Overview

overview

8

Static

static

19c47ff5ff...bf.exe

windows7-x64

8

19c47ff5ff...bf.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    165s
  • max time network
    32s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    25-11-2022 09:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    19c47ff5ff4cdf1e6f3bd11a04c373fa9208646cf96809048daa88d68c9f31bf.exe

  • Size

    1.5MB

  • MD5

    4aa3597334eb887f0e8be6fada94749b

  • SHA1

    6545fc5fefd0da46c07b7907daf6e69072fc34ea

  • SHA256

    19c47ff5ff4cdf1e6f3bd11a04c373fa9208646cf96809048daa88d68c9f31bf

  • SHA512

    6df6cd2bf30612864043203d6158113639b8e5c237a32082dfc6b9cdbf4848ad4484c9237424a0ba963590fffe1d04619e5eb4cda743a0daf5a5fdd6782158dc

  • SSDEEP

    3072:aSsvihLlTQz9z71iURo2SJJmY6uFNcgifDbmeTXwVdBR:rsqhJMxzJiU5SeLmNSbmebW1

Score
8/10
persistencespywarestealer

Malware Config

Signatures

  • Adds policy Run key to start application 2 TTPs 7 IoCs
    persistence
  • Executes dropped EXE 1 IoCs
  • Sets file execution options in registry 2 TTPs 4 IoCs
    persistence
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS 58 IoCs
  • Modifies registry class 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\19c47ff5ff4cdf1e6f3bd11a04c373fa9208646cf96809048daa88d68c9f31bf.exe
    "C:\Users\Admin\AppData\Local\Temp\19c47ff5ff4cdf1e6f3bd11a04c373fa9208646cf96809048daa88d68c9f31bf.exe"
    1⤵
    • Adds policy Run key to start application
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    PID:1808
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x0
    1⤵
      PID:268
    • C:\Windows\system32\AUDIODG.EXE
      C:\Windows\system32\AUDIODG.EXE 0x2ec
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1332
    • C:\Windows\system32\LogonUI.exe
      "LogonUI.exe" /flags:0x1
      1⤵
        PID:432
      • C:\Windows\system32\gpscript.exe
        gpscript.exe /Shutdown
        1⤵
        • Loads dropped DLL
        • Modifies data under HKEY_USERS
        • Suspicious use of WriteProcessMemory
        PID:1232
        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IEDownloadHistory\qOn5LAZMfhCIGS8PP9AKL6g8djDAqUgt8i3WgU2ILcxpZ7G7EjwmB0C.exe
          "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IEDownloadHistory\qOn5LAZMfhCIGS8PP9AKL6g8djDAqUgt8i3WgU2ILcxpZ7G7EjwmB0C.exe" 1
          2⤵
          • Adds policy Run key to start application
          • Executes dropped EXE
          • Sets file execution options in registry
          • Modifies data under HKEY_USERS
          • Suspicious use of AdjustPrivilegeToken
          PID:972

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\ProgramData\Microsoft\DRM\nt8jcqZiPWQwDEUu9zLECfhEnJCB8C2opz4EQiJTvB7.exe
        Filesize

        2.1MB

        MD5

        a2a82ac6271eb74eebd98be95d55c262

        SHA1

        8aff38e01d2a43d78ff07829b76a3f31154e6039

        SHA256

        44ceb5c18c51242157269c63ff50218ecd85170afecb4a306bf29a456593bcbe

        SHA512

        cacd7beb0eea76423e7d87cd0d621dfcbb8b6001eb7eb78ba976fff93acc3d0dcfb8fea24dfbadd22b5578ddbceab717422e1ca202d811f216c9a539eb0ad664

        Download Submit
      • C:\ProgramData\Microsoft\MF\RZUu3Gis5byfZhrAj9BhoK9fS6GIALkdB9osWZWaEaXSqx1T8EebAJvZfLR5sCt.exe
        Filesize

        2.6MB

        MD5

        4684080cf97f5cdcb022ce2e72e5f545

        SHA1

        dfcf8b625956fe17bab108b4d98b4316bcf24881

        SHA256

        9f583948e2fdc45308da87edb49a54bc64e41ca345d2a30f45dcfbbd095599b8

        SHA512

        02daa2e477539f19816057bd6c45402c79fc6ccb420be486f02ab9fe28dffaddab2766dede10deb024a1690174ae96544188d8a4c65f903c2b908fffbaf0ac9b

