Overview

overview

10

Static

static

3a14602e98...69.exe

windows7-x64

10

3a14602e98...69.exe

windows10-2004-x64

Analysis

  • max time kernel
    30s
  • max time network
    32s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-11-2022 09:30

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    3a14602e987306e49f3edc6374081b0917fb6187e13e5bebd1a4c1909914c869.exe

  • Size

    1.9MB

  • MD5

    1c9fcf4701e7b693f447a739036d76b0

  • SHA1

    faf5383ff76452a4cd5d82c9043d32792ac751d3

  • SHA256

    3a14602e987306e49f3edc6374081b0917fb6187e13e5bebd1a4c1909914c869

  • SHA512

    79ac16a21600f9d018b956d379c2c459cacc8514ed5e0ed1acc9762409ab1c0a8e684c4aff95dff8418583479ea4ff2c276fc50ae4e0e8c4983df2eded9fc54f

  • SSDEEP

    3072:aSsvihLlTQz9z71iURo2SJJmY6uFNcgifDbmeTXwVdBR:rsqhJMxzJiU5SeLmNSbmebW1

Score
10/10
persistencespywarestealer

Malware Config

Signatures

  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Adds policy Run key to start application 2 TTPs 7 IoCs
    persistence
  • Executes dropped EXE 2 IoCs
  • Sets file execution options in registry 2 TTPs 8 IoCs
    persistence
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 10 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Windows\system32\lsass.exe
    C:\Windows\system32\lsass.exe
    1⤵
      PID:660
      • C:\Users\Public\Desktop\ajBMsNIWeGYaAgFyqzfkKkMZmchSqBOMrw15n.bat
        "C:\Users\Public\Desktop\ajBMsNIWeGYaAgFyqzfkKkMZmchSqBOMrw15n.bat" 2
        2⤵
        • Executes dropped EXE
        • Sets file execution options in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3832
    • C:\Users\Admin\AppData\Local\Temp\3a14602e987306e49f3edc6374081b0917fb6187e13e5bebd1a4c1909914c869.exe
      "C:\Users\Admin\AppData\Local\Temp\3a14602e987306e49f3edc6374081b0917fb6187e13e5bebd1a4c1909914c869.exe"
      1⤵
      • Adds policy Run key to start application
      • Modifies data under HKEY_USERS
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      PID:5060
    • C:\Windows\system32\LogonUI.exe
      "LogonUI.exe" /flags:0x4 /state0:0xa39ea855 /state1:0x41c64e6d
      1⤵
      • Modifies data under HKEY_USERS
      • Suspicious use of SetWindowsHookEx
      PID:4756
    • C:\Windows\system32\gpscript.exe
      gpscript.exe /Shutdown
      1⤵
      • Modifies data under HKEY_USERS
      • Suspicious use of WriteProcessMemory
      PID:1488
      • C:\Users\Public\Desktop\ajBMsNIWeGYaAgFyqzfkKkMZmchSqBOMrw15n.bat
        "C:\Users\Public\Desktop\ajBMsNIWeGYaAgFyqzfkKkMZmchSqBOMrw15n.bat" 1
        2⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • Adds policy Run key to start application
        • Executes dropped EXE
        • Sets file execution options in registry
        • Modifies data under HKEY_USERS
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4620

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\Microsoft\Search\Data\Applications\fks8vIKmvtC5.exe
      Filesize

      3.3MB

      MD5

      52d6bcd7c49a3c80de6aee0b89d5919b

      SHA1

      f4f03d877d19fe5de860526ddb21e077fc2a915e

      SHA256

      8462d26bf301f34e5cc9caade38e928e103e00056660b62047481fef94036a2b

      SHA512

      cc1791e0067946232626dfb81f7d5bd85cbe19a90709bedd29a536a02c0875e9f8604cf104e1ac1e178a03f14da7b4f5edd50ec5f5f24662a3ef626d3eea6c39

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\37\ej8rSnvvuKiNFqHr.exe
      Filesize

      2.0MB

      MD5

      20ed027c11462e95c09f37bb1a658f54

      SHA1

      722237af72ec0be6a971b8e45a697849bf0948b8

      SHA256

      5100c7f634de4252a6da69902c484100605d7707443e0f3f9471c97ebb64c9f0

      SHA512

      ff260dbb66a827abd3329f1fed332bdc041270d6572d25926d69d62325a5448152811429b91066bbb177102d6f817275a3dc437ed4f7e3d8d8bc5b3d46acf856

