Overview

overview

10

Static

static

12ccf80129...91.exe

windows7-x64

12ccf80129...91.exe

windows10-2004-x64

Analysis

  • max time kernel
    60s
  • max time network
    65s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    25-11-2022 08:58

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    12ccf80129469d1b6acc8feed64f989d98dc74725b9e562a5be7cc0db27c6a91.exe

  • Size

    1.3MB

  • MD5

    b709fe0a934ea6ff67b4381f59df3e94

  • SHA1

    fbc7b851bc8ba989ba072aad6d41a989e2942baf

  • SHA256

    12ccf80129469d1b6acc8feed64f989d98dc74725b9e562a5be7cc0db27c6a91

  • SHA512

    e64d432a3cc9a9fdc12678e0e984c1cf50d6474dc65c9d1f7dc8bd341e37ffd8e715757c2ac9d2477e47d4db1fa949a30250eda111d7a1232b87cdc1343d9c8f

  • SSDEEP

    3072:aSsvihLlTQz9z71iURo2SJJmY6uFNcgifDbmeTXwVdBR:rsqhJMxzJiU5SeLmNSbmebW1

Score
10/10
persistencespywarestealer

Malware Config

Signatures

  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Adds policy Run key to start application 2 TTPs 7 IoCs
    persistence
  • Executes dropped EXE 2 IoCs
  • Sets file execution options in registry 2 TTPs 8 IoCs
    persistence
  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS 60 IoCs
  • Modifies registry class 12 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\12ccf80129469d1b6acc8feed64f989d98dc74725b9e562a5be7cc0db27c6a91.exe
    "C:\Users\Admin\AppData\Local\Temp\12ccf80129469d1b6acc8feed64f989d98dc74725b9e562a5be7cc0db27c6a91.exe"
    1⤵
    • Adds policy Run key to start application
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    PID:1672
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    1⤵
      PID:588
      • C:\Users\Default\AppData\Roaming\Microsoft\Windows\ZqCCX6vQ7ReOCVMzFknqTq6PL9K2xMbE.cmd
        "C:\Users\Default\AppData\Roaming\Microsoft\Windows\ZqCCX6vQ7ReOCVMzFknqTq6PL9K2xMbE.cmd" 2
        2⤵
        • Executes dropped EXE
        • Sets file execution options in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:568
    • C:\Windows\system32\LogonUI.exe
      "LogonUI.exe" /flags:0x0
      1⤵
        PID:1868
      • C:\Windows\system32\AUDIODG.EXE
        C:\Windows\system32\AUDIODG.EXE 0x56c
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1648
      • C:\Windows\system32\LogonUI.exe
        "LogonUI.exe" /flags:0x1
        1⤵
          PID:1744
        • C:\Windows\system32\gpscript.exe
          gpscript.exe /Shutdown
          1⤵
          • Loads dropped DLL
          • Modifies data under HKEY_USERS
          • Suspicious use of WriteProcessMemory
          PID:636
          • C:\Users\Default\AppData\Roaming\Microsoft\Windows\ZqCCX6vQ7ReOCVMzFknqTq6PL9K2xMbE.cmd
            "C:\Users\Default\AppData\Roaming\Microsoft\Windows\ZqCCX6vQ7ReOCVMzFknqTq6PL9K2xMbE.cmd" 1
            2⤵
            • Suspicious use of NtCreateUserProcessOtherParentProcess
            • Adds policy Run key to start application
            • Executes dropped EXE
            • Sets file execution options in registry
            • Loads dropped DLL
            • Modifies data under HKEY_USERS
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:524

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Persistence

        Registry Run Keys / Startup Folder

        2
        T1060

        Privilege Escalation

        Defense Evasion

        Modify Registry

        2
        T1112

        Credential Access

        Credentials in Files

        1
        T1081

        Discovery

        System Information Discovery

        1
        T1082

        Lateral Movement

        Collection

        Data from Local System

        1
        T1005

        Exfiltration

        Command and Control

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\ProgramData\Microsoft\Assistance\Tlrb1eK5HTAYOncjZpZMTXRLy.exe
          Filesize

