Overview

overview

10

Static

static

808bcbf367...da.exe

windows7-x64

8

808bcbf367...da.exe

windows10-2004-x64

Analysis

  • max time kernel
    153s
  • max time network
    34s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    25-11-2022 08:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    808bcbf367c67385e00e9d54cdfed9d99b449b25bcbe50a2015044065370d6da.exe

  • Size

    2.1MB

  • MD5

    b322484e73005048a50faa38667754b7

  • SHA1

    b177d083b24fda398aa1f496ee69bafa7525a3a3

  • SHA256

    808bcbf367c67385e00e9d54cdfed9d99b449b25bcbe50a2015044065370d6da

  • SHA512

    a7c46b90ce90103a88677f4613afaa30c7e38b4bdbc067b38f747a1b5c550a23b7678bda977282f07aa7be3f55f76f61c0a42de0081ad4694e8cd6a06e711b24

  • SSDEEP

    3072:aSsvihLlTQz9z71iURo2SJJmY6uFNcgifDbmeTXwVdBR:rsqhJMxzJiU5SeLmNSbmebW1

Score
8/10
persistencespywarestealer

Malware Config

Signatures

  • Adds policy Run key to start application 2 TTPs 7 IoCs
    persistence
  • Executes dropped EXE 1 IoCs
  • Sets file execution options in registry 2 TTPs 4 IoCs
    persistence
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS 55 IoCs
  • Modifies registry class 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\808bcbf367c67385e00e9d54cdfed9d99b449b25bcbe50a2015044065370d6da.exe
    "C:\Users\Admin\AppData\Local\Temp\808bcbf367c67385e00e9d54cdfed9d99b449b25bcbe50a2015044065370d6da.exe"
    1⤵
    • Adds policy Run key to start application
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    PID:1648
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x0
    1⤵
      PID:1712
    • C:\Windows\system32\AUDIODG.EXE
      C:\Windows\system32\AUDIODG.EXE 0x4f4
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1104
    • C:\Windows\system32\LogonUI.exe
      "LogonUI.exe" /flags:0x1
      1⤵
        PID:1804
      • C:\Windows\system32\gpscript.exe
        gpscript.exe /Shutdown
        1⤵
        • Loads dropped DLL
        • Modifies data under HKEY_USERS
        • Suspicious use of WriteProcessMemory
        PID:968
        • C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\lEVOEtZDFXqK9qpFIUFyfWe3nfthkEr2caQbncpuvvqibhjo7vGZHMT.exe
          "C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\lEVOEtZDFXqK9qpFIUFyfWe3nfthkEr2caQbncpuvvqibhjo7vGZHMT.exe" 1
          2⤵
          • Adds policy Run key to start application
          • Executes dropped EXE
          • Sets file execution options in registry
          • Modifies data under HKEY_USERS
          • Suspicious use of AdjustPrivilegeToken
          PID:2028

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\ProgramData\Microsoft\Assistance\Client\1.0\Gn6cK8qLdrQAmjFPY3iO2Snkk.exe
        Filesize

        2.7MB

        MD5

        7bd1d833bebf149a937ada0f339ced73

        SHA1

        b13e4ab77eb9bee53b82abdc294b82cb8657a330

        SHA256

        b850de804ec5193fad54e361fe35cb0f716847851d250624858d6b82358802d0

        SHA512

        ed31a4b888bbf9cddecb503301eab303be86951a2abbdc12f83d669110149f547cc63f38daefcad4d0cdd98cff21e8bd2c28f5033b6169acdc3934551d1cfd69

        Download Submit
      • C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\lEVOEtZDFXqK9qpFIUFyfWe3nfthkEr2caQbncpuvvqibhjo7vGZHMT.exe
        Filesize

        3.5MB

        MD5

        4f7de97e0b6fbc53eea257954e61e8fe

        SHA1

        76708519e3242ca189acd9ce81251e87298d1512

        SHA256

        580a7371848e65b35cf22a5ce46ff7ecf485743ece400ad0ab2fe348ed85f9e0

        SHA512

        ce9e6a77967a76225c2429c9f205c33b2b007dae8f41999141eb18fbe7edc1f17259e64eda8ba34a7c15251c12000a47aef5f5e3e64fc305c48a586abc2e876e

