Overview

overview

10

Static

static

62d78ad3b7...d8.exe

windows7-x64

10

62d78ad3b7...d8.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    158s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-11-2022 08:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    62d78ad3b7bf9441610d114bfc28ba98e3b837ce31418f47938609ac842b25d8.exe

  • Size

    1.1MB

  • MD5

    589e542e797c5853842d692221855347

  • SHA1

    180fb3a204a3b6b54e349de423be054affb2aecf

  • SHA256

    62d78ad3b7bf9441610d114bfc28ba98e3b837ce31418f47938609ac842b25d8

  • SHA512

    34a62809c8ae47cd988f80565492346c87a30ce13781dbc9c6a12ce93e17925ea12458bc6b384c0da905a249f0c3275bb9188b5df9cb8fa912aad666d7c4429c

  • SSDEEP

    3072:aSsvihLlTQz9z71iURo2SJJmY6uFNcgifDbmeTXwVdBR:rsqhJMxzJiU5SeLmNSbmebW1

Score
10/10
persistencespywarestealer

Malware Config

Signatures

  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Adds policy Run key to start application 2 TTPs 7 IoCs
    persistence
  • Executes dropped EXE 2 IoCs
  • Sets file execution options in registry 2 TTPs 8 IoCs
    persistence
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 10 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Windows\system32\lsass.exe
    C:\Windows\system32\lsass.exe
    1⤵
      PID:672
      • C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\O7zAInMXQGiPisjw.bat
        "C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\O7zAInMXQGiPisjw.bat" 2
        2⤵
        • Executes dropped EXE
        • Sets file execution options in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2312
    • C:\Users\Admin\AppData\Local\Temp\62d78ad3b7bf9441610d114bfc28ba98e3b837ce31418f47938609ac842b25d8.exe
      "C:\Users\Admin\AppData\Local\Temp\62d78ad3b7bf9441610d114bfc28ba98e3b837ce31418f47938609ac842b25d8.exe"
      1⤵
      • Adds policy Run key to start application
      • Modifies data under HKEY_USERS
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      PID:1708
    • C:\Windows\system32\LogonUI.exe
      "LogonUI.exe" /flags:0x4 /state0:0xa39ed055 /state1:0x41c64e6d
      1⤵
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      • Suspicious use of SetWindowsHookEx
      PID:4404
    • C:\Windows\system32\gpscript.exe
      gpscript.exe /Shutdown
      1⤵
      • Modifies data under HKEY_USERS
      • Suspicious use of WriteProcessMemory
      PID:4452
      • C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\O7zAInMXQGiPisjw.bat
        "C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\O7zAInMXQGiPisjw.bat" 1
        2⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • Adds policy Run key to start application
        • Executes dropped EXE
        • Sets file execution options in registry
        • Modifies data under HKEY_USERS
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1980

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Registry Run Keys / Startup Folder

    2
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    2
    T1112

    Credential Access

    Credentials in Files

    1
    T1081

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Data from Local System

    1
    T1005

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\Microsoft\SmsRouter\6R16W2UTwBm2kxfUIQstjTl86aMnO5qqPGcvtNxF9jF4e1kI3jq9qJ49oSJ428U2jEM.exe
      Filesize

      2.1MB

      MD5

      97c8edc915dc025d778620cfe72bb1b6

      SHA1

      1a10fb0a6a82f3020def01989e2854fa95065908

      SHA256

      9106f0f22ae5782a22752b0ae5ce4393cb6b318b8b68aab9f0553510d994dfa5

      SHA512

      15b15c1c5c2a51b7223fb5c562f09df032bd3ae7c175977b1a2e034d46e1d286fdb16bca6bb6d52b95f8a47bc92ec3b8843618b591e2a1d5a0f3157a7441d10d

      Download Submit
    • C:\ProgramData\Package Cache\LgoKNNdADLiaB8qDtorSz6yrt4GowAFeJpJ57krtSJdTEMmrPG.cmd
      Filesize

      2.1MB

      MD5

      0aa83a2f9e76afb5dfa00473e63b0332

      SHA1

      cd880e855548d398700cf2eabc22f6a1dafb3870

      SHA256

      dabd984f38166a0d05c5b3c9d70b35b7c90c535ea7c1a40612d7c8ca4fc48a63

      SHA512

      181a077c1c68c6e1c30c16524d4d653da5e2d0febb8f47c22f03c33db4956cc76cf31c31093d6583c34ab0439a35c4fb57c26b0e5037b26b3add65330230318a

