Overview

overview

10

Static

static

d7612df93b...a2.exe

windows7-x64

8

d7612df93b...a2.exe

windows10-2004-x64

Analysis

  • max time kernel
    203s
  • max time network
    35s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    25-11-2022 08:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d7612df93b873f6944f32afb524ebf71bb5cc03edbee35cb3ea2fa5baec58aa2.exe

  • Size

    682KB

  • MD5

    185f57273dd9adc50aafe536423e391a

  • SHA1

    53d6c4cb3431685cad6013415e0efd8be9570c19

  • SHA256

    d7612df93b873f6944f32afb524ebf71bb5cc03edbee35cb3ea2fa5baec58aa2

  • SHA512

    181a7d9b237119298c44c31739c609af6569cd91b2cb79d90a52fa68b4f1cac4a9c473d79b179f7e2691748a5ff5722600d2f2b1ee3d743895c471521f7b7c25

  • SSDEEP

    3072:aSsvihLlTQz9z71iURo2SJJmY6uFNcgifDbmeTXwVdBR:rsqhJMxzJiU5SeLmNSbmebW1

Score
8/10
persistencespywarestealer

Malware Config

Signatures

  • Adds policy Run key to start application 2 TTPs 7 IoCs
    persistence
  • Executes dropped EXE 1 IoCs
  • Sets file execution options in registry 2 TTPs 4 IoCs
    persistence
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS 55 IoCs
  • Modifies registry class 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d7612df93b873f6944f32afb524ebf71bb5cc03edbee35cb3ea2fa5baec58aa2.exe
    "C:\Users\Admin\AppData\Local\Temp\d7612df93b873f6944f32afb524ebf71bb5cc03edbee35cb3ea2fa5baec58aa2.exe"
    1⤵
    • Adds policy Run key to start application
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    PID:1140
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x0
    1⤵
      PID:1520
    • C:\Windows\system32\AUDIODG.EXE
      C:\Windows\system32\AUDIODG.EXE 0x56c
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1436
    • C:\Windows\system32\LogonUI.exe
      "LogonUI.exe" /flags:0x1
      1⤵
        PID:676
      • C:\Windows\system32\gpscript.exe
        gpscript.exe /Shutdown
        1⤵
        • Loads dropped DLL
        • Modifies data under HKEY_USERS
        • Suspicious use of WriteProcessMemory
        PID:1332
        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ae6vytmk.default-release\crashes\events\rx5vjYLPDeQv8h2O1tzpSaZampHs49wHu8IyfWL2mtiv.bat
          "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ae6vytmk.default-release\crashes\events\rx5vjYLPDeQv8h2O1tzpSaZampHs49wHu8IyfWL2mtiv.bat" 1
          2⤵
          • Adds policy Run key to start application
          • Executes dropped EXE
          • Sets file execution options in registry
          • Modifies data under HKEY_USERS
          • Suspicious use of AdjustPrivilegeToken
          PID:2028

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\ProgramData\Microsoft\Assistance\Client\1.0\en-US\lUXYyQ9yScezH8c0Ho8NlKkJRkcg5ynleKc2S56RT6QJ6l5sKUPNNpJ.exe
        Filesize

        1.1MB

        MD5

        be3ce1882e2ad5383436b40b7dfeec51

        SHA1

        79b5c623f7220d244b3327cb73a3b466679a8f45

        SHA256

        c013ba9e83b40ea345a6880c69a1c4400af45154672165f5866327accf8dce48

        SHA512

        bce90022beb2f1bb9666c0ee2cb06677d2ca78195b7399206ad2aa14e6776897e30e52d7556ea28d1b1b2d2a230f53b9f48ad9d895cc2f9c223adc6c57847e83

        Download Submit
      • C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\hTBaFIyRx1V95OmKcMotETbw7UUujLaCvmMekbUHFiqd6WD1PNNGcffY.exe
        Filesize

        703KB

        MD5

        1dcbf8d1889fb2d8d78aeb433f823a44

        SHA1

        8f44a605ecc48759fb9017a7f43c2a80eab2ed4a

        SHA256

        077f1bb01678794f099e7bf1b66d6251d2f9e78a2037709c5b27369f015e96ae

        SHA512

        dbc7817d45bf6ee80fc96be5772a078a6231882aadc56101b8d0339231ea3d265b05acac3cc2b472f14c85dc5f1068fa477842302c397883b3d2317ff98582e9

