Overview

overview

8

Static

static

fa9a440db8...c6.exe

windows7-x64

8

fa9a440db8...c6.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    201s
  • max time network
    210s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-11-2022 08:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fa9a440db8225b8f996f478afeb0b7ac395f88ff13543511254e4af8051d0fc6.exe

  • Size

    518KB

  • MD5

    25e285099137741bcf79b1f1d856642d

  • SHA1

    93b9532d874aeca9211066c6cc726d062eb092b3

  • SHA256

    fa9a440db8225b8f996f478afeb0b7ac395f88ff13543511254e4af8051d0fc6

  • SHA512

    14d1a10fa565c94964213fe908b256e385ac8b9ba8f18e8b150338e1fccffe21b640f30a7f9189c72d070b6c8fb84dbfe767dab834b20b533ea51baa0cecb584

  • SSDEEP

    3072:aSsvihLlTQz9z71iURo2SJJmY6uFNcgifDbmeTXwVdBR:rsqhJMxzJiU5SeLmNSbmebW1

Score
8/10
persistencespywarestealer

Malware Config

Signatures

  • Adds policy Run key to start application 2 TTPs 7 IoCs
    persistence
  • Executes dropped EXE 1 IoCs
  • Sets file execution options in registry 2 TTPs 4 IoCs
    persistence
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fa9a440db8225b8f996f478afeb0b7ac395f88ff13543511254e4af8051d0fc6.exe
    "C:\Users\Admin\AppData\Local\Temp\fa9a440db8225b8f996f478afeb0b7ac395f88ff13543511254e4af8051d0fc6.exe"
    1⤵
    • Adds policy Run key to start application
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    PID:2952
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x4 /state0:0xa39aa055 /state1:0x41c64e6d
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:460
  • C:\Windows\system32\gpscript.exe
    gpscript.exe /Shutdown
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of WriteProcessMemory
    PID:3764
    • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\gd\sQJ9PIePSGW64UNZySALAKeL0JR8PobGpj386gqim4SSq.bat
      "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\gd\sQJ9PIePSGW64UNZySALAKeL0JR8PobGpj386gqim4SSq.bat" 1
      2⤵
      • Adds policy Run key to start application
      • Executes dropped EXE
      • Sets file execution options in registry
      • Modifies data under HKEY_USERS
      • Suspicious use of AdjustPrivilegeToken
      PID:4080

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\Microsoft\Windows\ClipSVC\Install\eOAZhHSuXG0vwEDLsFSvn5QepYx6Cr2m8rrcj08HxSwjVNJur.exe
    Filesize

    702KB

    MD5

    08719e5ce80d22f57bbcc2ae591212fb

    SHA1

    dfca090b25407a2f8ab9c9e7e02bef8ad41a5801

    SHA256

    fcd83391f4fe5e5096bafd1a1850380c60be08357eba332f061ff3673ee10b58

    SHA512

    34ff79b82674cd412e5b1fbf01bc0f987b237f8e0c59bef458e8d60f67bee936cd02e7e03be3f856bffc4cf86598d6c95306a16290a58746287e17710153936b

    Download Submit
  • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java Development Kit\OuKA1qbFzF8nFKYVG837L6UOCl4vKlE6CfELH66PRnYVWMgFaRu4nGGhtIicmNJ.exe
    Filesize

    740KB

    MD5

    a6ee7d697a37aecc4bbd85810efce0e0

    SHA1

    23bd18a79f91ed7e58c032d39be75b12e478a2df

    SHA256

    531afd9d6429fe407a6f0835c537658230d8dad39a8299576352e7f05fec9948

    SHA512

    d1381481296f2a89fb1aec77a9326835e716342d0fd5035f90ab9dd6a0a54a650524715a0f9cd6982afdc90474af5782c074ded1de9c6fb59f36b53d4acb7c8c

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\46\VsUfhedaWqnZwdVv4q37iWono4uhH8RwuDlGsQWy3SDl.exe
    Filesize

    1023KB

    MD5

    de60e8cbb59a4f426e1eec3d897ca1c8

    SHA1

    b0ecc8b9e7d12fb2a1e08927bcb26202f9226a69

    SHA256

    4b855a9338d758076cc142422dc3f6aef1f1a351cf22765550e14fbba0912efe

    SHA512

    9cb0e7de6058d45f29c100fc4a53efa78ab4ba53ca23457a0baae34fbf51b5e304ba3b48d4bfa2e78652ac55e6af97ad9ece54523611799cbb28e046552bcfb2

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\gd\sQJ9PIePSGW64UNZySALAKeL0JR8PobGpj386gqim4SSq.bat
    Filesize

    752KB

    MD5

    e649003d57ac8196612b23235b6a70f0

    SHA1

    086da99053824f88941dd969abc74167110115ff

    SHA256

    aaa3656937985784f754240ca75ef0e50b8b408e06efbfd37fce9b75de68dab2

    SHA512

    4a2898cf3506781a9ca63f8cbd1e9f3417f0001bfe8d3ebeed9e1971d4639e83734261665a9dd8fb2ec3a800f1df9c7c306a9dffaef4d0d7d3e7c61af32cd6ea