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\2udpIJXtrIJP2KiFqdNwC1FBWynW9UF.exe
      Filesize

      1.9MB

      MD5

      a595696fae7b435f2766dacb0a9ec8b1

      SHA1

      1cd49fbbd4f86d546b9c9fa9107ee90a4fdf6603

      SHA256

      e1d14d07f80680fc47208b89d0b50e556838770449e23a772703cb7307faf761

      SHA512

      cad7be0176374bdc7ddb9d1e64b0bc257f4fdf7c2ebf9e962c65aa8f7db287fc20857ba737f0f8841a4f5a731dab11fa400f5b66bdea35b1e40e7a8fd13a063c

      Download Submit
    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SafetyTips\cc8KUDhIIFUfRT3Cc2MQfrXN9CyKUW7F51Tj0T1nvsqyKs2I68.exe
      Filesize

      2.2MB

      MD5

      a51ef8267ff90e6f82f7061086c0d83c

      SHA1

      dd09283af30b20458945688b480ff5c9246101d3

      SHA256

      503d7bad3e091bfa83fc567b70f86fedd67e2819487eebd61ea845db8d051fdc

      SHA512

      c2ea26112917aaf7a50bef7f1da69598879dc372faf85ede90cb8c8ce3e73829350eae174f548f626fe416f25858a20325b2555e779acb9ba701c817d2da8bd7

      Download Submit
    • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\26310719480\IuSpvtlHh9eS0oMBkDO.exe
      Filesize

      1.8MB

      MD5

      8e07ee000fe2a689f10e738b3a2a39ac

      SHA1

      50f3cc110b1849d7c55ce8550abb7cc63c36b4b8

      SHA256

      bffd374e12458effd8a068d1c8d899d9a8d3ba6b3908aa885fd12055271f21b7

      SHA512

      6a712062497e8d31df1ee4a34bc10fa689a3f9e6e1b51db7c73c3b07d697f28f72760aaf8ed040158d29f7977761ca4043245561bc88621d28034db5d88b12ff

      Download Submit
    • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\AppData\r6MBOQ2DBOw66yXmejLkK6Q0aYGLS8Wq27S7xc.exe
      Filesize

      1.2MB

      MD5

      b9c30644823653d1621a6d83790f87df

      SHA1

      56b2b3791b82494b7c6e43d47ec671061a13bc5c

      SHA256

      46c21b8c32c020b1e9729520c922d020f3841258e4e1f69248e20ca7274fba59

      SHA512

      4c77def98f6b792ee7531a304a425352812f9a63969b735471d40fa9c72a5be487bf8ad6d4aa6c8c65beea60be027603085e5508c04effebf04b44c120fee13e

      Download Submit
    • C:\Users\Admin\AppData\Local\Packages\NcsiUwpApp_8wekyb3d8bbwe\AC\INetCache\uQUBaIS8hXjWhkrLSi3LlpwqoQOmYrqlkdvL6FoOtySctGX3ZM26JD1a2gas5an.exe
      Filesize

      1.5MB

      MD5

      eeaf083a894f0e5bb4e8c1d29fed5431

      SHA1

      205f9955040218706cb548010f3eaa7140bfd80a

      SHA256

      4ef7304e9da3da824bf8dc4f521e9bd8e6c8a7c027d786989544bce4686ff591

      SHA512

      0960953195754baa4bec8a703d89f9b8d77110b1a1aa538751edbf14f1e9e10fcae9288cc119b3cf706199637d6b55a06abd2a2f35e4a5848717e86d59b5426e

      Download Submit
    • C:\Users\Admin\AppData\Local\Packages\c5e2524a-ea46-4f67-841f-6a9465d9d515_cw5n1h2txyewy\AC\q9f1JqnmJtjstXChpG9wnYoJV3wCEplG77N1yPffdqpLw7Z.cmd
      Filesize

      1.7MB

      MD5

      fbc77f1dc02688ddcef947ba20a19dbd

      SHA1

      a9de45c1ee8de01db8ba7bc71331b2e495ec77c2

      SHA256

      6aa92f29b110bd04dd73dd66b549dfb616511d7d7fc857efb34d3af11cdf291b

      SHA512

      97dee54cbba201502fe770478d49c0e23e291f43d072751047d680f6783e1441c538df97fbbe980b9282e7f9a50bdd5e1e5860e3aadc3b1670982ea7198767f9

