Overview

overview

10

Static

static

e3eed3afff...1d.exe

windows7-x64

8

e3eed3afff...1d.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    158s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-11-2022 09:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e3eed3afff2eed9eb3f6b469df051e4f7b88dba84378b518f6d8391d257e701d.exe

  • Size

    622KB

  • MD5

    59fc21b36599cf9da3bdea1d4890782e

  • SHA1

    47a1c92077dbffa039948c012c1630712157bae8

  • SHA256

    e3eed3afff2eed9eb3f6b469df051e4f7b88dba84378b518f6d8391d257e701d

  • SHA512

    f310c7752ec61b232d8ef242a3ee0601593e775fce4cb938264f8b3c22d115e29e8e2e841e5f608effa290b27cd45b10fdc2c1296b5ddc83f4192e5c0d149875

  • SSDEEP

    3072:aSsvihLlTQz9z71iURo2SJJmY6uFNcgifDbmeTXwVdBR:rsqhJMxzJiU5SeLmNSbmebW1

Score
10/10
persistencespywarestealer

Malware Config

Signatures

  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Adds policy Run key to start application 2 TTPs 7 IoCs
    persistence
  • Executes dropped EXE 2 IoCs
  • Sets file execution options in registry 2 TTPs 8 IoCs
    persistence
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 10 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Windows\system32\lsass.exe
    C:\Windows\system32\lsass.exe
    1⤵
      PID:680
      • C:\Users\Default\AppData\Local\Microsoft\Windows\INetCache\DsgLf1Ehahw2hP.bat
        "C:\Users\Default\AppData\Local\Microsoft\Windows\INetCache\DsgLf1Ehahw2hP.bat" 2
        2⤵
        • Executes dropped EXE
        • Sets file execution options in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4944
    • C:\Users\Admin\AppData\Local\Temp\e3eed3afff2eed9eb3f6b469df051e4f7b88dba84378b518f6d8391d257e701d.exe
      "C:\Users\Admin\AppData\Local\Temp\e3eed3afff2eed9eb3f6b469df051e4f7b88dba84378b518f6d8391d257e701d.exe"
      1⤵
      • Adds policy Run key to start application
      • Modifies data under HKEY_USERS
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      PID:2544
    • C:\Windows\system32\LogonUI.exe
      "LogonUI.exe" /flags:0x4 /state0:0xa39c8055 /state1:0x41c64e6d
      1⤵
      • Modifies data under HKEY_USERS
      • Suspicious use of SetWindowsHookEx
      PID:2500
    • C:\Windows\system32\gpscript.exe
      gpscript.exe /Shutdown
      1⤵
      • Modifies data under HKEY_USERS
      • Suspicious use of WriteProcessMemory
      PID:376
      • C:\Users\Default\AppData\Local\Microsoft\Windows\INetCache\DsgLf1Ehahw2hP.bat
        "C:\Users\Default\AppData\Local\Microsoft\Windows\INetCache\DsgLf1Ehahw2hP.bat" 1
        2⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • Adds policy Run key to start application
        • Executes dropped EXE
        • Sets file execution options in registry
        • Modifies data under HKEY_USERS
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2664

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\Microsoft\Device Stage\1WALDazmla9uzskREI2CPXMB54.exe
      Filesize

      919KB

      MD5

      e99c274d0fcdd61d0972db6ac47c7408

      SHA1

      fe0cb721924647d4770b8b01677d4314044f0c66

      SHA256

      be68d20623462c9942c3c90cdb8b88ba167da08bb6720a717d738a0a0e5d39fd

      SHA512

      67fada3c0493456f01d2e31b6f0742a8b819f87cd1c61d8be38e8f5c739f45af4f72cdcabdef052408aeaac1d39cfaccb9de4f3e2df28fad029265d60f1756a9

      Download Submit
    • C:\ProgramData\Microsoft\Diagnosis\CustomTraceProfiles\j7I84NeHZ.exe
      Filesize

      770KB

      MD5

      7864fe68d769f3e385010b43f9ba2108

      SHA1

      04f8cff77123ca729e701f5c58e24a7f8b62c435

      SHA256

      2e508b56de6f4ef137e7ca1e5d23dbd7f4817a78b8ccf5c35afff013a669abdf

      SHA512

      979e3cd242863c0393c753a338b81dbb10d0d6b0760c37054da82a67b8c598f944f8ec471c9b07a500b79ca618c6ada207d17225fcf8c03e23b089b426d0191c

