Analysis

  • max time kernel
    188s
  • max time network
    192s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25-11-2022 08:46

General

  • Target

    1f322bbac8688707fe451ec0053cfeabd36e2e5270332fe8b506e22d5cf3d33b.exe

  • Size

    561KB

  • MD5

    d6f88a3ae30bf65a923656080b293f32

  • SHA1

    0ed5fec8b2b9aa2f372043f1f0f8a079c6098166

  • SHA256

    1f322bbac8688707fe451ec0053cfeabd36e2e5270332fe8b506e22d5cf3d33b

  • SHA512

    3a5d29eac681f6a289940f66e7e1236dffe119d59cae3435fe7063cf52b2297804ea394eea5318bde4871fe0a0d8af63599e8af7080b6b266fcfb25eb3e26bb0

  • SSDEEP

    3072:aSsvihLlTQz9z71iURo2SJJmY6uFNcgifDbmeTXwVdBR:rsqhJMxzJiU5SeLmNSbmebW1

Malware Config

Signatures

  • Adds policy Run key to start application 2 TTPs 7 IoCs
  • Executes dropped EXE 1 IoCs
  • Sets file execution options in registry 2 TTPs 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1f322bbac8688707fe451ec0053cfeabd36e2e5270332fe8b506e22d5cf3d33b.exe
    "C:\Users\Admin\AppData\Local\Temp\1f322bbac8688707fe451ec0053cfeabd36e2e5270332fe8b506e22d5cf3d33b.exe"
    1⤵
    • Adds policy Run key to start application
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    PID:2968
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x4 /state0:0xa39d6055 /state1:0x41c64e6d
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:5036
  • C:\Windows\system32\gpscript.exe
    gpscript.exe /Shutdown
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of WriteProcessMemory
    PID:2460
    • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\LocalCache\xJWAbKbadLbZ0V3U0qBkaULdN7p.cmd
      "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\LocalCache\xJWAbKbadLbZ0V3U0qBkaULdN7p.cmd" 1
      2⤵
      • Adds policy Run key to start application
      • Executes dropped EXE
      • Sets file execution options in registry
      • Modifies data under HKEY_USERS
      • Suspicious use of AdjustPrivilegeToken
      PID:2504

Network

MITRE ATT&CK Enterprise v6


Downloads

  • C:\ProgramData\Microsoft\Provisioning\privfcrgVcq.exe
    Filesize

    977KB

    MD5

    31ef8c574c9527adb6a88c7e480cd13f

    SHA1

    3e29d197ae85632b69ed20f989bd83830aac5199

    SHA256

    b4a71df8643883afacbcd2f776b2b432c515da033137f3c4deaa9c63e74b28d7

    SHA512

    2fa710396236fcf58b7f810a4c654c94689664388bc8fcc32d2309df6c25218ecf873cdd6b4d926ba3e8239976fcabd16ffc355f3b999887885b44cad6a94b63

  • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java\OotYluvWyJ2eFY.exe
    Filesize

    972KB

    MD5

    8b9c5608f7eb34c3e09729650da2855d

    SHA1

    04c4a548127a0d9be012782f4f959b73c5654cb5

    SHA256

    9c2f42edf0d7e9ba0121cf85776b495e6375bd623c3363067d2b17b63d65c4eb

    SHA512

    aed608f515680b1386fb0db0ac60b7d454044a1335989f40b3491f073dd4ea38d9bae97eb05c033fce318586a42ea1747bc802fb41e5604313f48699ceda1d5d

  • C:\ProgramData\Packages\Microsoft.SkypeApp_kzf8qxf38zg5c\RPYTAn8omJc18NbU88F1fr1BnQ51gYIHAm0L0FEiFNpySt.exe
    Filesize

    1.0MB

    MD5

    2be472515a8c125a12a66c9346580490

    SHA1

    9a9c54247bfab9aab1a07161b013d53699579cbd

    SHA256

    fb95cec29bccbabf82889c53ffb3fce865d38e1eac474411aab25ce96bf93e9d

    SHA512

    f597bc4283fb23532b3ee63349ea8f499cf467e8091d0e6153804334cd91ab5e9cab5aaf0ace3c2c2f5b7661088079d0a6827fe593861920bc3ff1da6d6913cc

  • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\quz-PE\ttaAvCCgg.exe
    Filesize