          2.5MB

          MD5

          36795ddd186e4440a2de9e66c0942216

          SHA1

          4f858a8ca75fdad944001ca8a52eb6d6dcedd79e

          SHA256

          fa0821fb018d70b969f1859b070fa238b2490144bb7689ade0ba578c4d90661c

          SHA512

          a52bf27fd2b7cd23245eacf13fd70e401ae01fc962fd9d858ffaee3a53c396830eec73a58faf2922d53aaadd7b15a55b6a0f53e769513b5aa3c4a65fd58e3df0

          Download Submit
        • C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\fr-FR\YpheKMcKIHyViwoiaTItb9ZscSEUfOMAOwQMafstUDf.exe
          Filesize

          1.5MB

          MD5

          85bc6bec0cd69d71e90e83bcc9b2d140

          SHA1

          a1d59fb37940922f9ed494875a6403fdcfa1fee1

          SHA256

          2f56096552031ecbba58b912d5b82b4f014949f4755b104e73f6c21079314007

          SHA512

          dfa6bf8d8967a3e1c2e170570f590ddfa8e03d03b459ef65b7ce6e6594694188c1ef9a1a612dbcbbd82f6bac153caea5856ef739f9cfc2c364cbc450458bc47a

          Download Submit
        • C:\ProgramData\Microsoft\Search\Data\Applications\Windows\7ZGtm215f8lY.exe
          Filesize

          2.4MB

          MD5

          ac8ade8ac909f2c6e2c3cb2a1f5852e3

          SHA1

          e8451126de575c057ab9ae25b71ccc6d2fe13aa9

          SHA256

          6db52c89d50a57bd8740a22e3a320d672004b364d04c6d5c8f62d5ac8588b8a5

          SHA512

          c5fa75859e906793dc656e8a854a8e052d2ef105a3c27b9a6eb454378c654f7988340d538a7fcd221c20b3a8dfd7a2db14a6e9120c47f390b44c66db591c6fb1

          Download Submit
        • C:\ProgramData\Microsoft\Windows Defender\Quarantine\GJqUAIMubMGrP7yba41p2cXfi1leQczDABcSdCKwAwhXab8ONBr.exe
          Filesize

          2.0MB

          MD5

          38ac2164367f2d7ae72a1ee7d99f2673

          SHA1

          6b99b7cfc81aaa3343d33cc44dcc823a6d856cfb

          SHA256

          d863a65408ad5edc272c6ecc48efc7d398d9c5049395f009681236a2234fdf2a

          SHA512

          2839fcb2d3fabf785ce6893865e4552303a2df2db9b6d440233bf4d68e2e023e5f950eeaa62e01ff319e1ce4da02dfcbc23ff88a159298c1df44057a92795f13

          Download Submit
        • C:\ProgramData\Package Cache\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\packages\Patch\H3TzKg4K3gC.exe
          Filesize

          2.0MB

          MD5

          5c53fb589d79ebfcb190d2d200b94129

          SHA1

          5a388ff05930cbbbf9de2e9c585a1aa2951b87a0

          SHA256

          c80d69d261d47d66077abff1aaad927e31550375289eaf8363e32ddce533c4af

          SHA512

          4c0b0ff837523ee32248a5f981ba3bfa1bc2bcde5f8a00d98b8bd1a11a1ff9a215667506f554e69f6715fa0a26adb58833a7d7cdb1fe10fe699a556078592733

          Download Submit
        • C:\ProgramData\Package Cache\{BF08E976-B92E-4336-B56F-2171179476C4}v14.30.30704\vIHSbzfJz8YRV3SXVvEU6M6QA908wiOMTK.bat
          Filesize

          2.1MB

          MD5

          0eb1cfb762634106bb57d1c17f946c15

          SHA1

          cde5527261d4d0c1232d11f98f48fae4beb88a16

          SHA256

          0c7586434f0ce193bc9dbbfe70677b7e5c1dc96eeffc4f5efd13d5852cdfb1f2

          SHA512

          90878b87793061d9e3e75b954124bdbcc3c15bdaf14c8591ba645b3e72fab3d1d3eeea2b014a9ac35742c2cf2402662c9c401b4fe2f7f0b8ad622f570a8b793a

          Download Submit
        • C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\56\QofwtLN1p0cNHVn9mPDURTQrtufVfBstT37gWOuz83enJcvLfFj0vjm9WKZdaZ2UuAtq.exe
          Filesize

