Overview

overview

10

Static

static

73826a30c8...5e.exe

windows7-x64

73826a30c8...5e.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    136s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-11-2022 09:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    73826a30c843d893db56ab17e297b23440289724c83b90ee0c36bd74ff86e75e.exe

  • Size

    1.1MB

  • MD5

    9a403a1699c0d385339a52e6f9bcd0b6

  • SHA1

    0917e5c0f4b22a73bb35439e5447dedb5f8b06a0

  • SHA256

    73826a30c843d893db56ab17e297b23440289724c83b90ee0c36bd74ff86e75e

  • SHA512

    d9db63c2c85b653c269ce78e3e24d3d5dfa10fad6e1a2b53d0e19a88aaa1ed697db1d86c2a3376899a8f7aa9bbbf7fe7ecc9b7a1dd1950192e135f83c352af0d

  • SSDEEP

    3072:aSsvihLlTQz9z71iURo2SJJmY6uFNcgifDbmeTXwVdBR:rsqhJMxzJiU5SeLmNSbmebW1

Score
10/10
persistencespywarestealer

Malware Config

Signatures

  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Adds policy Run key to start application 2 TTPs 7 IoCs
    persistence
  • Executes dropped EXE 2 IoCs
  • Sets file execution options in registry 2 TTPs 8 IoCs
    persistence
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 10 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Windows\system32\lsass.exe
    C:\Windows\system32\lsass.exe
    1⤵
      PID:676
      • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\qml\QtQuick\Window.2\tYeCp9tQMffbu0tfTYr1tmO5hBCKTrFllzhMnG.bat
        "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\qml\QtQuick\Window.2\tYeCp9tQMffbu0tfTYr1tmO5hBCKTrFllzhMnG.bat" 2
        2⤵
        • Executes dropped EXE
        • Sets file execution options in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4788
    • C:\Users\Admin\AppData\Local\Temp\73826a30c843d893db56ab17e297b23440289724c83b90ee0c36bd74ff86e75e.exe
      "C:\Users\Admin\AppData\Local\Temp\73826a30c843d893db56ab17e297b23440289724c83b90ee0c36bd74ff86e75e.exe"
      1⤵
      • Adds policy Run key to start application
      • Modifies data under HKEY_USERS
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      PID:4780
    • C:\Windows\system32\LogonUI.exe
      "LogonUI.exe" /flags:0x4 /state0:0xa39e9055 /state1:0x41c64e6d
      1⤵
      • Modifies data under HKEY_USERS
      • Suspicious use of SetWindowsHookEx
      PID:4540
    • C:\Windows\system32\gpscript.exe
      gpscript.exe /Shutdown
      1⤵
      • Modifies data under HKEY_USERS
      • Suspicious use of WriteProcessMemory
      PID:4296
      • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\qml\QtQuick\Window.2\tYeCp9tQMffbu0tfTYr1tmO5hBCKTrFllzhMnG.bat
        "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\qml\QtQuick\Window.2\tYeCp9tQMffbu0tfTYr1tmO5hBCKTrFllzhMnG.bat" 1
        2⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • Adds policy Run key to start application
        • Executes dropped EXE
        • Sets file execution options in registry
        • Modifies data under HKEY_USERS
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4512

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\Microsoft\Storage Health\ulGTtEin58lGcdJRbq.exe
      Filesize

      1.5MB

      MD5

      3b8bfe8a161a34adca5c60f9d2a752a6

      SHA1

      3fd4dbb6cd7e9bf0e96894cd4af2f53757774e2a

      SHA256

      648e6a2f38cda6384c869ed26ecb0a43d43d5e636ceb30968ebe9e064a867237

      SHA512

      2e121281383a0efc618b2a2ecc9563c99823d72a53ff5c9c7dabcb92bff96dcd2c46ddc2fcf3d0e866fa44505a3bfd692662af71c946f4b3cad3ff1084d8df97

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\5\kJZhOGansQPRI2QxE5Q5V2Al8ZQZbTLBVPM8Hlq2MY3n5.exe
      Filesize

      1.9MB

      MD5

      a5f930811bfdb36ef7fa615eae53ed82

      SHA1

      098acedefee57cd8e5e9d49ee87990bf5fb66985

      SHA256

      120b15799bf6037fe30b0cb0c1062a589f06d407b5d3381abb748448df06c0b7

      SHA512

      b0e2d4778c3458cda41a452e42b7ea5cb60cd0c82fc1175b3a4bce881a26b2a65e84b1859e552556c1301b492aa09596bcf43d2df888ab5d186726c57287b59c

