Overview

overview

10

Static

static

f7a2b7438b...da.exe

windows7-x64

f7a2b7438b...da.exe

windows10-2004-x64

Analysis

  • max time kernel
    87s
  • max time network
    88s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-11-2022 08:41

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    f7a2b7438b30169234c8c6500c9c5b8a15e40f5f929aae48e69961dd9d8918da.exe

  • Size

    1.4MB

  • MD5

    d238ae7703ab2718b189586a0e5c6bd5

  • SHA1

    4a9c59150e4682c5749902a1c90da24274a5e369

  • SHA256

    f7a2b7438b30169234c8c6500c9c5b8a15e40f5f929aae48e69961dd9d8918da

  • SHA512

    8c6a490ea6cbc93f45bb4d45d02da4152d50aa6af52e3c3bccc51058389f16ea083004c7cce6203ebd59c3c738343763707cb23a9417e3f28b0149169e088b1a

  • SSDEEP

    3072:aSsvihLlTQz9z71iURo2SJJmY6uFNcgifDbmeTXwVdBR:rsqhJMxzJiU5SeLmNSbmebW1

Score
10/10
persistencespywarestealer

Malware Config

Signatures

  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Adds policy Run key to start application 2 TTPs 7 IoCs
    persistence
  • Executes dropped EXE 2 IoCs
  • Sets file execution options in registry 2 TTPs 8 IoCs
    persistence
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 10 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Windows\system32\lsass.exe
    C:\Windows\system32\lsass.exe
    1⤵
      PID:648
      • C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\Reader\DesktopNotification\4csZUe6KNk9.cmd
        "C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\Reader\DesktopNotification\4csZUe6KNk9.cmd" 2
        2⤵
        • Executes dropped EXE
        • Sets file execution options in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4376
    • C:\Users\Admin\AppData\Local\Temp\f7a2b7438b30169234c8c6500c9c5b8a15e40f5f929aae48e69961dd9d8918da.exe
      "C:\Users\Admin\AppData\Local\Temp\f7a2b7438b30169234c8c6500c9c5b8a15e40f5f929aae48e69961dd9d8918da.exe"
      1⤵
      • Adds policy Run key to start application
      • Modifies data under HKEY_USERS
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      PID:2476
    • C:\Windows\system32\LogonUI.exe
      "LogonUI.exe" /flags:0x4 /state0:0xa39eb855 /state1:0x41c64e6d
      1⤵
      • Modifies data under HKEY_USERS
      • Suspicious use of SetWindowsHookEx
      PID:1668
    • C:\Windows\system32\gpscript.exe
      gpscript.exe /Shutdown
      1⤵
      • Modifies data under HKEY_USERS
      • Suspicious use of WriteProcessMemory
      PID:4548
      • C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\Reader\DesktopNotification\4csZUe6KNk9.cmd
        "C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\Reader\DesktopNotification\4csZUe6KNk9.cmd" 1
        2⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • Adds policy Run key to start application
        • Executes dropped EXE
        • Sets file execution options in registry
        • Modifies data under HKEY_USERS
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3032

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\Microsoft\Diagnosis\TenantStorage\P-ARIA\JRj5ZnUlAI2DRkKO9RxGxmtmKlQvu4NOpi1j4F0xr5WeUQJ.exe
      Filesize

      1.6MB

      MD5

      da4000146de00ca7a7acc0de46708fba

      SHA1

      5124c5e35b20051e2b99f2bcfa756bd868ce49ba

      SHA256

      5b5b418ab69c5b3bacd68fdb732bbd962e5887a03c818ae174cfa9307068bd9e

      SHA512

      3bc9d45300fc2fb349706b2531a2a4e86972aff468c1ae37a111a258895a16f3c16bf0c109e17c3f09663e355a625f252353a16b98d3b24d46fa4de560a06ce2

      Download Submit
    • C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Config\mDocuYhDU58MAWqbnY6qM5PAzhrUH0JQyqJWN34oYDe2NVdugRXJ8MhXKPZlhCjO45.bat
      Filesize

      3.9MB

      MD5

      888d8f3ef0d52cfce633e4691576cd40

      SHA1

      860f74433672bf2ec220c18f90bae3dedde67db9

      SHA256

      41ae1aa80cfc18eb1e0fb5a3386602dd2e45128e044d0bb93dbbefaedeb6ac05

      SHA512

      c7ef1a7d1f3eb2b9b714dc83c7631f8ae3d49fea9f4b4e0056d705bb8b2c49e5a93ce8652574b8a61c76b1457669b50bef6074fe70dc06b7e4e3d65f94a0a3e1