      Download Submit
    • C:\Users\Admin\AppData\Local\Publishers\Frl9Vog7LHROoeX.exe
      Filesize

      1.1MB

      MD5

      806e034d77bd0e3ae6d6348fcc030be1

      SHA1

      76ad39534d3f43afde0a0b2fb2d28155a1b0b702

      SHA256

      a1049477c9e02bb7cc75f8096a5f84dbfb85a2490ef016370a69bc6e67aba7a0

      SHA512

      47271d0724350c96b54c743c291febd7e3842e2a0b26f77c3425b2cfd44d877fdad5b463603d11b2b5f17813f21f78745ba981ff24e088805b404b757d973d8e

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\O7zAInMXQGiPisjw.bat
      Filesize

      1.5MB

      MD5

      3930648f5881b05eef5265c6157e5aeb

      SHA1

      63dd2dd41e13ff247868cdd943ff942402179d12

      SHA256

      2f6c1a448bbd8dd72a1517878f47e6bcf509f304b0076925f09b4430782319c5

      SHA512

      2afb98e8682fdf64a742bc6ba24e98525b200ce2f408d10c117fb80dda1584b615dd73273559c75a921c5038456c25651a7e25b100acd92ca69e4122cdc1853a

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\O7zAInMXQGiPisjw.bat
      Filesize

      1.5MB

      MD5

      3930648f5881b05eef5265c6157e5aeb

      SHA1

      63dd2dd41e13ff247868cdd943ff942402179d12

      SHA256

      2f6c1a448bbd8dd72a1517878f47e6bcf509f304b0076925f09b4430782319c5

      SHA512

      2afb98e8682fdf64a742bc6ba24e98525b200ce2f408d10c117fb80dda1584b615dd73273559c75a921c5038456c25651a7e25b100acd92ca69e4122cdc1853a

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\O7zAInMXQGiPisjw.bat
      Filesize

      1.5MB

      MD5

      3930648f5881b05eef5265c6157e5aeb

      SHA1

      63dd2dd41e13ff247868cdd943ff942402179d12

      SHA256

      2f6c1a448bbd8dd72a1517878f47e6bcf509f304b0076925f09b4430782319c5

      SHA512

      2afb98e8682fdf64a742bc6ba24e98525b200ce2f408d10c117fb80dda1584b615dd73273559c75a921c5038456c25651a7e25b100acd92ca69e4122cdc1853a

      Download Submit
    • C:\Users\Default\Documents\SPyC3vZsEe99c9ns9Ajdvp14aQkDUNKyLqgi.exe
      Filesize

      1.6MB

      MD5

      73f28dcda841e8733192e81e3b917578

      SHA1

      e2093d1296a61c0414c4c7f31f60eec60b5bf80a

      SHA256

      95993319c50248974418fa299584b47659f4f81486afd156709eb3d3e2f62242

      SHA512

      8cb57a8a957137d97aabd287d06dc3fb77eb3e21fc726628dd72f5df29fd928a180e5a388cb45db3ba55c51e92c25020fe629c81f58682d276d296e248b7395e

      Download Submit
    • memory/1708-132-0x0000000000400000-0x000000000042D000-memory.dmp
      Filesize

      180KB

      Download
    • memory/1708-133-0x0000000000400000-0x000000000042D000-memory.dmp
      Filesize

      180KB

      Download
    • memory/1980-137-0x0000000000400000-0x000000000042D000-memory.dmp
      Filesize

      180KB

      Download
    • memory/1980-149-0x0000000000400000-0x000000000042D000-memory.dmp
      Filesize

      180KB

      Download
    • memory/1980-146-0x0000000000400000-0x000000000042D000-memory.dmp
      Filesize

      180KB

      Download
    • memory/1980-134-0x0000000000000000-mapping.dmp
      Download
    • memory/2312-147-0x0000000000000000-mapping.dmp
      Download
    • memory/2312-150-0x0000000000400000-0x000000000042D000-memory.dmp
      Filesize

      180KB

      Download
    • memory/2312-153-0x0000000000400000-0x000000000042D000-memory.dmp
      Filesize

      180KB

      Download