        Download Submit
      • C:\Users\Admin\AppData\Local\Adobe\Acrobat\9.0\dQYJlRFK68az6pBweePMtWslIXL03DBG31.exe
        Filesize

        995KB

        MD5

        acdb866affdce280c6c0cf577a448ff6

        SHA1

        2db874c4e5468d3fe82d9f2afb47c2c23827f734

        SHA256

        04cbffcdbce4c6ef311677ea99320cf2396fbd460c6cb42c9ac631c4c8c6a130

        SHA512

        e620798299dcc002a7da38b7a3fbd605b2fb799541894957ff7f9001a3258bf2534f23de16cec5815790f867a6f5d5dcb528e9a42daa05655f07c5f964b97d15

        Download Submit
      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\GPUCache\OQ096TZKVkeViW8oQFWEAIUojX.exe
        Filesize

        741KB

        MD5

        e76fc46be0ae458d120cc219deb3857a

        SHA1

        c08ec6aadbd29cc52c0d9b962dd17647cd7e7098

        SHA256

        7e6ec1ac2674fd55f829b8475533fbd45ee7d1928961060ebb1e0db9e6b390cd

        SHA512

        18abd24fa6a41114b3fbd96ddc71e4f8978071af50ccb8966d235c36c77948eb41ab5014834ebef81aa3e74f3f6597d2a89f546c7d18062e0683518c8619d957

        Download Submit
      • C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\KvpilkimOMq55.exe
        Filesize

        781KB

        MD5

        99b2356217f576edcf76d80b47b846d5

        SHA1

        fe97815120bfbf5ff6307e9a81bd5605b82b056d

        SHA256

        de748436c5c4997b7c2318907605f267a66ebf526488c8f8d48cd7a3e024fbaa

        SHA512

        a9199597de01046cb35034ae9ee75270df1fe31bdef7023864a60129935c691514a331a6c8f4f3b7acef6aff19347c8f85f8d59a50502a2024f29a4c5d53b039

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\612334118\iLMeXsl9oKtoIsQc3AMev1.exe
        Filesize

        841KB

        MD5

        cbcb15d2b878e9e3dde043b87a700c22

        SHA1

        e27c87fc578ecef8a014551c8c19089a2c647876

        SHA256

        65e1701c702d7103e167c5316442811f8b31b82e91a06ab717f562786db28acc

        SHA512

        8c6721847832964f56b6cf133a9e68e4b8d6156041d198761e67c8e9bbfffa4d050d5d4eb1390f0a8b6bbe0fff999742694054850c3b6343c896eaeaa6813b65

        Download Submit
      • C:\Users\Admin\AppData\Roaming\Identities\{74A2ADB8-758C-4A03-AB80-FD816571C991}\0LcDK7mWPzJeUydql0TMAbb5cN5OVW1i3357u1jwmBd9Z.exe
        Filesize

        861KB

        MD5

        12e4f0505b83f980df22910aa360ad07

        SHA1

        08448468bc1ed1ca0806f905f37096922e94d2bf

        SHA256

        e8a5c32fb5cc41d7fb01717b8add96449b37e1d928b57142b7b79fec6a0ca43b

        SHA512

        9d2e02d0942db5b1737d04450e6911aefaea9855fcff948026b6f0e2d0ce3b1efce6c3275284e3de6cf45aa8d90c72d1a1422466391ff566b6237df7ed9d7471

        Download Submit
      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ae6vytmk.default-release\crashes\events\rx5vjYLPDeQv8h2O1tzpSaZampHs49wHu8IyfWL2mtiv.bat
        Filesize

        746KB

        MD5

        51ceb19a53961383886211a3541b6e0e

        SHA1

        50c5c40bf28bec237378c811aca8d61b15c07ff3

        SHA256

        0d65dee47fcc52b9d78d5790d518c727f535d678046891dba80f5a6dfbe50f51

        SHA512

        9c94108e8e08d31c4a3a53e1c609e00b8d9ec517d557f9a81ac384ec7b75d0ed90bedc5f230a44f8f2e41c07b52291d631b80acb0f2807c177e4356e8672b662

