Overview

overview

8

Static

static

d46464f731...6d.exe

windows7-x64

8

d46464f731...6d.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    182s
  • max time network
    224s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-11-2022 09:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d46464f731ac4599b9a99da04648ff627b8938c26c455fe2943ca3384dfc616d.exe

  • Size

    619KB

  • MD5

    1f61487ea788c82aaaf84f58459275e3

  • SHA1

    651f788ada298e9d87bcd044325465af0f6ccc0e

  • SHA256

    d46464f731ac4599b9a99da04648ff627b8938c26c455fe2943ca3384dfc616d

  • SHA512

    848b0c99fe14e7968c8b7724d31412c1303690b69bb93b8036cf72ebfd9b65ef9b19ee7f61640295fd8b4b77dedda81f67c57c0b032d501e2eb220901428ecbf

  • SSDEEP

    3072:aSsvihLlTQz9z71iURo2SJJmY6uFNcgifDbmeTXwVdBR:rsqhJMxzJiU5SeLmNSbmebW1

Score
8/10
persistencespywarestealer

Malware Config

Signatures

  • Adds policy Run key to start application 2 TTPs 7 IoCs
    persistence
  • Executes dropped EXE 1 IoCs
  • Sets file execution options in registry 2 TTPs 4 IoCs
    persistence
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d46464f731ac4599b9a99da04648ff627b8938c26c455fe2943ca3384dfc616d.exe
    "C:\Users\Admin\AppData\Local\Temp\d46464f731ac4599b9a99da04648ff627b8938c26c455fe2943ca3384dfc616d.exe"
    1⤵
    • Adds policy Run key to start application
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    PID:3712
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x4 /state0:0xa39e7855 /state1:0x41c64e6d
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:3736
  • C:\Windows\system32\gpscript.exe
    gpscript.exe /Shutdown
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of WriteProcessMemory
    PID:1048
    • C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\47\h8MzYicWOgrgDSYOP9BFlvgo5rt2EkOddCFYOlpWqyi1FfVUxZVcRAaO5WhwSc3U.exe
      "C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\47\h8MzYicWOgrgDSYOP9BFlvgo5rt2EkOddCFYOlpWqyi1FfVUxZVcRAaO5WhwSc3U.exe" 1
      2⤵
      • Adds policy Run key to start application
      • Executes dropped EXE
      • Sets file execution options in registry
      • Modifies data under HKEY_USERS
      • Suspicious use of AdjustPrivilegeToken
      PID:3464

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2
T1060

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Oracle\Java\jdk1.8.0_66_x64\tOe3kOzyzFDkgSYkbqtiRguAKuwdJAqDpVqdTwj9ssopFn94TFhowTxF0n39EtEYm5.exe
    Filesize

    691KB

    MD5

    b59f5b3b7763fe77ba73c97218e2e577

    SHA1

    a92a7917423f13b2e78f43c3e150047f782634f9

    SHA256

    4de7e244d48cad3d24ed90e265329f3707c9bf0f49ff623abafb619361832064

    SHA512

    736c223db41b82811fedd18c3be54b929bafe6c84a0e24eb775090d976104662403ef910953cf6d8b0a9ad4d0be4a6adcd74443f5c8376bb4eeaaaa99d4680fe

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\32\AQZuvLK7mWTXMuadbrIhx9c3A2pZtTHhHhNaoidPUA76y6L7vcELu.exe
    Filesize

    837KB

    MD5

    9e268633a74781961f1e9fd77547d529

    SHA1

    ab1e547584aa8cda0af93d89670c83b68a9d0f0a

    SHA256

    1428ce638f59af3826bcd2771a1d196f587b41abb66e1319cae22cd854d669df

    SHA512

    6ac92f1df67d4fb1ea259447e1d644abc2858df3d6cccbb5fb49dec3b4b347df60b3cc792195cd257746e330576ced43ea1f0ead9538c240e0c586250768d50f

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\47\h8MzYicWOgrgDSYOP9BFlvgo5rt2EkOddCFYOlpWqyi1FfVUxZVcRAaO5WhwSc3U.exe
    Filesize

    969KB

    MD5

    f593f8376aecaaf8372b8a4edb7c8211

    SHA1

    5fc458f96e1c3c1039de095b69b057a941314c2f

    SHA256

    51142e9b6e6b05dbe6221c618d87b448cda475d5b7362461dd95c976b22f8725

    SHA512

    287a5138675b6f922d5edabc744cadcbaad7d9684b0ac104157c1344c637f91deac59faaba9b760eaf15aada1781d5cd46c8dbb7445eb80af06579edaaaa2a33

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\47\h8MzYicWOgrgDSYOP9BFlvgo5rt2EkOddCFYOlpWqyi1FfVUxZVcRAaO5WhwSc3U.exe
    Filesize

