Overview

overview

10

Static

static

194ce01632...18.exe

windows7-x64

194ce01632...18.exe

windows10-2004-x64

Analysis

  • max time kernel
    47s
  • max time network
    52s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-11-2022 09:24

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    194ce016322f59f52ff8311a77b81847e8330667ddbb476862104e72e6fcb818.exe

  • Size

    1.7MB

  • MD5

    4a50ebb7357ed7ad2bdd2aa0b7adb247

  • SHA1

    e95ead1ef996937878dafbc63ec1e2840dbc7b78

  • SHA256

    194ce016322f59f52ff8311a77b81847e8330667ddbb476862104e72e6fcb818

  • SHA512

    b0d3edfe5903bc5a02b2ca264c03e0100b82f69260ee6cc68588e8f88346ed38b1ac17b9505c11255dd44d89c45bc0b4ae90e6ba846c9fb48c278692101b098e

  • SSDEEP

    3072:aSsvihLlTQz9z71iURo2SJJmY6uFNcgifDbmeTXwVdBR:rsqhJMxzJiU5SeLmNSbmebW1

Score
10/10
persistencespywarestealer

Malware Config

Signatures

  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Adds policy Run key to start application 2 TTPs 7 IoCs
    persistence
  • Executes dropped EXE 2 IoCs
  • Sets file execution options in registry 2 TTPs 8 IoCs
    persistence
  • Drops startup file 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 10 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Windows\system32\lsass.exe
    C:\Windows\system32\lsass.exe
    1⤵
      PID:668
      • C:\Users\Admin\AppData\Local\Packages\Microsoft.ECApp_8wekyb3d8bbwe\LocalState\GNRleclld8xyldfV1qw1DseqgPUjZ9J2rb.exe
        "C:\Users\Admin\AppData\Local\Packages\Microsoft.ECApp_8wekyb3d8bbwe\LocalState\GNRleclld8xyldfV1qw1DseqgPUjZ9J2rb.exe" 2
        2⤵
        • Executes dropped EXE
        • Sets file execution options in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4768
    • C:\Users\Admin\AppData\Local\Temp\194ce016322f59f52ff8311a77b81847e8330667ddbb476862104e72e6fcb818.exe
      "C:\Users\Admin\AppData\Local\Temp\194ce016322f59f52ff8311a77b81847e8330667ddbb476862104e72e6fcb818.exe"
      1⤵
      • Adds policy Run key to start application
      • Modifies data under HKEY_USERS
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      PID:1352
    • C:\Windows\system32\LogonUI.exe
      "LogonUI.exe" /flags:0x4 /state0:0xa39c7855 /state1:0x41c64e6d
      1⤵
      • Modifies data under HKEY_USERS
      • Suspicious use of SetWindowsHookEx
      PID:1620
    • C:\Windows\system32\gpscript.exe
      gpscript.exe /Shutdown
      1⤵
      • Modifies data under HKEY_USERS
      • Suspicious use of WriteProcessMemory
      PID:4796
      • C:\Users\Admin\AppData\Local\Packages\Microsoft.ECApp_8wekyb3d8bbwe\LocalState\GNRleclld8xyldfV1qw1DseqgPUjZ9J2rb.exe
        "C:\Users\Admin\AppData\Local\Packages\Microsoft.ECApp_8wekyb3d8bbwe\LocalState\GNRleclld8xyldfV1qw1DseqgPUjZ9J2rb.exe" 1
        2⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • Adds policy Run key to start application
        • Executes dropped EXE
        • Sets file execution options in registry
        • Drops startup file
        • Modifies data under HKEY_USERS
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:396

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Registry Run Keys / Startup Folder

    2
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    2
    T1112

    Credential Access

    Credentials in Files

    1
    T1081

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Data from Local System

    1
    T1005

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\Microsoft\Windows\Ringtones\It3QuRGuiK1zmKHcOiChdIwRWcvcInRZMp1Eu05D2rTW8j3rp3Acm3UkEDHYgGI.exe
      Filesize

      2.7MB

      MD5

      34e5b340c655e18a6c5ef07ca5fbdd35

      SHA1

      922a7a93f4416aac635037779005355b9f505f05

      SHA256

      649b4b5eed00d31166d9388ea03f6b3af3102a512226bea38850962a7f35749b

      SHA512

      b5ba351f8e3c5360209a2a58647b73565e55726a819eed0564ccf8cf3a2229fc762723093e88a3a6a3ede63d776384d2addb79976c066f0db58d8e0c24e0a9e3

      Download Submit
    • C:\ProgramData\Package Cache\{CB0836EC-B072-368D-82B2-D3470BF95707}v12.0.40660\7vNVlscOuRh6nRnca8zzOfCumXZxdrAyGfk7EwBlq9FBkkPJYXlZCqCh8b.exe
      Filesize

