Overview

overview

10

Static

static

b760f5385b...42.exe

windows7-x64

10

b760f5385b...42.exe

windows10-2004-x64

Analysis

  • max time kernel
    32s
  • max time network
    36s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-11-2022 09:32

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    b760f5385bd4c51febb6fae596de0130d7e785bdb0accbe258cf918792c40942.exe

  • Size

    452KB

  • MD5

    df92baa5776224b51b9720c65fe51af3

  • SHA1

    c5a4caea6e99064497683feb0f88749b0a93b933

  • SHA256

    b760f5385bd4c51febb6fae596de0130d7e785bdb0accbe258cf918792c40942

  • SHA512

    85d00d9e41d8c29b6c3697cbfabca09d2b1099a85cf76cc042a18d6db2ee01a1e6d8eae42b1e4f70403174ff1d8c35fc40413b6c16a04e5639365cefb929e860

  • SSDEEP

    3072:aSsvihLlTQz9z71iURo2SJJmY6uFNcgifDbmeTXwVdBR:rsqhJMxzJiU5SeLmNSbmebW1

Score
10/10
persistencespywarestealer

Malware Config

Signatures

  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Adds policy Run key to start application 2 TTPs 7 IoCs
    persistence
  • Executes dropped EXE 2 IoCs
  • Sets file execution options in registry 2 TTPs 8 IoCs
    persistence
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 10 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Windows\system32\lsass.exe
    C:\Windows\system32\lsass.exe
    1⤵
      PID:672
      • C:\ProgramData\Microsoft\EdgeUpdate\6ahI7K8Me5ZSeAFXn.exe
        "C:\ProgramData\Microsoft\EdgeUpdate\6ahI7K8Me5ZSeAFXn.exe" 2
        2⤵
        • Executes dropped EXE
        • Sets file execution options in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:808
    • C:\Users\Admin\AppData\Local\Temp\b760f5385bd4c51febb6fae596de0130d7e785bdb0accbe258cf918792c40942.exe
      "C:\Users\Admin\AppData\Local\Temp\b760f5385bd4c51febb6fae596de0130d7e785bdb0accbe258cf918792c40942.exe"
      1⤵
      • Adds policy Run key to start application
      • Modifies data under HKEY_USERS
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      PID:2444
    • C:\Windows\system32\LogonUI.exe
      "LogonUI.exe" /flags:0x4 /state0:0xa39f5855 /state1:0x41c64e6d
      1⤵
      • Modifies data under HKEY_USERS
      • Suspicious use of SetWindowsHookEx
      PID:4828
    • C:\Windows\system32\gpscript.exe
      gpscript.exe /Shutdown
      1⤵
      • Modifies data under HKEY_USERS
      • Suspicious use of WriteProcessMemory
      PID:4196
      • C:\ProgramData\Microsoft\EdgeUpdate\6ahI7K8Me5ZSeAFXn.exe
        "C:\ProgramData\Microsoft\EdgeUpdate\6ahI7K8Me5ZSeAFXn.exe" 1
        2⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • Adds policy Run key to start application
        • Executes dropped EXE
        • Sets file execution options in registry
        • Modifies data under HKEY_USERS
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2140

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Registry Run Keys / Startup Folder

    2
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    2
    T1112

    Credential Access

    Credentials in Files

    1
    T1081

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Data from Local System

    1
    T1005

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\Microsoft\EdgeUpdate\6ahI7K8Me5ZSeAFXn.exe
      Filesize

      795KB

      MD5

      1b09169c4a40753068bf365d5920852a

      SHA1

      4f5264c0346527463537eda519c80f213f264e80

      SHA256

      b85d7a76a5c353ccba32bd21c303f726cfa823e928d6ba4be4769a57097b199d

      SHA512

      39d639e1b1f5844d4b87611690dcd36bacd5cf251a6f559c3a32f473f795df78b5c3fd5a41de09f5c5441cef36987927fa376b7d8775cd2f8e804dcddab667d6

      Download Submit
    • C:\ProgramData\Microsoft\EdgeUpdate\6ahI7K8Me5ZSeAFXn.exe
      Filesize

      795KB

      MD5

      1b09169c4a40753068bf365d5920852a

      SHA1

      4f5264c0346527463537eda519c80f213f264e80

      SHA256

      b85d7a76a5c353ccba32bd21c303f726cfa823e928d6ba4be4769a57097b199d

      SHA512

      39d639e1b1f5844d4b87611690dcd36bacd5cf251a6f559c3a32f473f795df78b5c3fd5a41de09f5c5441cef36987927fa376b7d8775cd2f8e804dcddab667d6

