Overview

overview

10

Static

static

3a14602e98...69.exe

windows7-x64

10

3a14602e98...69.exe

windows10-2004-x64

Analysis

  • max time kernel
    144s
  • max time network
    81s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    25-11-2022 09:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3a14602e987306e49f3edc6374081b0917fb6187e13e5bebd1a4c1909914c869.exe

  • Size

    1.9MB

  • MD5

    1c9fcf4701e7b693f447a739036d76b0

  • SHA1

    faf5383ff76452a4cd5d82c9043d32792ac751d3

  • SHA256

    3a14602e987306e49f3edc6374081b0917fb6187e13e5bebd1a4c1909914c869

  • SHA512

    79ac16a21600f9d018b956d379c2c459cacc8514ed5e0ed1acc9762409ab1c0a8e684c4aff95dff8418583479ea4ff2c276fc50ae4e0e8c4983df2eded9fc54f

  • SSDEEP

    3072:aSsvihLlTQz9z71iURo2SJJmY6uFNcgifDbmeTXwVdBR:rsqhJMxzJiU5SeLmNSbmebW1

Score
10/10
persistencespywarestealer

Malware Config

Signatures

  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Adds policy Run key to start application 2 TTPs 7 IoCs
    persistence
  • Executes dropped EXE 2 IoCs
  • Sets file execution options in registry 2 TTPs 8 IoCs
    persistence
  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS 59 IoCs
  • Modifies registry class 12 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    1⤵
      PID:596
      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\blob_storage\5ecd537a-725e-4365-9320-993317592ce3\rIJdHKq517Mj1NBuKx8AiWaaTH0wRwcgbd05nP7MvJt53Z3Sb5H.exe
        "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\blob_storage\5ecd537a-725e-4365-9320-993317592ce3\rIJdHKq517Mj1NBuKx8AiWaaTH0wRwcgbd05nP7MvJt53Z3Sb5H.exe" 2
        2⤵
        • Executes dropped EXE
        • Sets file execution options in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1696
    • C:\Users\Admin\AppData\Local\Temp\3a14602e987306e49f3edc6374081b0917fb6187e13e5bebd1a4c1909914c869.exe
      "C:\Users\Admin\AppData\Local\Temp\3a14602e987306e49f3edc6374081b0917fb6187e13e5bebd1a4c1909914c869.exe"
      1⤵
      • Adds policy Run key to start application
      • Modifies data under HKEY_USERS
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      PID:2016
    • C:\Windows\system32\LogonUI.exe
      "LogonUI.exe" /flags:0x0
      1⤵
        PID:1272
      • C:\Windows\system32\AUDIODG.EXE
        C:\Windows\system32\AUDIODG.EXE 0x53c
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2036
      • C:\Windows\system32\LogonUI.exe
        "LogonUI.exe" /flags:0x1
        1⤵
          PID:1068
        • C:\Windows\system32\gpscript.exe
          gpscript.exe /Shutdown
          1⤵
          • Loads dropped DLL
          • Modifies data under HKEY_USERS
          • Suspicious use of WriteProcessMemory
          PID:324
          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\blob_storage\5ecd537a-725e-4365-9320-993317592ce3\rIJdHKq517Mj1NBuKx8AiWaaTH0wRwcgbd05nP7MvJt53Z3Sb5H.exe
            "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\blob_storage\5ecd537a-725e-4365-9320-993317592ce3\rIJdHKq517Mj1NBuKx8AiWaaTH0wRwcgbd05nP7MvJt53Z3Sb5H.exe" 1
            2⤵
            • Suspicious use of NtCreateUserProcessOtherParentProcess
            • Adds policy Run key to start application
            • Executes dropped EXE
            • Sets file execution options in registry
            • Loads dropped DLL
            • Modifies data under HKEY_USERS
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1476

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\ProgramData\Adobe\Updater6\xTwoPfz6lOe8zzWSAjwiWjxlh.exe
          Filesize

          2.7MB

          MD5

          0e9297366ccdf9e78755576026d33bf1

          SHA1

          939dd206f6962bc7c2efd68b3dc22af0c43adb7b

          SHA256

          7686c91c51295120b47a9e90c553a8c6131fb6646d00a6042de267244ebccf7d

          SHA512

          0da42b641ceda3ae061a586ead12e3505fdadd3df7825762f7af08874f4525360c1ad060926af7af264e4bd8d4313957b2eaa2e1877445b8ec95b543a37d18ba