      2.9MB

      MD5

      87e8b923d566b472c0d9e0c223597b56

      SHA1

      32c13391ded1a042260b0998ea0c20b6dc96e846

      SHA256

      307d04dbeac85b93a69933a60c9589fbad8a078d89a109d6b15448e23a7d125c

      SHA512

      1e9940903c7bf64ce5bb387faa4de81f6d11832a26b07bfe43432e78d172d1195fd7445d5c09d7d740016c3be5d232c4b490dae8578b58fc5d86bc0930aaadda

      Download Submit
    • C:\ProgramData\WindowsHolographicDevices\88JxHzESVkZl1AlMHnRS5j9wNDbjhZvcglMpDDpj.exe
      Filesize

      2.5MB

      MD5

      1223767032e149740914c8132f318474

      SHA1

      50471bc6632682f176bf839d2dc757bdd4af82b8

      SHA256

      9c79a18fbcc49c8c751d5c88253c2ce07b7476bac081ceb24a68f64af9385ad5

      SHA512

      8415d9757c574191d55768cd96a9f22b2790602b46946de128712721b2e1fbbe8a4add06f66dce5159eabbe2135f11b8c32b6d3e69ea073f863ceda4fee75d28

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\41\8CMSCV1EgetIOcxBVrCKrvaSf24KlzAjL.exe
      Filesize

      4.4MB

      MD5

      241f5e1b497fb66659a7defa5545307e

      SHA1

      417355d910ed0fe0dfa2485ff390a2027a51c32e

      SHA256

      d3f51ac2ebfddbf2e9e953ff4b2418c5a60ba05418104413b32177b5e37e0433

      SHA512

      687998c0edb7d5433b8e10076d93670cbaa95a431708fe1ce67b954e9aa4158772c822cf36fe3a83ce4cc9b32940e3b1414f79e59debe5091b4165c1569c6626

      Download Submit
    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Code Cache\2MCdvnsCx7TvX3yW.exe
      Filesize

      2.8MB

      MD5

      1fff99af8d8c0a84dc139ec5672cdcf1

      SHA1

      96c5ec313c3d8fc137f56f44490cd60650ec48a2

      SHA256

      fae2623a0d88d3180dbed397b308fb254edf0d851c0dd1d89b04620772253456

      SHA512

      8ea9c79f72cefde67851697ab2f5d8c0b612f52aa0e2d143d9bf94d073c5dc127d5b4f6a2fb3d4819d7e25f45ab0bb9b3bdd41a88da22f44d81e98f75c7e1955

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\input\RfJpaSjnDQ0If0T8otwGOkrOjrxSmXNS5.exe
      Filesize

      3.0MB

      MD5

      c266c8e8c41add8c0ad35ee53734f196

      SHA1

      7476293d70a348492b619280e5b6b036ffe4fd82

      SHA256

      dc7fc6806cd5ba659c3b595bebcfeb59f5115f2a4fa4a143697d10aa7818e40f

      SHA512

      848c6f05333083592f6dc4f8b0c2e7dd2ba113898f189d0f09605593052c5d6de40c8d58ada25dafb61d2282ccfb0107ca57a30c05fe1e52379f7d0413a776c2

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\input\nl-BE\7bEvt1sq3WJtAFzwXgEUqkkR7ayznynyXQql7TNqTr3UcCH97mJEMzQyQV2iKT9gj.exe
      Filesize

      2.0MB

      MD5

      7379c43554f83a42382a7eb2cdc57f2d

      SHA1

      ce0a9e7b31213c1b6ec163ca348f0d5e76c67b54

      SHA256

      3306b9530c412f16020559bbbd21cfb4392841402a4a66d155d95e322c55d6a6

      SHA512

      bdd6cb5c38d8d923e33ae8c7c5d71976e0d6ee582c18350eeef9636dfa02a88402425bdff517dcee029c8b0d28d207dbd9f5255d7d87d37bc902a65a491b28c9

      Download Submit
    • C:\Users\Admin\AppData\Local\Packages\Microsoft.ECApp_8wekyb3d8bbwe\LocalCache\YMCkoZZ0dryH.exe
      Filesize

      2.0MB

      MD5

      8a923c091c5f97a710c63f80b9bd4eec

      SHA1

      e4bc35e7ad8eadebe7fcd45e58fc3ab12a727d40

      SHA256

      9f3c162aff787e6294537ab6b186e07b9271b5bb34011a25d2b24968b95982af

      SHA512

      2d11e8e80b42c2918151484bd9a58fccaf072d15f23f176dcaebb5d055a02194a3709e4393725bd1eeb018f11cab702be5cd5586ce634248aaa08487262adc86

