Overview

overview

10

Static

static

62d78ad3b7...d8.exe

windows7-x64

10

62d78ad3b7...d8.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    128s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    25-11-2022 08:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    62d78ad3b7bf9441610d114bfc28ba98e3b837ce31418f47938609ac842b25d8.exe

  • Size

    1.1MB

  • MD5

    589e542e797c5853842d692221855347

  • SHA1

    180fb3a204a3b6b54e349de423be054affb2aecf

  • SHA256

    62d78ad3b7bf9441610d114bfc28ba98e3b837ce31418f47938609ac842b25d8

  • SHA512

    34a62809c8ae47cd988f80565492346c87a30ce13781dbc9c6a12ce93e17925ea12458bc6b384c0da905a249f0c3275bb9188b5df9cb8fa912aad666d7c4429c

  • SSDEEP

    3072:aSsvihLlTQz9z71iURo2SJJmY6uFNcgifDbmeTXwVdBR:rsqhJMxzJiU5SeLmNSbmebW1

Score
10/10
persistencespywarestealer

Malware Config

Signatures

  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Adds policy Run key to start application 2 TTPs 7 IoCs
    persistence
  • Executes dropped EXE 2 IoCs
  • Sets file execution options in registry 2 TTPs 8 IoCs
    persistence
  • Drops startup file 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS 59 IoCs
  • Modifies registry class 12 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\62d78ad3b7bf9441610d114bfc28ba98e3b837ce31418f47938609ac842b25d8.exe
    "C:\Users\Admin\AppData\Local\Temp\62d78ad3b7bf9441610d114bfc28ba98e3b837ce31418f47938609ac842b25d8.exe"
    1⤵
    • Adds policy Run key to start application
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    PID:1340
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    1⤵
      PID:600
      • C:\ProgramData\Microsoft\Device Stage\Task\ZV1dlqCRSyMJBZlkh05xKehlQsYSxXZwCO7m9i982yt5hMqHXha9Deqh.bat
        "C:\ProgramData\Microsoft\Device Stage\Task\ZV1dlqCRSyMJBZlkh05xKehlQsYSxXZwCO7m9i982yt5hMqHXha9Deqh.bat" 2
        2⤵
        • Executes dropped EXE
        • Sets file execution options in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1828
    • C:\Windows\system32\LogonUI.exe
      "LogonUI.exe" /flags:0x0
      1⤵
        PID:952
      • C:\Windows\system32\AUDIODG.EXE
        C:\Windows\system32\AUDIODG.EXE 0xc8
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1612
      • C:\Windows\system32\LogonUI.exe
        "LogonUI.exe" /flags:0x1
        1⤵
          PID:288
        • C:\Windows\system32\gpscript.exe
          gpscript.exe /Shutdown
          1⤵
          • Loads dropped DLL
          • Modifies data under HKEY_USERS
          • Suspicious use of WriteProcessMemory
          PID:1036
          • C:\ProgramData\Microsoft\Device Stage\Task\ZV1dlqCRSyMJBZlkh05xKehlQsYSxXZwCO7m9i982yt5hMqHXha9Deqh.bat
            "C:\ProgramData\Microsoft\Device Stage\Task\ZV1dlqCRSyMJBZlkh05xKehlQsYSxXZwCO7m9i982yt5hMqHXha9Deqh.bat" 1
            2⤵
            • Suspicious use of NtCreateUserProcessOtherParentProcess
            • Adds policy Run key to start application
            • Executes dropped EXE
            • Sets file execution options in registry
            • Drops startup file
            • Loads dropped DLL
            • Modifies data under HKEY_USERS
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:564

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\ProgramData\Microsoft\Device Stage\Task\ZV1dlqCRSyMJBZlkh05xKehlQsYSxXZwCO7m9i982yt5hMqHXha9Deqh.bat
          Filesize

          2.2MB

          MD5

          fc0891c806cc0e8feef8ca6b63e0c39f

          SHA1

          f4c4f7acddcc0fac6b0b35312a28df67c40824ad

          SHA256

          d1a9e67dd6d14e0134f48900e373ccd37c29eeca81932c48a5399d4465dd3008

          SHA512

          af5b38c6c172627f4ee46ac7aefbe918e1748b7b234bf9b2f3385a897b2bdacc908253d90eee4cf0530c6130788c98c341f7131077132c253030d656e386f175

