Overview

overview

8

Static

static

311bd3b14f...3e.exe

windows7-x64

8

311bd3b14f...3e.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    184s
  • max time network
    31s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    25-11-2022 09:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    311bd3b14f5017f67aeba0e28d1a45898a8f32f5db659e5bfae2e62efa8a3e3e.exe

  • Size

    1004KB

  • MD5

    d1e4eebb252d9e664903accc5f35b4c8

  • SHA1

    651e71de33b020747a68538a0a04b1a9f1f90a38

  • SHA256

    311bd3b14f5017f67aeba0e28d1a45898a8f32f5db659e5bfae2e62efa8a3e3e

  • SHA512

    8184f295c287dc79632e20371b3e12713a0189e646d63d15ac9c6201ef0ff3de5510ffdc19af5f7d2e20e2dca18577ab53aa85cfb48c508beb926fe6bc6ef062

  • SSDEEP

    3072:aSsvihLlTQz9z71iURo2SJJmY6uFNcgifDbmeTXwVdBR:rsqhJMxzJiU5SeLmNSbmebW1

Score
8/10
persistencespywarestealer

Malware Config

Signatures

  • Adds policy Run key to start application 2 TTPs 7 IoCs
    persistence
  • Executes dropped EXE 1 IoCs
  • Sets file execution options in registry 2 TTPs 4 IoCs
    persistence
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS 58 IoCs
  • Modifies registry class 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\311bd3b14f5017f67aeba0e28d1a45898a8f32f5db659e5bfae2e62efa8a3e3e.exe
    "C:\Users\Admin\AppData\Local\Temp\311bd3b14f5017f67aeba0e28d1a45898a8f32f5db659e5bfae2e62efa8a3e3e.exe"
    1⤵
    • Adds policy Run key to start application
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    PID:1440
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x0
    1⤵
      PID:1340
    • C:\Windows\system32\AUDIODG.EXE
      C:\Windows\system32\AUDIODG.EXE 0x47c
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:668
    • C:\Windows\system32\LogonUI.exe
      "LogonUI.exe" /flags:0x1
      1⤵
        PID:1928
      • C:\Windows\system32\gpscript.exe
        gpscript.exe /Shutdown
        1⤵
        • Loads dropped DLL
        • Modifies data under HKEY_USERS
        • Suspicious use of WriteProcessMemory
        PID:1704
        • C:\Users\Admin\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\000073E7\prEzx6iJDO7RugzftmbZRGgjQ6PuIleXQUUkrObiLwA2b.exe
          "C:\Users\Admin\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\000073E7\prEzx6iJDO7RugzftmbZRGgjQ6PuIleXQUUkrObiLwA2b.exe" 1
          2⤵
          • Adds policy Run key to start application
          • Executes dropped EXE
          • Sets file execution options in registry
          • Modifies data under HKEY_USERS
          • Suspicious use of AdjustPrivilegeToken
          PID:888

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Registry Run Keys / Startup Folder

      2
      T1060

      Privilege Escalation

      Defense Evasion

      Modify Registry

      2
      T1112

      Credential Access

      Credentials in Files

      1
      T1081

      Discovery

      System Information Discovery

      1
      T1082

      Lateral Movement

      Collection

      Data from Local System

      1
      T1005

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\ProgramData\Microsoft\Windows\WER\ReportQueue\NonCritical_x64_3eb5ea8473594499407cacbd9887e2953d50fd80_cab_04248dae\eUIutYcrEmCNurPwLvmh3VWuUn3zWO0BbaPb4jyTTPGA9IyJu3URadUo3yZgOc032.exe
        Filesize

        1.8MB

        MD5

        32216577286a20779444e74d18164576

        SHA1

        5c695b7dcfdf1f2cb76abe40becd7b1978674f4e

        SHA256

        3ad86bf456ff521b0a4a7d2d3f6fa94fb015881ca56a90577506369ba5fba327

        SHA512

        34cc9e5543b8345b5a66e94a0e8429d825f4e73f8300ac259d5c0fb3cb168f10d668441a6953513d21fe5cd393dff710de8f36aa0a590e4e469eb0ad3f8463bb

        Download Submit
      • C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\55\12eBliM5a12hQom4lYPe95UeGT6j4Jv8cfhMmo30dj7fZWnAjjccM72UyYfhGhm6f8HHz.exe
        Filesize

