb329b7f805449a482433dbe96a920f1cd85e254df151120

  • SHA512

    cb8cfe10957906fd5600fd5a805cb50a59ae1dbaec7d17d41a2ad622d3a23956e5d01c76e4391fc633c9f50dd055460c9f018ea9bc565073a5f97bb8c7987326

  • SSDEEP

    3072:dSsvihLlTQz9z71iURo2SJJmY6uFNcgifDbMtJyVdyw:ssqhJMxzJiU5SeLmNSbMtJU5

Score
10/10
persistencespywarestealer

Malware Config

Signatures

  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Adds policy Run key to start application 2 TTPs 7 IoCs
    persistence
  • Executes dropped EXE 2 IoCs
  • Sets file execution options in registry 2 TTPs 8 IoCs
    persistence
  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS 62 IoCs
  • Modifies registry class 12 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    1⤵
      PID:580
      • C:\ProgramData\Microsoft\OFFICE\UICaptions\ksYkfP9FNsa10w913FAfElPDPpbpAIITUl9oE89zVEDxtJPaPtu6Wt3ESF.bat
        "C:\ProgramData\Microsoft\OFFICE\UICaptions\ksYkfP9FNsa10w913FAfElPDPpbpAIITUl9oE89zVEDxtJPaPtu6Wt3ESF.bat" 2
        2⤵
        • Executes dropped EXE
        • Sets file execution options in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1464
    • C:\Users\Admin\AppData\Local\Temp\95fc29a4fb401d3afb329b7f805449a482433dbe96a920f1cd85e254df151120.exe
      "C:\Users\Admin\AppData\Local\Temp\95fc29a4fb401d3afb329b7f805449a482433dbe96a920f1cd85e254df151120.exe"
      1⤵
      • Adds policy Run key to start application
      • Modifies data under HKEY_USERS
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      PID:1960
    • C:\Windows\system32\LogonUI.exe
      "LogonUI.exe" /flags:0x0
      1⤵
        PID:1724
      • C:\Windows\system32\AUDIODG.EXE
        C:\Windows\system32\AUDIODG.EXE 0x510
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1232
      • C:\Windows\system32\LogonUI.exe
        "LogonUI.exe" /flags:0x1
        1⤵
          PID:272
        • C:\Windows\system32\gpscript.exe
          gpscript.exe /Shutdown
          1⤵
          • Loads dropped DLL
          • Modifies data under HKEY_USERS
          • Suspicious use of WriteProcessMemory
          PID:1536
          • C:\ProgramData\Microsoft\OFFICE\UICaptions\ksYkfP9FNsa10w913FAfElPDPpbpAIITUl9oE89zVEDxtJPaPtu6Wt3ESF.bat
            "C:\ProgramData\Microsoft\OFFICE\UICaptions\ksYkfP9FNsa10w913FAfElPDPpbpAIITUl9oE89zVEDxtJPaPtu6Wt3ESF.bat" 1
            2⤵
            • Suspicious use of NtCreateUserProcessOtherParentProcess
            • Adds policy Run key to start application
            • Executes dropped EXE
            • Sets file execution options in registry
            • Loads dropped DLL
            • Modifies data under HKEY_USERS
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1284

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\szqljw7hLNzFnAkpjUqUSUc1L0rYMHFdF68O7gskgeM7HBtRqh2o0M0THPas.cmd
          Filesize

          831KB

          MD5

          96bc68735cdbdd001b4e311999ad75b4

          SHA1

          294d9e00bfd259f1dd4af311b9672213492b647b

          SHA256

          a91086bc593c1a846a9bb1bbbb33abc61452b90983a3bf145ac7d5326dacd196

          SHA512

          9531a942f956705eb4fef2fd9db248a094d1e113eafb03320b285d307ab5d0c826f4b56a853bb3ac60c4334b68997f67a89411a0c8bcdc435cbe98b3fecbac9b

          Download Submit
        • C:\ProgramData\Microsoft\DRM\Server\ZbXiWckfj8XVH0KETXBzUfB6CoUgZ3GjMgQVH7xnCcIDwPGX4mgt2h7V2QlQEUlry.exe
          Filesize