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\Reader\DesktopNotification\4csZUe6KNk9.cmd
      Filesize

      2.0MB

      MD5

      eb4dbb7fadd0905309bc3b71a4699c1b

      SHA1

      4fd5ce8d1c5ea51b8a7dec27bbfd929b1030769f

      SHA256

      f7f52d3744d0e7facd0fda45593ee9fbfc3a6dd950fe9407c12f3bdaa340ac41

      SHA512

      01df4a3138fc29f9047aee2c25e6f00308dc3c5265431cd408109b266cd58a07cdf34ce43ac2d0f4b9701f375619612dc8346b359510330732eb73fc30f549d8

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\Reader\DesktopNotification\4csZUe6KNk9.cmd
      Filesize

      2.0MB

      MD5

      eb4dbb7fadd0905309bc3b71a4699c1b

      SHA1

      4fd5ce8d1c5ea51b8a7dec27bbfd929b1030769f

      SHA256

      f7f52d3744d0e7facd0fda45593ee9fbfc3a6dd950fe9407c12f3bdaa340ac41

      SHA512

      01df4a3138fc29f9047aee2c25e6f00308dc3c5265431cd408109b266cd58a07cdf34ce43ac2d0f4b9701f375619612dc8346b359510330732eb73fc30f549d8

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\Reader\DesktopNotification\4csZUe6KNk9.cmd
      Filesize

      2.0MB

      MD5

      eb4dbb7fadd0905309bc3b71a4699c1b

      SHA1

      4fd5ce8d1c5ea51b8a7dec27bbfd929b1030769f

      SHA256

      f7f52d3744d0e7facd0fda45593ee9fbfc3a6dd950fe9407c12f3bdaa340ac41

      SHA512

      01df4a3138fc29f9047aee2c25e6f00308dc3c5265431cd408109b266cd58a07cdf34ce43ac2d0f4b9701f375619612dc8346b359510330732eb73fc30f549d8

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\35\EnyFyfJ9XYm7KxzP08w6deH.exe
      Filesize

      1.5MB

      MD5

      4c108d57d1182b2caf19393be2a1fe54

      SHA1

      240a2e42e8d10bfd9db5e9d707a2b139f12b53b8

      SHA256

      d6382351fe9a3757fb20b6e30ae21f412638ad5617fed3768184439c7ca58d71

      SHA512

      632b86e82464a1691a4dc465e2d567c7eca6118db09e6f4fdbee8ce02a75f108c479652295a3d7898c1ca45723336fe5d85ca97f9716ba0df359cc4d47906aac

      Download Submit
    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\rpGStSSXe1LanHzIgtje2YloNwGlAlgrg5Ikhxkg4jbt5eyp9VJ8JRPsc.exe
      Filesize

      1.4MB

      MD5

      adb9c4dd57ca08a2d856766140c2a909

      SHA1

      814e514dd5bd0ec8c6aa5822327ee1f5feee13d3

      SHA256

      98a2d818bae6d361d6fbe0feeea97ae63378e037584380184dcfd7d9443bbfe0

      SHA512

      b8be9a1a4e03ae7156b631b46b85a46f6bb7a996189f50d0815bd5d39d0d4fc631768f727093424c4fb86cd61f3d2d1cb248ac59efece3ec331f851acfcd1ae2

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\DldI5iQZsXTEeQ3tQdyiwp7lOBIq1qmUCW7kHnrI9x2OwglimcX.exe
      Filesize

      2.1MB

      MD5

      368ca8ff414257e005ce837c41213698

      SHA1

      c33615366cf46b236b26e401953ba0bb07e7dc18

      SHA256

      94020fcbffb5247205d2876551e928507c12bcac11d05b101b40f21288cb80b6

      SHA512

      ed98c4d1b3720a6d8225b7d0ce1ed373aab961817d100f908716c825689a82aa099dc9b0eebac75f76427f4aeae7c20b0606a64d2cd0acb386ec5f474884a932

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\input\en-GB\LjwrBLa7xIOs4aS7BAmyhfejQ8MGRYWBvSesEWBOLhJeilYp5tMkz1SvcPS2WyAYGFyfI2L.cmd
      Filesize

