Overview

overview

10

Static

static

95fc29a4fb...20.exe

windows7-x64

95fc29a4fb...20.exe

windows10-2004-x64

Analysis

  • max time kernel
    123s
  • max time network
    122s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-11-2022 08:38

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    95fc29a4fb401d3afb329b7f805449a482433dbe96a920f1cd85e254df151120.exe

  • Size

    386KB

  • MD5

    90a111afb406a5ead8277be2a2a4ca60

  • SHA1

    a6c96ecb5ee175aa33656807939748d6c5202c1b

  • SHA256

    95fc29a4fb401d3afb329b7f805449a482433dbe96a920f1cd85e254df151120

  • SHA512

    cb8cfe10957906fd5600fd5a805cb50a59ae1dbaec7d17d41a2ad622d3a23956e5d01c76e4391fc633c9f50dd055460c9f018ea9bc565073a5f97bb8c7987326

  • SSDEEP

    3072:dSsvihLlTQz9z71iURo2SJJmY6uFNcgifDbMtJyVdyw:ssqhJMxzJiU5SeLmNSbMtJU5

Score
10/10
persistencespywarestealer

Malware Config

Signatures

  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Adds policy Run key to start application 2 TTPs 7 IoCs
    persistence
  • Executes dropped EXE 2 IoCs
  • Sets file execution options in registry 2 TTPs 8 IoCs
    persistence
  • Drops startup file 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 10 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Windows\system32\lsass.exe
    C:\Windows\system32\lsass.exe
    1⤵
      PID:672
      • C:\Users\Admin\.oracle_jre_usage\QUMM9kFpuacwsKnuoYjvQdWYQsEcJwNBLu.cmd
        "C:\Users\Admin\.oracle_jre_usage\QUMM9kFpuacwsKnuoYjvQdWYQsEcJwNBLu.cmd" 2
        2⤵
        • Executes dropped EXE
        • Sets file execution options in registry
        • Drops startup file
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2348
    • C:\Users\Admin\AppData\Local\Temp\95fc29a4fb401d3afb329b7f805449a482433dbe96a920f1cd85e254df151120.exe
      "C:\Users\Admin\AppData\Local\Temp\95fc29a4fb401d3afb329b7f805449a482433dbe96a920f1cd85e254df151120.exe"
      1⤵
      • Adds policy Run key to start application
      • Modifies data under HKEY_USERS
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      PID:4020
    • C:\Windows\system32\LogonUI.exe
      "LogonUI.exe" /flags:0x4 /state0:0xa39f2855 /state1:0x41c64e6d
      1⤵
      • Modifies data under HKEY_USERS
      • Suspicious use of SetWindowsHookEx
      PID:2684
    • C:\Windows\system32\gpscript.exe
      gpscript.exe /Shutdown
      1⤵
      • Modifies data under HKEY_USERS
      • Suspicious use of WriteProcessMemory
      PID:3564
      • C:\Users\Admin\.oracle_jre_usage\QUMM9kFpuacwsKnuoYjvQdWYQsEcJwNBLu.cmd
        "C:\Users\Admin\.oracle_jre_usage\QUMM9kFpuacwsKnuoYjvQdWYQsEcJwNBLu.cmd" 1
        2⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • Adds policy Run key to start application
        • Executes dropped EXE
        • Sets file execution options in registry
        • Modifies data under HKEY_USERS
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4060

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\Microsoft\Diagnosis\SoftLanding\Xgvi9kJwL7XlFslRjziUfU99BBYuyYHSpgItT6R.cmd
      Filesize

      1.3MB

      MD5

      cff2e5d3b437f9f689311032929bd90f

      SHA1

      fc12d7ed236a8e60f89f27c18574f56a2f7b41aa

      SHA256

      7089cf6dd3268720b54401e741764a74f7da7636fc033d3cd5e59b9c43ff892e

      SHA512

      57257d401ddf3440756b99bdeb22bbbb832454e43c7d465c1ddc8aa68c2bc1cd1bc440bdf9103adde7f5d4939a9457aa30b686552d5788fb2933bc154ed3a2f3

      Download Submit
    • C:\ProgramData\Package Cache\{F6080405-9FA8-4CAA-9982-14E95D1A3DAC}v14.30.30704\packages\vcRuntimeMinimum_x86\l0dmHseIlJXHy7zoNzth9q.cmd
      Filesize