        2.0MB

        MD5

        6e9a31ebd9b0b612dae1bcb555b494d9

        SHA1

        f9395e5daeeeb765390b2819e36610d0fe9684ec

        SHA256

        ce12c1e8d45f6d51a3c4c9e7d65819c208a193cecf5834ab10ca3637b798ff13

        SHA512

        a83deebacdca3c6e66142195ad6a0f0fb0a9190c6b0fb95c051e9271ca7d7a5e75f0223d3b04117ecad2d14fb8b13bdc15bbb22e41497722fb364cf0c3da14dd

        Download Submit
      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\WidevineCdm\7nzqnRa0zJbntY4JGpIVCaVUtDLp5wlfrD3scjexPo9cfRfHOl.exe
        Filesize

        1.2MB

        MD5

        ea67ae070920ed702df5b349d20c501f

        SHA1

        511fdf5f0a2a25ffa71ff75e811bdb4bb871084d

        SHA256

        1bc2f2ab16aef430e36d3612d79e4bf1b51ed8ce53da469b2e0ca6b6eddb3828

        SHA512

        14d047a699ea8a3fb8139ce0f461bbcfb3a7f685b2d8606d029d65ed91e37af60b9d046a0414fd698e67c299b955dafaa6db9537128fe5f04e45735a54edc3ae

        Download Submit
      • C:\Users\Admin\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\000073E7\prEzx6iJDO7RugzftmbZRGgjQ6PuIleXQUUkrObiLwA2b.exe
        Filesize

        1.4MB

        MD5

        748b2eabd49182b199729fd0a8e5bb02

        SHA1

        74e189fa819b207f941b98c3ca71f40b5a87ecb0

        SHA256

        5ea560496dfbd6e8c3f98d4bbb0bb5d4d097451791e08493adf53cd6351084cf

        SHA512

        d0a99c06e476867c8f92a4a54718b8209547b6f5f21db2772ce12e41ea470655cf00ba417da32cd143c870d02dd9ae66c4bae8ad169e3da965079fd04d38b49f

        Download Submit
      • C:\Users\Admin\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\000073E7\prEzx6iJDO7RugzftmbZRGgjQ6PuIleXQUUkrObiLwA2b.exe
        Filesize

        1.4MB

        MD5

        748b2eabd49182b199729fd0a8e5bb02

        SHA1

        74e189fa819b207f941b98c3ca71f40b5a87ecb0

        SHA256

        5ea560496dfbd6e8c3f98d4bbb0bb5d4d097451791e08493adf53cd6351084cf

        SHA512

        d0a99c06e476867c8f92a4a54718b8209547b6f5f21db2772ce12e41ea470655cf00ba417da32cd143c870d02dd9ae66c4bae8ad169e3da965079fd04d38b49f

        Download Submit
      • C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\Collab\REYRs32rf7AnTSt7HS9f7XN4t8NZG2Augl.exe
        Filesize

        1.5MB

        MD5

        ab8b1d2518925cb69b6ac7f535d0dcb5

        SHA1

        82eccf424762d0608c562f30e1e82c3bd438739a

        SHA256

        85decbf5db0b08b49450ac23de22b6c9bd5b817a4ab1097fb6efc565b6a1e1ab

        SHA512

        76c80cde515c491ead782e226ae54f6a506d2eaea46c17999bf4a3dc95dde911de7759633609b64150795cf64f9b21bb75d811968cee5b9ff57d8c2115b8d7f5

        Download Submit
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IEDownloadHistory\yTWzgQDOdiY3mIiSWkAFuAqM8XNtlbyl2DP4X4FNKeunotgOP4ByHyLjx9tWgi.exe
        Filesize

        1.3MB

        MD5

        8a16fa1ed17ad0c067ca20c58e79eac7

        SHA1

        87966d7542744feff1a99f8e7a5e599acf0cee8f

        SHA256

        ee7712560b783e01e71a02797cdd0de049fbf377cf7cad2eba63af4b49e3a5e3

        SHA512

        f9af9a6d998ec0d7663cc54b87a163a6e690d68874b1fff48dae67f09833f9e7a35b44debe3fb6ed11cd82b6f6c234ab561bc4a9159df0c0a4d5b0119b87312e

        Download Submit
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\sOPYFIVP6K2YB72i3AlX4VwS9VA43S7djX4FZSvgOCvaHHK4.exe
        Filesize