      Download Submit
    • C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\drlrgVg4ihghTY89q0fqD5lFT241XgvpbmWh1nyEhX5RndJQITxXw7WmXHZF0ICh.exe
      Filesize

      3.4MB

      MD5

      8c8d55d5fec150c6223a3ffab7666e1d

      SHA1

      1b059785a97028ec7db0e36bfa0a9775e89f0305

      SHA256

      36480372f0b2553c5f501066a77b6e5ed10e195f56a73e3f72030f9d597266d8

      SHA512

      2ae87128482f9761336aed46aaafae5d228b4d5e94b8e3ec0cc1636fb7ecca8e4b38353ef0e2fd8a0f6a5b68608c5ae99f97e04e0492a28e6de7d12dceddc818

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\el\n7iHp8oEVb92nMh7YEl4QO2.exe
      Filesize

      2.9MB

      MD5

      28057a2ba0da5f7ab52e81f7b59bb843

      SHA1

      f35676ba2b3bb72ab9bb6750f80cbdbf16f15275

      SHA256

      1441e0a50cdc8d6dff9aa8da719d6b971367d550a37a13056e9627dd9b7f7591

      SHA512

      b11b13ade9a5aa8b3b2233aa09ef49ea4c4a9f33e3922b7b9ad87929fc34baeaf81f4b5d5b773d594f5b7fc814c8b8ab588825e42aefc133ba3b5d7bdd428211

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012022090120220902\tyla9CzFnUPT37BxV6CqF9scPtXqs7X2oXmA.cmd
      Filesize

      3.0MB

      MD5

      c56d94522237d3e7c91742e4bb0c52e0

      SHA1

      bdd5c6a2afc9091620a37169d1568852d1c7b28c

      SHA256

      59a2490b2f9e4216c10af6154498dd547088e0a1c1f1355c8f4bb28050c1737b

      SHA512

      ac445f8539c5acd307f6b5f02dfe96c00238a05460b4e29cdc37ebae569ca2d8c8d73db32b5e972c0311d217de63569c00d643b775b513b8e1f36de2b08a91a0

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Ringtones\5BgJMoiBXLa7C8NPapIopm7xKzxlW1bROVtORwuQB9ElsC4dEhZPcZeyvppMm.exe
      Filesize

      3.6MB

      MD5

      804fc8f054a454b8b544f7cd71a11422

      SHA1

      9bc78a3f3966f3d03145fd49300ac9e43a09c186

      SHA256

      c3fe2a90333693a931c2091c9724cb05afc288e0fdc42c80e8190b36662dabf1

      SHA512

      c0d35366de1aa4c9fd25b2d6384a771a3d76838be5619024651edea53f28154303660da68a60937d05a2e82ea2a530aa1e68797a7efa2cf92c92fbb8f257cbe3

      Download Submit
    • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\7603651830\gSQuRN5XW64jUaz9R4GaNa1w3keq00K1BdIof7NJUAlKkSYG5NK3oxDf.bat
      Filesize

      3.8MB

      MD5

      10bd03f154e555e485a505ce585ce9b3

      SHA1

      2fb9f0f27181dd78f8b88b75ca3f7210a0c0f6ec

      SHA256

      d7b4924fca0fdb82b3bce4991c1965e926bd82ad4afd70eddf4743a8154dc014

      SHA512

      0e5854d3eb6603f214067e37d902f8085e5dfbc44182f0bb2ea3509b76fb3aa777652c6b33e6c4e2e0b5ea56d6deaed0203baf81c9c744fc634b064c97a5ca6b

      Download Submit
    • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\TokenBroker\Cache\PQjmHJv3KENddKOT4ZizeZaSUFqRs9hmRkaN2J0gQ6NPoeLthNmQtxUj.exe
      Filesize

      3.3MB

      MD5

      81dc37a5abd0bd3d1c37c7d4dab2ef6c

      SHA1

      07b3958a16669dc1840d476ed683934874cd6d15

      SHA256

      a15f58d20408b844c99f540698e4a9055a44d25800f0213c9eed51a98dfead6e

      SHA512

      9283057758b4728c7cd2349ef8e27a055987d2bd4423e31edcdc8fbe95d8bb6a56431c1053ed19d934cb0424fb9294293fc34c02198edd02f2f127c8f778dc5c

