Overview

overview

8

Static

static

909c914fde...8a.exe

windows7-x64

8

909c914fde...8a.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    151s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-11-2022 09:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    909c914fde5c6b6467d40735d4b6a87930ab5dd23e858a7b2f5c3a69b84a6e8a.exe

  • Size

    415KB

  • MD5

    dcc9555edcdcecf3a3cd60aba7b0875e

  • SHA1

    187fa9303a16fd85d6349dbd938136e8afaa59da

  • SHA256

    909c914fde5c6b6467d40735d4b6a87930ab5dd23e858a7b2f5c3a69b84a6e8a

  • SHA512

    1d62dcb14c8a52237e5cf209566cee69a7f8ad079d4e6698d019473ee27ac973dc7eb2e405f532fe00cedd31fc2aa3b9e63417521c0a72b4881e25444ec9088f

  • SSDEEP

    3072:aSsvihLlTQz9z71iURo2SJJmY6uFNcgifDbmeTXwVdBR:rsqhJMxzJiU5SeLmNSbmebW1

Score
8/10
persistencespywarestealer

Malware Config

Signatures

  • Adds policy Run key to start application 2 TTPs 7 IoCs
    persistence
  • Executes dropped EXE 1 IoCs
  • Sets file execution options in registry 2 TTPs 4 IoCs
    persistence
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\909c914fde5c6b6467d40735d4b6a87930ab5dd23e858a7b2f5c3a69b84a6e8a.exe
    "C:\Users\Admin\AppData\Local\Temp\909c914fde5c6b6467d40735d4b6a87930ab5dd23e858a7b2f5c3a69b84a6e8a.exe"
    1⤵
    • Adds policy Run key to start application
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    PID:3460
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x4 /state0:0xa39cb855 /state1:0x41c64e6d
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:2488
  • C:\Windows\system32\gpscript.exe
    gpscript.exe /Shutdown
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of WriteProcessMemory
    PID:3892
    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\EMEEBW7cwQODLDDk1BeQezdD.bat
      "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\EMEEBW7cwQODLDDk1BeQezdD.bat" 1
      2⤵
      • Adds policy Run key to start application
      • Executes dropped EXE
      • Sets file execution options in registry
      • Modifies data under HKEY_USERS
      • Suspicious use of AdjustPrivilegeToken
      PID:3676

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2
T1060

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\VideoLAN\O2gFxbuet8WsafK2naE54xd31kkh5Qa93sRJTczFDfD1.exe
    Filesize

    795KB

    MD5

    82d40dcefa72af315be3c9fbd590766d

    SHA1

    266b7db115ea36d1ad035458d1181d4a5d5713e2

    SHA256

    7bf319ea908b98399f7dbbc4fad8dc4d24b46299401a3b78e79a472e99b28927

    SHA512

    f0b8c90a21ad8a971d54ed5508f3ffb61ea2e8cd57e6f9e6ecc03708511ce6c22f728100050cf98ad9da520d913dc5a07d1ab549f6af3e1aaf8a47c8d38a7c23

    Download Submit
  • C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\v7bNXle8FqwEIHYDP7R5zkI76vIDUMWphQ7MbiZkO08LszoGKWs4pr1IEEuir4t.exe
    Filesize

    712KB

    MD5

    0d598529e040dd3197b3ebf1167b612d

    SHA1

    443f383c67fa7a851d402a1aae4587eee6e4d572

    SHA256

    c7dec7ec9f351e2f23ae6a40af9604af620f9079f19099469b3176fa4403bb09

    SHA512

    63e3df1f488492d65f9001061d8b6ea5bb653b12c2b930ab1ddcf1e5755d52f1cb746a9d81769d589a45ae5d899c7d5ef0ff4f18e7aed3a9058946719da00d07

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\EMEEBW7cwQODLDDk1BeQezdD.bat
    Filesize

    753KB

    MD5

    30080edaac46d571f563551cbf434969

    SHA1

    d17282225cdfa54d26421f1c0f5a1016d8f07412

    SHA256

    44e7d6681d2ddeb2b7ca99928d041c4923e0fe6d66a8f39ca03b1b19a1f901e2

    SHA512

    987de3485777fe43152790731f15039fe46aa0e6cb530734c154b09cfab5ccf9a57120b9bf16f0c9bc648b9dd2e2b682b73d5c0eb5279863b454bb44e671ee60

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\EMEEBW7cwQODLDDk1BeQezdD.bat
    Filesize

    753KB

    MD5

    30080edaac46d571f563551cbf434969

    SHA1

    d17282225cdfa54d26421f1c0f5a1016d8f07412

    SHA256

    44e7d6681d2ddeb2b7ca99928d041c4923e0fe6d66a8f39ca03b1b19a1f901e2

    SHA512

    987de3485777fe43152790731f15039fe46aa0e6cb530734c154b09cfab5ccf9a57120b9bf16f0c9bc648b9dd2e2b682b73d5c0eb5279863b454bb44e671ee60

