Overview

overview

10

Static

static

ae5894c9cb...01.exe

windows7-x64

8

ae5894c9cb...01.exe

windows10-2004-x64

Analysis

  • max time kernel
    34s
  • max time network
    38s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25/11/2022, 09:26

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    ae5894c9cbb4f058f8aa40da8deebc44fb9772ab645a3df5d62cb23e8ef76d01.exe

  • Size

    1.8MB

  • MD5

    ef9899724839613d026e95cb1a7fd60a

  • SHA1

    b4325c37c26b27bbc1cba63e413c6ddf56e7f083

  • SHA256

    ae5894c9cbb4f058f8aa40da8deebc44fb9772ab645a3df5d62cb23e8ef76d01

  • SHA512

    5fe426c2f5e07678150936975415df1276e64203505bfb680d429834896b0ced4c1c09b51533b91acec0a31d86a345732b625ee40bb60c8acb6b5fbd787e083d

  • SSDEEP

    3072:aSsvihLlTQz9z71iURo2SJJmY6uFNcgifDbmeTXwVdBR:rsqhJMxzJiU5SeLmNSbmebW1

Score
10/10
persistencespywarestealer

Malware Config

Signatures

  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Adds policy Run key to start application 2 TTPs 7 IoCs
    persistence
  • Executes dropped EXE 2 IoCs
  • Sets file execution options in registry 2 TTPs 8 IoCs
    persistence
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 10 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Windows\system32\lsass.exe
    C:\Windows\system32\lsass.exe
    1⤵
      PID:672
      • C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\20\Z4mahmvhWb.exe
        "C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\20\Z4mahmvhWb.exe" 2
        2⤵
        • Executes dropped EXE
        • Sets file execution options in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2128
    • C:\Users\Admin\AppData\Local\Temp\ae5894c9cbb4f058f8aa40da8deebc44fb9772ab645a3df5d62cb23e8ef76d01.exe
      "C:\Users\Admin\AppData\Local\Temp\ae5894c9cbb4f058f8aa40da8deebc44fb9772ab645a3df5d62cb23e8ef76d01.exe"
      1⤵
      • Adds policy Run key to start application
      • Modifies data under HKEY_USERS
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      PID:2548
    • C:\Windows\system32\LogonUI.exe
      "LogonUI.exe" /flags:0x4 /state0:0xa3989055 /state1:0x41c64e6d
      1⤵
      • Modifies data under HKEY_USERS
      • Suspicious use of SetWindowsHookEx
      PID:2276
    • C:\Windows\system32\gpscript.exe
      gpscript.exe /Shutdown
      1⤵
      • Modifies data under HKEY_USERS
      • Suspicious use of WriteProcessMemory
      PID:1264
      • C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\20\Z4mahmvhWb.exe
        "C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\20\Z4mahmvhWb.exe" 1
        2⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • Adds policy Run key to start application
        • Executes dropped EXE
        • Sets file execution options in registry
        • Modifies data under HKEY_USERS
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3616

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\Microsoft\Windows NT\MSFax\VirtualInbox\en-US\tA7DB24hqV4nyLZRIXXQ3rXuutM9PTUyxqxCjxMFNflB8x844gyMnNTfJyAc0Ih.exe
      Filesize

      1.8MB

      MD5

      d60991f7a9bbf8ad56affd18149460d6

      SHA1

      c999a1d843d12becb423ed2016dc5db9fb24293c

      SHA256

      143df253d3648d9ca01b7e62cdd51f95cd964228eaa47e640810414c2a714706

      SHA512

      3b52468f4b0a165672dca6affa6bd6dd5e123a575666b7e553c64b9c57eb05aa6f772ed69b0acdd8e1e59004ebc763731d38464f9e0179f0142a9abfe021a7eb

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Oracle\0lRtbtZfR9V5DvtiAaWPi9y3cQcZ34rcPFqFIWqw.exe
      Filesize

      2.9MB

      MD5

      e1eb1a69fd741d0e5557faeb8a0b1f07

      SHA1

      7b36101532bfaee12a78cb85972c23976041379a

      SHA256

      5b092aad9d19168402b5ff2f75050147d36749b21e4f8c8e59be6d1ebfdfd353

      SHA512

      8a2d738242016262404ed91c2eee3e94a2adf71a955218cec7214c54348c0210c6efd14d067473bc61e818babc236eb632c3b574b6ca539ca013d3242635a4ee