      Download Submit
    • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SystemAppData\HqofVco1QizibetD.exe
      Filesize

      2.0MB

      MD5

      600780d09adec6ddeb3c288f09d23349

      SHA1

      b1a893885d3c0ef7e14c18071bdf473d488711f9

      SHA256

      e21426441d52ba28d1834ad70c67af7f0109a5b3b0c51a9508a2b7cfcd5db12a

      SHA512

      7c84ad7a557d8be95a586a95d18abbd09eeae063f6ecd5f8761594bbcb5883555bf7f41ab528a42496134abd1cd83585332f81edbacf7de53bba9a091a258951

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\EebDN3rEqCO6OOdHM2cAt0iLhyJY6Ta9c8Y852GIOEXQ15Yc37BlwY63OHnYkE35cvw5.exe
      Filesize

      3.3MB

      MD5

      55b2f92515527ba33693c2d8144f8863

      SHA1

      248b8525a0194599e0a525ce5d080bad5126fc1b

      SHA256

      0b152211ced1ef5d363b9e7efeb0d5fb88985e9e5b345a0b2aee476fa1d731bd

      SHA512

      7e529dda553e7dd4a2ca6eb4e1609f2f91b441a25558d21a5dea0a0cb2f01df0c269d7a3eacd2005cb9d81287520ad184c5ca91b1c389d32f1d80167c22455a5

      Download Submit
    • C:\Users\Public\Desktop\ajBMsNIWeGYaAgFyqzfkKkMZmchSqBOMrw15n.bat
      Filesize

      2.9MB

      MD5

      726ca7cecc0b64017513634c855b0172

      SHA1

      ed7d88872215c3f779364223fa0442317f1ea371

      SHA256

      75719c23e5b019b50953cd760a1e37cc50c1de23ab4d6c569bbb13c466a9cc5c

      SHA512

      c434aeca65eb0183f10e3882cfdaa01c327f983c32f6976e7562bdce05fe57398e108a8787b71f1b6f8e64d200664e4a16fd697aa7ecb638b97e551d513a30ba

      Download Submit
    • C:\Users\Public\Desktop\ajBMsNIWeGYaAgFyqzfkKkMZmchSqBOMrw15n.bat
      Filesize

      2.9MB

      MD5

      726ca7cecc0b64017513634c855b0172

      SHA1

      ed7d88872215c3f779364223fa0442317f1ea371

      SHA256

      75719c23e5b019b50953cd760a1e37cc50c1de23ab4d6c569bbb13c466a9cc5c

      SHA512

      c434aeca65eb0183f10e3882cfdaa01c327f983c32f6976e7562bdce05fe57398e108a8787b71f1b6f8e64d200664e4a16fd697aa7ecb638b97e551d513a30ba

      Download Submit
    • C:\Users\Public\Desktop\ajBMsNIWeGYaAgFyqzfkKkMZmchSqBOMrw15n.bat
      Filesize

      2.9MB

      MD5

      726ca7cecc0b64017513634c855b0172

      SHA1

      ed7d88872215c3f779364223fa0442317f1ea371

      SHA256

      75719c23e5b019b50953cd760a1e37cc50c1de23ab4d6c569bbb13c466a9cc5c

      SHA512

      c434aeca65eb0183f10e3882cfdaa01c327f983c32f6976e7562bdce05fe57398e108a8787b71f1b6f8e64d200664e4a16fd697aa7ecb638b97e551d513a30ba

      Download Submit
    • memory/3832-147-0x0000000000000000-mapping.dmp
      Download
    • memory/3832-150-0x0000000000400000-0x000000000042D000-memory.dmp
      Filesize

      180KB

      Download
    • memory/4620-146-0x0000000000400000-0x000000000042D000-memory.dmp
      Filesize

      180KB

      Download
    • memory/4620-137-0x0000000000400000-0x000000000042D000-memory.dmp
      Filesize

      180KB

      Download
    • memory/4620-149-0x0000000000400000-0x000000000042D000-memory.dmp
      Filesize

      180KB

      Download
    • memory/4620-134-0x0000000000000000-mapping.dmp
      Download
    • memory/5060-132-0x0000000000400000-0x000000000042D000-memory.dmp
      Filesize

      180KB

      Download
    • memory/5060-133-0x0000000000400000-0x000000000042D000-memory.dmp
      Filesize

      180KB

      Download