          Download Submit
        • C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SecStore\jyytHCVwk99twfuHCTzG6gCMdHL8hxBrj0dYpNqMBgMHgpTQsA1TVJ6mNbosj73vLmcil0.exe
          Filesize

          2.8MB

          MD5

          21f7a428a68be335a5aa630452a9fa19

          SHA1

          f7a47c400ac1da2a908cd43ffd8b90924287b3aa

          SHA256

          9c4849712e8cfc32629044e78dd94dc69d2eed04cd8ad34a39ba69ee83ac5eda

          SHA512

          f510387e0160eb92b3a8facbb1066d397bb495c6b846f73b0e5fe9bdc976132cbd623332e8bf908dd9ecdf1d2688cefa067530dcc84a98977de698e80e84d1fc

          Download Submit
        • C:\ProgramData\Microsoft\Windows NT\MSFax\Common Coverpages\es-ES\rRXP7xyJG70edXTrGzplDRLTEa5YUHMlJrGU6DNhX.exe
          Filesize

          2.0MB

          MD5

          55d99c643522814a81ba43e0124d8b7b

          SHA1

          cc948d8a462afe4577b7812f80d5b7d5730e5f37

          SHA256

          414bde2f891db4c6c8904cc2aa8780118d98386f788d7838a1d519b95048c02d

          SHA512

          20936394bdc72811de6c5ac0f08b2aaecad59440b37f350ea44031cb980735d383f7d611da111c0fd945069bbf2925aa9e830916df8118191a1ea50d7735f17d

          Download Submit
        • C:\ProgramData\Microsoft\Windows\Ringtones\PEsu5iFJezxp3qb3Blan6tK0TkPrWX.exe
          Filesize

          3.0MB

          MD5

          b83d6c686d6301ef41aca4bef761e7ff

          SHA1

          11c05d8ad1744f6b416f1c969d3eafc2ed96a721

          SHA256

          b5978d04bbd0222d0af2f0686ee1d9bc16ab621d74edd73a4d16f8de82580dcc

          SHA512

          260ca550753b4bfc1a79f42de8f753a1675fc21748e12733e2d9441e0547597dd4c2b813f5363ec70975af07b0b83e8a24a8fc2fe689657adc75384c91211bab

          Download Submit
        • C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\6\RHzafWgpzE0kKCULbE7NaWKtTweMiZiq0qQfTGW.bat
          Filesize

          3.0MB

          MD5

          5dd4ae562411bbea24d5cd5f0df7e435

          SHA1

          b079d5fd5d350b44871f5a8c800fe9d7001e3ed2

          SHA256

          cb39430f7391923e0d5ccb531b05ba1856ea785bee0ac87e7d3e0a82507b6021

          SHA512

          5c9136def4c391ffc00a7af36f33c378f81e83ccb8f8f16de2d0b0af1e540e74f3746d13ad333537e2baf85c19aa95e3b5842410debee01da0b557ebd7a3f5d5

          Download Submit
        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\blob_storage\5ecd537a-725e-4365-9320-993317592ce3\rIJdHKq517Mj1NBuKx8AiWaaTH0wRwcgbd05nP7MvJt53Z3Sb5H.exe
          Filesize

          2.9MB

          MD5

          3538750e63d710629df889be9401bfa3

          SHA1

          36e3e985f73abd74c1517b30686f23fda6a67075

          SHA256

          6efec60cf87fa33ef423b55425c01b1262456fd7e84b004058d795d5b789a696

          SHA512

          66af2f3635a2236274a08a0f451c9db787854bd5980daa63485249289d4ff58322254813a549f42a72a5903703d693384af923fa59058d00e8a18d0bc06f5bb5

          Download Submit
        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\blob_storage\5ecd537a-725e-4365-9320-993317592ce3\rIJdHKq517Mj1NBuKx8AiWaaTH0wRwcgbd05nP7MvJt53Z3Sb5H.exe
          Filesize

          2.9MB

          MD5

          3538750e63d710629df889be9401bfa3

          SHA1

          36e3e985f73abd74c1517b30686f23fda6a67075

          SHA256

          6efec60cf87fa33ef423b55425c01b1262456fd7e84b004058d795d5b789a696

          SHA512

          66af2f3635a2236274a08a0f451c9db787854bd5980daa63485249289d4ff58322254813a549f42a72a5903703d693384af923fa59058d00e8a18d0bc06f5bb5