          Download Submit
        • C:\ProgramData\Microsoft\Device Stage\Task\ZV1dlqCRSyMJBZlkh05xKehlQsYSxXZwCO7m9i982yt5hMqHXha9Deqh.bat
          Filesize

          2.2MB

          MD5

          fc0891c806cc0e8feef8ca6b63e0c39f

          SHA1

          f4c4f7acddcc0fac6b0b35312a28df67c40824ad

          SHA256

          d1a9e67dd6d14e0134f48900e373ccd37c29eeca81932c48a5399d4465dd3008

          SHA512

          af5b38c6c172627f4ee46ac7aefbe918e1748b7b234bf9b2f3385a897b2bdacc908253d90eee4cf0530c6130788c98c341f7131077132c253030d656e386f175

          Download Submit
        • C:\ProgramData\Microsoft\Device Stage\Task\ZV1dlqCRSyMJBZlkh05xKehlQsYSxXZwCO7m9i982yt5hMqHXha9Deqh.bat
          Filesize

          2.2MB

          MD5

          fc0891c806cc0e8feef8ca6b63e0c39f

          SHA1

          f4c4f7acddcc0fac6b0b35312a28df67c40824ad

          SHA256

          d1a9e67dd6d14e0134f48900e373ccd37c29eeca81932c48a5399d4465dd3008

          SHA512

          af5b38c6c172627f4ee46ac7aefbe918e1748b7b234bf9b2f3385a897b2bdacc908253d90eee4cf0530c6130788c98c341f7131077132c253030d656e386f175

          Download Submit
        • C:\ProgramData\Microsoft\Windows Defender\Scans\kXhaZTEoOcHSJSS9.exe
          Filesize

          2.1MB

          MD5

          b78bb035c41eacef6cd6f31b1ce8396e

          SHA1

          dc7adaf6ae177b1b2fb8edd4cbfffca2280d13c7

          SHA256

          51563b485a1efaf2cb3c0e24d022105ec13f59e93d6e1caa31777edd45b87b8e

          SHA512

          e237f1299b3abe680678506e49dff3eb73311afcccd0f4469b0a99312af6552a0bd2fd11fe5a1382efa47a2da26821aa4872f9872411971b41c9732f11d3f7b2

          Download Submit
        • C:\ProgramData\Microsoft\Windows NT\MSFax\Common Coverpages\es-ES\mpmkfPUlL6M7RK3aNG1AgS9XL.exe
          Filesize

          1.9MB

          MD5

          c872eacadd628cd72640ee3682c7a903

          SHA1

          18c39ab128f419172aa73d1e0800e3ae75602f3c

          SHA256

          221e374303af04e555bc89f06ef84aace21789611b6f679d00175752833058e7

          SHA512

          0934e9577fc216c7463928141dd74536852b88cceec698031ccabd0e8be2859dd3d9770c5f260cde452294c6b5adb932202d2b07c4aee8e07341925c6e1ebb25

          Download Submit
        • C:\ProgramData\Microsoft\Windows NT\MSFax\VirtualInbox\EURLi0gokfdWKFJJLWQmUJAojygRWrH.exe
          Filesize

          1.9MB

          MD5

          629353339768702cdf7ef35dd6040ae4

          SHA1

          6d7f7dbed5e9ecec959aa9dcb949ef991d5185b5

          SHA256

          3e415359fc01f18685e78ae7b5bc761f9952accdaa51b26955f44969aa478119

          SHA512

          83bac141dbf64d2b8471b967408c750384e82141cfb9f8517c08fd69b681c01eaafe86b7944ac5745b530066aed7b7b8dee1631c6254a3e869ae2dcfa1bc5c55

          Download Submit
        • C:\ProgramData\Microsoft\Windows\Power Efficiency Diagnostics\tyyG0IUMyALnzKvQAIkufCmLpr8ft.exe
          Filesize

