Overview

overview

10

Static

static

12ccf80129...91.exe

windows7-x64

12ccf80129...91.exe

windows10-2004-x64

Analysis

  • max time kernel
    44s
  • max time network
    72s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-11-2022 08:58

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    12ccf80129469d1b6acc8feed64f989d98dc74725b9e562a5be7cc0db27c6a91.exe

  • Size

    1.3MB

  • MD5

    b709fe0a934ea6ff67b4381f59df3e94

  • SHA1

    fbc7b851bc8ba989ba072aad6d41a989e2942baf

  • SHA256

    12ccf80129469d1b6acc8feed64f989d98dc74725b9e562a5be7cc0db27c6a91

  • SHA512

    e64d432a3cc9a9fdc12678e0e984c1cf50d6474dc65c9d1f7dc8bd341e37ffd8e715757c2ac9d2477e47d4db1fa949a30250eda111d7a1232b87cdc1343d9c8f

  • SSDEEP

    3072:aSsvihLlTQz9z71iURo2SJJmY6uFNcgifDbmeTXwVdBR:rsqhJMxzJiU5SeLmNSbmebW1

Score
8/10
persistencespywarestealer

Malware Config

Signatures

  • Adds policy Run key to start application 2 TTPs 7 IoCs
    persistence
  • Executes dropped EXE 1 IoCs
  • Sets file execution options in registry 2 TTPs 4 IoCs
    persistence
  • Drops startup file 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\12ccf80129469d1b6acc8feed64f989d98dc74725b9e562a5be7cc0db27c6a91.exe
    "C:\Users\Admin\AppData\Local\Temp\12ccf80129469d1b6acc8feed64f989d98dc74725b9e562a5be7cc0db27c6a91.exe"
    1⤵
    • Adds policy Run key to start application
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    PID:4792
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x4 /state0:0xa3981055 /state1:0x41c64e6d
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:2320
  • C:\Windows\system32\gpscript.exe
    gpscript.exe /Shutdown
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of WriteProcessMemory
    PID:2152
    • C:\Users\Admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\aCh9nlwqQ97W6deqCBPjuL6GIC1BoBOFWRA.exe
      "C:\Users\Admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\aCh9nlwqQ97W6deqCBPjuL6GIC1BoBOFWRA.exe" 1
      2⤵
      • Adds policy Run key to start application
      • Executes dropped EXE
      • Sets file execution options in registry
      • Drops startup file
      • Modifies data under HKEY_USERS
      • Suspicious use of AdjustPrivilegeToken
      PID:4208
  • C:\Users\Admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\aCh9nlwqQ97W6deqCBPjuL6GIC1BoBOFWRA.exe
    "C:\Users\Admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\aCh9nlwqQ97W6deqCBPjuL6GIC1BoBOFWRA.exe" 2
    1⤵
      PID:2656

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Registry Run Keys / Startup Folder

    2
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    2
    T1112

    Credential Access

    Credentials in Files

    1
    T1081

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Data from Local System

    1
    T1005

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\aCh9nlwqQ97W6deqCBPjuL6GIC1BoBOFWRA.exe
      Filesize

      2.0MB

      MD5

      6b6ccee5a95498e66502141bbe0e30a2

      SHA1

      68675c1c407f3499f5b2cd7627286c8f71c7ac69

      SHA256

      8036ea5dd882b34de79fde93169c6f597c4c7a2fa71913a6b61ad1a9784ee808

      SHA512

      949c05975435f73d245203214483262a92017150525b22ab5f62ac2969dc97d6ea6267371e77e61295b87d09c6fe7db43d0450a515ee4b4e74328b86b6b8a679

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\aCh9nlwqQ97W6deqCBPjuL6GIC1BoBOFWRA.exe
      Filesize

      2.0MB

      MD5

      6b6ccee5a95498e66502141bbe0e30a2

      SHA1

      68675c1c407f3499f5b2cd7627286c8f71c7ac69

      SHA256

      8036ea5dd882b34de79fde93169c6f597c4c7a2fa71913a6b61ad1a9784ee808

      SHA512

      949c05975435f73d245203214483262a92017150525b22ab5f62ac2969dc97d6ea6267371e77e61295b87d09c6fe7db43d0450a515ee4b4e74328b86b6b8a679

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\aCh9nlwqQ97W6deqCBPjuL6GIC1BoBOFWRA.exe
      Filesize