      671KB

      MD5

      8a6fb09fd74c5040e4d4f47077502609

      SHA1

      e23be976a97777df6518a75ca1981f8be8f29435

      SHA256

      9a283b05d4d3f680823329efcf14eb6a5337078f5595352213935ed62d0c3932

      SHA512

      902323ac25dd7e3164f3054fb2035df0752724fb72e82e1fcfd8453861805f73783bd36a955fa78e435e19b4b812738718830497c95649cfc9c33ddf8ac14444

      Download Submit
    • C:\Users\Admin\.oracle_jre_usage\QUMM9kFpuacwsKnuoYjvQdWYQsEcJwNBLu.cmd
      Filesize

      650KB

      MD5

      e52a67c1d789b9099760fdccc44b2cdd

      SHA1

      f0dc8a76916d15f216e9818ed244ea194ce56341

      SHA256

      9a9d5c8d376d612b592e3578bfd37866366c2fac1b06ceb1a9b5f58a3df771b7

      SHA512

      783039014007303429197530e07a7df7939b4863bdb1bc5b0d71ec7e3c5f8c5a1088d16217f3a0bd6f28c127460477d4b1204c96bf9adac8c3197a77dd521607

      Download Submit
    • C:\Users\Admin\.oracle_jre_usage\QUMM9kFpuacwsKnuoYjvQdWYQsEcJwNBLu.cmd
      Filesize

      650KB

      MD5

      e52a67c1d789b9099760fdccc44b2cdd

      SHA1

      f0dc8a76916d15f216e9818ed244ea194ce56341

      SHA256

      9a9d5c8d376d612b592e3578bfd37866366c2fac1b06ceb1a9b5f58a3df771b7

      SHA512

      783039014007303429197530e07a7df7939b4863bdb1bc5b0d71ec7e3c5f8c5a1088d16217f3a0bd6f28c127460477d4b1204c96bf9adac8c3197a77dd521607

      Download Submit
    • C:\Users\Admin\.oracle_jre_usage\QUMM9kFpuacwsKnuoYjvQdWYQsEcJwNBLu.cmd
      Filesize

      650KB

      MD5

      e52a67c1d789b9099760fdccc44b2cdd

      SHA1

      f0dc8a76916d15f216e9818ed244ea194ce56341

      SHA256

      9a9d5c8d376d612b592e3578bfd37866366c2fac1b06ceb1a9b5f58a3df771b7

      SHA512

      783039014007303429197530e07a7df7939b4863bdb1bc5b0d71ec7e3c5f8c5a1088d16217f3a0bd6f28c127460477d4b1204c96bf9adac8c3197a77dd521607

      Download Submit
    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\bBZ5b30FYI7xBYWNdOb6y0VZsSLv6fQ.exe
      Filesize

      422KB

      MD5

      479091e1daabaf2b6c9576f89482dabe

      SHA1

      4db600483c03b8160635ae1e2bee51dfcfc1c32d

      SHA256

      9dd37ddeeac3425b4055d18e7bea78484d924e92fca997a3a89c783c1ed0b91f

      SHA512

      1006dbe935563bbb63bc3bad308386d57a7e984046e1214c50b31749b2b7c15a3d7019e01f9f303c0d098261e718914e967c6d3c251a9384a7c2caaf01259a04

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.Word\DUnM5hm69ZGfHib5gWMuBqi80FvEh41dM8XIiB6K13IJCFyO1xe1QnghqmbHjGLChj.exe
      Filesize

      406KB

      MD5

      04189baf76608a13a42455b3567a8f67

      SHA1

      94cf8b19855ee65c9c28594ead70001b44f8dcf5

      SHA256

      61bd3def7b87f2be7f0e83d0710ba6536b3da42f47a7af14b8cf1a2c860d2a88

      SHA512

      331fe2b247775e2eb85eedcce9845f03b8f64dc62effdf7465cf24f3606a244f3fe655a1619dffeb4560a5ed4e9910a261bd88cb7ad3c8155ebcba0750e12349

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\input\en-CA\S8VRpopn1XRkUv3.exe
      Filesize

      756KB

      MD5

      df438f74f3d114a662f5bdd6247fec98

      SHA1

      a2c558121e84cd347bcf67b00c71a44db21ce5c5

      SHA256

      f4b674c683b73681b4309804dd80cccf33fc4c06263154c28e85cfbac60a5a50

      SHA512

      a0ea3b2275fe6428ed568acd6d34c62189213374e5dc3d646f09c44502f66c43d0cb197169f6fdff10ef291cee5e1fa7a01944376dd04460bbc8e640d821f643

