Overview

overview

8

Static

static

909c914fde...8a.exe

windows7-x64

8

909c914fde...8a.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    204s
  • max time network
    31s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    25-11-2022 09:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    909c914fde5c6b6467d40735d4b6a87930ab5dd23e858a7b2f5c3a69b84a6e8a.exe

  • Size

    415KB

  • MD5

    dcc9555edcdcecf3a3cd60aba7b0875e

  • SHA1

    187fa9303a16fd85d6349dbd938136e8afaa59da

  • SHA256

    909c914fde5c6b6467d40735d4b6a87930ab5dd23e858a7b2f5c3a69b84a6e8a

  • SHA512

    1d62dcb14c8a52237e5cf209566cee69a7f8ad079d4e6698d019473ee27ac973dc7eb2e405f532fe00cedd31fc2aa3b9e63417521c0a72b4881e25444ec9088f

  • SSDEEP

    3072:aSsvihLlTQz9z71iURo2SJJmY6uFNcgifDbmeTXwVdBR:rsqhJMxzJiU5SeLmNSbmebW1

Score
8/10
persistencespywarestealer

Malware Config

Signatures

  • Adds policy Run key to start application 2 TTPs 7 IoCs
    persistence
  • Executes dropped EXE 1 IoCs
  • Sets file execution options in registry 2 TTPs 4 IoCs
    persistence
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS 56 IoCs
  • Modifies registry class 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\909c914fde5c6b6467d40735d4b6a87930ab5dd23e858a7b2f5c3a69b84a6e8a.exe
    "C:\Users\Admin\AppData\Local\Temp\909c914fde5c6b6467d40735d4b6a87930ab5dd23e858a7b2f5c3a69b84a6e8a.exe"
    1⤵
    • Adds policy Run key to start application
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    PID:1420
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x0
    1⤵
      PID:844
    • C:\Windows\system32\AUDIODG.EXE
      C:\Windows\system32\AUDIODG.EXE 0x540
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1072
    • C:\Windows\system32\LogonUI.exe
      "LogonUI.exe" /flags:0x1
      1⤵
        PID:916
      • C:\Windows\system32\gpscript.exe
        gpscript.exe /Shutdown
        1⤵
        • Loads dropped DLL
        • Modifies data under HKEY_USERS
        • Suspicious use of WriteProcessMemory
        PID:1572
        • C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\0oJde6gox9bxm.bat
          "C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\0oJde6gox9bxm.bat" 1
          2⤵
          • Adds policy Run key to start application
          • Executes dropped EXE
          • Sets file execution options in registry
          • Modifies data under HKEY_USERS
          • Suspicious use of AdjustPrivilegeToken
          PID:1052

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Registry Run Keys / Startup Folder

      2
      T1060

      Privilege Escalation

      Defense Evasion

      Modify Registry

      2
      T1112

      Credential Access

      Credentials in Files

      1
      T1081

      Discovery

      System Information Discovery

      1
      T1082

      Lateral Movement

      Collection

      Data from Local System

      1
      T1005

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\ODOC9coUBNFlkjp8XR4qIIpCQq.exe
        Filesize

        552KB

        MD5

        cc8497e3627d5f700aea2acaa98e7c1e

        SHA1

        120a53e6c4fec92d07b3f2e8d9033d97c66574fa

        SHA256

        789e15ef46ff7451b1b6a2ff6e02ea8b619fa03410cb096b102ae923aff86aeb

        SHA512

        25284cd096e0b866ad52f68bd3a43b86aa703f13e8cffefd4e6b239dd5897a3d05bfe0268ad95d3b484af8a972d9f25804811ee168d38df62aa0ce19089bf33e

        Download Submit
      • C:\ProgramData\Microsoft\Windows\AIT\6It7iBHwxU.exe
        Filesize