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\adm\zh-TW\3eELysmbwXaH8jRsKaw3yd2EFY5yLFP7HAGYH3AkfShKeDhWmx8RpSGvwBn.exe
    Filesize

    422KB

    MD5

    55e076ea5ab6769306888d24676ef8e3

    SHA1

    19dc6d18925f31fb1f507d1cd76cbef4576f0fde

    SHA256

    62d8a614a53f6e87d8b06327d0413327b65eeaa08405bed5062c364c6cccca39

    SHA512

    ec4d1426c9b6918d6e20af2444890afba5a6f3b26e0b89d18a51c59ef635d414f955a157507635112d6b4503577f4a57692cefbebb74de2974a425d14b79aaa3

    Download Submit
  • C:\Users\Admin\AppData\Local\Packages\Microsoft.BioEnrollment_cw5n1h2txyewy\SystemAppData\vQ8NAkD8YUfZYmqBDZUm1XmEzjnt90iCVj7OzoQnAQxAKGxjrHaGJuzN.exe
    Filesize

    776KB

    MD5

    9e4122ee2c29c93dd09cbdd861d3aaa4

    SHA1

    a6175eea73678bc22caf47d1440c97568eec7df4

    SHA256

    64755c838023be76469043ac88b77c7ecebdde67826d11c933536fd7d695d755

    SHA512

    ae280206628e2908db8972a14c3e65ee326e93157f236045edad1728bd1269b9ec2eed5a5c986daef1159d534c05c7d4c8a023af399f553d003b688774f6ae9f

    Download Submit
  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\AppData\DhQAiFi44Dk8Bi2hDC9WBzwXVUvnQycyqfdQ5uwDByezu7K1RB3.exe
    Filesize

    473KB

    MD5

    a3c22d743b9cbf773d912a6cc3d0b67e

    SHA1

    09307a851b4c2a9bb3e4dfd2acdc9d9dc1a66c43

    SHA256

    acbb98421cdc9f153a8d83cba60f04856d0da5ad2e8f38474a32412988770817

    SHA512

    01e02ffdcef2a7a2ede130069eafe1e03831889e32983810141f6e6dfdcc3a2f2f22286eb245225ee70fd50916c9092e25cd8f4acf27db1cc266e9a4e2acad4e

    Download Submit
  • C:\Users\Admin\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\TempState\VJChJjQLelG2OOrG4svTPDCpbLxc8ITVSG6dhh9U.exe
    Filesize

    691KB

    MD5

    437c1d0355bebda0a184039a14bc97b7

    SHA1

    46561c4399729860603285cc773663b2db90bde5

    SHA256

    eb5a29a749601fb2398089ae78d7b8b267c1a35fe83c77e47635cd8f73ee9af2

    SHA512

    5fd345f3ce168b39a27f4298a4913eacc6eaf2721a5c4f8844d594a8738fb67ee9dda85907fdb799bd14868c5875052c2fc2c839b8b4462d738bce941c1f6679

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0fx48ci0.default-release\storage\permanent\chrome\PMB8RBKxCJFvs9H4HRlS1GKe7EHvz7rZyGotMGZB.exe
    Filesize

    440KB

    MD5

    8d1e184e0f0d6a590176e59dd3d967f9

    SHA1

    0d4f0b07a9c235f3b56978d1ac367b88769557ca

    SHA256

    aad8f1caf6053280811f53eb096a33beb1ca840fbbe0efd3121913770e4c15ce

    SHA512

    eb028bbd9f7d5caf10063b6cdcfbfdd0324ac104716989f45076d1b86e3e1edee20ffdea0252cc7c67ab09b29e70e23e0b23c1ecdfc9e392a5dd3c75081267ab

    Download Submit
  • C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\qZjR8R54w5tf9YBZTdH1E1dZyRZjHiKWBIVGpFq3pQRY54cuPeDrjNORG8wgPwXjfU6LCCO.exe
    Filesize

    608KB

    MD5

    b90eda74d88bc549eb35eb229e9045d0

    SHA1

    2cf066e7947c73971bbc664abc94492b74cce275

    SHA256

    8fb1978b246783a0490b62879f2c7dbb57b098e9a6c91777eb52ebcba6d6090f

    SHA512

    dec74feac016f62f92c7c7da1e6cc6b8ea8ff433315485b7c2488837ebc42dd20eacbf16af18665144646f35bb7b6f8dea87ae5de04f30267adc982aa2917bb9

    Download Submit
  • memory/3460-134-0x0000000000400000-0x000000000042D000-memory.dmp
    Filesize

    180KB

    Download
  • memory/3460-132-0x0000000000400000-0x000000000042D000-memory.dmp
    Filesize

    180KB

    Download
  • memory/3460-133-0x0000000000400000-0x000000000042D000-memory.dmp
    Filesize

    180KB

    Download
  • memory/3676-135-0x0000000000000000-mapping.dmp
    Download
  • memory/3676-138-0x0000000000400000-0x000000000042D000-memory.dmp
    Filesize

    180KB

    Download
  • memory/3676-147-0x0000000000400000-0x000000000042D000-memory.dmp
    Filesize

    180KB

    Download