        Download Submit
      • C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\lEVOEtZDFXqK9qpFIUFyfWe3nfthkEr2caQbncpuvvqibhjo7vGZHMT.exe
        Filesize

        3.5MB

        MD5

        4f7de97e0b6fbc53eea257954e61e8fe

        SHA1

        76708519e3242ca189acd9ce81251e87298d1512

        SHA256

        580a7371848e65b35cf22a5ce46ff7ecf485743ece400ad0ab2fe348ed85f9e0

        SHA512

        ce9e6a77967a76225c2429c9f205c33b2b007dae8f41999141eb18fbe7edc1f17259e64eda8ba34a7c15251c12000a47aef5f5e3e64fc305c48a586abc2e876e

        Download Submit
      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index-dir\Q6tIpRCIR5.exe
        Filesize

        3.0MB

        MD5

        35f7e6fba0f89326ef0be19dc74e76eb

        SHA1

        d46992ceab1aa575c992bdbb5f21ddf976364503

        SHA256

        e7336ddb92b25405466f8eaef99882bc8a598908b5c1e81276e38dfa77ce5e5e

        SHA512

        2bb6d28cff48055a2e92223688ba4a947e883dfb28ebb852010e971639d894489d0e32816f38c4bb20fed4fef6d0ac6e81d79d9beae03e884454e6ad48255694

        Download Submit
      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Subresource Filter\Unindexed Rules\q7RQ67YtQ7UP4ZErjdSYJEOeixTg4Dil8jie9BrAi4NaamrbNrucs0e88KEOXbt0kk6Q.exe
        Filesize

        4.2MB

        MD5

        5bf101894c1afbdd6e39397eabe12d2a

        SHA1

        51d994658fe48cff362e4fd1c2be6d5210611c7f

        SHA256

        62d22b4529a936b3203274ffd31fca615a7f62595a46842a106f6a2e08ce8b64

        SHA512

        d4886a2a9c34596871a0ec22b73ef9215520aaf74fee3b47e5bb9c33a7be9591e6791a12c6a95cbf263bf8db61e1b71cbb0ef50743552a6a6fdfa2d59d39582a

        Download Submit
      • C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\YB33FE3E\bwF0FLspqIxC4bSo72ykPEcjnUdnJBs6L7kY8gB6tpg9NgudPFx1DZ31l.exe
        Filesize

        3.2MB

        MD5

        98b35e03ba100a7be35feb0b0781f47d

        SHA1

        1afc477cefaab0f64821ff8e722604a75a3ceb8b

        SHA256

        63cc8b0fb016a229b56ea3fe4dc65a0cb288858b3b63139d75c0703c7ffe2afd

        SHA512

        5bcb2e0d9a084a2cf7487d871c8f6a3554611a2f8c6d2f522a2125d36328b458d7100990b9a4fad86ef371d1f47bb52ae709ee9c69abba17d16f9ccc8e302890

        Download Submit
      • C:\Users\Admin\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\mnYh9b50fNovJQ7ddyVzbSCmJvxDFc0FJHVBBacNwetkjAHUHcnJo.exe
        Filesize

        3.0MB

        MD5

        f8b629124ff2e19ac40372f79f124777

        SHA1

        88136418ebb24d41c073a8b4adc7e60b990ef734

        SHA256

        dacfb365e31cbb45406a6f71fcd9d5731bbdc152e5efe1123775f23626e423b5

        SHA512

        3c0546939af25efd92de23f1ab94b30ad5e8831681fc07a907e6861f5381136d042472da9855fee17eca6d914ba23cb876a3bfdd9f12d233a77178a4634f466f

        Download Submit
      • C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Backup\new\is9DodWrchlovaRmNZDmAeg5cyZ9eRIX0hWztd6wF5ThsRZg6ulCq.exe
        Filesize

        2.4MB

        MD5

        3b525644d3dff6463ab44da2677f9675

        SHA1

        9981aaefd478f551afe6bb3be1622c93a4bb2756

        SHA256

        84f47bd56160daab14b2f87942aa9c6984b2b3b33bea22d37dd55baf5be72c98

        SHA512

        2710ccc4dc4b4ffec480a29e55ea532810ab36a049770726678f5933b35458024b956ec7d3a152ac0fc93a0f2bececf2dafe7183857929a3d011969df1f4fef2