    969KB

    MD5

    f593f8376aecaaf8372b8a4edb7c8211

    SHA1

    5fc458f96e1c3c1039de095b69b057a941314c2f

    SHA256

    51142e9b6e6b05dbe6221c618d87b448cda475d5b7362461dd95c976b22f8725

    SHA512

    287a5138675b6f922d5edabc744cadcbaad7d9684b0ac104157c1344c637f91deac59faaba9b760eaf15aada1781d5cd46c8dbb7445eb80af06579edaaaa2a33

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\sq\eZLdq53N0gtZXFa7CVdV8vXbqSwPnAqQ4BbuoRT4Oi1l4kyltd73fHPggsvLbxXOzQrqy9.exe
    Filesize

    965KB

    MD5

    33d20674fa54803ff6116559f27b8ff6

    SHA1

    8781cbea5eac017ab400f1a6bc803302fb2ee30e

    SHA256

    fbdc207fc6ea0cf118c5b974921913927da44a3daa4ca9dc5232279c57051773

    SHA512

    2b1a7508ae4c165d21ee7274dced03ef2c390c032a7bbdfa5a755c91bf3dadd68036e05263a4c5690a19711efb8395feb4bc06693f525bd6006fc9ee8f0bdce3

    Download Submit
  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\AC\INetHistory\Kiakq6UXZBegLgTDSs0pTAHosOb4zysM3P2G0uN1BkYzM8.exe
    Filesize

    947KB

    MD5

    078662b8f1714a012264d21d6d71ad18

    SHA1

    a89fba89c9ac6529257bda1ecae7a16cda6e958b

    SHA256

    1b7c5de5ae0eafe73b4a83260aad7b82ce1ea67a1444165d7ef35ce0082c60d0

    SHA512

    ce5c87e577dae712dea80a5036ec6482cd42999f21cfc093a119ce378d2a585f32b6f17ade569cbae690ec4feeec02a03a4ed38662eb6cddbf98e6f210ed39b7

    Download Submit
  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\LocalState\QNIdBMj2sbWogvq.exe
    Filesize

    710KB

    MD5

    40ecf2189d8527b0a7d64900c18eb3da

    SHA1

    b3987da2fb237e026a3236e37005514f62ef7252

    SHA256

    b338546a7b2311f12f0f669a87a78bb6ef593072b54dfdace51a7182e446b008

    SHA512

    77687611d15f38708759f1b8cf738398a49e40c41b65650eebd988d4066e8bd249536bf875c6c7153c908136fcaa75a610b37cab559f64095df8d1af42f31eb1

    Download Submit
  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\AC\INetHistory\7XavigvAOoof44Eq9Z1mgudpKoAcyyoN98qaQRt6o1GarYrdtLEWQ9ORd0vgDV9BOOxf.exe
    Filesize

    803KB

    MD5

    23f0b457da0fe7c69d58cb9790ef635e

    SHA1

    49c1b6ee0853b9a459e7607be720ffb5b06be8f5

    SHA256

    547f57e97e29591c0c83ce0042ff8cf77593d4dd05f11ded7220c32646303718

    SHA512

    74d2835294d753853d4453ea5fb6864f0a7cd6c0e0569d9459568600a393b1781142ffef8d6d4a15dcbda1be50400f50f0b382792a960a460cdbeaaed7770757

    Download Submit
  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\q0I19XwRKvfRqKNzwEM.exe
    Filesize

    1.2MB

    MD5

    42cbfb9e2f2a6aadc79cc0ed63e61704

    SHA1

    dcf7e3a912cf413832adb7ebba261ada6ab33aed

    SHA256

    42d249c0cfe9a9ad41bd865f3ba02b36b05b872a994019349bae64cd5b4364ec

    SHA512

    934c1595ec8f95b36da9185035d6d5015a20704eddda88f2237c5cdb6d2a2d6e38c7c3970b54fd26722427e128c55c850f7c05dfe6844c986ecc696c7ffb8d59

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\6ZgxsJi7qCKKSN0z2y7AoN4rAnmTJK484whk6iUXmc0BzCLf0ScSW2qr216I0anuCaTs6Vs.exe
    Filesize

    764KB

    MD5

    4fc8cf842bfc30ea20a3048c221903fc

    SHA1

    3a89abf4486bca44b62eda952096049aaad36aaa

    SHA256

    9954097cb7e3dac6786a1316dec46346674539f13c3dde7ca16efc692907d344

    SHA512

    873c2ba6a1920bc0fa8a8fb1a2d0d1ab9c35316f8f4ea2248d948025236196dbafcc9038d2ee9d5216b512dcaacc0efd8eb447791ed581a4e2344d12ca7c671f

    Download Submit
  • memory/3464-137-0x0000000000400000-0x000000000042D000-memory.dmp
    Filesize

    180KB

    Download
  • memory/3464-135-0x0000000000000000-mapping.dmp
    Download
  • memory/3464-146-0x0000000000400000-0x000000000042D000-memory.dmp
    Filesize

    180KB

    Download
  • memory/3712-132-0x0000000000400000-0x000000000042D000-memory.dmp
    Filesize

    180KB

    Download
  • memory/3712-133-0x0000000000400000-0x000000000042D000-memory.dmp
    Filesize

    180KB

    Download