        421KB

        MD5

        46ce6d197b5d2e7b0a850a9e2b5df4da

        SHA1

        dc4a0f159222e978d99a4e9303cfba3c8686234e

        SHA256

        87db07dfb8e44abdb0f50ba53361405e15f7f7c6485c4acd37ea983d2e50ad50

        SHA512

        5ed1184cca1985e37927158a5db3b2795f41693077030a58a32cd8abd9c22d18656d9df7eba7e4d3161bbba361ce3fe21ab21e9374a885398352dff44243e270

        Download Submit
      • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\VideoLAN\KyurQdqpFvtC0RchvbAHyNKfN6ogYthvbf6b6VYgmitolrLGIvyY.exe
        Filesize

        665KB

        MD5

        c10521422ec61046a89ce1998fe26848

        SHA1

        8a405946837b0a63cde91400ad7e1a54fac140f1

        SHA256

        30f634a6cecd4ed6c250ef69056455c4deb94e15383b1bc61bdde2efa10d836e

        SHA512

        8e11acfb902e651d483c35e2f16785feff49311610f7c83ac9a37e8cd71627b86665fb9ef342b7a13350d663a288e6cbb7ea063081288f2a3ad3081aaec1face

        Download Submit
      • C:\ProgramData\Package Cache\{7DAD0258-515C-3DD4-8964-BD714199E0F7}v12.0.40660\packages\OooIi55qKPAHby46ytDBEDFHpCwh8VT3.exe
        Filesize

        632KB

        MD5

        001e40bddc6e0628f4bfa6840bc002df

        SHA1

        b4cd33e21697fb02bf6765f3f63a0dfceb5e2b84

        SHA256

        8c5ff46bb51ef9068488e3c7be7fee00a18d0138a59cbfd1553587365b00e504

        SHA512

        76830ab141bb607844d7a8a6a010cfbaf102c4745ac7c02ee0f220ab1e06703796d250036398afd55030a423e44cb5597908518aed81c4609ae3d85e9181ccbc

        Download Submit
      • C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\security\p4bqXukVLX2Uj0ldR9uxfY21VL9Ks.exe
        Filesize

        539KB

        MD5

        2025e08b152c90a85f4abd783342e2ab

        SHA1

        6eeb18a1dccde79cef9aa828c84dbe1d72340d34

        SHA256

        a5a294fb4eba4901615fab01838819de0e0b553ff045c9f6f4833173eef350b5

        SHA512

        bc2fb03fb95bf3f90058258813b05886f4dc920e342083a447dcc19494068191a3711b5708fcaffced8fce8b9029610a708dc0a40893f56d338e357c0e052461

        Download Submit
      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Code Cache\wasm\index-dir\apFDNOLii7Nt.exe
        Filesize

        793KB

        MD5

        89f1c71acfae979fb9d0a24514043df2

        SHA1

        967f313ba73e8dccdee737377e71c4373bba6a99

        SHA256

        8fd75d0df5e0533a361d82384313a4ca087ecc784ce21e97c88234a9f61e2d5e

        SHA512

        47eaf8eb77ffc33dbb289e7d7ebfdb80f2704236c147b27dfb2a55f823d9da7a493cfe5ecb8145d8db975af0dcb44aec3f2ab67c32108a41e00ca09d11961464

        Download Submit
      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\0kjEGjFBgCc9UVnZy6bf71j6PXsPiUbDZDBr6.exe
        Filesize

        720KB

        MD5

        041c2d174b0408d3daef40652f9788c3

        SHA1

        0defc39b2f9d92bb29d6e3e8e14a6ee9bd2f90c5

        SHA256

        8d685231c19cb72088521a2a464169f0c43aebdf70a641063859445b452518e7

        SHA512

        b312cde1339b6eb6125ca8b4a2b195a9100288c8e8b6b52e36fc31d697e29b64455f9d1737717f27bd5f2e67a93020f1f87b6d4be548aeb710624e31cd894f81

        Download Submit
      • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\f9EbNOXEoO2hF.exe
        Filesize