          530KB

          MD5

          1cf16c0a293075a1adcfa1db66e895c8

          SHA1

          cfe2bf49d16faf60381918f857fd166edeb6c0d6

          SHA256

          82669721fc5f3e2d63b455de8fab89503398b984761cad638f25f4be9cd5b43b

          SHA512

          93d5c81625681a15836cd742466cc8d3b12818b903522ed6edf3a4b147c8035232217932ecdfb759c7aa4b5b69dd7357530360504bde50b5eb37491094b5b2c1

          Download Submit
        • C:\ProgramData\Microsoft\OFFICE\UICaptions\ksYkfP9FNsa10w913FAfElPDPpbpAIITUl9oE89zVEDxtJPaPtu6Wt3ESF.bat
          Filesize

          476KB

          MD5

          12a88c88bbbfe9492ec0363274ee8cb6

          SHA1

          12914a2026c6f0f86874c8f781bdde805e5c482c

          SHA256

          7e3b2a416e583d6ef3bd90792660be43cc82de63475122191d2aa6b2af71140f

          SHA512

          43240c2d3ca3da4ce59d761cdec9b1f9f18ee195b09328c7cababe2d80439af97f00da4b35caa0cf0f5cd4b49058a365320b2de384caaf7cbf5f9f9cfdc64b6c

          Download Submit
        • C:\ProgramData\Microsoft\OFFICE\UICaptions\ksYkfP9FNsa10w913FAfElPDPpbpAIITUl9oE89zVEDxtJPaPtu6Wt3ESF.bat
          Filesize

          476KB

          MD5

          12a88c88bbbfe9492ec0363274ee8cb6

          SHA1

          12914a2026c6f0f86874c8f781bdde805e5c482c

          SHA256

          7e3b2a416e583d6ef3bd90792660be43cc82de63475122191d2aa6b2af71140f

          SHA512

          43240c2d3ca3da4ce59d761cdec9b1f9f18ee195b09328c7cababe2d80439af97f00da4b35caa0cf0f5cd4b49058a365320b2de384caaf7cbf5f9f9cfdc64b6c

          Download Submit
        • C:\ProgramData\Microsoft\OFFICE\UICaptions\ksYkfP9FNsa10w913FAfElPDPpbpAIITUl9oE89zVEDxtJPaPtu6Wt3ESF.bat
          Filesize

          476KB

          MD5

          12a88c88bbbfe9492ec0363274ee8cb6

          SHA1

          12914a2026c6f0f86874c8f781bdde805e5c482c

          SHA256

          7e3b2a416e583d6ef3bd90792660be43cc82de63475122191d2aa6b2af71140f

          SHA512

          43240c2d3ca3da4ce59d761cdec9b1f9f18ee195b09328c7cababe2d80439af97f00da4b35caa0cf0f5cd4b49058a365320b2de384caaf7cbf5f9f9cfdc64b6c

          Download Submit
        • C:\ProgramData\Microsoft\RAC\Outbound\dMC13c4MmKZQEh.exe
          Filesize

          525KB

          MD5

          8597b5fee5da01bed1c65e5c71bccd11

          SHA1

          8634eaea6e03531e1a376ae85089b86331b95295

          SHA256

          38e8e1753f2b272da29019d6efa97d4059ac75718ac4b9c62bf7d0f12ba35e15

          SHA512

          139d035bf0ffa7e8556fa8753eac84429e5faaae01ec50d4d18161bc5b3b0eb3a235ff9010f3dc153ae026064f1e5c547bf687ed26f423e1861541ab1726167a

          Download Submit
        • C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\11\YKofVyG8RaHMUPJeUw7AbrndWQVrbsyaLDyMcV.exe
          Filesize

          604KB

          MD5

          0edf118d2b48fab16224aa512487f8ac

          SHA1

          9a37c834f113290def12430dbe6fbcd8ba1b9300

          SHA256

          008d40253c8ee27cac4dd54be0687d864637b0c401b1478f30dbdccd63240a8e

          SHA512

          59354b7c87b48c7ceb05c5bb8fc5e2e5454e4a06eb446bd822b4fcad152f7e55bdcfcdc043d45362a17869abe8cca06e433c1c05b6fb89fc1e2cb33e4faac138

