Overview

overview

10

Static

static

ae5894c9cb...01.exe

windows7-x64

8

ae5894c9cb...01.exe

windows10-2004-x64

Analysis

  • max time kernel
    185s
  • max time network
    35s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    25-11-2022 09:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ae5894c9cbb4f058f8aa40da8deebc44fb9772ab645a3df5d62cb23e8ef76d01.exe

  • Size

    1.8MB

  • MD5

    ef9899724839613d026e95cb1a7fd60a

  • SHA1

    b4325c37c26b27bbc1cba63e413c6ddf56e7f083

  • SHA256

    ae5894c9cbb4f058f8aa40da8deebc44fb9772ab645a3df5d62cb23e8ef76d01

  • SHA512

    5fe426c2f5e07678150936975415df1276e64203505bfb680d429834896b0ced4c1c09b51533b91acec0a31d86a345732b625ee40bb60c8acb6b5fbd787e083d

  • SSDEEP

    3072:aSsvihLlTQz9z71iURo2SJJmY6uFNcgifDbmeTXwVdBR:rsqhJMxzJiU5SeLmNSbmebW1

Score
8/10
persistencespywarestealer

Malware Config

Signatures

  • Adds policy Run key to start application 2 TTPs 7 IoCs
    persistence
  • Executes dropped EXE 1 IoCs
  • Sets file execution options in registry 2 TTPs 4 IoCs
    persistence
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS 56 IoCs
  • Modifies registry class 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ae5894c9cbb4f058f8aa40da8deebc44fb9772ab645a3df5d62cb23e8ef76d01.exe
    "C:\Users\Admin\AppData\Local\Temp\ae5894c9cbb4f058f8aa40da8deebc44fb9772ab645a3df5d62cb23e8ef76d01.exe"
    1⤵
    • Adds policy Run key to start application
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    PID:1140
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x0
    1⤵
      PID:320
    • C:\Windows\system32\AUDIODG.EXE
      C:\Windows\system32\AUDIODG.EXE 0x560
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:632
    • C:\Windows\system32\LogonUI.exe
      "LogonUI.exe" /flags:0x0
      1⤵
        PID:1484
      • C:\Windows\system32\LogonUI.exe
        "LogonUI.exe" /flags:0x1
        1⤵
          PID:1844
        • C:\Windows\system32\gpscript.exe
          gpscript.exe /Shutdown
          1⤵
          • Loads dropped DLL
          • Modifies data under HKEY_USERS
          • Suspicious use of WriteProcessMemory
          PID:1944
          • C:\Users\Admin\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\iAnYaHo8FWs2SAMHukehSvO95.exe
            "C:\Users\Admin\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\iAnYaHo8FWs2SAMHukehSvO95.exe" 1
            2⤵
            • Adds policy Run key to start application
            • Executes dropped EXE
            • Sets file execution options in registry
            • Modifies data under HKEY_USERS
            • Suspicious use of AdjustPrivilegeToken
            PID:968

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\ProgramData\Microsoft\Assistance\Client\1.0\de-DE\BUgneKRyUxjPVdGMVSitMkBGxJaAkco7WOpsai93BHhgg31BXmh.exe
          Filesize

          2.5MB

          MD5

          3cdcaec66e3f4533916bef1414238901

          SHA1

          950c628f99173098093f157e6dc9edb40f877f67

          SHA256

          29d8b9b00530e7370d48f8eff5c40e6a6ad267cad704c7f79ab4f7471b24e7c5

          SHA512

          94f5f9c3b3f5047ef6fe5de896ebb151ddbf92fc373488b3ed44b0cb418be0366feaab173fa42f60cc5cc1b07107c3690e6fba9870fa545dc423b388943c51a1

          Download Submit
        • C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\tRaiINlmg9iR1hHHQlTNA0YJai.exe
          Filesize

          3.4MB

          MD5

          3f13cf9698b54e8b23b088dd5010e3db

          SHA1

          1160f7633e5647e5f08a2b009f7137179abcc6de

          SHA256

          9c0e1c096ca56f32d008cbdd770b3684e1a295033488d08c074d879977f7c02c

          SHA512

          171ff021f276dd6eccc94b3f7bd9dd59ffba3325ffb8a14ebdc4e934602f06bc12bf45869fa3196fed395a0096a7518ce48d142a4c269fd2d4b7f151397ef4e4