      Download Submit
    • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\INetHistory\lfn4tdYb5KXZgwIYQs9oSBISZNeAlA0wGGIAUC.exe
      Filesize

      546KB

      MD5

      948857f9f7a33ae1bfba6254faa93799

      SHA1

      b95bcd9cbb0d242e140f270597f32ce59a995858

      SHA256

      27a104d72766ae50b17a26e6822a95f3e0974af12a2b2461e93df4591314ae2b

      SHA512

      60b1277f62b9532aba1e897def898dda56ab067c87241da69c06c2d76e215edeb84573f030c0783c31aacb2e968a6f281f9d39e45d7596f1bad673f7a91b1136

      Download Submit
    • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Apprep.ChxApp_cw5n1h2txyewy\LocalCache\dFodllo5pheIAkBNFUvbNDPEHYsZcsysa3EycU99nPyPyYMpb1emqJGI.exe
      Filesize

      476KB

      MD5

      7ddf2d05b9ee1329f9a5871fdecf35eb

      SHA1

      e3cf6e156f6dee8503b315e613f2b943fd69f63f

      SHA256

      1e864f082f1d7bf403217013dd1c4f8508857419ca4c1d7fb8f795daa09c2d3c

      SHA512

      9093052eaa6bfc4f932e20104620c2508ce5484dbaa7990185f608e0e4b10ee6cb2bce3efad600e3966cd2f72d1b9bfd5a4bd88125857498d6e1a6295f24c701

      Download Submit
    • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalState\9ZLE1k0BvAJzWqzvLb1JkEPAP4HqPGz2QSAzHvfx6DkQ3MAJJQpeiBQjIUl5QI.exe
      Filesize

      732KB

      MD5

      c6393aa89e47a96268d345b58ba45b86

      SHA1

      904dce73bcf8edd2c5179a5664b3efa3378c21ef

      SHA256

      39002027a7b6f603ea209da338eeaf908aece24f59dd62293305a14abebd95c0

      SHA512

      2ec1534b3fe5f6bf53b05ae85b83a294ea512c8958fea828366dd94242adc78f94086fd209dba37413a7b4e5993b49cc4bfe63103ed02a11e3b6bb40758ef63a

      Download Submit
    • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy\RoamingState\l2FBL4aZ6nEbHP0fi8e68dkpCNf3hDs3kHr.exe
      Filesize

      680KB

      MD5

      77aa2ce0267c8773185a3df622636b0e

      SHA1

      586802323d9b2c20c50f27b7b92f98cf5d681f63

      SHA256

      899499037ebfbd440f7c6a69678da272e3661f4c2ec05b224863edf9da275f9a

      SHA512

      4616054e1f363a1b34f464ba4a75dea0083b91897cfdb6f3e641a60ee99efe7d485b499a8a089a9acd1353ac80f3b606df0003b564da6e271a2647d78c6f850e

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2629973501-4017243118-3254762364-1000\1dva9nQupIBLvdq.exe
      Filesize

      739KB

      MD5

      99cfc4a1ec55bb112ec52e77c3e8445e

      SHA1

      10dc9de7e8cc48997d3b815c527a164b5b63fb5e

      SHA256

      71fcf539b40e5f052fa42e509bcabafab9f73c05ca8f940c9e677c7359c95c23

      SHA512

      fb57379ad7c67ea8b38634f8f749f370268573118bd1ed1bddbdc11ea714a1095695ddc3dfa64e284612c3fe1dbaa9296f4f3b74e970d04bafa1e1f0465eacf7

      Download Submit
    • memory/2348-147-0x0000000000000000-mapping.dmp
      Download
    • memory/2348-152-0x0000000000400000-0x000000000042D000-memory.dmp
      Filesize

      180KB

      Download
    • memory/4020-132-0x0000000000400000-0x000000000042D000-memory.dmp
      Filesize

      180KB

      Download
    • memory/4020-133-0x0000000000400000-0x000000000042D000-memory.dmp
      Filesize

      180KB

      Download
    • memory/4060-145-0x0000000000400000-0x000000000042D000-memory.dmp
      Filesize

      180KB

      Download
    • memory/4060-146-0x0000000000400000-0x000000000042D000-memory.dmp
      Filesize

      180KB

      Download
    • memory/4060-149-0x0000000000400000-0x000000000042D000-memory.dmp
      Filesize

      180KB

      Download
    • memory/4060-134-0x0000000000000000-mapping.dmp
      Download