      Download Submit
    • C:\ProgramData\Microsoft\EdgeUpdate\6ahI7K8Me5ZSeAFXn.exe
      Filesize

      795KB

      MD5

      1b09169c4a40753068bf365d5920852a

      SHA1

      4f5264c0346527463537eda519c80f213f264e80

      SHA256

      b85d7a76a5c353ccba32bd21c303f726cfa823e928d6ba4be4769a57097b199d

      SHA512

      39d639e1b1f5844d4b87611690dcd36bacd5cf251a6f559c3a32f473f795df78b5c3fd5a41de09f5c5441cef36987927fa376b7d8775cd2f8e804dcddab667d6

      Download Submit
    • C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\DHoNFIpOUV8Zo.exe
      Filesize

      671KB

      MD5

      c6a17ee75a05062c66aadbe5abb83ee2

      SHA1

      75bf0c8dc2ea0742fd367f3309192e8699d09e02

      SHA256

      5f7edfa05aa2b293b364d350c20d17b42014f11590669b453263902c9e1c3a0d

      SHA512

      ba41892093c15ecbc9ff768a2b4c214ffe9cc9144b27ffb16e104aee8b6f28d366da54d95adcc02cdc2d5ab6d404f84d14598f32b9c6b245a20da327313a0a07

      Download Submit
    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\yLmGWxFn5bA3u0j3GS9uCA6AVEUFGoIuJc8OfVrkwiJzd98P1fo57hfIIBrFR87hObT.exe
      Filesize

      749KB

      MD5

      662cf0419dc588643954c265245d29df

      SHA1

      03c4acacd09b65e2570564a6b768aba29e1b8bd2

      SHA256

      8f42025de2490fa2cf0984a93d6605136b253c8390fcba0b1b4af983c2c2c13d

      SHA512

      38cc9deb5bb845720ece5a9927a30a4a2ad6435ea9271e31bf57bf542ad7572bc4ea8805ea461f504358014f883596a13470ecabf0229252a8e463522c13514e

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\qml\QtQuick\Controls\Styles\Flat\shO1NjTRBsXITFe1.exe
      Filesize

      834KB

      MD5

      621f1a15816d7cdcb1884b9c767d0565

      SHA1

      c12f47e5a303acf823b30713f05b8c754e7b8156

      SHA256

      d179778d7a03c42e45bc386ad0cd851c38415f702846e2ff70e92b068bea28ff

      SHA512

      b95a8b1e114aba489a140c437a1bf67f2b865e12d40afdee8e3ea8dde224ed30618b6796d779d804bbf825405613afe16c174e0f61f4f59fffa35a8f27ef59a0

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\IaXH8zUtSRFgKH2W8XwAp9NxOzo4wjUvXXe2aXDN1G.exe
      Filesize

      512KB

      MD5

      4efa81af4bc151008c36f0e733230fd6

      SHA1

      d05f78796d660e19138ad0bbf9c67efca1b69daa

      SHA256

      0d7360cf1a960275982992b0384b13b7c80c6e986d2d644671d2b722f918e139

      SHA512

      2e11a057f98b2828a8367d815844ac27e18dfaeec3c309f38932dd41b25059a254d442a8218a71d107e48b1bd9a79414b9b495f941baa03b4e00f5138d56e6f2

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\q976LzePLsbVGlerYkZ45K6VKV2SJ1ICw.bat
      Filesize

      1.0MB

      MD5

      919f9cc96bcc7706087adc886341518b

      SHA1

      f63279980152d59263ad1d3aa6576273eeef20c5

      SHA256

      0de7322634901ed800c93298f70c6da65d11f447fc249dbf76916bd23286b3f9

      SHA512

      1792799e79ec2236ea517e0da07446b85a2351049691611a02da500950719cc053c1008a5074927f508158580adc2e958da64d2bbfcf0d27a02c3cfa520cef06

      Download Submit
    • C:\Users\Admin\AppData\Local\Packages\E2A4F912-2574-4A75-9BB0-0D023378592B_cw5n1h2txyewy\LocalState\NxHlOVGeH5Wxl28Y6cphBd4vr44jwWORvLzXT5U632cS2.cmd
      Filesize