        Download Submit
      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ae6vytmk.default-release\minidumps\yE64fcKNo9tXXlbdJCdCFdXNvRUw9.exe
        Filesize

        2.5MB

        MD5

        f211322b34489f5d0614c2a82efa98ec

        SHA1

        ec4740e2ca351805edc9825f82f258d842c0ab74

        SHA256

        bf5c76b6dfedc632316e683d4568cfa4bb44c5c11a7e705510227eca0d6c050e

        SHA512

        20cb8d50bd42e8f06a19bc923454c811a820ad98ae2c838182d5a6ed1f71345f78055562e020a620a92c0e1f2d6a002ea32404e0569c1caed1961c4cda361d43

        Download Submit
      • C:\Users\Default\Saved Games\xidijaEm5vPEdrg7.exe
        Filesize

        3.4MB

        MD5

        717e1d1aa01e7d2a9258f1af791b0c96

        SHA1

        02b2fcf2c54b317e1f9a4d64fb6e5bec62bd4214

        SHA256

        83dae4ea15d8df626b9ac1e67eb1d46d2a2e21d9f5cc4b9023402cfc1d8fd975

        SHA512

        7ce0239bce629ef3c4f585610e85fedd0e52791205e80ac4d4bc32daaddb4854f9e0952fa6fbc87c6b663ca83cf6f7267754804411af0bbb936d65cf9392e287

        Download Submit
      • \ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\lEVOEtZDFXqK9qpFIUFyfWe3nfthkEr2caQbncpuvvqibhjo7vGZHMT.exe
        Filesize

        3.5MB

        MD5

        4f7de97e0b6fbc53eea257954e61e8fe

        SHA1

        76708519e3242ca189acd9ce81251e87298d1512

        SHA256

        580a7371848e65b35cf22a5ce46ff7ecf485743ece400ad0ab2fe348ed85f9e0

        SHA512

        ce9e6a77967a76225c2429c9f205c33b2b007dae8f41999141eb18fbe7edc1f17259e64eda8ba34a7c15251c12000a47aef5f5e3e64fc305c48a586abc2e876e

        Download Submit
      • \ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\lEVOEtZDFXqK9qpFIUFyfWe3nfthkEr2caQbncpuvvqibhjo7vGZHMT.exe
        Filesize

        3.5MB

        MD5

        4f7de97e0b6fbc53eea257954e61e8fe

        SHA1

        76708519e3242ca189acd9ce81251e87298d1512

        SHA256

        580a7371848e65b35cf22a5ce46ff7ecf485743ece400ad0ab2fe348ed85f9e0

        SHA512

        ce9e6a77967a76225c2429c9f205c33b2b007dae8f41999141eb18fbe7edc1f17259e64eda8ba34a7c15251c12000a47aef5f5e3e64fc305c48a586abc2e876e

        Download Submit
      • memory/968-65-0x0000000000DB0000-0x0000000000DDD000-memory.dmp
        Filesize

        180KB

        Download
      • memory/968-66-0x0000000000DB0000-0x0000000000DDD000-memory.dmp
        Filesize

        180KB

        Download
      • memory/968-77-0x0000000000DB0000-0x0000000000DDD000-memory.dmp
        Filesize

        180KB

        Download
      • memory/968-78-0x0000000000DB0000-0x0000000000DDD000-memory.dmp
        Filesize

        180KB

        Download
      • memory/1648-54-0x0000000000400000-0x000000000042D000-memory.dmp
        Filesize

        180KB

        Download
      • memory/1648-57-0x0000000000400000-0x000000000042D000-memory.dmp
        Filesize

        180KB

        Download
      • memory/1648-55-0x0000000000400000-0x000000000042D000-memory.dmp
        Filesize

        180KB

        Download
      • memory/1712-56-0x000007FEFBD41000-0x000007FEFBD43000-memory.dmp
        Filesize

        8KB

        Download
      • memory/2028-67-0x0000000000400000-0x000000000042D000-memory.dmp
        Filesize

        180KB

        Download
      • memory/2028-63-0x0000000000000000-mapping.dmp
        Download
      • memory/2028-79-0x0000000000400000-0x000000000042D000-memory.dmp
        Filesize

        180KB

        Download