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\gd\sQJ9PIePSGW64UNZySALAKeL0JR8PobGpj386gqim4SSq.bat
    Filesize

    752KB

    MD5

    e649003d57ac8196612b23235b6a70f0

    SHA1

    086da99053824f88941dd969abc74167110115ff

    SHA256

    aaa3656937985784f754240ca75ef0e50b8b408e06efbfd37fce9b75de68dab2

    SHA512

    4a2898cf3506781a9ca63f8cbd1e9f3417f0001bfe8d3ebeed9e1971d4639e83734261665a9dd8fb2ec3a800f1df9c7c306a9dffaef4d0d7d3e7c61af32cd6ea

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\gu\YC478YufrPI3W59OEdTWrbBcHSNzgfYGjPi8l7yDJh4K8fIaD.exe
    Filesize

    864KB

    MD5

    cbd018c85a2fc45deac3b9a019b1f461

    SHA1

    09db0b50257cb365c11643d2ddbdbf1c27bfb2a1

    SHA256

    fd3d247b7ef332ddc0c4758bb7a65303c9f26ea579f918896921944240160196

    SHA512

    61d973cb1f4ed4a4ebd9a32e7aa13c6c1052b99f3be36302483c1880370b89ec81ed4bfde267dada04a1e90fd6a0dabb7e6430e888c96eb313aeb6b3791c2f66

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\input\en-ZW\2tXDqmy0O1PownJ9uepmE3M9V7mrKbtwo1MsP.exe
    Filesize

    877KB

    MD5

    9d6408cdb1af9a52feed31d99bc682c2

    SHA1

    41610ca889dd2bdd3dd3480130a51ea6a6b154f1

    SHA256

    f406b83adc0adb73260c6e73b70b8f6fb5e9e5fe9761dd86d4f0a3ebc860740f

    SHA512

    38d3ea1d353255a4d60fb1e2efccc62d6b87f45406ae79b00849152069630525c3ec3ad42edc3df724c5a4874bbd2f467adf56e9a4363edb127247c9e4b1b26d

    Download Submit
  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\AC\INetCache\OcLiOgSmtcpr2fImxO6TMpOtw5tPHWarxyXugu.exe
    Filesize

    840KB

    MD5

    09e07d04d0aa710bf15c856b55687a61

    SHA1

    6734a1c4b3ddfb1573728e420f2bff28b3fc43ee

    SHA256

    0b357533ed5f6ef90376f3f2712e91aa0d4148649a37a00a96238fcdd28e6df4

    SHA512

    532d19a102fef6adf8018c285d33f69fc1fa681a873943eb2ef5d7c161db40dc612e027f12a98966db6b2f52d1af4fef9e0e08d04d44914e503894144b0d2267

    Download Submit
  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{ab795a40-059e-4552-b627-00ce5c0e98ee}\EWXi8eY96XTPQsi88SWk8Woq9Ygkc5zT96B0JR.exe
    Filesize

    762KB

    MD5

    0dfaca83236e94f763c89908ea986f52

    SHA1

    21b149566c03d23e48a4725fa5bf75572edc6d98

    SHA256

    144ede584dd7631a17251be728ab4e020632571c13ac261f0c3287462fc9748f

    SHA512

    15874ab254eb8ba5326d9f5045e88bcde3dda45bba7fa422d8ed2da2e127034a9652916c7e3dd200c673a8e8dc53ac0a09450a0b1c2fe10e7483f8fa6b24302c

    Download Submit
  • C:\Users\Admin\AppData\Local\Packages\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\AC\INetHistory\zFrLBYSI0jdRr7hRL3bfpZ.exe
    Filesize

    737KB

    MD5

    0edc297a7a90f89286871592f30967e7

    SHA1

    c0b4b06e380f65cb4cf77bc7212ecfa27a40a590

    SHA256

    4aa7c3864c5a7219d15b49f950624635d000a4ac521aadd33114a656047c165e

    SHA512

    b6cbd1ed9a4f9903b134e272eb5b3908c41dc547b672b2d1845d282b52e414f318c2c8f1b4d5bf50f2144ae763126144552500dcebd13e873aeb8ea867795d28

    Download Submit
  • memory/2952-132-0x0000000000400000-0x000000000042D000-memory.dmp
    Filesize

    180KB

    Download
  • memory/2952-134-0x0000000000400000-0x000000000042D000-memory.dmp
    Filesize

    180KB

    Download
  • memory/2952-133-0x0000000000400000-0x000000000042D000-memory.dmp
    Filesize

    180KB

    Download
  • memory/4080-138-0x0000000000400000-0x000000000042D000-memory.dmp
    Filesize

    180KB

    Download
  • memory/4080-135-0x0000000000000000-mapping.dmp
    Download
  • memory/4080-147-0x0000000000400000-0x000000000042D000-memory.dmp
    Filesize

    180KB

    Download