      1.5MB

      MD5

      50ae657215806ad4dcddaa92316fbdbf

      SHA1

      29e5b79b17769e070e773e5572a8b1f862471662

      SHA256

      acea3748165658b6631d15cc2c82c5ea0556897d90a302283bb35f691776e447

      SHA512

      5331b9e080f61eda50edbf2fc288c52d74e9194f54a382029aac1c67a2f44b68beb809c9b7ad6da6322dafc2e521739c4613104946c96b8eacc9c6abd0877759

      Download Submit
    • C:\Users\Admin\AppData\Local\Packages\F46D4000-FD22-4DB4-AC8E-4E1DDDE828FE_cw5n1h2txyewy\Settings\O2zuQ3dgce9Egw9pw1rtvymAYdiqmQRxabg5F3Dx5bQGhd3.exe
      Filesize

      896KB

      MD5

      f9e5eb2cbcf15936e2d8665e032c9ad4

      SHA1

      a7acff52b1a8c951ece5f1eea5f040419531749f

      SHA256

      f5c74f845d19deb7c28af319a48e21451f9f88ef06d8228719b3d8833c13b45d

      SHA512

      56d4ace1d8ff8ce76da8f7055a58af84216223dfb1b88a8a08a0b9f81c986385958b3f0a0b8761c4e873e15a54b4c13c5455ae3597d5014012694588953681d9

      Download Submit
    • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\SystemAppData\vvz76cEwvk4pP0pNutjC7HokLKYcBp.exe
      Filesize

      663KB

      MD5

      6dac3eea69236d020b8a0f42cc84ad8d

      SHA1

      f4be6856c8f61d395febdedcc621e67012f43a7e

      SHA256

      e8c8baf34c33977712fb1982f14d9d9c6f0201cc64726fd7bd949e86d38e69cf

      SHA512

      e761ee41cdaca015cd2e6cfc3d846775ca305dcb85f5aad1f28332afa6be308f29f3a0f467164d41eafc2b0fd5f21f5a1defd9f964c869826d8944a6c6e4ef44

      Download Submit
    • C:\Users\Admin\AppData\Local\Packages\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\AC\INetCache\XuPjgpqnTlvyZju3l2Te0yPgbs1aozC3Udxy6ExaOF9GzZpwSR2nQnoLvGBaHqn.exe
      Filesize

      586KB

      MD5

      5ac1d572756331bbcce6ee133a5a5f33

      SHA1

      ccc75e8fb27fec2adf1d63377b84f14943b80a85

      SHA256

      62e2cfc2bbc7f5165b9e68a5ca0bb1ff46c00a2fa5e7e783bb5a12218e2efcad

      SHA512

      bf6a032a71bf8144d091cdc9558ac59630422d94c8a87f4a970516b96bb260bcff93339299216ea7eb31bcab71e0d3d5fde6b133a9328af460b4cad6031a8727

      Download Submit
    • C:\Users\Admin\AppData\Local\Packages\Windows.CBSPreview_cw5n1h2txyewy\AC\INetHistory\7RN0sYSsVEOYsqrCpzqq5BCifp54fOHLaVCl8R64Fk4zOfd.exe
      Filesize

      505KB

      MD5

      0391de54f1800a5d211eb012f4f6d932

      SHA1

      db03f5bd0d7a3f7b608d8a779ee6e729347d08e6

      SHA256

      dead537b4f05eff15b4d1ee4649948262756a46ae7079630c9570ffe43b090e6

      SHA512

      751369deffeede64266002cfd65c2f452b5a308b1dde2a872e7fb1d65498e5276a11e011ad83bdb284f0e84749275730b6de4104bab430c26f4265734cb6087c

      Download Submit
    • memory/808-147-0x0000000000000000-mapping.dmp
      Download
    • memory/808-150-0x0000000000400000-0x000000000042D000-memory.dmp
      Filesize

      180KB

      Download
    • memory/2140-135-0x0000000000000000-mapping.dmp
      Download
    • memory/2140-146-0x0000000000400000-0x000000000042D000-memory.dmp
      Filesize

      180KB

      Download
    • memory/2140-149-0x0000000000400000-0x000000000042D000-memory.dmp
      Filesize

      180KB

      Download
    • memory/2140-137-0x0000000000400000-0x000000000042D000-memory.dmp
      Filesize

      180KB

      Download
    • memory/2444-133-0x0000000000400000-0x000000000042D000-memory.dmp
      Filesize

      180KB

      Download
    • memory/2444-132-0x0000000000400000-0x000000000042D000-memory.dmp
      Filesize

      180KB

      Download