      2.0MB

      MD5

      6b6ccee5a95498e66502141bbe0e30a2

      SHA1

      68675c1c407f3499f5b2cd7627286c8f71c7ac69

      SHA256

      8036ea5dd882b34de79fde93169c6f597c4c7a2fa71913a6b61ad1a9784ee808

      SHA512

      949c05975435f73d245203214483262a92017150525b22ab5f62ac2969dc97d6ea6267371e77e61295b87d09c6fe7db43d0450a515ee4b4e74328b86b6b8a679

      Download Submit
    • C:\Users\Admin\AppData\Local\Packages\Microsoft.CredDialogHost_cw5n1h2txyewy\RoamingState\1s0Eh6XLq3jZOabkKZ95sEuJ2Y7MUMCo4CZuDvgz2ajIQoFpeRia8X1iQC.exe
      Filesize

      2.0MB

      MD5

      aeaa88bba6b16eac0553b38da37194a1

      SHA1

      00a5985ad0a45f2623a5b232b4c80441c0ae135c

      SHA256

      5cd41343c4fe1d535999c56780fda288853d352c68fc3c76a7cc9d70b56c495c

      SHA512

      75e1d6a7fb917bcbb4b9b988318b0988f7d3517c20c7f00c139816ef720afb9036d198614b794e1441d3a9c139f8fee9e4944a9151ca5849477e0286e7e69d9f

      Download Submit
    • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\LocalCache\DN9yLAkcjcWgt7bb8SuthlReQW1sFIsV17UmygV9usdrxytDvnu3U5ymdfcM6p.exe
      Filesize

      2.2MB

      MD5

      98f2a248587431cb3b591b6e7df5cd9b

      SHA1

      c28dc6d2932d2187735b9de590ec686c8b769650

      SHA256

      068e79bc2d61a74aab1a19b36171ac29176792e419eb7a137ad048d3d9090cb1

      SHA512

      e76bfacac7151ce88c184842b8f2181315048fa4870d77e8f1993319bd123e46e58c19472f9074b8dd4dc8e575c83983a1ba9f83208ea97d1b176c054ff2816e

      Download Submit
    • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\Settings\KjKZZj6NFSSjkujrfyzjRDIjlGFDvQBXTdxZ3IP8p.exe
      Filesize

      2.0MB

      MD5

      0b9c90db3f26eca6c384d56e1a792515

      SHA1

      46dabd112d261d2b6b772858a2b5dd22c0df4603

      SHA256

      abc8ffe51b62894a706bc8c0820dedd37b8c412a8230498f7a0323ccaef7a18c

      SHA512

      fd2a7fad7cdbe51b7964f4bcfc686a7b54f41b8233fda72928767d8651dad10ae8df6878c4e993db32d9f17dbae5ce00102a631d4d9dd0c1ee945579a6341704

      Download Submit
    • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.CallingShellApp_cw5n1h2txyewy\AC\INetCookies\PtGwIGSScIo.exe
      Filesize

      2.2MB

      MD5

      bf68affff301ab68745997c25213f882

      SHA1

      0b4a266c879d2ffdc411a8815d64a26d9bf987ad

      SHA256

      d26c4c428d57dd944ff88bb622df413f847d0326dea73dbaa66992abf72213ba

      SHA512

      07f44fb7a6d2e38449d158c83e75a58d8bd5f630512059c02b2f2c54901642537a5667d0b2767055a0b0dd12b4fd270cb6ec847715f9d06190ee886e60d98d26

      Download Submit
    • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\TargetedContentCache\v3\338389\8HbZDAouZLWhP1aDNlI9UyYdfeLtAvW4lGlX9WGakBzsHBaV0RyR9z.exe
      Filesize

      1.3MB

      MD5

      9955c48221340ecdc46dd042851ada96

      SHA1

      38f9b4b3f95d22624f793ad728475f8a989cf1a8

      SHA256

      6b99fbd677032ece9c5a9672db17a9a80ff77de4f3deb4b56dc197ceff8f6f3b

      SHA512

      52a9906d228a016948a354907168cb9a62c1c8a231945de1c0330b5700186dff655b9009d26fdead74363ddf78d710f37bb4aec17483531217539fbcd13897a8

      Download Submit
    • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\LocalCache\BiAF1KcUHgAvk0QnT766te59rnQE370ZDJd6twwyB6Cac03NHwppHYUX04FCVjKOEyVgKQ.exe
      Filesize

