Overview

overview

10

Static

static

73826a30c8...5e.exe

windows7-x64

73826a30c8...5e.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    68s
  • max time network
    73s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    25-11-2022 09:26

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    73826a30c843d893db56ab17e297b23440289724c83b90ee0c36bd74ff86e75e.exe

  • Size

    1.1MB

  • MD5

    9a403a1699c0d385339a52e6f9bcd0b6

  • SHA1

    0917e5c0f4b22a73bb35439e5447dedb5f8b06a0

  • SHA256

    73826a30c843d893db56ab17e297b23440289724c83b90ee0c36bd74ff86e75e

  • SHA512

    d9db63c2c85b653c269ce78e3e24d3d5dfa10fad6e1a2b53d0e19a88aaa1ed697db1d86c2a3376899a8f7aa9bbbf7fe7ecc9b7a1dd1950192e135f83c352af0d

  • SSDEEP

    3072:aSsvihLlTQz9z71iURo2SJJmY6uFNcgifDbmeTXwVdBR:rsqhJMxzJiU5SeLmNSbmebW1

Score
10/10
persistencespywarestealer

Malware Config

Signatures

  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Adds policy Run key to start application 2 TTPs 7 IoCs
    persistence
  • Executes dropped EXE 2 IoCs
  • Sets file execution options in registry 2 TTPs 8 IoCs
    persistence
  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS 59 IoCs
  • Modifies registry class 12 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\73826a30c843d893db56ab17e297b23440289724c83b90ee0c36bd74ff86e75e.exe
    "C:\Users\Admin\AppData\Local\Temp\73826a30c843d893db56ab17e297b23440289724c83b90ee0c36bd74ff86e75e.exe"
    1⤵
    • Adds policy Run key to start application
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    PID:1620
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    1⤵
      PID:580
      • C:\ProgramData\Microsoft\Windows\LSQulSw4052L3cOfpCdfxJ8ogMLA.bat
        "C:\ProgramData\Microsoft\Windows\LSQulSw4052L3cOfpCdfxJ8ogMLA.bat" 2
        2⤵
        • Executes dropped EXE
        • Sets file execution options in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1500
    • C:\Windows\system32\LogonUI.exe
      "LogonUI.exe" /flags:0x0
      1⤵
        PID:1748
      • C:\Windows\system32\AUDIODG.EXE
        C:\Windows\system32\AUDIODG.EXE 0x514
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2044
      • C:\Windows\system32\LogonUI.exe
        "LogonUI.exe" /flags:0x1
        1⤵
          PID:1076
        • C:\Windows\system32\gpscript.exe
          gpscript.exe /Shutdown
          1⤵
          • Loads dropped DLL
          • Modifies data under HKEY_USERS
          • Suspicious use of WriteProcessMemory
          PID:704
          • C:\ProgramData\Microsoft\Windows\LSQulSw4052L3cOfpCdfxJ8ogMLA.bat
            "C:\ProgramData\Microsoft\Windows\LSQulSw4052L3cOfpCdfxJ8ogMLA.bat" 1
            2⤵
            • Suspicious use of NtCreateUserProcessOtherParentProcess
            • Adds policy Run key to start application
            • Executes dropped EXE
            • Sets file execution options in registry
            • Loads dropped DLL
            • Modifies data under HKEY_USERS
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1968

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\ProgramData\Microsoft\MSDN\qxrMRchK47gVko6AL63FzPUqltU.bat
          Filesize

          1.6MB

          MD5

          792654a8f946f2b7503ca17ab4cafc48

          SHA1

          7e5ca28fe5e8bcc11fedf9bf6b057f5c8b30a58a

          SHA256

          9e009bbb50b4c6ad08af3d3bdf5db5e7b4cda62a8a6ae78814d93adefd101186

          SHA512

          a7bc6812c315b8d695dc7af2080c24d9b8ba6b1ef47e8c62fe2d21c07d8ccde085274793c625c4703a1ab16c40cafef5c3b86bf07fc728479a7c7d13de30ee14

