Overview

overview

10

Static

static

c438548d79...d5.exe

windows7-x64

10

c438548d79...d5.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    165s
  • max time network
    164s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-11-2022 09:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c438548d791979a287906fe42a1801f88dbb0c314b39ca209375e6452d685ad5.exe

  • Size

    672KB

  • MD5

    fa2c4c22089e8d276090e32e6343b32b

  • SHA1

    aaeb98404f858b52f615243cc1f9f63df0510566

  • SHA256

    c438548d791979a287906fe42a1801f88dbb0c314b39ca209375e6452d685ad5

  • SHA512

    7f617e01deedf66ccda9a8f424f41b39b8f62ae5ce016fce85768ba9536c87f35211b6622d8d87a619fbebbbedf2a73790795ba831473da65fe9ec163629bc4b

  • SSDEEP

    3072:aSsvihLlTQz9z71iURo2SJJmY6uFNcgifDbmeTXwVdBR:rsqhJMxzJiU5SeLmNSbmebW1

Score
10/10
persistencespywarestealer

Malware Config

Signatures

  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Adds policy Run key to start application 2 TTPs 7 IoCs
    persistence
  • Executes dropped EXE 2 IoCs
  • Sets file execution options in registry 2 TTPs 8 IoCs
    persistence
  • Drops startup file 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 10 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Windows\system32\lsass.exe
    C:\Windows\system32\lsass.exe
    1⤵
      PID:672
      • C:\ProgramData\Microsoft\Diagnosis\TenantStorage\dWTc9zqoDD6KruFSmkbYbxN.cmd
        "C:\ProgramData\Microsoft\Diagnosis\TenantStorage\dWTc9zqoDD6KruFSmkbYbxN.cmd" 2
        2⤵
        • Executes dropped EXE
        • Sets file execution options in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:680
    • C:\Users\Admin\AppData\Local\Temp\c438548d791979a287906fe42a1801f88dbb0c314b39ca209375e6452d685ad5.exe
      "C:\Users\Admin\AppData\Local\Temp\c438548d791979a287906fe42a1801f88dbb0c314b39ca209375e6452d685ad5.exe"
      1⤵
      • Adds policy Run key to start application
      • Modifies data under HKEY_USERS
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      PID:3292
    • C:\Windows\system32\LogonUI.exe
      "LogonUI.exe" /flags:0x4 /state0:0xa39ed055 /state1:0x41c64e6d
      1⤵
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      • Suspicious use of SetWindowsHookEx
      PID:5064
    • C:\Windows\system32\gpscript.exe
      gpscript.exe /Shutdown
      1⤵
      • Modifies data under HKEY_USERS
      • Suspicious use of WriteProcessMemory
      PID:2556
      • C:\ProgramData\Microsoft\Diagnosis\TenantStorage\dWTc9zqoDD6KruFSmkbYbxN.cmd
        "C:\ProgramData\Microsoft\Diagnosis\TenantStorage\dWTc9zqoDD6KruFSmkbYbxN.cmd" 1
        2⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • Adds policy Run key to start application
        • Executes dropped EXE
        • Sets file execution options in registry
        • Drops startup file
        • Modifies data under HKEY_USERS
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3044

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\Microsoft\Diagnosis\TenantStorage\dWTc9zqoDD6KruFSmkbYbxN.cmd
      Filesize

      919KB

      MD5

      44465c81ec396b733afa6c87ee8ed604

      SHA1

      47978c2733e9f3bd563687df7fad8ebb1bf12473

      SHA256

      1889c6d3f5c87d688841dfd3edf293f843e48510327233111dc17296ce1592af

      SHA512

      ec69755910df6a8ae133400ddd2dead43cf80d6c6d0b79ab884460b4b1ef0a6b534089bcda94d7e92a21688588d11df3227d2c18535542c4cda9ae2049043408

      Download Submit
    • C:\ProgramData\Microsoft\Diagnosis\TenantStorage\dWTc9zqoDD6KruFSmkbYbxN.cmd
      Filesize

      919KB

      MD5

      44465c81ec396b733afa6c87ee8ed604

      SHA1

      47978c2733e9f3bd563687df7fad8ebb1bf12473

      SHA256

      1889c6d3f5c87d688841dfd3edf293f843e48510327233111dc17296ce1592af

      SHA512

      ec69755910df6a8ae133400ddd2dead43cf80d6c6d0b79ab884460b4b1ef0a6b534089bcda94d7e92a21688588d11df3227d2c18535542c4cda9ae2049043408