          Download Submit
        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\blob_storage\5ecd537a-725e-4365-9320-993317592ce3\rIJdHKq517Mj1NBuKx8AiWaaTH0wRwcgbd05nP7MvJt53Z3Sb5H.exe
          Filesize

          2.9MB

          MD5

          3538750e63d710629df889be9401bfa3

          SHA1

          36e3e985f73abd74c1517b30686f23fda6a67075

          SHA256

          6efec60cf87fa33ef423b55425c01b1262456fd7e84b004058d795d5b789a696

          SHA512

          66af2f3635a2236274a08a0f451c9db787854bd5980daa63485249289d4ff58322254813a549f42a72a5903703d693384af923fa59058d00e8a18d0bc06f5bb5

          Download Submit
        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\FoapBfIDuDy7c3Zu9QDFVSCZrQEJFePX7uYPOKJqmA4irNbr.exe
          Filesize

          3.0MB

          MD5

          9d8a8b405578608b8865c5e2407efe72

          SHA1

          99c88345da5dd80b0a6ec9db8bc70f32a758ac21

          SHA256

          acb01cadfe31bbee656705f1be528c7873c8ebdbd9476bbee227a927bccd79bd

          SHA512

          d51b8552d65f797e2bf27aa438b7633d974dfe26fe20f9a35508e5500b8d24d02a47e81dc86b919238648df70830e1e1bd0c9cc87fd3fb80ac65a63dd456905f

          Download Submit
        • C:\Users\Admin\AppData\Local\Microsoft\PlayReady\s41DVePX85LBpxlpk9n4KzxbnKbvdZyfLzA30d02FnSysuh8u1VXnnRreZU.cmd
          Filesize

          4.5MB

          MD5

          593ede99e376d9a7f9af9ecd12f703fc

          SHA1

          7c85e04cf5d19e7410dc6e7f366c4c836ed248f6

          SHA256

          7629e52ff4d8ac6bc6eb21b2cccc95f4a5d3945628d0f09b81264a5db4cdf933

          SHA512

          70cff90c7e23ff699388457675cb894f0577c86eebeb4ff2377daca4dfb287adbad38182fa951974d69ff8a18e3d0943e9ea9b34b36df4d56f4a72a3cf4e441c

          Download Submit
        • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BG9XQTG0\Pdx8jonKNFD6SaYz8WPwq1vJTJVhtN9nwwRZle8WF2umepGuBcGD6zl8wXURlMIHgarsJpS.exe
          Filesize

          3.7MB

          MD5

          defe5d4629d957ae97b3c3e47b402abb

          SHA1

          96de3d306028505c8effecabd92e4d6f214480b0

          SHA256

          fe679ebb31e950f16f0ff5a9d71f26b1820473b0bde0f0bb4294eb6185e83d17

          SHA512

          c34eb27af8e70720bbdb86ae8da160a7243df9aa27122833ef4a7d7dc721c142ce5921cef5229103ca5f580f2e7f72da68f13959f2e88f94baa2cd57708e1ea3

          Download Submit
        • C:\Users\Admin\AppData\Roaming\Identities\ZYGuL5ahehbez2WpLJzRNd8uPpQMRe7r31hk22ZVH03SxJ.exe
          Filesize

          2.4MB

          MD5

          e2dbdda241333e8e4074bb4dabbd3ba3

          SHA1

          fb6987eaea2e24b39accf14595ab5fdc809db40e

          SHA256

          7d64b2b63ed596c655124a8937a47db03cb13c1d501c5c4f65b29d14107ba9aa

          SHA512

          fcc09c42cf0c2a440a4ebf3dba3d2b25b3e0071050ed17b4bfa7559dc7f770c43a80943116031dd2395cb839489a6953d4f0a0527e8db2fc447227c7d9eecdb7

          Download Submit
        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\YaExgDfunc.exe
          Filesize