          Download Submit
        • C:\ProgramData\Microsoft\Network\vI74YtgASSJEOpLEBUZHQhMtb4Mqh5Wk4.exe
          Filesize

          1.8MB

          MD5

          e3aa8c870ec3b40234a9f319ab760348

          SHA1

          4eaad1f77afafc0306888237ad42c1c1c6ee921b

          SHA256

          b962b0ed62f6ef9ffa11b5c51909a07a6e9e724801c9b2e0bbc793cb072bed23

          SHA512

          49546e75a6a97a5a1db0bf4a4796d2e41c7c2149ee0c226b310bc43e23aa00fabda2afb9b288f593742e755cbc11ed30a672c8285f3aafc07590e4e7e2c78ad5

          Download Submit
        • C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\xzr9TzyA8iZoMaBwrrgkPVBdN.exe
          Filesize

          1.5MB

          MD5

          e58e1b6bbe9c63b3fac21b5384267ccb

          SHA1

          3adb50151adfcd24c79ef7115c78d6ab9fda7c85

          SHA256

          c75a9c93b62f4c625afab34e11816f5358e9bb79cbe9df8fccf3151cb2379b97

          SHA512

          c1085eaf3b2c66687299a7e18c93abc9f2c4e4d36d603b2e05ae52e483fbccd27764f13cda77aa8a6e62b22a46959eb5ece29ea01471ece1f5721c46a8f920a8

          Download Submit
        • C:\ProgramData\Microsoft\Vault\EVHOyVvnUfqDYl.exe
          Filesize

          1.4MB

          MD5

          4bf7890f23c3c69a018c448f26ac50f0

          SHA1

          8d032dd65ffaeb98c673cd550fe3fe8e840e8312

          SHA256

          d2dacb7329dc3d603daacd338d4ad928b293e32aca3f678156131791a684140d

          SHA512

          f5152125f249eac6f3484bda80dd0ae648df37ad2634bfd966477d7b4e0cd6e4ab7b8466bafec10b8c2ea589709172c3e573b8da8dbf0e672a44965a6907d458

          Download Submit
        • C:\ProgramData\Microsoft\Windows\LSQulSw4052L3cOfpCdfxJ8ogMLA.bat
          Filesize

          1.3MB

          MD5

          87feedb3cae8c5bba0ce837900ab9605

          SHA1

          55fc4654b519aee20559be2a50549ebb2e753c9a

          SHA256

          07931ae380eebdc29349e1ab977dd130b6094393306bede6efeb601e7d14dd95

          SHA512

          e5b57f5a1f000033cd360e92b82a7a282b53bca9d516ebdb7fa90b041ba13630f690ae6ca37a9a898ca52efe0a039e95461d818fdd6dce651ff6a00640cd438d

          Download Submit
        • C:\ProgramData\Microsoft\Windows\LSQulSw4052L3cOfpCdfxJ8ogMLA.bat
          Filesize

          1.3MB

          MD5

          87feedb3cae8c5bba0ce837900ab9605

          SHA1

          55fc4654b519aee20559be2a50549ebb2e753c9a

          SHA256

          07931ae380eebdc29349e1ab977dd130b6094393306bede6efeb601e7d14dd95

          SHA512

          e5b57f5a1f000033cd360e92b82a7a282b53bca9d516ebdb7fa90b041ba13630f690ae6ca37a9a898ca52efe0a039e95461d818fdd6dce651ff6a00640cd438d

          Download Submit
        • C:\ProgramData\Microsoft\Windows\LSQulSw4052L3cOfpCdfxJ8ogMLA.bat
          Filesize

          1.3MB

          MD5

          87feedb3cae8c5bba0ce837900ab9605

          SHA1

          55fc4654b519aee20559be2a50549ebb2e753c9a

          SHA256

          07931ae380eebdc29349e1ab977dd130b6094393306bede6efeb601e7d14dd95

          SHA512

          e5b57f5a1f000033cd360e92b82a7a282b53bca9d516ebdb7fa90b041ba13630f690ae6ca37a9a898ca52efe0a039e95461d818fdd6dce651ff6a00640cd438d

