Overview

overview

10

Static

static

dc4559e057...50.exe

windows7-x64

8

dc4559e057...50.exe

windows10-2004-x64

Analysis

  • max time kernel
    47s
  • max time network
    50s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-11-2022 08:53

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    dc4559e05769ec2da81e6f74bb2202a80f17dfd1d1d9fc4b4c47f5ce4a2d2250.exe

  • Size

    790KB

  • MD5

    b82073aecf721f857155606431727831

  • SHA1

    ba007a8a1394009a231e5a2d1e25c4a4bfd81359

  • SHA256

    dc4559e05769ec2da81e6f74bb2202a80f17dfd1d1d9fc4b4c47f5ce4a2d2250

  • SHA512

    4f50665f2c2c2bf4ae9112019cb70bf02ab65c30145e8bc2d87fd4f76e12603cf7de265e6c80ff1ad8420649d8b4f7b7f0f8449d6705b51ab58e6744524230bd

  • SSDEEP

    3072:aSsvihLlTQz9z71iURo2SJJmY6uFNcgifDbmeTXwVdBR:rsqhJMxzJiU5SeLmNSbmebW1

Score
10/10
persistencespywarestealer

Malware Config

Signatures

  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Adds policy Run key to start application 2 TTPs 7 IoCs
    persistence
  • Executes dropped EXE 2 IoCs
  • Sets file execution options in registry 2 TTPs 8 IoCs
    persistence
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 10 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Windows\system32\lsass.exe
    C:\Windows\system32\lsass.exe
    1⤵
      PID:692
      • C:\ProgramData\Microsoft\Network\QLx1aLcWzgZLKSC3I7R0BDc0.exe
        "C:\ProgramData\Microsoft\Network\QLx1aLcWzgZLKSC3I7R0BDc0.exe" 2
        2⤵
        • Executes dropped EXE
        • Sets file execution options in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4880
    • C:\Users\Admin\AppData\Local\Temp\dc4559e05769ec2da81e6f74bb2202a80f17dfd1d1d9fc4b4c47f5ce4a2d2250.exe
      "C:\Users\Admin\AppData\Local\Temp\dc4559e05769ec2da81e6f74bb2202a80f17dfd1d1d9fc4b4c47f5ce4a2d2250.exe"
      1⤵
      • Adds policy Run key to start application
      • Modifies data under HKEY_USERS
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      PID:4804
    • C:\Windows\system32\LogonUI.exe
      "LogonUI.exe" /flags:0x4 /state0:0xa39db855 /state1:0x41c64e6d
      1⤵
      • Modifies data under HKEY_USERS
      • Suspicious use of SetWindowsHookEx
      PID:4492
    • C:\Windows\system32\gpscript.exe
      gpscript.exe /Shutdown
      1⤵
      • Modifies data under HKEY_USERS
      • Suspicious use of WriteProcessMemory
      PID:1228
      • C:\ProgramData\Microsoft\Network\QLx1aLcWzgZLKSC3I7R0BDc0.exe
        "C:\ProgramData\Microsoft\Network\QLx1aLcWzgZLKSC3I7R0BDc0.exe" 1
        2⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • Adds policy Run key to start application
        • Executes dropped EXE
        • Sets file execution options in registry
        • Modifies data under HKEY_USERS
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3428

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\Microsoft\Network\QLx1aLcWzgZLKSC3I7R0BDc0.exe
      Filesize

      1.4MB

      MD5

      17eea51bae38d857103ebf9cf0f5fa08

      SHA1

      639ff6978804f4c015acf9279e1da5eff1104d2b

      SHA256

      8a19d80d6a2137c07c0329ff50964c9e7c55258629e24b3e6275c912a64a1206

      SHA512

      ca016e05d50ef2f39f3e4d28da0560e335faabc75fc15a21e6518c5bf3bbbbda0fb11716eb9937596f5162aa2274058f1a428abfa5897f8e6e419d1715fe93dc

      Download Submit
    • C:\ProgramData\Microsoft\Network\QLx1aLcWzgZLKSC3I7R0BDc0.exe
      Filesize

      1.4MB

      MD5

      17eea51bae38d857103ebf9cf0f5fa08

      SHA1

      639ff6978804f4c015acf9279e1da5eff1104d2b

      SHA256

      8a19d80d6a2137c07c0329ff50964c9e7c55258629e24b3e6275c912a64a1206

      SHA512

      ca016e05d50ef2f39f3e4d28da0560e335faabc75fc15a21e6518c5bf3bbbbda0fb11716eb9937596f5162aa2274058f1a428abfa5897f8e6e419d1715fe93dc