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\fa\DWShXNwMCjPrYmxiOlo8vdsYAnC3yIz9wVil8IZRSfA4h4.exe
      Filesize

      2.1MB

      MD5

      4152a270f2b4159b2c159e469c84d0e4

      SHA1

      2db6496978c7c5faae62dab7f1339272fb801bc9

      SHA256

      7b540df66f904743fbe66b2fb707f89bd55a25ed98b5f5243c007009a52be3bb

      SHA512

      52174acd8644d2c0b4367541a8f62c97f3680ae1a74fb78cbaf5143db01930a1d36acc578799653d9d5a226389ebc5ca3d818999a342d6fbf1dab1ee8309df01

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\qml\QtQuick\Window.2\tYeCp9tQMffbu0tfTYr1tmO5hBCKTrFllzhMnG.bat
      Filesize

      2.2MB

      MD5

      52e69900d9d83ef7bc79abce236eca92

      SHA1

      8e4c28d4c838372baa780782f990326f9f347ae0

      SHA256

      cc3071454e71aa87121d2602c7e7edc524313e468630b1509919350ef87b1669

      SHA512

      de3c5b9ad184b22c335f75b71ba4148c4c209a62dd25c4089d5a5d74f93e07a1379fe0c0e0652146890ce88cb87795500c83e495644301ff89fd9227552da156

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\qml\QtQuick\Window.2\tYeCp9tQMffbu0tfTYr1tmO5hBCKTrFllzhMnG.bat
      Filesize

      2.2MB

      MD5

      52e69900d9d83ef7bc79abce236eca92

      SHA1

      8e4c28d4c838372baa780782f990326f9f347ae0

      SHA256

      cc3071454e71aa87121d2602c7e7edc524313e468630b1509919350ef87b1669

      SHA512

      de3c5b9ad184b22c335f75b71ba4148c4c209a62dd25c4089d5a5d74f93e07a1379fe0c0e0652146890ce88cb87795500c83e495644301ff89fd9227552da156

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\qml\QtQuick\Window.2\tYeCp9tQMffbu0tfTYr1tmO5hBCKTrFllzhMnG.bat
      Filesize

      2.2MB

      MD5

      52e69900d9d83ef7bc79abce236eca92

      SHA1

      8e4c28d4c838372baa780782f990326f9f347ae0

      SHA256

      cc3071454e71aa87121d2602c7e7edc524313e468630b1509919350ef87b1669

      SHA512

      de3c5b9ad184b22c335f75b71ba4148c4c209a62dd25c4089d5a5d74f93e07a1379fe0c0e0652146890ce88cb87795500c83e495644301ff89fd9227552da156

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\tMPWORDkVgMaLjgaCFmNYqsY5iP7jTqN7JqfCaJtpBGmdQzGy20l1acH6XH5bvQj5EHSmb5.exe
      Filesize

      2.1MB

      MD5

      eb9d906d34937898a95e446eb39945e3

      SHA1

      c0778355412dbb6aae56afae37ec6f0ef20d3d59

      SHA256

      583b1adfe009b1b540c68b3523478ef9f09bb7665db0b2b110da0c34b3dfdc3c

      SHA512

      52a354f6c809468e0c86ac9d81d01a8b8b6687951a6b41ab3060ab1e07e255dc9cb969ba284dbb1cc74eb8d0ff38d1dcc1985aea0ffb53aae45f4f85ab84ee84

      Download Submit
    • C:\Users\Admin\AppData\Local\Packages\1527c705-839a-4832-9118-54d4Bd6a0c89_cw5n1h2txyewy\Settings\BDWAxEfvw1pCctQmEYTFPSwhpWHYBtkO83n96wAAvURedJDaRzRV3ZHieXPU.exe
      Filesize

      2.3MB

      MD5

      4879d526a9026c0f0b52fd433c184903

      SHA1

      46a6e120458e0b81b611f2d0967c31e885cb18ae

      SHA256

      78847c39896496fe995248cf00f7086c508ff961763952578b41590bbed1f213

      SHA512

      ef6cf2bc5747152a43505b8e2a6c8afc5a65c4e5b577a6df6136c9eb65855a31021a5a86f8a15e461569f4f6ed0de6515d2becede1d73e9f37f2e9065d9fb79a