        Download Submit
      • C:\ProgramData\Microsoft\Media Player\vEAcJSTXfWVItEg.exe
        Filesize

        2.3MB

        MD5

        c5b169e5b6922409b6e086736857583d

        SHA1

        ea3a5d7d98b4382b35bea017b1de24620857eed8

        SHA256

        5c5fc2bf7e094c737342bff6b4e8a543cea254c45034e8d9df236f5ad130e923

        SHA512

        67ebdf7c1b4c5afb8f5a5d77a9597f37dda1010830663b3d0616b196fa9564dd1dfec8bad3593a8af87548f1c9f4f2972bccb406eccc3a8d53867ba5946e9d9a

        Download Submit
      • C:\ProgramData\Microsoft\Search\Data\Applications\Windows\GatherLogs\nYwTRFFgb.exe
        Filesize

        2.8MB

        MD5

        088cecefe27c21cee76705047ae1f6c5

        SHA1

        e9d340ae132a0b956e096fe6326bafa5858606a0

        SHA256

        25b8d77a291c30c23564f6f3757a37b8d45e23594649c3b152ae712bf64b50a4

        SHA512

        6f37603139862ba98d4d9993ed9158dc3759dd3ce95d70be59d39f3761dac9f3b004dc5bb2b6395d9b316afb30f6c0c614beb2ac3fe3adea276770068c1c871a

        Download Submit
      • C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\28\hz60KDqZpwGXI67NeQYxkRseE8O7l9lUX1FASSrqRaxZ5B80s4HXsAeWWkgA7vkp6iris8.exe
        Filesize

        2.6MB

        MD5

        573e48be061ad802365191174253d164

        SHA1

        6e3d1bc17ff241a0833665a19df837834a0b0768

        SHA256

        82d7226d2240dfef9296b9bbe5fa710394d981f1d7781950f303817084f48138

        SHA512

        dd091c356d0af8f0f144e2fbc5e40b69accd83f122b4273ca49b7f954dd3fdcaaf932ac5e43d4ab4ecfcb9d0f301c528ce1d05ae768e85de846a54263dd8c35f

        Download Submit
      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\hyphen-data\VaDTImDJKY85IqANuBmiy82uLaspS8yE0HJWh5npSneG7jKpMaTmfKYsu6hzzRsJg2iLAK.exe
        Filesize

        2.4MB

        MD5

        38f1b019b08d80dff1ed5210b8ce101e

        SHA1

        f7fc0acc7f69aa5353e0a57542b4b46500552719

        SHA256

        518539f9b5ae23968f5e33444cd54a1a315eb4428a2dc8edcb46fafbeb57c14c

        SHA512

        f7b23972f00904971626a65956394ba3fb367cd16cb80d9ee9b89488354d1262c5305116392423ec32d920fe36ab34809bb200236b5f5291a6f556a8ead6c4c1

        Download Submit
      • C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\WgsuVDU1CKu.exe
        Filesize

        2.7MB

        MD5

        e29d9694ad032900d2df7d084491c66e

        SHA1

        0f9dfcf73c5a5ccc83c6a54eeccaba71ec52a1f7

        SHA256

        58400342a3e2db0fdccf16e5a522895b238596d7e1fec85911450a5230e0485c

        SHA512

        c6b49f7e16eaf033d39f316d2a61bef192ca7c871988a86eccb43e587bfc2a2653f633df942ef9eb3c8d8e38bc9043ca7d3751acc3e6eacb8bf19ea909b1cda9

        Download Submit
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IEDownloadHistory\qOn5LAZMfhCIGS8PP9AKL6g8djDAqUgt8i3WgU2ILcxpZ7G7EjwmB0C.exe
        Filesize

        3.1MB

        MD5

        9578bda4421ca8a20c0844e216738167

        SHA1

        539c498e8a423232605a115960c97954c996e3dc

        SHA256

        4e3a10a4a2da91adbe8bf6e4a61f6f1f348ad6fe147768f5722dab9a9d063696

        SHA512

        9ee2bd662cc5aad1a4ebadcf68a22cd8713e6e9a118128fd63f7b12ab2fa1088056d7316d765da34d685da1a2c7be5e311b1def2c1e65ad371b47adca94bc9ef

        Download Submit
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IEDownloadHistory\qOn5LAZMfhCIGS8PP9AKL6g8djDAqUgt8i3WgU2ILcxpZ7G7EjwmB0C.exe
        Filesize