          Download Submit
        • C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\46\FbeqK8gxqkYlJ0adhBdFYdElMS65I6H3DwikhNqbeujrKa5OLBzZax2UhdP3AN.exe
          Filesize

          2.2MB

          MD5

          5fa028ffbf3f2685e60d07c60ba7c295

          SHA1

          3efed66970ca99633e2a00045779482093ca00df

          SHA256

          2f7d9eae7eaca744f10c1653dbf339c20f6dc0ae99ad0e5eeec85dc84e4d4643

          SHA512

          e14c697cc416c70dea925e956b38b7a90d96e694b0d336e7def965695e6cddfe854a0168807f576bff3aa488f71ac31198b5c4a58040a4ca998c05e1e89757e7

          Download Submit
        • C:\Users\Admin\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\iAnYaHo8FWs2SAMHukehSvO95.exe
          Filesize

          2.9MB

          MD5

          904ea02db6f85791120ab732d3a84c9e

          SHA1

          ccb6aab8e27cba16fcc21fce61fc83ba608473e8

          SHA256

          1c76bee8a78041836070a8c27c6d30d85ade269359222a7c53df45eb01d55687

          SHA512

          2ef3b63b2ac640b5881be95dea76a35748d35473680596b29359092d986ffe70e9b336ef39848fb72be6c7d77e0caa6f570f66ec8fe98a2d33c5c109a6075655

          Download Submit
        • C:\Users\Admin\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\iAnYaHo8FWs2SAMHukehSvO95.exe
          Filesize

          2.9MB

          MD5

          904ea02db6f85791120ab732d3a84c9e

          SHA1

          ccb6aab8e27cba16fcc21fce61fc83ba608473e8

          SHA256

          1c76bee8a78041836070a8c27c6d30d85ade269359222a7c53df45eb01d55687

          SHA512

          2ef3b63b2ac640b5881be95dea76a35748d35473680596b29359092d986ffe70e9b336ef39848fb72be6c7d77e0caa6f570f66ec8fe98a2d33c5c109a6075655

          Download Submit
        • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\l1TqC3Ok1u1ddN2AMv7Ih9fu5CMf4DUL6fadGC1.exe
          Filesize

          2.5MB

          MD5

          2a522c5acfb32e563cd2ed5ea56fa1a7

          SHA1

          f0e0f1c0bec3217378064d424a071df8e1205e66

          SHA256

          43706d750dd2c0338790eede8461a7f997025b58d1785a020d1bfb74a71afca1

          SHA512

          5af4bb140e0ff18354d69d6f00f208d74455ddfad3e5f6b98cd6df7ddf654520dfa2896bf6071e3a1cc6c6c6801300a14df566d0ca5dc4b28429cfce4baab0ca

          Download Submit
        • C:\Users\Admin\AppData\Local\Microsoft\Office\Groove\p2bAcJejOzNs3DYuWN0I9CQXA.exe
          Filesize

          1.9MB

          MD5

          6c91f6362b2a222a8b38bb26aca8c806

          SHA1

          d434c5629f0cc0196e26dca2c34b5fd85263b91a

          SHA256

          61dae108aefd4aca7f25ef76d2e6ad4499575a14f3eba3a82f49ab79588982f5

          SHA512

          670093e97d9077420fa6b74c662d62e5a1879c431fc7bbd1d8501bbaa8cb6149f5a58a5ae27bcd2663f84ec10177399bbaa9305018ba6fa22698ae5231a147ad

          Download Submit
        • C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\vVeyGfArOEhSl5EwpA4gb7czl7iAe2KfBhLMNtj36YTOdg9eGvFI9mJYt.exe
          Filesize

          3.0MB

          MD5

          447ef85dc91c8f7ac56bb0a0f39239d5

          SHA1

          124d1071d58084f8a6091b224f328eefda6832fa

          SHA256

          325ff49d1a7c059cab811d34544530e088d2cfcaf5056f68d3a29f93e0da38d2

          SHA512

          28fba6ef64f780e02deddce4528bccde8698ee2828f6d96f97a7e6f324797ab8208e33fa468e9d2be5fc95c91638a35b66149bfc6d56cfa1c2757d8469a0d7fa