          Download Submit
        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\go2HJTLEORBBm4hLMDoJQJmsrIhyQPXUKil85qJ.exe
          Filesize

          514KB

          MD5

          23c3c55995cc42c20fcde1e6034cd032

          SHA1

          c6caf2c73cbc046832911de15138c8633cffc896

          SHA256

          7b4ad722617ddda3f4fab06061f46540a878e15c8537486ebcc25bea0ea451e4

          SHA512

          bce225827fe4fa981a11436c0f7829346e6dc57ff39d044949fc1eb9c30fcf5b5a9e4be080086612b7ed10d71586b4ea278ee605bc54fd7b565a7ecce2f972e7

          Download Submit
        • C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\RUC7JGOV\OSaTXOUHvFiRLQ.exe
          Filesize

          615KB

          MD5

          26b732c866477a051bd1005ec3826906

          SHA1

          a91ee3516fcc57e1dce4e75936b54c66db87d4a1

          SHA256

          fe36275b182620f997913e6dc17491d84935b583014ea55353919c089a8bb96f

          SHA512

          f1223e5564984d816b31695eb4bcbe87d85a50454de62f605821886f3db852622ca4cec77000a098b54284c32b73aafb345d75e0193d2db22f81dac484ed0848

          Download Submit
        • C:\Users\Admin\AppData\Local\Mozilla\9fXWIFJRz08hcn7EybwnJPZND2KPtOSeTQsJtBk2T5JyHY2tmDdWhmL1HKzbGc4.exe
          Filesize

          638KB

          MD5

          4c36391d390f2df3423ccf004f8d737e

          SHA1

          97f876cd8ad621360551c8c9cff421a9c78da9ac

          SHA256

          2a822f42417e4221e82053deba56dfd81db4974f03bd6e42e7bd694486b8593e

          SHA512

          9c0ff367677bbecb7e7a02fa20c71f7c3691c9793f2aa0776a25f903bd64c908fdeedf198d8e5b2f3bcea2256ef59478be1321f9d216a2ae6dd5dcbfe53b4391

          Download Submit
        • C:\Users\Admin\AppData\Roaming\Adobe\DERX2Pcy045lbIm1EPIgBVP2IJWCWO7Jf7KSx7DtZaUrxW.exe
          Filesize

          742KB

          MD5

          6b246f3440e48f4fd104b131cc3e23bc

          SHA1

          cdc403d91a3edcabd5cf5e41e8ef6a4d063a96e6

          SHA256

          c35b9fe4b408a6947db71fae49483ef0975993b95baa344057d68160da93b56e

          SHA512

          dce915f8dbaedd2c5d1367f2cf64bda0dbbed3df2f601b5575b8d42133d30e5c9216fa16e2f212fecf35538775d6e4fdad27170c1771a3386c5b577a8f20b148

          Download Submit
        • C:\Users\Admin\Contacts\WBTfInfiLIwyNy4ZnnyT90gBYIkgHDKyHaHBAZG3RnsZEcVXBJIP7fS6rPeBw.exe
          Filesize

          449KB

          MD5

          cd720d007197a857a5891f86ed37225c

          SHA1

          67f79ddb77bee0a7fa8896d58780cb938eee9726

          SHA256

          475c33b08d647ba68f71a24e66aefbda0daa9c73483cbabf1a7c4ecb366fce0b

          SHA512

          dfcde57c163c4485b0649c2b96e0148fecd65ba31978b9fbf602d13b409ecaf119d964feb2cdec94a0cc850fff49740f9536fd76eae8c2aa12213a4569d08f17

          Download Submit
        • C:\Users\Public\Downloads\eFYgFFYy5C90AzzJ8yJ485PAKKhauK4nKQrop0XXYZf1sAfpEpjmIzXsyY.exe
          Filesize

          390KB

          MD5

          d03d772790366f7231845eaa0da6c961

          SHA1

          007380afa6619750532c1080b44c733e1d656b9c

          SHA256

          9e0abd61b8dc05ce237b6da6b50b3243da1bedac9347f4feac6f8b5768e4e9d0

          SHA512

          88756b23e40fe774ce23ab0fade21ec9c4881ef6347c19720fb8055f140102cf7de025d1a27ef7529062718dbf802dfb1435450cb1a9b8221d2eeb4165793440