          Download Submit
        • C:\ProgramData\Package Cache\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\packages\pLJIrCGOz1PPJtQl2oYrEFrs5RTCmq5uI96DGvfH31pvwzv8sJ.exe
          Filesize

          1.5MB

          MD5

          a7db0f4e3f9dc48cda9476b8b88dceaa

          SHA1

          5bda60d315a166e399bc44566bbaf05c690077f1

          SHA256

          69c2422e7df8659c60c9000f8f73c26584afa6af585d9f010aa89d7944575c4f

          SHA512

          92d12f9b6df673991c2326a5be3e5cd85ab9a8eba5b55fcd958d7dd0d4bf4bfe83ca926b92f7321f929f3ae27e1ef05e15797e60afadc41bedbf9bcae2dbe832

          Download Submit
        • C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\33\17PlG7saxZZ3oY9cSciio3qQI4jT05ueaJyxa2LaD12A4tvZFW.exe
          Filesize

          1.9MB

          MD5

          f339410981a39644c5526397e1b3a3a0

          SHA1

          8aaf0c86a4ded19839b858739656ddc0850090c3

          SHA256

          6fe1cccbdc8536aaf280d122430b3385187d0c402849409f700399e0b879684f

          SHA512

          9ca7dee73f617c37b2dcd97163a6a84952e9f7bb268a5e4416ed265c34fc5902a4d2ce3e94f4fb1694b22e20d9ee2ef187aadd3112c266c3b6f4b0e05cc1dad3

          Download Submit
        • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Tracking Protection\mQGZHMw0Bqqv5Fyv0lqtFKXLbL8osl7Zosvw3N0SH9Q2.exe
          Filesize

          1.9MB

          MD5

          65f8bfc8a64ab99f6f5cc015da79019c

          SHA1

          5cd3401a94f7d2b0825071872f0da3a2c32efb76

          SHA256

          28bd8f3a5fdcbe63d51b165c2f14a64227c1fef1765c88e3dba64cdf0c5038a4

          SHA512

          01ab32bbf894b68d05f285a672e982ceb937e5073de873f7efaed3935b07fe569f94264f9a6a70bb7a886d86cc8dd84cd98f2e87531039a84ca49ff88f80a82e

          Download Submit
        • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XB6YKGN8\ZUXKhMFkU0mYdTv8Pb2xTpGQ.exe
          Filesize

          1.5MB

          MD5

          445cee7355c9543d196ec28ff363ef47

          SHA1

          77354e511e8dc8c18f6154be53080bf1865427a7

          SHA256

          93b86d7af5d8208d5ddfb160926888da785ec757597b7e877218d6759604ae84

          SHA512

          28f6905ef992ef4238a44e60ee491dd21b84ebbe8b89f748e2f1c7044eb05a0c77f85308229761eb81e1b72c7b54ad89c96381e10c0378c93f1f4747da73a364

          Download Submit
        • C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\e9Q3x62TQDxr60dMfVGFLO5Zq3wNMetw09.exe
          Filesize

          1.4MB

          MD5

          92eb02a841a9bf50baea9e0a8be96c64

          SHA1

          78194a83d73f5f3d5f333501f0bdd0099941d608

          SHA256

          8bed71a900d5af070a06f6cff8b62f284a4a91cf2f0069847bd6247a914aca0d

          SHA512

          d4b99d056f42f253d6facd54d6e7f6bea982d04902ad537e7c908546f3f3c2f2c52cff8dd5d4fd0776c8d000e9a4e6edae23a92c61d7d7f81005cb15c4bd1c9c

          Download Submit
        • C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\KrvaIhgjddgnw5wgbqGkuCPHIhF60tLevogQt94kUSJ3DHscf2i5MCtzY7EklgF8yQgMT.exe
          Filesize