          1.7MB

          MD5

          12ac17834da1e52161e71538e9c6ae21

          SHA1

          03cfd6704589b900ea634867070d36f8eb9305b8

          SHA256

          6de71756e9b7a7909add8ed44dbf0c7a799fb9220dd4a6ff1ca346f059deedd1

          SHA512

          3b4ff812d3d2acd20fd5916e0c9ecd9fe18cd53d366e1900196f205f0fdbaa62758d80f3b81ca5973f6c6a7babab57517381bbf525be95a7d9e4cc5db0655541

          Download Submit
        • C:\Users\Admin\AppData\LocalLow\Sun\Java\gUhKXaQppmzU19FJ42gWI5tJg7rPEsM3YB7uutwEsb1SAf9K8EWvO2Numk.exe
          Filesize

          1.5MB

          MD5

          8af0770fc2f0a660cd8b79713f5d2034

          SHA1

          81d2d5e2e6f4509f2278d2234e7fbbdb5543e85d

          SHA256

          ac5289a8cba6106b3e317eea3726d104066d25b97a878d84d6e03ef83edd4818

          SHA512

          88fab4d94af00be6001f8dcd8013656daec7e102f79b852e7cd615bd576b3798a34552a8cdf7f6e568694c83f1e72f890872a3be9eb1fcf0f656e9e98bced9bf

          Download Submit
        • C:\Users\Admin\AppData\Roaming\Mozilla\SystemExtensionsDev\KlZpivEQbCmJZasHlvyloLKrTego4KW8BKrVRP9hq80GI89T32wVjnsygQjkS4.exe
          Filesize

          1.6MB

          MD5

          ce13304a9a1ff78b3ebd611e3c4e1e90

          SHA1

          5d6cce41018f1f782110e04f7560b0ef667389a2

          SHA256

          4af556a84eae4e6b8c4cef9ae502f6929060abae2d26f122dbfb88c628378638

          SHA512

          dd7d905b4776d24187bfa6142b3844a90167f70d067687d888886d6806e77c336d7a389ca897d0324f9fc23eb4007271d7e10b2c1a06cbf1f946e01b81dcff19

          Download Submit
        • C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\xiGj2FfyONgtY6m0.cmd
          Filesize

          2.7MB

          MD5

          d0bb4d6a29ba7c7fe20219f2654477f1

          SHA1

          b10afb77a9dbecbd947bca7562eed447412b4bdd

          SHA256

          1b84a4e0afe74f66ed99cc2f5a2c9821720ed816af8232d21c482abfc84ab884

          SHA512

          d943a60e02bbaebd7e92ed6b6ce605101b8cb268702e5437aac167f89544bc920af123dad5b93747877a0f1f84c14707e8206eb7ee5fbe5ce7d39b22306dec36

          Download Submit
        • C:\Users\Default\AppData\Roaming\Microsoft\Windows\ZqCCX6vQ7ReOCVMzFknqTq6PL9K2xMbE.cmd
          Filesize

          1.9MB

          MD5

          ca8a1387a6d7c52efbf9c1f4d77ab046

          SHA1

          3ce045d2ae92b2c3ed4764cc224658a44aa41c2c

          SHA256

          ed88c56957d02519cde36348998d38b4b21a806e4370a7b133c3a4b6308a5001

          SHA512

          5e0c7ad1b784fa7215536ba24ff4b612165dab2ee4dbdd88269acd9861c1601ed412a3b279e53af0193c8e4756f1deba54fc8bad79e5366b4c53e546ca618963

          Download Submit
        • C:\Users\Default\AppData\Roaming\Microsoft\Windows\ZqCCX6vQ7ReOCVMzFknqTq6PL9K2xMbE.cmd
          Filesize

          1.9MB

          MD5

          ca8a1387a6d7c52efbf9c1f4d77ab046

          SHA1

          3ce045d2ae92b2c3ed4764cc224658a44aa41c2c

          SHA256

          ed88c56957d02519cde36348998d38b4b21a806e4370a7b133c3a4b6308a5001

          SHA512

          5e0c7ad1b784fa7215536ba24ff4b612165dab2ee4dbdd88269acd9861c1601ed412a3b279e53af0193c8e4756f1deba54fc8bad79e5366b4c53e546ca618963

          Download Submit
        • C:\Users\Default\AppData\Roaming\Microsoft\Windows\ZqCCX6vQ7ReOCVMzFknqTq6PL9K2xMbE.cmd
          Filesize