        3.1MB

        MD5

        9578bda4421ca8a20c0844e216738167

        SHA1

        539c498e8a423232605a115960c97954c996e3dc

        SHA256

        4e3a10a4a2da91adbe8bf6e4a61f6f1f348ad6fe147768f5722dab9a9d063696

        SHA512

        9ee2bd662cc5aad1a4ebadcf68a22cd8713e6e9a118128fd63f7b12ab2fa1088056d7316d765da34d685da1a2c7be5e311b1def2c1e65ad371b47adca94bc9ef

        Download Submit
      • C:\Users\Admin\Desktop\GTUxjelDizlquDSrKLVboOnc6mL1uBJkHRPtjCJLZdcmti97Dudor1CWS2wPCkdxasfC6z.exe
        Filesize

        2.3MB

        MD5

        0287e86cf91466e0c2ea95c09d2a3b4a

        SHA1

        4e368ff28a1a86096fb2b12b8afabce81b247cb1

        SHA256

        c9421a54faad55194b895915fe88cdaa9c0cf2a50e35a583c51875825afcbdf6

        SHA512

        df190eff259ffb5176653e6e5eea069c35bc223ddfb174837d0bf7d1c7f74cd68fa2124a98edd7eca99d07c949a544bbf00b9da3452f91deab535bd740c1a94c

        Download Submit
      • \Users\Admin\AppData\Roaming\Microsoft\Windows\IEDownloadHistory\qOn5LAZMfhCIGS8PP9AKL6g8djDAqUgt8i3WgU2ILcxpZ7G7EjwmB0C.exe
        Filesize

        3.1MB

        MD5

        9578bda4421ca8a20c0844e216738167

        SHA1

        539c498e8a423232605a115960c97954c996e3dc

        SHA256

        4e3a10a4a2da91adbe8bf6e4a61f6f1f348ad6fe147768f5722dab9a9d063696

        SHA512

        9ee2bd662cc5aad1a4ebadcf68a22cd8713e6e9a118128fd63f7b12ab2fa1088056d7316d765da34d685da1a2c7be5e311b1def2c1e65ad371b47adca94bc9ef

        Download Submit
      • \Users\Admin\AppData\Roaming\Microsoft\Windows\IEDownloadHistory\qOn5LAZMfhCIGS8PP9AKL6g8djDAqUgt8i3WgU2ILcxpZ7G7EjwmB0C.exe
        Filesize

        3.1MB

        MD5

        9578bda4421ca8a20c0844e216738167

        SHA1

        539c498e8a423232605a115960c97954c996e3dc

        SHA256

        4e3a10a4a2da91adbe8bf6e4a61f6f1f348ad6fe147768f5722dab9a9d063696

        SHA512

        9ee2bd662cc5aad1a4ebadcf68a22cd8713e6e9a118128fd63f7b12ab2fa1088056d7316d765da34d685da1a2c7be5e311b1def2c1e65ad371b47adca94bc9ef

        Download Submit
      • memory/268-56-0x000007FEFBFB1000-0x000007FEFBFB3000-memory.dmp
        Filesize

        8KB

        Download
      • memory/972-63-0x0000000000000000-mapping.dmp
        Download
      • memory/972-67-0x0000000000400000-0x000000000042D000-memory.dmp
        Filesize

        180KB

        Download
      • memory/972-79-0x0000000000400000-0x000000000042D000-memory.dmp
        Filesize

        180KB

        Download
      • memory/1232-66-0x0000000000EC0000-0x0000000000EED000-memory.dmp
        Filesize

        180KB

        Download
      • memory/1232-65-0x0000000000EC0000-0x0000000000EED000-memory.dmp
        Filesize

        180KB

        Download
      • memory/1232-77-0x0000000000EC0000-0x0000000000EED000-memory.dmp
        Filesize

        180KB

        Download
      • memory/1232-78-0x0000000000EC0000-0x0000000000EED000-memory.dmp
        Filesize

        180KB

        Download
      • memory/1808-54-0x0000000000400000-0x000000000042D000-memory.dmp
        Filesize

        180KB

        Download
      • memory/1808-57-0x0000000000400000-0x000000000042D000-memory.dmp
        Filesize

        180KB

        Download
      • memory/1808-55-0x0000000000400000-0x000000000042D000-memory.dmp
        Filesize

        180KB

        Download