      Download Submit
    • C:\ProgramData\Microsoft\Network\QLx1aLcWzgZLKSC3I7R0BDc0.exe
      Filesize

      1.4MB

      MD5

      17eea51bae38d857103ebf9cf0f5fa08

      SHA1

      639ff6978804f4c015acf9279e1da5eff1104d2b

      SHA256

      8a19d80d6a2137c07c0329ff50964c9e7c55258629e24b3e6275c912a64a1206

      SHA512

      ca016e05d50ef2f39f3e4d28da0560e335faabc75fc15a21e6518c5bf3bbbbda0fb11716eb9937596f5162aa2274058f1a428abfa5897f8e6e419d1715fe93dc

      Download Submit
    • C:\ProgramData\Microsoft\Windows\ClipSVC\Archive\KeyHolder\NGM6dRMsUzt6ZmUVOmnR7.exe
      Filesize

      1.3MB

      MD5

      e75b7b9cddd2b499b6dba576f17dfbfb

      SHA1

      b4eaca33e2deb5ffd9f34c251725c41f6af60d9d

      SHA256

      26d85983795d3687a9c3ed891058148ffd0a8f79f0da6a27e5b041c6f77b4a27

      SHA512

      90f9671c4fcf90604faedd6294f1b4829c934f0afae0ea3ad54cf3a12c5d822ba4df685905d2cfd4575fc8171908a08fde062f60351fcfc067e7ac7a1418e9c1

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\6\6lJk63D8EE4O0rxJ23gPoBCd46Nibti1SQ7P7inCnF4m8z478OM8KE.exe
      Filesize

      1.1MB

      MD5

      f2cdbf341b34983f6aa9234789cc16ab

      SHA1

      2a949b0e46f829591e5c9feb459e862336269e32

      SHA256

      0c4284eb413169e470ed855d81f9c3c913d96e87806c68f8c4c30dcfd3524fb6

      SHA512

      314b93e1745d7abd820c312c95dfa5da5f0d2e47f839fdd997795cbdba99970748aeb2ed9ba5b34616846b0fb67388cef6fb3cc0a2bcb8187548ee69dd18d3b9

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\is\1WE1QZwhwHTUfdICtjjG8Q2cKcTlNnAX.exe
      Filesize

      1.5MB

      MD5

      8c06c62f20f6ff7038215995abcdfc52

      SHA1

      a32154d65f31912cc13977cdf1b1e25aa4bb29ca

      SHA256

      37ce7ae3eb1d83fd6066d3fb9b5ff9ffa7f61b0787765139ad1889b68f5d356b

      SHA512

      a04fa9c7677f8690a35c3b2004f7cc6eb75d6281ff740d0ba42f1c3abe397873ca52c626e43634326e7c68162ff09894072b836d577d4cd6a3a7f923d1f1d7c2

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\qml\QtQuick\Controls.2\bjNhdGqNsbo9nyngS7DpodQVQPqoIOHaLNqGbQmPNDecPxT00go.exe
      Filesize

      2.2MB

      MD5

      e9463a21235c4f22a3a206747fd79869

      SHA1

      7f9d8098de5e99f3721db0efc284e090046e83ce

      SHA256

      a32868168ccf571f7275f452fb787a6dae9c5e692741312a1fb03058de09686f

      SHA512

      25341ed6cb975e419e84f98b9baf45967e4fa6a963cd01f5e0f34524a448bfadd3a68cd16009f2a764f0c7d1ce08b3f2be7ae0c54bedbdd9625e877e014ef1d9

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\1F4PCeFF65B.exe
      Filesize

      1.3MB

      MD5

      30ac0f6ffa3290e5c6e548c624f3f5c6

      SHA1

      ecd85a51b5c1b0504310d6909b8aeb179df66118

      SHA256

      aca49814085095c56d2c23d5589e3a9e78eb69d0562fb5550eb007cd86dfb753

      SHA512

      8bdb90608f291e46e879e053a37159c23dcdfeaf7e0b422258a612c56b4ba1a43468ca21f2eded36b64ab98cabc8b949f94181d5d50e7003e0098ad9fc7abd59

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\input\hr-HR\T5aQzQw6yCtxEEkBptpvPi.exe
      Filesize