          3.3MB

          MD5

          0353df1a5ddc2dd2e97fa44f601cfd76

          SHA1

          ebbc3d9caf62989980b5cde61070d62686c26b81

          SHA256

          2ea759b3548d3a1f26d109838a74417660b5bf63ed4b7cca05766d1fbe325ada

          SHA512

          61dcdd8666c94dae254bfbe258134c42f6a0f0d9eab13a82b4fad1cf66907a35df79c182baf7a5e937181d451e23ab81efecea69f65bf7c29a9ef8759ce7b483

          Download Submit
        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\FontLookupTableCache\rtfZ7wiOAhl95I6.exe
          Filesize

          1.8MB

          MD5

          c026c722809b274a3c095080e413fcee

          SHA1

          18af4633cd8aa97646cf17135d786f8ff160c719

          SHA256

          f371665baad6a24f383956912f48a7ea1b04a9cd181f2a27f478bc80e892eefc

          SHA512

          45080139e4caa80981740780e02afeb66b02e9363c8b428d81c7d8ff20a3b739625542f655cbb03767b30636ec55ebf4967f00d507b4335631dfd8ea8fa57324

          Download Submit
        • C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\wsrZ8QeGlTPxgi72xVxIJaeCqLbyiDa4B6A2.exe
          Filesize

          2.2MB

          MD5

          4541419e471c2d7c3eb1a50f0072e5f5

          SHA1

          a4a784e0aa341534ab751a6871ad3b13e2ab61c7

          SHA256

          dc56e67d3ae292a5f073add7303123b9e67786a768e06caf643a83d06122c221

          SHA512

          9018af5d30e4b9d4de2579644e55a06b7e7729041513865ae537827f465fda751afde904e103ff61626f7996b82b444f116c7dfd85c2bc619604e885666b9da3

          Download Submit
        • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3845472200-3839195424-595303356-1000\iaIFpW3AKlOdIiSCzOJIxc36L7Jpb6dIwQTmCaMhq94ehMlNHKEVfQvItyTP3MhFngQtM.exe
          Filesize

          1.9MB

          MD5

          70a06e9d22e5f0421c181f73e177d547

          SHA1

          3f5de0918feab7b6cf47de783ab87a58cb794ff7

          SHA256

          ef7e0b8e3eef04c90e0627ba0f61af3499754ed5712aa58e69611946743ed72e

          SHA512

          4fea67a571b5d410fb8aace0cf68a3060277c791d5607071dbe59ed0b8c10789cc72b7a3a73ac236ca41d717e48c51b8a22874105071f0fec956967fc8fc747c

          Download Submit
        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Crash Reports\MgbZsF73MvQswHbhcMVG4l4qB4ygm5f.bat
          Filesize

          3.4MB

          MD5

          59083b98adddef7417d5a627015f55b6

          SHA1

          f9102a3b719acebcb57b1fda768684c5828da585

          SHA256

          0878250765a333716a00c5f892934fd4d798afce3289397d769154fcab909123

          SHA512

          9a394065b8d5b90a40f23e95f48d90677956dc5290915500c817e5db1cd2607fd337b42c191064a57e8fad6113a1fe983eea5b0bfe38e7ca3277d057857b5277

          Download Submit
        • C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Zcpac6eIBZ0iTiBsP21XR0vCc3GMFPEU6amamY9lnCie64EBBTnT.exe
          Filesize

          1.6MB

          MD5

          76d38d35e77a246d0946213d406aace1

          SHA1

          bb4a58f52954b244ca6f2a3b2799f1c29ae44f9e

          SHA256

          6ee547441fd59a53331ce64c9790c96fde9c7a99e007e13a01fd39523bb767fa

          SHA512

          4ed393754a2d9db4dfaf82dcb1516d42f8d732ba96e3743bb1afc8a97cfc6b89a3cac68bf4fe0e1a901ae98a1315108579490c97ca3f8809910aa825d93a84dc

          Download Submit
        • C:\Users\Public\RRgAmpxZ9KEQRbFLVKsFhjl41n.exe
          Filesize