      Download Submit
    • C:\Users\Admin\AppData\Local\Packages\Microsoft.ECApp_8wekyb3d8bbwe\LocalState\GNRleclld8xyldfV1qw1DseqgPUjZ9J2rb.exe
      Filesize

      2.3MB

      MD5

      931ab8501555a23a6a2f4f7d6e3cca27

      SHA1

      e3f99b63c3fe5378ffc2b71e9d4b2c71c1b9a1b9

      SHA256

      90265278d716969f729a57e82ff14d20129344f789d5e649b899675f7d83199b

      SHA512

      5c93c7cb3dcba28af4f24a5d7146ab36ab2d79bb83a1e8f591a3793f8cfa161dc50d2a89925c9fa750ffc29eaeab5ef6bc5f6994871066ce1e9fbdb3c9d23db9

      Download Submit
    • C:\Users\Admin\AppData\Local\Packages\Microsoft.ECApp_8wekyb3d8bbwe\LocalState\GNRleclld8xyldfV1qw1DseqgPUjZ9J2rb.exe
      Filesize

      2.3MB

      MD5

      931ab8501555a23a6a2f4f7d6e3cca27

      SHA1

      e3f99b63c3fe5378ffc2b71e9d4b2c71c1b9a1b9

      SHA256

      90265278d716969f729a57e82ff14d20129344f789d5e649b899675f7d83199b

      SHA512

      5c93c7cb3dcba28af4f24a5d7146ab36ab2d79bb83a1e8f591a3793f8cfa161dc50d2a89925c9fa750ffc29eaeab5ef6bc5f6994871066ce1e9fbdb3c9d23db9

      Download Submit
    • C:\Users\Admin\AppData\Local\Packages\Microsoft.ECApp_8wekyb3d8bbwe\LocalState\GNRleclld8xyldfV1qw1DseqgPUjZ9J2rb.exe
      Filesize

      2.3MB

      MD5

      931ab8501555a23a6a2f4f7d6e3cca27

      SHA1

      e3f99b63c3fe5378ffc2b71e9d4b2c71c1b9a1b9

      SHA256

      90265278d716969f729a57e82ff14d20129344f789d5e649b899675f7d83199b

      SHA512

      5c93c7cb3dcba28af4f24a5d7146ab36ab2d79bb83a1e8f591a3793f8cfa161dc50d2a89925c9fa750ffc29eaeab5ef6bc5f6994871066ce1e9fbdb3c9d23db9

      Download Submit
    • C:\Users\Admin\AppData\Local\Packages\Microsoft.Win32WebViewHost_cw5n1h2txyewy\SystemAppData\rifEdxyIxR.bat
      Filesize

      2.7MB

      MD5

      7991d891f2269198a7ba5d43aa04ea23

      SHA1

      e1874ae894f4c8279d1b1af35156050c131f64d1

      SHA256

      ddde2fa422f85941e4cc7df8e43f147d7fc578a0e96a53b3f3541f1da0c96cab

      SHA512

      0b3da35eb74d8ef2954bf8581ff2678b070397ca887ec0624bb72b5d2ecff7c66b78f41ca478fb16b89186a024775983f71614b7a67345703f78c421a26c3ff5

      Download Submit
    • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\INetCache\PNXHMZV0\ZpCKGRG8GzayuPZkgaCU8XGz.exe
      Filesize

      3.4MB

      MD5

      e9c057271d293b98717456d88d17620a

      SHA1

      f36056ae862558df6e54d8b834d90485e0f24341

      SHA256

      d999ba5e0c6eaf17f7a280f0eec9df80260e0218929440deaa98b5fc26180a72

      SHA512

      27b59ec5e95f78559c0cb804d764f7279fc2e9613a91b9ce95dda0d05bffee0f043bd4217658aafb6fe2059e9f73324e9460800e3b1cd1f07acded92231facac

      Download Submit
    • memory/396-137-0x0000000000400000-0x000000000042D000-memory.dmp
      Filesize

      180KB

      Download
    • memory/396-146-0x0000000000400000-0x000000000042D000-memory.dmp
      Filesize

      180KB

      Download
    • memory/396-149-0x0000000000400000-0x000000000042D000-memory.dmp
      Filesize

      180KB

      Download
    • memory/396-135-0x0000000000000000-mapping.dmp
      Download
    • memory/1352-132-0x0000000000400000-0x000000000042D000-memory.dmp
      Filesize

      180KB

      Download
    • memory/1352-133-0x0000000000400000-0x000000000042D000-memory.dmp
      Filesize

      180KB

      Download
    • memory/4768-147-0x0000000000000000-mapping.dmp
      Download
    • memory/4768-150-0x0000000000400000-0x000000000042D000-memory.dmp
      Filesize

      180KB

      Download