          2.3MB

          MD5

          663c112de2b4d63772b7e480a05d6f31

          SHA1

          ed59e54c9f29b200715dc98c2ece83bbc884f5af

          SHA256

          1f590c1cf87dbeb5a935935edf870898413e7320eca1a564e277760fc0b58a72

          SHA512

          cca846d7defe4408787df8bfbc445d11c0fe328f0f74c2e7e09a119eef1e1ffaa872e563f7b1ad9b6b893e4117a9f8b63c946560fce60b038fae0ce94284884d

          Download Submit
        • \Users\Admin\AppData\Local\Google\Chrome\User Data\Default\blob_storage\5ecd537a-725e-4365-9320-993317592ce3\rIJdHKq517Mj1NBuKx8AiWaaTH0wRwcgbd05nP7MvJt53Z3Sb5H.exe
          Filesize

          2.9MB

          MD5

          3538750e63d710629df889be9401bfa3

          SHA1

          36e3e985f73abd74c1517b30686f23fda6a67075

          SHA256

          6efec60cf87fa33ef423b55425c01b1262456fd7e84b004058d795d5b789a696

          SHA512

          66af2f3635a2236274a08a0f451c9db787854bd5980daa63485249289d4ff58322254813a549f42a72a5903703d693384af923fa59058d00e8a18d0bc06f5bb5

          Download Submit
        • \Users\Admin\AppData\Local\Google\Chrome\User Data\Default\blob_storage\5ecd537a-725e-4365-9320-993317592ce3\rIJdHKq517Mj1NBuKx8AiWaaTH0wRwcgbd05nP7MvJt53Z3Sb5H.exe
          Filesize

          2.9MB

          MD5

          3538750e63d710629df889be9401bfa3

          SHA1

          36e3e985f73abd74c1517b30686f23fda6a67075

          SHA256

          6efec60cf87fa33ef423b55425c01b1262456fd7e84b004058d795d5b789a696

          SHA512

          66af2f3635a2236274a08a0f451c9db787854bd5980daa63485249289d4ff58322254813a549f42a72a5903703d693384af923fa59058d00e8a18d0bc06f5bb5

          Download Submit
        • \Users\Admin\AppData\Local\Google\Chrome\User Data\Default\blob_storage\5ecd537a-725e-4365-9320-993317592ce3\rIJdHKq517Mj1NBuKx8AiWaaTH0wRwcgbd05nP7MvJt53Z3Sb5H.exe
          Filesize

          2.9MB

          MD5

          3538750e63d710629df889be9401bfa3

          SHA1

          36e3e985f73abd74c1517b30686f23fda6a67075

          SHA256

          6efec60cf87fa33ef423b55425c01b1262456fd7e84b004058d795d5b789a696

          SHA512

          66af2f3635a2236274a08a0f451c9db787854bd5980daa63485249289d4ff58322254813a549f42a72a5903703d693384af923fa59058d00e8a18d0bc06f5bb5

          Download Submit
        • memory/324-63-0x0000000000E20000-0x0000000000E4D000-memory.dmp
          Filesize

          180KB

          Download
        • memory/324-64-0x0000000000E20000-0x0000000000E4D000-memory.dmp
          Filesize

          180KB

          Download
        • memory/324-76-0x0000000000E20000-0x0000000000E4D000-memory.dmp
          Filesize

          180KB

          Download
        • memory/324-77-0x0000000000E20000-0x0000000000E4D000-memory.dmp
          Filesize

          180KB

          Download
        • memory/1272-55-0x000007FEFBB31000-0x000007FEFBB33000-memory.dmp
          Filesize

          8KB

          Download
        • memory/1476-72-0x0000000000400000-0x000000000042D000-memory.dmp
          Filesize

          180KB

          Download
        • memory/1476-78-0x0000000000400000-0x000000000042D000-memory.dmp
          Filesize

          180KB

          Download
        • memory/1476-82-0x0000000000400000-0x000000000042D000-memory.dmp
          Filesize

          180KB

          Download
        • memory/1476-62-0x0000000000000000-mapping.dmp
          Download
        • memory/1696-80-0x0000000000000000-mapping.dmp
          Download
        • memory/1696-85-0x0000000000400000-0x000000000042D000-memory.dmp
          Filesize

          180KB

          Download
        • memory/2016-54-0x0000000000400000-0x000000000042D000-memory.dmp
          Filesize

          180KB

          Download
        • memory/2016-56-0x0000000000400000-0x000000000042D000-memory.dmp
          Filesize

          180KB

          Download