    763KB

    MD5

    fc4cdcbc6c955afcaeb1d96dca5d0707

    SHA1

    29583c2247990257d0f558a579542477f9c998b9

    SHA256

    e9277f79456af7b7f93d356cc9fecec2f452ba6ba5dc0d6aef0ca8173428c81b

    SHA512

    dd28eeba87cc59351474ef9d4d693e3dafb5b4204b4aed93b3282cc8525d9a596f577fe7ade3eab0eefe5e7ec0e515ada73380f4615a2aad0f153dc84761fec6

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.AccountsControl_cw5n1h2txyewy\AC\INetCache\TRxDqlUN73mofErm79EPIn8xYq4J.exe
    Filesize

    899KB

    MD5

    b00ae045b511e2eb7eed04a2bb04f790

    SHA1

    f96ec36596a61d361afe04f45249d3b6d007f588

    SHA256

    a95bde66ce83739c13a909f2ccf2a34aeec56af4483348ddc06483fd5cb8efa0

    SHA512

    ff2e0563ac2cfa6a937d7d60a6f415887cd1df8af444e70fdb16cd33d63cd9ed07a22ea8481e1921fab41c4cd621633b227a1ae248e53c49ab596dfc7f487d1e

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\TempState\d1TNmBTfx.exe
    Filesize

    996KB

    MD5

    e5e10f8fb4e845d3171ce4adefc838ce

    SHA1

    45b7f858b22e27b48f8b9035f49b8bd044f848aa

    SHA256

    283e10682fb399745574157e464c15c8e846f4105af84fb976c4539d0221f2e6

    SHA512

    0a96dd42059ce16f015e5c8128078a0a473b58dc54c1a4ccfc1267ca073d37a0d159884dfdb44370485bf5285c97c85118e3e3b8218d3b2d5eda6ea612576ff2

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.CapturePicker_cw5n1h2txyewy\AppData\Sgdv7cOh4ciryVqY.exe
    Filesize

    1.1MB

    MD5

    1362b48b3b56fb045cd5a4f9cdb6ba74

    SHA1

    c38ef0675e9f62fad118aeed7305a0c066e8bb46

    SHA256

    46b1e906f27742c58ecf39746806a9f8b1ff1f4650900ea1e378afe36fa97131

    SHA512

    b2616493a0fb9a99c1ca71ee8a2e4e2fffcb06c64de8aefe36b056b07f29df17f6f2a021e22f90a375e0684b121010d12c4eb3cf11308840586e1cb18683c298

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\LocalCache\xJWAbKbadLbZ0V3U0qBkaULdN7p.cmd
    Filesize

    752KB

    MD5

    e4eb17f3c23a216723f4be6ef68127e8

    SHA1

    158c407f6334d922c9848ca9d7806790fd1708e8

    SHA256

    64a99d8aada0fbbe5d6165dbe3bd53ee68bfcaa87378650858ee9689dc41f70f

    SHA512

    920215ddb4821e6a70bf37ee0924af51b6d1020cc7321eb11f25f1cba22c86f25ca8a1932bf5089d791551c9d4a9696532b356ec49a5978fd42b962b396e7a0b

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\oJGtlPtVnH2kbUK.exe
    Filesize

    698KB

    MD5

    8a834e239882c6dc881dac808c2e6848

    SHA1

    6fcc978decc1da2d95435a9387811525e3a9b95d

    SHA256

    dbc13b115378f5c795b9e1177f24dfdb1f303a1ba312b535ad2d6fc90e403387

    SHA512

    2ffbb2499ca0122de478a6b57c87f72441149ae286e58ae38b2767e1c608dc93e03bd2f27aace5b3afffa81f86d2e2fa277e161c5e28267467c4f70537759083

  • memory/2504-139-0x0000000000400000-0x000000000042D000-memory.dmp
    Filesize

    180KB

  • memory/2504-138-0x0000000000400000-0x000000000042D000-memory.dmp
    Filesize

    180KB

  • memory/2504-135-0x0000000000000000-mapping.dmp
  • memory/2968-132-0x0000000000400000-0x000000000042D000-memory.dmp
    Filesize

    180KB

  • memory/2968-134-0x0000000000400000-0x000000000042D000-memory.dmp
    Filesize

    180KB

  • memory/2968-133-0x0000000000400000-0x000000000042D000-memory.dmp
    Filesize

    180KB