        692KB

        MD5

        0a79f0e0b94ee863fd61e9d1792cf184

        SHA1

        cea512f5287bbf657d10dd3caf02b7e3c4bcb64f

        SHA256

        3353bc682900e0f7c941d942d0ba447f9f223b0930e57d001cbf6c92dbfa67c6

        SHA512

        e61ee2c125aa7bd5b638e63a94d85648c9e0cc491d02f87a0c6469912656ceda8681775db725ddda3db6af934024d1bd3f38fbcb72b5fe1039906aede7856af3

        Download Submit
      • C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\0oJde6gox9bxm.bat
        Filesize

        591KB

        MD5

        3158047b4719257de53d7b75fa6b03ee

        SHA1

        fc9eb12ce9323d282b1c88a8070d3e80a4dbad11

        SHA256

        5fc3fc684893651c6f52b7427bc727141317eb7ed31af86bbd99e2c6a6c75af1

        SHA512

        1bfeaa3767d2668307cd33178d009b0c212b002ccfb7c38b6e1fc28b54716d82bc12a5c40edad5fd09642f9500687c8a8040a74869297a575f4b6c2c276d2442

        Download Submit
      • C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\0oJde6gox9bxm.bat
        Filesize

        591KB

        MD5

        3158047b4719257de53d7b75fa6b03ee

        SHA1

        fc9eb12ce9323d282b1c88a8070d3e80a4dbad11

        SHA256

        5fc3fc684893651c6f52b7427bc727141317eb7ed31af86bbd99e2c6a6c75af1

        SHA512

        1bfeaa3767d2668307cd33178d009b0c212b002ccfb7c38b6e1fc28b54716d82bc12a5c40edad5fd09642f9500687c8a8040a74869297a575f4b6c2c276d2442

        Download Submit
      • \Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\0oJde6gox9bxm.bat
        Filesize

        591KB

        MD5

        3158047b4719257de53d7b75fa6b03ee

        SHA1

        fc9eb12ce9323d282b1c88a8070d3e80a4dbad11

        SHA256

        5fc3fc684893651c6f52b7427bc727141317eb7ed31af86bbd99e2c6a6c75af1

        SHA512

        1bfeaa3767d2668307cd33178d009b0c212b002ccfb7c38b6e1fc28b54716d82bc12a5c40edad5fd09642f9500687c8a8040a74869297a575f4b6c2c276d2442

        Download Submit
      • \Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\0oJde6gox9bxm.bat
        Filesize

        591KB

        MD5

        3158047b4719257de53d7b75fa6b03ee

        SHA1

        fc9eb12ce9323d282b1c88a8070d3e80a4dbad11

        SHA256

        5fc3fc684893651c6f52b7427bc727141317eb7ed31af86bbd99e2c6a6c75af1

        SHA512

        1bfeaa3767d2668307cd33178d009b0c212b002ccfb7c38b6e1fc28b54716d82bc12a5c40edad5fd09642f9500687c8a8040a74869297a575f4b6c2c276d2442

        Download Submit
      • memory/844-55-0x000007FEFBA41000-0x000007FEFBA43000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1052-62-0x0000000000000000-mapping.dmp
        Download
      • memory/1052-70-0x0000000000400000-0x000000000042D000-memory.dmp
        Filesize

        180KB

        Download
      • memory/1052-78-0x0000000000400000-0x000000000042D000-memory.dmp
        Filesize

        180KB

        Download
      • memory/1420-54-0x0000000000400000-0x000000000042D000-memory.dmp
        Filesize

        180KB

        Download
      • memory/1420-56-0x0000000000400000-0x000000000042D000-memory.dmp
        Filesize

        180KB

        Download
      • memory/1572-68-0x0000000000F30000-0x0000000000F5D000-memory.dmp
        Filesize

        180KB

        Download
      • memory/1572-69-0x0000000000F30000-0x0000000000F5D000-memory.dmp
        Filesize

        180KB

        Download
      • memory/1572-76-0x0000000000F30000-0x0000000000F5D000-memory.dmp
        Filesize

        180KB

        Download
      • memory/1572-77-0x0000000000F30000-0x0000000000F5D000-memory.dmp
        Filesize

        180KB

        Download