Analysis

  • max time kernel
    179s
  • max time network
    227s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25-11-2022 09:21

General

  • Target

    311bd3b14f5017f67aeba0e28d1a45898a8f32f5db659e5bfae2e62efa8a3e3e.exe

  • Size

    1004KB

  • MD5

    d1e4eebb252d9e664903accc5f35b4c8

  • SHA1

    651e71de33b020747a68538a0a04b1a9f1f90a38

  • SHA256

    311bd3b14f5017f67aeba0e28d1a45898a8f32f5db659e5bfae2e62efa8a3e3e

  • SHA512

    8184f295c287dc79632e20371b3e12713a0189e646d63d15ac9c6201ef0ff3de5510ffdc19af5f7d2e20e2dca18577ab53aa85cfb48c508beb926fe6bc6ef062

  • SSDEEP

    3072:aSsvihLlTQz9z71iURo2SJJmY6uFNcgifDbmeTXwVdBR:rsqhJMxzJiU5SeLmNSbmebW1

Malware Config

Signatures

  • Adds policy Run key to start application 2 TTPs 7 IoCs
  • Executes dropped EXE 1 IoCs
  • Sets file execution options in registry 2 TTPs 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\311bd3b14f5017f67aeba0e28d1a45898a8f32f5db659e5bfae2e62efa8a3e3e.exe
    "C:\Users\Admin\AppData\Local\Temp\311bd3b14f5017f67aeba0e28d1a45898a8f32f5db659e5bfae2e62efa8a3e3e.exe"
    1⤵
    • Adds policy Run key to start application
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    PID:4856
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x4 /state0:0xa39e7055 /state1:0x41c64e6d
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:3552
  • C:\Windows\system32\gpscript.exe
    gpscript.exe /Shutdown
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of WriteProcessMemory
    PID:5104
    • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\AC\Temp\piBuLwJ0jZ3g.bat
      "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\AC\Temp\piBuLwJ0jZ3g.bat" 1
      2⤵
      • Adds policy Run key to start application
      • Executes dropped EXE
      • Sets file execution options in registry
      • Modifies data under HKEY_USERS
      • Suspicious use of AdjustPrivilegeToken
      PID:4964

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\ProgramData\Microsoft\Windows NT\MSFax\Common Coverpages\en-US\bvek8JpZzsHRw820A009GKko1Xm4HmeB.exe
    Filesize

    1.5MB

    MD5

    f37065abe28fa46088e5726bf11e9a28

    SHA1

    9e49beec585d171f75809eb45b48218ae71dd787

    SHA256

    00f7b1b1ab0548c10bff572c1191a5a04240c24d5fe601b4b95f3f3eea70fc45

    SHA512

    fe2f3ec4428750465227f61029a0901f243d11fa37150f4ce0587e9876f1d44268a944e8ed8f50d6eff0538236ee48b4238721141083cf3b57a05fb414feca28

  • C:\Users\Admin\AppData\LocalLow\1RgZiQqpqXF9us55ls06uRfStnq3zFKbTsO2Ys.exe
    Filesize

    1.4MB

    MD5

    20d02445384ffefaaff999663506ec69

    SHA1

    49029845d368873c95d926e8a3f0c4467f29782a

    SHA256

    0f24abe5bf6092de31fd4db609355a5ab351e1b5862c1f9688e13b0ace3153ee

    SHA512

    f5829812b4cfbcd321f9fc69e162e3a9584f1658df663541f213ca14e1f915bd7e5b1cb7c8fcdecc6621d220e34c19e50e1ab9d5369865bd12306ccc27449e95

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Local Storage\of1XsQuzMp2VC5APD9RflqxjUkGMC8G.exe
    Filesize

    1.0MB

    MD5

    7a20ad572d4e279ffe13da823b28c924

    SHA1

    eab6af9a9dd334c4703d4fa5f6393a8ec93bac43

    SHA256

    7ff37235695a9a5258461aa5346cdd7a056f5275071f267955ebbbde720c9501

    SHA512

    73e8befbf8202e012fe3b7e9c8412ca2b33ad9714f4b7a23f72ab0fdef4c905c4629ee0f144b2721b958d8570308f92e399809a598e06c0bbad3ee3b3a7ef025

  • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\IRMProtectors\h77b2DRXZjO9Y1eC6.exe
    Filesize