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\20\Z4mahmvhWb.exe
      Filesize

      2.0MB

      MD5

      f7e27c4379dc099f3fdba99b0ae52741

      SHA1

      92c94803eb9932fc5e1acc3a5b6d9756dafab585

      SHA256

      5c7bfe063ec66b2d51bd99100c6f391c13270179b1b94e5d1353a5bfe45f13fe

      SHA512

      6495d230e1f6e987c38125f9e8ee15240eccdf8bc822c1b5adc860a3bb20dbc3cc8fdac44c74ab25866db6a083f128fbcb386433554a67ca086a1aa6fd2ebb89

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\20\Z4mahmvhWb.exe
      Filesize

      2.0MB

      MD5

      f7e27c4379dc099f3fdba99b0ae52741

      SHA1

      92c94803eb9932fc5e1acc3a5b6d9756dafab585

      SHA256

      5c7bfe063ec66b2d51bd99100c6f391c13270179b1b94e5d1353a5bfe45f13fe

      SHA512

      6495d230e1f6e987c38125f9e8ee15240eccdf8bc822c1b5adc860a3bb20dbc3cc8fdac44c74ab25866db6a083f128fbcb386433554a67ca086a1aa6fd2ebb89

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\20\Z4mahmvhWb.exe
      Filesize

      2.0MB

      MD5

      f7e27c4379dc099f3fdba99b0ae52741

      SHA1

      92c94803eb9932fc5e1acc3a5b6d9756dafab585

      SHA256

      5c7bfe063ec66b2d51bd99100c6f391c13270179b1b94e5d1353a5bfe45f13fe

      SHA512

      6495d230e1f6e987c38125f9e8ee15240eccdf8bc822c1b5adc860a3bb20dbc3cc8fdac44c74ab25866db6a083f128fbcb386433554a67ca086a1aa6fd2ebb89

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\39\G09opaswQRCFDpSUTLW7IQb7G8r43NpdtulxlJA31E1lXzh9WZ8HIyRLXg.exe
      Filesize

      2.0MB

      MD5

      5fbc5870719a575859c0784a5cac324f

      SHA1

      2d6f4248a407f5971ac8c99dca0ddeceb6216047

      SHA256

      6b802892b68b9846f674d8481055244b831082f1ba204f07ee2fe892fee4bb86

      SHA512

      4751712af204250538b50fb0dd10e6fc80a7b9f600568347935654fbc8b58635e6d7b9e02f941cb2a15c3bb0e9ca297af9202de28edc6e9e36b907f01ad8ea78

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\adm\ja\RAl0nx5wi.exe
      Filesize

      2.4MB

      MD5

      e902ff2be6b4a1b6810997107d825333

      SHA1

      5b33e96ff6e40db2f27a88864fcdd7548acb1246

      SHA256

      ae52d7ac862858539183c7b62271222e3a8631d27f77b8dfbe2c56d1fc8224d4

      SHA512

      2c264f73765457d6aa6d92396ba6d85291a7ceedd480acf4856c2c2f3566defa4afbe390f589b69dba69c67b7fd77b1e2a8d27fde24d9ec92c8f48fa457d58c3

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Vault\4BF4C442-9B8A-41A0-B380-DD4A704DDB28\tpPAbyKgUpFuZ5Bm.exe
      Filesize

      3.3MB

      MD5

      2b3e9f765c394f546a4ac1e4f7928ca1

      SHA1

      cc0d5ff52e87b2f8750e6556bce5942bf04d9c1c

      SHA256

      9e703cb5aabfa04335403181647b691c8ad20e372e8464d4840edd98f0d03b9b

      SHA512

      c3869ecad8e82717280ebba49fbf26f4e00e797604a6e7dafa7a4c6aa505734c20c2aea0fabf64c6fccefc42f15a032da3cd89b9bd4cbd96f0d1c33aea0d7790

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\input\uk-UA\pl1G6EJAY6B4YXAADDHfVonh5pzB5FaqnTf2M7r0TE.bat
      Filesize