      1.4MB

      MD5

      83f10a62c9f0696cdc6bceb26b00aff6

      SHA1

      c0d6ccbfb0331ee04d18a67e3d171e838a99040b

      SHA256

      e9d267202d1638a7f33b450eaaf2327d72c43746e817ff672df634f1a6a2e838

      SHA512

      69459b470cc2dc0bd3a3a23a6e311aca099e191b054ae663f04a1c2c79c7560751d899fbfbfc64ef5cf34c47e8a18b571a653970c6b46478bd0c39fd1075d66d

      Download Submit
    • C:\Users\Admin\AppData\Local\Packages\1527c705-839a-4832-9118-54d4Bd6a0c89_cw5n1h2txyewy\AC\INetHistory\VO9Mz47G7AodZlf6dHwCM2tnXOhTYK58OLuEYK.bat
      Filesize

      2.1MB

      MD5

      b6854dc79a80b3699bef985fee0d17e3

      SHA1

      3bc1709babd599b6e6abc19018d49492fb2c78d9

      SHA256

      d5050639ff38e04522676d20d144f559d450cfcccd2c210795b23446c95b2516

      SHA512

      ba9419d5a867251e61026340143af9712318ee9fca8e270da155af03930e014405f2c6fb4ce42d24f43ae925335a54b919eea5e1afd4903301bbead0c0086d11

      Download Submit
    • C:\Users\Admin\AppData\Local\Packages\Microsoft.CredDialogHost_cw5n1h2txyewy\AC\INetCookies\kBQeNsCxHpnAjSAEJwIhu.exe
      Filesize

      1.5MB

      MD5

      19a28f097f7419775f5d809d2e386457

      SHA1

      890b4637d56ae5b36b7b4f67cf9c202a82c81ba3

      SHA256

      9d7ffbb1e0b865a16dcbd573e1c20335d2225f0dc1025fa311dbff24a86ae81a

      SHA512

      841310e6a157abdcfb2c35e5d6557f23d8221aa67d8e40a5785156682580f71e64a24d64c600eae42757b53e0ef8269176a26471c3fde1f5496daafe856dae66

      Download Submit
    • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\uTQcZWHee1DUlZFqytwupSBcCA4dEawqe3Sn4oNFcXVyuK6.exe
      Filesize

      1.2MB

      MD5

      b56c6715794483aa2f0129128a0ffa1b

      SHA1

      66e8dcb9cfc396cac7820cd68478e22543910348

      SHA256

      20623d5d245ea4f7753a80710c4910e860b5295f23051861d7d7afd75fc65593

      SHA512

      9ac765a34719d501c5b0241804be2ad90646f422c23bbfe6a68d5f00f2401da26a0d03e35c6dabdaeed9a45c8e2daed6fb30f4f1ba877e1a7837d0deb4b1a733

      Download Submit
    • C:\Users\Public\AccountPictures\MSa0lMcwjAuYgt8HQZkEyhBznytjzJhqY7NarMwrpQs6NY.exe
      Filesize

      882KB

      MD5

      92b921107d0d9c3139ccc9f6366d119f

      SHA1

      52c4d0d3b3c61b9a9aa1b1d45877b43ec1da74ff

      SHA256

      a017f37eb3b0f6022519b422a1d64459c2a87d7708b7ab01e064454fee7aa9b8

      SHA512

      3f09db2870d58c12c9573947a8e91a39c081b0d93c686ad99bdceeb940fa21388d02450d523ce584ff14438d79f57bd6b5f34de0a8eea9d171644ab1e7db409d

      Download Submit
    • memory/3428-146-0x0000000000400000-0x000000000042D000-memory.dmp
      Filesize

      180KB

      Download
    • memory/3428-137-0x0000000000400000-0x000000000042D000-memory.dmp
      Filesize

      180KB

      Download
    • memory/3428-149-0x0000000000400000-0x000000000042D000-memory.dmp
      Filesize

      180KB

      Download
    • memory/3428-135-0x0000000000000000-mapping.dmp
      Download
    • memory/4804-132-0x0000000000400000-0x000000000042D000-memory.dmp
      Filesize

      180KB

      Download
    • memory/4804-133-0x0000000000400000-0x000000000042D000-memory.dmp
      Filesize

      180KB

      Download
    • memory/4880-147-0x0000000000000000-mapping.dmp
      Download
    • memory/4880-150-0x0000000000400000-0x000000000042D000-memory.dmp
      Filesize

      180KB

      Download