      Download Submit
    • C:\ProgramData\Microsoft\Diagnosis\TenantStorage\dWTc9zqoDD6KruFSmkbYbxN.cmd
      Filesize

      919KB

      MD5

      44465c81ec396b733afa6c87ee8ed604

      SHA1

      47978c2733e9f3bd563687df7fad8ebb1bf12473

      SHA256

      1889c6d3f5c87d688841dfd3edf293f843e48510327233111dc17296ce1592af

      SHA512

      ec69755910df6a8ae133400ddd2dead43cf80d6c6d0b79ab884460b4b1ef0a6b534089bcda94d7e92a21688588d11df3227d2c18535542c4cda9ae2049043408

      Download Submit
    • C:\ProgramData\Microsoft\Windows\RetailDemo\OfflineContent\Microsoft\Content\Neutral\Y2xxjYCOddzEkspuxHYaPfDKxw8.exe
      Filesize

      856KB

      MD5

      c996dd1ceed4b7b51e6ad445e9f450dc

      SHA1

      b5743aafebd4ee8e68aebd88760f904b037b5374

      SHA256

      15004e2cc734299804e20555d55f2bb63517faeb4273ec2fda59b0b24c527c43

      SHA512

      85c31599b2b882a6109336a7c5f98e2ffc2df7b68536d5601d74e57b26a623e10e7084ed8dfb59928fc8ab896393d88d9e093288ce1d7e0a41317358eb90650b

      Download Submit
    • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\fT0k9Ok120F2hYj8LE4Zm52gOnJD8gPoMIsCaGCHJbl1LshDj2lSDV0ibW6dXnDxFGdVkbt.bat
      Filesize

      1.5MB

      MD5

      2c97efac8fdd30319406d7cbbc0cfeda

      SHA1

      5c48ed26defce842719e59dc46d964135220eafe

      SHA256

      b9b2eeec23db2f1bc46f7bfce9d3421ebc49422f80a0a474ac5627e9b1c20a7d

      SHA512

      648c97568cf4ab9e489b66f727b77565d346a89d30303f3c31c109507513888fa8e41ee2749253d34bbc47b2c7e8d9709019c4ea17c3fb973840f96b868ffc13

      Download Submit
    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\5XCxbCZRbVxuJGedLUYlalN9k.exe
      Filesize

      1.3MB

      MD5

      a87fdf18015b92649a8a1f2af91c885b

      SHA1

      5d6cdcf1beb38250c8987130ec8dd0c456718502

      SHA256

      13579764567624c98efa77181d47bd310ba4012b1ea1bdaa2cb942720d6f834b

      SHA512

      e103f758357951b52a28dfac1d7e2f01c58fddc45328f35e0b630466f7b5753ef372c5eedaedcbf239273495e5b41b76cdbf305dab58be85774f19504d109c15

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\wo\1FBWiya06TspHHCUnFpGTh02edLgAxWVvvKqsHMVNttTTMfhyGQsYzVZS.exe
      Filesize

      1.1MB

      MD5

      202939b870d529ee431c546c15e1e8d8

      SHA1

      fbdde3f1c3a252c7d2d552b124f2788d3642aa73

      SHA256

      d094f539de2ccbe84ff0c2f64bcaeb8a51015c865853fcf5b1629c2e126aca5a

      SHA512

      a6246a7b1dbdaa8c686b2566997d65816717d2081c73e2a75cb6a96eacd7bc7e44eef202c988504c6489dd34dc670ecf4f437a8840e251cf4573a44f688df2e8

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\LjGC1w9E6IXe4gT.cmd
      Filesize

      1.4MB

      MD5

      5b4d0d1f0187504321a96dfd2c2e4c0c

      SHA1

      3745a8b9754c81c2503f81352e8877546cacebeb

      SHA256

      8e3324698f7441d4638f44f0da88378b9a31359c87fcc6128e62e02fb5f3066e

      SHA512

      fb598758bb77f80fcfac69b1d4c2db9c62a56e6d73430df84fb6664ffdbf5cf376d8e35853ceb79bff7a91cf67c37b97107f2369a4dfdcc0685d610ba07443a2

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\input\ar-YE\Ga5nvH4UXVhIEuR3jQzsTxf3fj9IXyd8wI9oc.exe
      Filesize

      1.1MB

      MD5

      b1058fc914e09aacf8eff9f7574da6fb

      SHA1

      7095df3379135d51e376aa544fd67df0644a0d94

      SHA256

      96c513ae8cbee5c7533ee5b6dd5b6f9a620909d49e5a0612a0df76f1e8d6fde8

      SHA512

      3839fb25f12284b80c07169f4205d46fde5187cf83cc561f09debe0c69e7b18fe8beab7e7b32b1f07463d68de6feff29d8d81f24a6bcb9a07a218aba4a1c1d5a