      Download Submit
    • C:\Users\Admin\AppData\Local\Packages\Microsoft.BioEnrollment_cw5n1h2txyewy\RoamingState\UgB6cBt08P1ZfMSQdwxkpm.exe
      Filesize

      1.7MB

      MD5

      476bacf24b8fe1e61db58a80ad17d5dc

      SHA1

      0dfee432e9af0df14bba89cdab2846a5673077af

      SHA256

      1a2be43dee3bed94f5e88039cc8aa629c62c5d157a247c5c396db1deefdb00e7

      SHA512

      47cd1da3a17166bc282804b406a6c02c3242acf2bcc4e4d4bd0c415281fb66abb5c875d7df1b806528ec270944152be8c270fe9c645c0b1c03a6d6c48a811d96

      Download Submit
    • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\whh8orAnFnASQJw1BASeXZnhjrI6VQJKSR.exe
      Filesize

      1.2MB

      MD5

      36fd38909d9b5b1e24315ea8fc46a026

      SHA1

      02603496e6ee98f35fac9e2e72bbd06a5f0b89d4

      SHA256

      080de6369b3758907e32f758f4754117e19ff0778b6f87165580cbfc44028cdd

      SHA512

      9fd63555001100a22496e86a5a9b65922631fb52626050fc0c00d294feecc4485cdf7ca80e29da3c7906cc1aca7718c6c670a0f724b917fa840841199dc7bf1a

      Download Submit
    • C:\Users\Default\AppData\Local\Microsoft\Windows\INetCache\g7BmpF9M5vF7RCua.exe
      Filesize

      1.5MB

      MD5

      5a2e8061b48d2cef4cd22a0829686c62

      SHA1

      292f4d6c20f98b965915dfb1819ad7d0800982a2

      SHA256

      61fd3ef15b09f5e84b49598883b67b9bdec3d154da36b6f08762d4d7ace63cea

      SHA512

      f68fce7f49530e68831e70e0206c127963f7e75f708d5ea25f6c0369b570831d96ec9fac043bdb13b5e0bc48256bf5d4877b65819ce40eaacc3f3fedde772bca

      Download Submit
    • C:\Users\Default\Favorites\GRLsKq24S2TeKv77E1pDnXy.exe
      Filesize

      3.7MB

      MD5

      2bbbe890dd9efa89737dd7dfae33b50d

      SHA1

      8084fd0ca84a57c1281a7ba85e5a0ea8d59d5b6f

      SHA256

      eca12a9cd81803f6967bb28c473c4a998cc26963fa1e65b7880c53c5db911106

      SHA512

      8dcf5d5608e3dd2bf7fa00fceed059ac50b592f70e978c4590769b45ea846c6eb876d26a624ee3a1ecdd8b3523fb0101f542c436b2ce6b78a11f05985b6573d9

      Download Submit
    • C:\Users\Public\AccountPictures\7TAmUXPYN7Q.exe
      Filesize

      2.2MB

      MD5

      caa48d768cb8c2622c8449a1f67852a2

      SHA1

      5e24c80ab7174580398e381d5d1aa894b26bd1c6

      SHA256

      1ca8fa8fd2eda0ec23e0f7f4b419bed545e5585b8f55de0ab78a61d4cc24049b

      SHA512

      27f15910d9a09a12ec39df9b8714132070a2110fdbb8a121afd66c59e93991b231eef30e98e5751bbaabdcab6ca47b7416891ea0057054f1ff04f5eca995870b

      Download Submit
    • memory/4512-135-0x0000000000000000-mapping.dmp
      Download
    • memory/4512-146-0x0000000000400000-0x000000000042D000-memory.dmp
      Filesize

      180KB

      Download
    • memory/4512-147-0x0000000000400000-0x000000000042D000-memory.dmp
      Filesize

      180KB

      Download
    • memory/4512-150-0x0000000000400000-0x000000000042D000-memory.dmp
      Filesize

      180KB

      Download
    • memory/4780-132-0x0000000000400000-0x000000000042D000-memory.dmp
      Filesize

      180KB

      Download
    • memory/4780-134-0x0000000000400000-0x000000000042D000-memory.dmp
      Filesize

      180KB

      Download
    • memory/4780-133-0x0000000000400000-0x000000000042D000-memory.dmp
      Filesize

      180KB

      Download
    • memory/4788-148-0x0000000000000000-mapping.dmp
      Download
    • memory/4788-153-0x0000000000400000-0x000000000042D000-memory.dmp
      Filesize

      180KB

      Download