        1.6MB

        MD5

        58410efec7e7e183bbd8dddd46d9a867

        SHA1

        6fe2cccf8acce499a6a7851f0b2bab969a0fb9ae

        SHA256

        c839fa1e14999cd753a7af039965abd0321218c3bc4d8f9d47623a321486080f

        SHA512

        b266f5be48c3748b6283d8f4dc16ba93363f88219bd6107d55956ee63b4865c594742c5b02d9dbc890814919435f6f9a7ecbaf8bd4baa1b4a3f07241b18a608c

        Download Submit
      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dozshqpt.default-release\sessionstore-backups\OKv2gj1S76JufhEuYGQGN8VHqGimcynCaT36EjkE78KuVDb6Yilas.exe
        Filesize

        1.7MB

        MD5

        4e173b953d1c6502e1b4ae60b535b1d7

        SHA1

        503ca9a37a64142a68d3b7adcc480a7b9605b1ae

        SHA256

        7ffb730b237696e784d526c69e9d11308579ab6b5abe4c4b1d38b15b52b1118e

        SHA512

        1fa95814b9ff5f0d655f3a6cf7960ca77cc9c1cd0df9958ab8f94f589774719624575d47475dfc81489727c9c80c3fd9707f472c75ec97d41f03b6c255eec548

        Download Submit
      • C:\Users\Admin\Pictures\dKtEXxT5wHPHBJObDcEBVGORVO3uFpoOHz3qHOsDcSV3lKD.exe
        Filesize

        1.2MB

        MD5

        a9276862facec04cd3c0de349ab5f9b6

        SHA1

        1ec540750f1c1a7d085a00f4f3d3291f4c22ab3c

        SHA256

        0b2ca22b7de22df1e11a5779054343ee2d861a07a1693919d751e7cb209947d9

        SHA512

        e9d5c090978ea0de54d25f7215fa0ad0561c1e1342a645329407a89913341cd418803c2a3ae3325d3658bdcf55bb4caac5b18d2d12e3521fd75867ec95593c93

        Download Submit
      • \Users\Admin\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\000073E7\prEzx6iJDO7RugzftmbZRGgjQ6PuIleXQUUkrObiLwA2b.exe
        Filesize

        1.4MB

        MD5

        748b2eabd49182b199729fd0a8e5bb02

        SHA1

        74e189fa819b207f941b98c3ca71f40b5a87ecb0

        SHA256

        5ea560496dfbd6e8c3f98d4bbb0bb5d4d097451791e08493adf53cd6351084cf

        SHA512

        d0a99c06e476867c8f92a4a54718b8209547b6f5f21db2772ce12e41ea470655cf00ba417da32cd143c870d02dd9ae66c4bae8ad169e3da965079fd04d38b49f

        Download Submit
      • \Users\Admin\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\000073E7\prEzx6iJDO7RugzftmbZRGgjQ6PuIleXQUUkrObiLwA2b.exe
        Filesize

        1.4MB

        MD5

        748b2eabd49182b199729fd0a8e5bb02

        SHA1

        74e189fa819b207f941b98c3ca71f40b5a87ecb0

        SHA256

        5ea560496dfbd6e8c3f98d4bbb0bb5d4d097451791e08493adf53cd6351084cf

        SHA512

        d0a99c06e476867c8f92a4a54718b8209547b6f5f21db2772ce12e41ea470655cf00ba417da32cd143c870d02dd9ae66c4bae8ad169e3da965079fd04d38b49f

        Download Submit
      • memory/888-62-0x0000000000000000-mapping.dmp
        Download
      • memory/888-66-0x0000000000400000-0x000000000042D000-memory.dmp
        Filesize

        180KB

        Download
      • memory/888-76-0x0000000000400000-0x000000000042D000-memory.dmp
        Filesize

        180KB

        Download
      • memory/1340-55-0x000007FEFB9C1000-0x000007FEFB9C3000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1440-54-0x0000000000400000-0x000000000042D000-memory.dmp
        Filesize

        180KB

        Download
      • memory/1440-56-0x0000000000400000-0x000000000042D000-memory.dmp
        Filesize

        180KB

        Download
      • memory/1704-65-0x0000000000C20000-0x0000000000C4D000-memory.dmp
        Filesize

        180KB

        Download
      • memory/1704-64-0x0000000000C20000-0x0000000000C4D000-memory.dmp
        Filesize

        180KB

        Download
      • memory/1704-74-0x0000000000C20000-0x0000000000C4D000-memory.dmp
        Filesize

        180KB

        Download
      • memory/1704-75-0x0000000000C20000-0x0000000000C4D000-memory.dmp
        Filesize

        180KB

        Download