      1.9MB

      MD5

      0361a2474ac150a75f8b5d8ff179f309

      SHA1

      212a107da2db6096914a470b3618d751bb3d4442

      SHA256

      efd0bc9304e9b390a0d48d7e948b5deaa93bb77fc427a32eb2a75d6a0d0f6f15

      SHA512

      451410aaf43ec93aee48569e01a43d81e7e77fa62000813114ea2968b0d0f7f0cc2d68c7deea47dc95a57791fae8d59a372f133ad22b2949f08e2337a6832dd2

      Download Submit
    • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\AppData\tyqMsCgvW4Dj.exe
      Filesize

      2.1MB

      MD5

      8bb51d5447d260ac49e95040e2f51025

      SHA1

      c66d19c44994929456e6cf23ab9e40a7db9cbaa4

      SHA256

      8f56742904b9092dc969a15ac5d86aec3428d11bc3bad98a793bc54bbe13f854

      SHA512

      bf0bbada838410409a8c5a3ae2a2ae7d822234138e5fe4ebe99798ab50b821b89eb90512e4b372dc841578840cddb91c8aab84c8227a4449aedc929b0abe4e93

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Crash Reports\events\0RNExa2QjVd4DM.exe
      Filesize

      1.7MB

      MD5

      871c33732aebfbb30e3c3b2f61c42e42

      SHA1

      5fd1f5baa350a1689058ab5203d7473163e5e971

      SHA256

      ed6d7fa937344ab3d07abcccbfeafd992c1c4c33d98b0b76486533416c091a7e

      SHA512

      2e3b1386dda95845eaba38ffedcfac86071db5c78c58679547ddbcc14485010f10fd0440236b4a8f331f629dcf6c839080ec5e46646fd1a97e90a84127b39bfd

      Download Submit
    • C:\Users\Admin\Pictures\7scMrxjOblZTs7eX7axYHVFunqhZUsBacRzCvSwyKQ1XPyF9TA5OMhNyYGXboMM72lhVsg.cmd
      Filesize

      3.8MB

      MD5

      e8ad7dae08f8d8f3988c05371bb37ff5

      SHA1

      5850b8474d7ac9e1ca8ce06ff70b14b458fa23ea

      SHA256

      8cea7b864370fd5a8ed10217ed8b117108405d86aad39f0249e7618296d734f4

      SHA512

      2c9da7dfc9f0a8e01e357291c08e3bd7a8950d5a09e35964dff7c90433a4da44106030f3fb220f40f29bc673aec9c520a7eb5cfcdeaa5672890ed6313b17c20c

      Download Submit
    • C:\Users\Default\Downloads\4oShElEQTF0Q.exe
      Filesize

      1.9MB

      MD5

      e042d1a36ec07d3dda7f09708743ed1a

      SHA1

      9b89195d047f23e0c4e2581b356f155bc493292e

      SHA256

      89b5648f6cfbc4460af5c939b378a794e3ef61676e57baad958bf965365a2e78

      SHA512

      e8b822bc7afe4504811adb249cc8ed62f269ceddd80783db80df410fb1ed3b95ee432bf6d7371610cbadad8c2c0cc9297e2e7f5733578cc0e72437bfadbb788a

      Download Submit
    • memory/2656-148-0x0000000000000000-mapping.dmp
      Download
    • memory/2656-151-0x0000000000400000-0x000000000042D000-memory.dmp
      Filesize

      180KB

      Download
    • memory/2656-154-0x0000000000400000-0x000000000042D000-memory.dmp
      Filesize

      180KB

      Download
    • memory/4208-136-0x0000000000000000-mapping.dmp
      Download
    • memory/4208-147-0x0000000000400000-0x000000000042D000-memory.dmp
      Filesize

      180KB

      Download
    • memory/4208-150-0x0000000000400000-0x000000000042D000-memory.dmp
      Filesize

      180KB

      Download
    • memory/4208-138-0x0000000000400000-0x000000000042D000-memory.dmp
      Filesize

      180KB

      Download
    • memory/4792-132-0x0000000000400000-0x000000000042D000-memory.dmp
      Filesize

      180KB

      Download
    • memory/4792-134-0x0000000000400000-0x000000000042D000-memory.dmp
      Filesize

      180KB

      Download
    • memory/4792-133-0x0000000000400000-0x000000000042D000-memory.dmp
      Filesize

      180KB

      Download