      2.7MB

      MD5

      2a34c08614dcc45366377e73506ae583

      SHA1

      bf5b0c4278c7b01f72705f2d23bebfab79c98307

      SHA256

      45c044a044867222dfc3f8e07557348ae77c2411e97a01cb79899c73fadc2650

      SHA512

      362f251dc21479c6db3b14b41843d9518bd8baeab365263ca13bd825d4c44fa7b10856f408dfb7058cdf0a8913568ce7f4953f4572f1ba980c8eb5cd2e79a665

      Download Submit

    • C:\Users\Admin\AppData\Local\Packages\Microsoft.Win32WebViewHost_cw5n1h2txyewy\SystemAppData\DN8Jfx8PE6yQfbHX.cmd
      Filesize

      2.6MB

      MD5

      2f84d138976fe8c7a06cd3e47cdd0ab1

      SHA1

      482a14b41ec80e4bf7940377cb2fefefdb2dd557

      SHA256

      f463f94af4a833a088f9d497ef5fe45b9ddbe345ba9dc3000fbe2d5e390abf85

      SHA512

      7bfac86db0eaad14e2c8abcc713fe8ab0bab5e5fb68a7644f0a35c2ba64f68d5f93854bf7bae91e04bc56a59d6d2b66ca383a70e2a0ee8b9ce4d8b69363abc4c

      Download Submit

    • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\353698\QPAzSV07zTpUM9tV17u6hrxEc4Fv4E6UEUWJSMFwcqGQahBTWTZqXrDN0P.exe
      Filesize

      2.8MB

      MD5

      53b049a9063a4c834f432f6948fb9daf

      SHA1

      c93e9a9e5a23786bf0310c617d7873db4ed2687a

      SHA256

      23c23f036f8305db66af205324d395746a6944117e2836f1c90596575ac31123

      SHA512

      c33c88de6760b0a79132f10e743e762ff5d01dda0ce39f4e94e4933f975470aeefe237b74a4cc5dd16b328db9ca29f9d7abb6cfebdb3f905504c9fe505b04cbc

      Download Submit

    • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy\AC\INetHistory\aBRQO69eeNr3jRx.exe
      Filesize

      2.3MB

      MD5

      4cf861ad4acf6853fec1a3e1086319ff

      SHA1

      ec13869a2cdfb8e57e72b7955ca8ec165d044823

      SHA256

      a52a9f2e00f94b32faedbc73ef83a360de0745f7b314808f9e33d104b93f86c8

      SHA512

      cfa4965a6b7def9462c5df48a353ac990fe76a651ccab62ab8f1bd74bd219db427725beada99a2c7b914101d1862130ee6e2ddce04d66f308e07f707a892205a

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\pxm2sYQgJFZGXfLyEOqLHCxJ2reso08OZ99hagCkbcdpKu89cKeRh.exe
      Filesize

      3.3MB

      MD5

      c39106fbdef9f96ff99472c91f0a9cf8

      SHA1

      81b46c6f0323930d53cd3d0da55a4f5d42f0dc0f

      SHA256

      018f55ec07d944cc7604768e63e6485f70174e269627a22b1bd243bb47627f7e

      SHA512

      54eb81d9331ad62b721665b85040f31011258203a1676304b0821604ea876b03a75786398de25003ca5a407a81057d3168b7066a17864fa673e1e564258687cb

      Download Submit

    • memory/2128-150-0x0000000000400000-0x000000000042D000-memory.dmp

      Filesize

      180KB

      Download

    • memory/2548-132-0x0000000000400000-0x000000000042D000-memory.dmp

      Filesize

      180KB

      Download

    • memory/2548-133-0x0000000000400000-0x000000000042D000-memory.dmp

      Filesize

      180KB

      Download

    • memory/3616-145-0x0000000000400000-0x000000000042D000-memory.dmp

      Filesize

      180KB

      Download

    • memory/3616-146-0x0000000000400000-0x000000000042D000-memory.dmp

      Filesize

      180KB

      Download

    • memory/3616-149-0x0000000000400000-0x000000000042D000-memory.dmp

      Filesize

      180KB

      Download