        Download Submit
      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ae6vytmk.default-release\crashes\events\rx5vjYLPDeQv8h2O1tzpSaZampHs49wHu8IyfWL2mtiv.bat
        Filesize

        746KB

        MD5

        51ceb19a53961383886211a3541b6e0e

        SHA1

        50c5c40bf28bec237378c811aca8d61b15c07ff3

        SHA256

        0d65dee47fcc52b9d78d5790d518c727f535d678046891dba80f5a6dfbe50f51

        SHA512

        9c94108e8e08d31c4a3a53e1c609e00b8d9ec517d557f9a81ac384ec7b75d0ed90bedc5f230a44f8f2e41c07b52291d631b80acb0f2807c177e4356e8672b662

        Download Submit
      • C:\Users\Public\Pictures\Sample Pictures\LrQr9IYcDSktVVkyNHfg4QZEhuxD7M3DXuycPRXkV2jpVLZJeMf6pFyudgbjDulF4y4UNSh.exe
        Filesize

        748KB

        MD5

        6405aca1d6197da0c1017979fde8d64f

        SHA1

        4a0c095ab633d3293d2b5bbf78dbf7d647b64436

        SHA256

        169ccafd76f298b16c50d1cd2f3463cbaa881189295e87a608c0edd04ef5854e

        SHA512

        693b4e598d3826f5879c9e4c61dba3d4eb2349e6fe43a9328cb27bf0d4656597dec22a6e2b9d881cfc04f464974d5dac39348c85cad43cb334f5108922a8559b

        Download Submit
      • \Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ae6vytmk.default-release\crashes\events\rx5vjYLPDeQv8h2O1tzpSaZampHs49wHu8IyfWL2mtiv.bat
        Filesize

        746KB

        MD5

        51ceb19a53961383886211a3541b6e0e

        SHA1

        50c5c40bf28bec237378c811aca8d61b15c07ff3

        SHA256

        0d65dee47fcc52b9d78d5790d518c727f535d678046891dba80f5a6dfbe50f51

        SHA512

        9c94108e8e08d31c4a3a53e1c609e00b8d9ec517d557f9a81ac384ec7b75d0ed90bedc5f230a44f8f2e41c07b52291d631b80acb0f2807c177e4356e8672b662

        Download Submit
      • \Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ae6vytmk.default-release\crashes\events\rx5vjYLPDeQv8h2O1tzpSaZampHs49wHu8IyfWL2mtiv.bat
        Filesize

        746KB

        MD5

        51ceb19a53961383886211a3541b6e0e

        SHA1

        50c5c40bf28bec237378c811aca8d61b15c07ff3

        SHA256

        0d65dee47fcc52b9d78d5790d518c727f535d678046891dba80f5a6dfbe50f51

        SHA512

        9c94108e8e08d31c4a3a53e1c609e00b8d9ec517d557f9a81ac384ec7b75d0ed90bedc5f230a44f8f2e41c07b52291d631b80acb0f2807c177e4356e8672b662

        Download Submit
      • memory/1140-54-0x0000000000400000-0x000000000042D000-memory.dmp
        Filesize

        180KB

        Download
      • memory/1140-56-0x0000000000400000-0x000000000042D000-memory.dmp
        Filesize

        180KB

        Download
      • memory/1332-65-0x00000000011B0000-0x00000000011DD000-memory.dmp
        Filesize

        180KB

        Download
      • memory/1332-67-0x00000000011B0000-0x00000000011DD000-memory.dmp
        Filesize

        180KB

        Download
      • memory/1332-68-0x00000000011B0000-0x00000000011DD000-memory.dmp
        Filesize

        180KB

        Download
      • memory/1332-64-0x00000000011B0000-0x00000000011DD000-memory.dmp
        Filesize

        180KB

        Download
      • memory/1520-55-0x000007FEFC201000-0x000007FEFC203000-memory.dmp
        Filesize

        8KB

        Download
      • memory/2028-66-0x0000000000400000-0x000000000042D000-memory.dmp
        Filesize

        180KB

        Download
      • memory/2028-62-0x0000000000000000-mapping.dmp
        Download