          1.9MB

          MD5

          ca8a1387a6d7c52efbf9c1f4d77ab046

          SHA1

          3ce045d2ae92b2c3ed4764cc224658a44aa41c2c

          SHA256

          ed88c56957d02519cde36348998d38b4b21a806e4370a7b133c3a4b6308a5001

          SHA512

          5e0c7ad1b784fa7215536ba24ff4b612165dab2ee4dbdd88269acd9861c1601ed412a3b279e53af0193c8e4756f1deba54fc8bad79e5366b4c53e546ca618963

          Download Submit
        • \Users\Default\AppData\Roaming\Microsoft\Windows\ZqCCX6vQ7ReOCVMzFknqTq6PL9K2xMbE.cmd
          Filesize

          1.9MB

          MD5

          ca8a1387a6d7c52efbf9c1f4d77ab046

          SHA1

          3ce045d2ae92b2c3ed4764cc224658a44aa41c2c

          SHA256

          ed88c56957d02519cde36348998d38b4b21a806e4370a7b133c3a4b6308a5001

          SHA512

          5e0c7ad1b784fa7215536ba24ff4b612165dab2ee4dbdd88269acd9861c1601ed412a3b279e53af0193c8e4756f1deba54fc8bad79e5366b4c53e546ca618963

          Download Submit
        • \Users\Default\AppData\Roaming\Microsoft\Windows\ZqCCX6vQ7ReOCVMzFknqTq6PL9K2xMbE.cmd
          Filesize

          1.9MB

          MD5

          ca8a1387a6d7c52efbf9c1f4d77ab046

          SHA1

          3ce045d2ae92b2c3ed4764cc224658a44aa41c2c

          SHA256

          ed88c56957d02519cde36348998d38b4b21a806e4370a7b133c3a4b6308a5001

          SHA512

          5e0c7ad1b784fa7215536ba24ff4b612165dab2ee4dbdd88269acd9861c1601ed412a3b279e53af0193c8e4756f1deba54fc8bad79e5366b4c53e546ca618963

          Download Submit
        • \Users\Default\AppData\Roaming\Microsoft\Windows\ZqCCX6vQ7ReOCVMzFknqTq6PL9K2xMbE.cmd
          Filesize

          1.9MB

          MD5

          ca8a1387a6d7c52efbf9c1f4d77ab046

          SHA1

          3ce045d2ae92b2c3ed4764cc224658a44aa41c2c

          SHA256

          ed88c56957d02519cde36348998d38b4b21a806e4370a7b133c3a4b6308a5001

          SHA512

          5e0c7ad1b784fa7215536ba24ff4b612165dab2ee4dbdd88269acd9861c1601ed412a3b279e53af0193c8e4756f1deba54fc8bad79e5366b4c53e546ca618963

          Download Submit
        • memory/524-62-0x0000000000000000-mapping.dmp
          Download
        • memory/524-69-0x0000000000400000-0x000000000042D000-memory.dmp
          Filesize

          180KB

          Download
        • memory/524-78-0x0000000000400000-0x000000000042D000-memory.dmp
          Filesize

          180KB

          Download
        • memory/524-82-0x0000000000400000-0x000000000042D000-memory.dmp
          Filesize

          180KB

          Download
        • memory/568-80-0x0000000000000000-mapping.dmp
          Download
        • memory/568-86-0x0000000000400000-0x000000000042D000-memory.dmp
          Filesize

          180KB

          Download
        • memory/568-85-0x0000000000400000-0x000000000042D000-memory.dmp
          Filesize

          180KB

          Download
        • memory/636-77-0x0000000000E90000-0x0000000000EBD000-memory.dmp
          Filesize

          180KB

          Download
        • memory/636-67-0x0000000000E90000-0x0000000000EBD000-memory.dmp
          Filesize

          180KB

          Download
        • memory/636-68-0x0000000000E90000-0x0000000000EBD000-memory.dmp
          Filesize

          180KB

          Download
        • memory/636-76-0x0000000000E90000-0x0000000000EBD000-memory.dmp
          Filesize

          180KB

          Download
        • memory/1672-56-0x0000000000400000-0x000000000042D000-memory.dmp
          Filesize

          180KB

          Download
        • memory/1672-54-0x0000000000400000-0x000000000042D000-memory.dmp
          Filesize

          180KB

          Download
        • memory/1868-55-0x000007FEFBC01000-0x000007FEFBC03000-memory.dmp
          Filesize

          8KB

          Download