      Download Submit
    • C:\Users\Admin\AppData\Local\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\TempState\PA3bCgDPPAfbXB3BdeqFNugXDkAZmsXYMykLYfWAdpy3y85PgCCl6Cl89MAvwOklvQoKI.exe
      Filesize

      784KB

      MD5

      e06cb8bf7ff3d8ee5a7e461f3eab54d4

      SHA1

      66cde63e31327593f5e738c95b11c163ab62f64c

      SHA256

      227a20e4ae62a4febe241e38332d264bed5ea47ece41845d08cee8462a464dc0

      SHA512

      48556f07dbf631a2de61838f288e5dda5669fb70bf6f68993617aa6fa50203ea05436cc19cf4a731199632b463044b679f5277a34c571561ca103aa56d47dcbf

      Download Submit
    • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\TargetedContentCache\v3\280810\j0nqUQ7Agdqn0MhxBfqX3Et50uhedLytfuNRZciu8Ln9ajhOQIBrdTxoOEksDkot55uvTjq.exe
      Filesize

      731KB

      MD5

      c69acc3208ffbc090376c05340f79e62

      SHA1

      14e091293b2b64e81693844c31c05f85b7526309

      SHA256

      7f57020e15e01d18f0aef9190ae7172e78f3886478ef0768a132d3dcf2e4e0c4

      SHA512

      4fa1cd83572544d4202f91892ae01cc9103de3788a0fc4e61b18f0fa324f279d5c4139003dfc3b202bedfe9eccb6694c37051fa642c651e164bcbb20d4114d85

      Download Submit
    • C:\Users\Admin\AppData\Local\Packages\c5e2524a-ea46-4f67-841f-6a9465d9d515_cw5n1h2txyewy\AC\zIjkXkhoD7ucmVumfJkA1YeBsODSzCOLaSf5TxMUxsT86ZKA9ITvynhfq.exe
      Filesize

      926KB

      MD5

      45edf03c32662c332abbb8e5b64fe1a2

      SHA1

      c3ba8bade26d0fd6cbea30bf59175c33b40d6adf

      SHA256

      2b853b85b879f1b5eb4ce97717b409969c5cb8594b8ba12c098243366af20926

      SHA512

      9fbef6934653f648b17987ddd6bc7037a7779ea2ff21ae26233705bb7b800375d0cf43e97f506408abc53760d8c6bf463f37222be3f1278f9e688c29edff9763

      Download Submit
    • C:\Users\Admin\Desktop\TIUgSdNi27dmjlGJbc7j2X.exe
      Filesize

      1.2MB

      MD5

      f2c6f346247e593454a509b9e4d04ff6

      SHA1

      8986d534afe1f16571094ae0ea7da8e344250e3d

      SHA256

      c35647e0de09fbcc92bdaabf638bacc8fc5bb0f7ac0075b1b8e149334af7f2a3

      SHA512

      59f24343a1eb3aba043e82b0d741bb40dc2330103ccac3b480e0a56524f74b67d58c39b59f9fa92115e4f0d9e24f00d7bca0d82298263f4a8f776e6dcd20a83d

      Download Submit
    • memory/680-148-0x0000000000000000-mapping.dmp
      Download
    • memory/680-151-0x0000000000400000-0x000000000042D000-memory.dmp
      Filesize

      180KB

      Download
    • memory/680-154-0x0000000000400000-0x000000000042D000-memory.dmp
      Filesize

      180KB

      Download
    • memory/3044-135-0x0000000000000000-mapping.dmp
      Download
    • memory/3044-147-0x0000000000400000-0x000000000042D000-memory.dmp
      Filesize

      180KB

      Download
    • memory/3044-138-0x0000000000400000-0x000000000042D000-memory.dmp
      Filesize

      180KB

      Download
    • memory/3044-150-0x0000000000400000-0x000000000042D000-memory.dmp
      Filesize

      180KB

      Download
    • memory/3292-132-0x0000000000400000-0x000000000042D000-memory.dmp
      Filesize

      180KB

      Download
    • memory/3292-134-0x0000000000400000-0x000000000042D000-memory.dmp
      Filesize

      180KB

      Download
    • memory/3292-133-0x0000000000400000-0x000000000042D000-memory.dmp
      Filesize

      180KB

      Download