          1.4MB

          MD5

          ea5f9ddd78689513fe862c8c9978051a

          SHA1

          497e7f5c352af7893dd50872a097f267972ab188

          SHA256

          1aa247d77e073b832fde067490e2ae044e30818b0a771703b34615d139ecf8f2

          SHA512

          ed9fc95838a3259dcaff9578f09aaf523da5dbed0e9bfefc6e362910b36bd86e42c15f1fc293df6453d44b9760cb8c1e3252c24e2b75e3a40c8564413061cc58

          Download Submit
        • \ProgramData\Microsoft\Windows\LSQulSw4052L3cOfpCdfxJ8ogMLA.bat
          Filesize

          1.3MB

          MD5

          87feedb3cae8c5bba0ce837900ab9605

          SHA1

          55fc4654b519aee20559be2a50549ebb2e753c9a

          SHA256

          07931ae380eebdc29349e1ab977dd130b6094393306bede6efeb601e7d14dd95

          SHA512

          e5b57f5a1f000033cd360e92b82a7a282b53bca9d516ebdb7fa90b041ba13630f690ae6ca37a9a898ca52efe0a039e95461d818fdd6dce651ff6a00640cd438d

          Download Submit
        • \ProgramData\Microsoft\Windows\LSQulSw4052L3cOfpCdfxJ8ogMLA.bat
          Filesize

          1.3MB

          MD5

          87feedb3cae8c5bba0ce837900ab9605

          SHA1

          55fc4654b519aee20559be2a50549ebb2e753c9a

          SHA256

          07931ae380eebdc29349e1ab977dd130b6094393306bede6efeb601e7d14dd95

          SHA512

          e5b57f5a1f000033cd360e92b82a7a282b53bca9d516ebdb7fa90b041ba13630f690ae6ca37a9a898ca52efe0a039e95461d818fdd6dce651ff6a00640cd438d

          Download Submit
        • \ProgramData\Microsoft\Windows\LSQulSw4052L3cOfpCdfxJ8ogMLA.bat
          Filesize

          1.3MB

          MD5

          87feedb3cae8c5bba0ce837900ab9605

          SHA1

          55fc4654b519aee20559be2a50549ebb2e753c9a

          SHA256

          07931ae380eebdc29349e1ab977dd130b6094393306bede6efeb601e7d14dd95

          SHA512

          e5b57f5a1f000033cd360e92b82a7a282b53bca9d516ebdb7fa90b041ba13630f690ae6ca37a9a898ca52efe0a039e95461d818fdd6dce651ff6a00640cd438d

          Download Submit
        • memory/704-69-0x0000000000C20000-0x0000000000C4D000-memory.dmp
          Filesize

          180KB

          Download
        • memory/704-68-0x0000000000C20000-0x0000000000C4D000-memory.dmp
          Filesize

          180KB

          Download
        • memory/704-76-0x0000000000C20000-0x0000000000C4D000-memory.dmp
          Filesize

          180KB

          Download
        • memory/704-77-0x0000000000C20000-0x0000000000C4D000-memory.dmp
          Filesize

          180KB

          Download
        • memory/1500-85-0x0000000000400000-0x000000000042D000-memory.dmp
          Filesize

          180KB

          Download
        • memory/1500-80-0x0000000000000000-mapping.dmp
          Download
        • memory/1620-54-0x0000000000400000-0x000000000042D000-memory.dmp
          Filesize

          180KB

          Download
        • memory/1620-56-0x0000000000400000-0x000000000042D000-memory.dmp
          Filesize

          180KB

          Download
        • memory/1748-55-0x000007FEFC161000-0x000007FEFC163000-memory.dmp
          Filesize

          8KB

          Download
        • memory/1968-70-0x0000000000400000-0x000000000042D000-memory.dmp
          Filesize

          180KB

          Download
        • memory/1968-82-0x0000000000400000-0x000000000042D000-memory.dmp
          Filesize

          180KB

          Download
        • memory/1968-78-0x0000000000400000-0x000000000042D000-memory.dmp
          Filesize

          180KB

          Download
        • memory/1968-62-0x0000000000000000-mapping.dmp
          Download