          2.1MB

          MD5

          12eaefc12f0a3e8877bcfc5ec77a39f0

          SHA1

          fb8912dfde91ee4543d2fb34eed134550f3ba486

          SHA256

          d177e51c4d67ef9be23ff07f4de383534d8b450b49016c534231f9346633dccc

          SHA512

          2e04255c2826212db4188b3d39052998efe92b254b15204d17df993d9ef2ef50c7286ee85c727e53a72045015ead18d201f26ce675024688194ad8e639ef950f

          Download Submit
        • \ProgramData\Microsoft\Device Stage\Task\ZV1dlqCRSyMJBZlkh05xKehlQsYSxXZwCO7m9i982yt5hMqHXha9Deqh.bat
          Filesize

          2.2MB

          MD5

          fc0891c806cc0e8feef8ca6b63e0c39f

          SHA1

          f4c4f7acddcc0fac6b0b35312a28df67c40824ad

          SHA256

          d1a9e67dd6d14e0134f48900e373ccd37c29eeca81932c48a5399d4465dd3008

          SHA512

          af5b38c6c172627f4ee46ac7aefbe918e1748b7b234bf9b2f3385a897b2bdacc908253d90eee4cf0530c6130788c98c341f7131077132c253030d656e386f175

          Download Submit
        • \ProgramData\Microsoft\Device Stage\Task\ZV1dlqCRSyMJBZlkh05xKehlQsYSxXZwCO7m9i982yt5hMqHXha9Deqh.bat
          Filesize

          2.2MB

          MD5

          fc0891c806cc0e8feef8ca6b63e0c39f

          SHA1

          f4c4f7acddcc0fac6b0b35312a28df67c40824ad

          SHA256

          d1a9e67dd6d14e0134f48900e373ccd37c29eeca81932c48a5399d4465dd3008

          SHA512

          af5b38c6c172627f4ee46ac7aefbe918e1748b7b234bf9b2f3385a897b2bdacc908253d90eee4cf0530c6130788c98c341f7131077132c253030d656e386f175

          Download Submit
        • \ProgramData\Microsoft\Device Stage\Task\ZV1dlqCRSyMJBZlkh05xKehlQsYSxXZwCO7m9i982yt5hMqHXha9Deqh.bat
          Filesize

          2.2MB

          MD5

          fc0891c806cc0e8feef8ca6b63e0c39f

          SHA1

          f4c4f7acddcc0fac6b0b35312a28df67c40824ad

          SHA256

          d1a9e67dd6d14e0134f48900e373ccd37c29eeca81932c48a5399d4465dd3008

          SHA512

          af5b38c6c172627f4ee46ac7aefbe918e1748b7b234bf9b2f3385a897b2bdacc908253d90eee4cf0530c6130788c98c341f7131077132c253030d656e386f175

          Download Submit
        • memory/564-62-0x0000000000000000-mapping.dmp
          Download
        • memory/564-68-0x0000000000400000-0x000000000042D000-memory.dmp
          Filesize

          180KB

          Download
        • memory/564-78-0x0000000000400000-0x000000000042D000-memory.dmp
          Filesize

          180KB

          Download
        • memory/564-82-0x0000000000400000-0x000000000042D000-memory.dmp
          Filesize

          180KB

          Download
        • memory/952-55-0x000007FEFBB81000-0x000007FEFBB83000-memory.dmp
          Filesize

          8KB

          Download
        • memory/1036-76-0x0000000000DD0000-0x0000000000DFD000-memory.dmp
          Filesize

          180KB

          Download
        • memory/1036-67-0x0000000000DD0000-0x0000000000DFD000-memory.dmp
          Filesize

          180KB

          Download
        • memory/1036-66-0x0000000000DD0000-0x0000000000DFD000-memory.dmp
          Filesize

          180KB

          Download
        • memory/1036-77-0x0000000000DD0000-0x0000000000DFD000-memory.dmp
          Filesize

          180KB

          Download
        • memory/1340-54-0x0000000000400000-0x000000000042D000-memory.dmp
          Filesize

          180KB

          Download
        • memory/1340-56-0x0000000000400000-0x000000000042D000-memory.dmp
          Filesize

          180KB

          Download
        • memory/1828-80-0x0000000000000000-mapping.dmp
          Download
        • memory/1828-85-0x0000000000400000-0x000000000042D000-memory.dmp
          Filesize

          180KB

          Download