    1.9MB

    MD5

    623038fe1405a5e20c39dbed1850e7ec

    SHA1

    53e000038eb77581d24c15601a04ace0cd6bb3c7

    SHA256

    77eed22d85828c5eba9f6b46591088d3b0d1a5f3aac85e19c03fd8f13f644522

    SHA512

    30361031332afaee68e2a2cd5e51236365814b682b0e8e10392fe6f86b0bcfbbd9ae2e523dd31ce7da70672feab0188a827c2bded04eb3f415e25315cfd10719

  • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\kk\jBAByx8jykYaPfOZkqGCsOqZPcPb9kc3uoM0RfQPJz3LhAAFmaTjI9AOkMz.exe
    Filesize

    1.1MB

    MD5

    075fc68c6cea18f51961f87f73726095

    SHA1

    6cc42d738b5512961a2e2c888405c58bd7b94c19

    SHA256

    7c2f4bd867d4f701e4b6ebe3c75dd2e97242b334d38bc891cc6343d930664212

    SHA512

    1febfa6cd80efeb0a658a22a7539329192a91fc52b5bfe14db9421cd726ab63f4cf860aa40edfc39b87ec7b33fdea2e12bbab02e9fc57f4cc6a1145551e7cafc

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Shell\64eLBU3dqJiQUFd4wggwmf0L.exe
    Filesize

    1.5MB

    MD5

    4a577cf027edd7d52eb83e4025085fa9

    SHA1

    5addec2b7c2d1d57931db59842edf03b409783e3

    SHA256

    eda4702bc828959015484ebc2e276f3525258cdc2e5aa3ca3e9953d9801ad37e

    SHA512

    2fd57608e0cf46b5a381071fef672a3065b095ac52061db6da1fa13b49f48f399fc5b6019dc6dd3d8ca9c6cc284b30519c5412db0076978a44155b7377edd1e7

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\AC\Temp\piBuLwJ0jZ3g.bat
    Filesize

    1.7MB

    MD5

    0b17a70cf4f0dc4c50d37c1c6cca3443

    SHA1

    a19cdefd3a9c074de5b9d06717b7ef2a9499ca5f

    SHA256

    26f74949518a993ac11c72a303bce0008ae4a076ebf47e7b8bc2692692fcee8b

    SHA512

    afc3f84654bc7df06ea0c1f4a814b81367c487ccfc8822365238f7bb0b62b6a75871c10f84f54cd6207d802799e8ead73cdd752b66742853de177a4ceba420be

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\TempState\T5yUmfENQshlqk5tDtqFeJKYn3Chl81.exe
    Filesize

    1.6MB

    MD5

    1f05be8dd07c9de4199c02b33c004db8

    SHA1

    a343e7d25dedf52306883753f4cff7ee01902234

    SHA256

    6293a068a892566031e7a088610d0326bb44759b3ce8f104f6eed53245b86314

    SHA512

    19f61be470bb6cbaecc644aae78fddd8411241b1e9553ec38eb04b6e647a2412c512a1b24aa660acdce982e7366ad3b985b052b07509543e39421e022ff794db

  • C:\Users\Admin\AppData\Local\Packages\NcsiUwpApp_8wekyb3d8bbwe\AC\INetCookies\ifjsfRjvAIHspomJPHADCjH1xfyevRY3FT17X7XPJXkBMSjXw.exe
    Filesize

    1.8MB

    MD5

    8db3f20ae904f7c06eb049a0bf67bfac

    SHA1

    a6dc0258bd3cd91d87e835e5f6434dad72c4d5f0

    SHA256

    cff42208c7b67b002d79a4f7de98cf1b5926d6a8d3b1ce2b57c7b3e9f0c87f66

    SHA512

    6b4a3863b148427730c11becbc2fbad22a78e1847034252b61c841d2d07a25b519a829816394a7f18991ea12e9eb5ce93eb1cf03db1cff99f33bcaa3d0b5b245

  • memory/4856-132-0x0000000000400000-0x000000000042D000-memory.dmp
    Filesize

    180KB

  • memory/4856-134-0x0000000000400000-0x000000000042D000-memory.dmp
    Filesize

    180KB

  • memory/4856-133-0x0000000000400000-0x000000000042D000-memory.dmp
    Filesize

    180KB

  • memory/4964-139-0x0000000000400000-0x000000000042D000-memory.dmp
    Filesize

    180KB

  • memory/4964-138-0x0000000000400000-0x000000000042D000-memory.dmp
    Filesize

    180KB

  • memory/4964-135-0x0000000000000000-mapping.dmp