      3.3MB

      MD5

      8209d44b2c5906dd1a9bac19f3c22f97

      SHA1

      33580b2306acc9f03687c138b0f974dc852b8c90

      SHA256

      67a66bb1b9fedd54b0080e48cd205bec9430c9544faec50873021e08ce2d7d6a

      SHA512

      b02c472a70350423d3ec23c59d22b59f315ccb17a0c8845380df8505dc12d387258e2c48590980520fbac89ee2ac3f2f47a201fb080ebe4c997a71aab67f9f48

      Download Submit
    • C:\Users\Admin\AppData\Local\Packages\E2A4F912-2574-4A75-9BB0-0D023378592B_cw5n1h2txyewy\SystemAppData\wy2IHa1cMqXd.exe
      Filesize

      1.7MB

      MD5

      f4e79009c141aade40cdeaff178eab3a

      SHA1

      8dbf844e615a72d708c4754dd156f8a1d8506373

      SHA256

      be5f3de09c419e39b70640844feb062eb41b054fe5f5f203a8f7f8882f0a5864

      SHA512

      1ec4db2ea88e6b02161800ef84f9469ca91884861e5ba3533d739519a37e81b02c0f7a4f2f538c2a0c218f8e621beafb33122bd2d000a5c1813942c598f458ee

      Download Submit
    • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Apprep.ChxApp_cw5n1h2txyewy\LocalCache\aiQswX3SbXNIPjcZwwhlowiIOCdwL.exe
      Filesize

      1.7MB

      MD5

      2e63a1fd2173cc878c02ddc8867ee99a

      SHA1

      0bd1c1dc41708e79c22ffb43f586378aa99af1d1

      SHA256

      fdd61e242988a8e5c99cdc226faaf3cbdfd2787cbb52be5fb8e28e8ce2302c95

      SHA512

      d0ac914114c637516615c0ed62519641d3e6f76785a5fb6a23d9c3e3b4edde20024335579c3e4963ffcf740f4d2f65dca6ef8be1190abd56ac1f5c72495946e1

      Download Submit
    • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\AC\INetCache\nKoltJHn0bqY4PJWDxeiLzNGU5WM1RqOI5vwhMO1RnzBoybddyX3kMBWA2yCv.exe
      Filesize

      2.4MB

      MD5

      4f3640b06e2ecf54633ceddd0b2b9b8c

      SHA1

      f9c134c1c1a9d0fa1bb2d07b4724309a5bb40295

      SHA256

      bdb4b9780c2d3895990aa640c46ed53f9516f337288125e831d1d9042859ec25

      SHA512

      14e0705afa852685225465d895016d7273ab3aee49066e4c40a3cb8fde1e49ce6782f0e3de0536cbcd1576419e20da15be6d489f07daa7a16d3849b71028dd0c

      Download Submit
    • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{fc2412e7-0d03-4bbc-8ebd-8a781652b8a7}\2RqV9VWxnwO5rgvm9Oy6UtDQnCgnZ7V7HmcZQkPul7bQKesFbcAUBNM4bd3Zkp4.exe
      Filesize

      1.8MB

      MD5

      ce7f5df6baec89d9fdf5ea65c9b3321f

      SHA1

      b69dec04ca0c065fde7c74b14d86651c5080a277

      SHA256

      9d52b73401fd10422bb5ae1f9922c01494f82c7ef3d7fc74d88ea691f7b3706a

      SHA512

      8d0d134e18cf0459fbe13eb94c52fcd642253c8fa6983898c5ad3a1d916452a89e383f15e783197eabca907e9056a5c213f57bca0ef956bf7516909db93b791d

      Download Submit
    • memory/2476-132-0x0000000000400000-0x000000000042D000-memory.dmp
      Filesize

      180KB

      Download
    • memory/2476-133-0x0000000000400000-0x000000000042D000-memory.dmp
      Filesize

      180KB

      Download
    • memory/3032-137-0x0000000000400000-0x000000000042D000-memory.dmp
      Filesize

      180KB

      Download
    • memory/3032-149-0x0000000000400000-0x000000000042D000-memory.dmp
      Filesize

      180KB

      Download
    • memory/3032-146-0x0000000000400000-0x000000000042D000-memory.dmp
      Filesize

      180KB

      Download
    • memory/3032-134-0x0000000000000000-mapping.dmp
      Download
    • memory/4376-147-0x0000000000000000-mapping.dmp
      Download
    • memory/4376-152-0x0000000000400000-0x000000000042D000-memory.dmp
      Filesize

      180KB

      Download