          Download Submit
        • \ProgramData\Microsoft\OFFICE\UICaptions\ksYkfP9FNsa10w913FAfElPDPpbpAIITUl9oE89zVEDxtJPaPtu6Wt3ESF.bat
          Filesize

          476KB

          MD5

          12a88c88bbbfe9492ec0363274ee8cb6

          SHA1

          12914a2026c6f0f86874c8f781bdde805e5c482c

          SHA256

          7e3b2a416e583d6ef3bd90792660be43cc82de63475122191d2aa6b2af71140f

          SHA512

          43240c2d3ca3da4ce59d761cdec9b1f9f18ee195b09328c7cababe2d80439af97f00da4b35caa0cf0f5cd4b49058a365320b2de384caaf7cbf5f9f9cfdc64b6c

          Download Submit
        • \ProgramData\Microsoft\OFFICE\UICaptions\ksYkfP9FNsa10w913FAfElPDPpbpAIITUl9oE89zVEDxtJPaPtu6Wt3ESF.bat
          Filesize

          476KB

          MD5

          12a88c88bbbfe9492ec0363274ee8cb6

          SHA1

          12914a2026c6f0f86874c8f781bdde805e5c482c

          SHA256

          7e3b2a416e583d6ef3bd90792660be43cc82de63475122191d2aa6b2af71140f

          SHA512

          43240c2d3ca3da4ce59d761cdec9b1f9f18ee195b09328c7cababe2d80439af97f00da4b35caa0cf0f5cd4b49058a365320b2de384caaf7cbf5f9f9cfdc64b6c

          Download Submit
        • \ProgramData\Microsoft\OFFICE\UICaptions\ksYkfP9FNsa10w913FAfElPDPpbpAIITUl9oE89zVEDxtJPaPtu6Wt3ESF.bat
          Filesize

          476KB

          MD5

          12a88c88bbbfe9492ec0363274ee8cb6

          SHA1

          12914a2026c6f0f86874c8f781bdde805e5c482c

          SHA256

          7e3b2a416e583d6ef3bd90792660be43cc82de63475122191d2aa6b2af71140f

          SHA512

          43240c2d3ca3da4ce59d761cdec9b1f9f18ee195b09328c7cababe2d80439af97f00da4b35caa0cf0f5cd4b49058a365320b2de384caaf7cbf5f9f9cfdc64b6c

          Download Submit
        • memory/1284-75-0x0000000000400000-0x000000000042D000-memory.dmp
          Filesize

          180KB

          Download
        • memory/1284-78-0x0000000000400000-0x000000000042D000-memory.dmp
          Filesize

          180KB

          Download
        • memory/1284-81-0x0000000000400000-0x000000000042D000-memory.dmp
          Filesize

          180KB

          Download
        • memory/1284-62-0x0000000000000000-mapping.dmp
          Download
        • memory/1464-80-0x0000000000000000-mapping.dmp
          Download
        • memory/1464-85-0x0000000000400000-0x000000000042D000-memory.dmp
          Filesize

          180KB

          Download
        • memory/1536-74-0x0000000001030000-0x000000000105D000-memory.dmp
          Filesize

          180KB

          Download
        • memory/1536-73-0x0000000001030000-0x000000000105D000-memory.dmp
          Filesize

          180KB

          Download
        • memory/1536-76-0x0000000001030000-0x000000000105D000-memory.dmp
          Filesize

          180KB

          Download
        • memory/1536-77-0x0000000001030000-0x000000000105D000-memory.dmp
          Filesize

          180KB

          Download
        • memory/1724-56-0x000007FEFB6D1000-0x000007FEFB6D3000-memory.dmp
          Filesize

          8KB

          Download
        • memory/1960-54-0x0000000000400000-0x000000000042D000-memory.dmp
          Filesize

          180KB

          Download
        • memory/1960-55-0x0000000000400000-0x000000000042D000-memory.dmp
          Filesize

          180KB

          Download