          Download Submit
        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\meu0aZgsrXa1gOVkkwMkbhzWN5YVH8OUbXYlC2muaRTStN.exe
          Filesize

          3.4MB

          MD5

          c429b9292e35523d2c4b5aa9a22b0c31

          SHA1

          0701554f3669c787f000acb96b358b249a252d7f

          SHA256

          40e594a8d4bae12c8c4759313159edadb63ead2127bccdba438def5feba7090f

          SHA512

          73c7ca2f80412541d4661c6630a517ea3e49c95708b39a0887721ec6b23705a49751a48e1d6a07e8caf3e5c499347c8672acf264c139d91ab8db99a8897a2b6e

          Download Submit
        • C:\Users\Default\AppData\Roaming\Microsoft\Windows\Recent\EEvsl2gYtfZ4gQjyhJaq65Xoi7A96w3GnsCdcMK1PVtKYdB.exe
          Filesize

          2.9MB

          MD5

          482e7a9b363facf0fb965725e22d7bc9

          SHA1

          48a236fc1adeb9f06d3b3f48467c9c0033e7f93a

          SHA256

          0b3b1255feb7a0b148ccb075e2f291b2bdffe7db3bd0deca975edbba9bfd15d3

          SHA512

          0312cb2df6480fb0886a591c663f84e67482cc26cd4e84e6f09709fcdbab52c6ead6f6ce224efee61d2f7495600d39d78a5370f1848f3938639f124b42e9f717

          Download Submit
        • \Users\Admin\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\iAnYaHo8FWs2SAMHukehSvO95.exe
          Filesize

          2.9MB

          MD5

          904ea02db6f85791120ab732d3a84c9e

          SHA1

          ccb6aab8e27cba16fcc21fce61fc83ba608473e8

          SHA256

          1c76bee8a78041836070a8c27c6d30d85ade269359222a7c53df45eb01d55687

          SHA512

          2ef3b63b2ac640b5881be95dea76a35748d35473680596b29359092d986ffe70e9b336ef39848fb72be6c7d77e0caa6f570f66ec8fe98a2d33c5c109a6075655

          Download Submit
        • \Users\Admin\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\iAnYaHo8FWs2SAMHukehSvO95.exe
          Filesize

          2.9MB

          MD5

          904ea02db6f85791120ab732d3a84c9e

          SHA1

          ccb6aab8e27cba16fcc21fce61fc83ba608473e8

          SHA256

          1c76bee8a78041836070a8c27c6d30d85ade269359222a7c53df45eb01d55687

          SHA512

          2ef3b63b2ac640b5881be95dea76a35748d35473680596b29359092d986ffe70e9b336ef39848fb72be6c7d77e0caa6f570f66ec8fe98a2d33c5c109a6075655

          Download Submit
        • memory/320-55-0x000007FEFC201000-0x000007FEFC203000-memory.dmp
          Filesize

          8KB

          Download
        • memory/968-67-0x0000000000400000-0x000000000042D000-memory.dmp
          Filesize

          180KB

          Download
        • memory/968-63-0x0000000000000000-mapping.dmp
          Download
        • memory/1140-54-0x0000000000400000-0x000000000042D000-memory.dmp
          Filesize

          180KB

          Download
        • memory/1140-56-0x0000000000400000-0x000000000042D000-memory.dmp
          Filesize

          180KB

          Download
        • memory/1484-57-0x000007FEFBC01000-0x000007FEFBC03000-memory.dmp
          Filesize

          8KB

          Download
        • memory/1944-65-0x0000000000DB0000-0x0000000000DDD000-memory.dmp
          Filesize

          180KB

          Download
        • memory/1944-69-0x0000000000DB0000-0x0000000000DDD000-memory.dmp
          Filesize

          180KB

          Download
        • memory/1944-68-0x0000000000DB0000-0x0000000000DDD000-memory.dmp
          Filesize

          180KB

          Download
        • memory/1944-66-0x0000000000DB0000-0x0000000000DDD000-memory.dmp
          Filesize

          180KB

          Download