      Download Submit
    • C:\ProgramData\Microsoft\Windows\ClipSVC\Install\bAgfghompyK3xrPJOxaDm7ooCz6Dp74waf837gpVN7e.exe
      Filesize

      834KB

      MD5

      1c805640f0c1263f829a26a9ccdc54cf

      SHA1

      e943d689f8230e30c93ba16a885dbd0d950b6872

      SHA256

      67e0eb87e0e89cb59316ca3476049b413a03360323a1f29c9d53bad28c79334e

      SHA512

      d3553bc56fd2ec6bb86d594adb4ea293a9a2de04df8c58afa69decd2b39a6d747693c833ec5310dccd95582bc85a5882b9ec1235c5f6376f751026c8e0a07556

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\33\AnJ2rriPmYCM9Ff.bat
      Filesize

      2.2MB

      MD5

      f471a606f6462908d69eb2928b985b1c

      SHA1

      6a1d3c2806ad85439627bcd8975242b674dfbf37

      SHA256

      c3e20117d31f8925405dbbd91e35f42ac574c7e26acdf4651a86ad59ae0ac5e7

      SHA512

      20d34cd5ffd45c1cbc134832edbb1961b1d1b6372a777e465f356914bab65347f7b68e64873e51aa852fa45bbdb8efaa1bc69ca1c9a08a3fcb7c2d1dd1abdddb

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\4\S2fhylnonC0aORoRMgOl6CCt4fWTVfGPb2kTpdY9JSzh9Y1.exe
      Filesize

      640KB

      MD5

      e6a8d413d3f9c6cebc272552dd736624

      SHA1

      1e95514a77b80423a251edba653ce260b11f3f9c

      SHA256

      02ddfd8f2b941a15c8c6b57c7d1224c088a37b3e991923aa3b6679115ee6b33a

      SHA512

      b189f491dc40f869b2d83067b2ce2b5ae98d921a34dbab666d89e870d953bd360e322ccf89dff079e34e7fe589846b4728d9bf2c7fe910f95c7ed4527daaa063

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\toMSrZdYESJQIcIrcMI5IXLVjVsdCpxs7P946yJiCFR8bqdMq6g.exe
      Filesize

      1.0MB

      MD5

      80058ec326660654bce03fb075e40539

      SHA1

      596cd76eb5b1580e8be0d0acd57aed57669cff5d

      SHA256

      ecfb3a42969bc760ca1af66903e4f973b91edd66677c9e45d606fafad36626d0

      SHA512

      c2c7848f6d5a81d83b009e29ab11cb24a3dc72b457d08553bd26174d9a1c286a541627bb768edb7770b622a7c2c7f20e5a40e95a1a1ee68cf8ef9f2803e41c5e

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Media Player\HUvhqoxkLB3AkcaXQABzdDKc8HlBTY5VMNwRouP4ihM8f.exe
      Filesize

      626KB

      MD5

      0b37f4dc331a0d17279ef5e92b0ffb05

      SHA1

      392a199805036a5ccb180e97181a02b1a265495a

      SHA256

      75d3c430d45a0196fe803942a08233c27d2ee459a08978c5015b5c8ff13008da

      SHA512

      696a177a6e80d368bf56d6cc2dada6efebb7ae0192b5bcc16835ef47013f7cad126ace180162d2ac7d052af2597e65629ad7a12c3bef16b1c265a6c0546ff8b8

      Download Submit
    • C:\Users\Admin\AppData\Local\Packages\Microsoft.Win32WebViewHost_cw5n1h2txyewy\LocalCache\iNdhASS4szt5MQzhaHKtx68XVKq13UXkTlJp6xDyUwxBsGd48.exe
      Filesize

      1.1MB

      MD5

      25aac7817412ea54da777620b21c087f

      SHA1

      c8d136f8e6f30fa66b975d4e5d38ac6b04211ec8

      SHA256

      0825c443198113d57863e6b4c718bee8b0a94d122944b2a686f13383b93992e3

      SHA512

      0613d59d8623835f52ed3ee2858404f46190c9a58bce188304f92ff94e2b4c09081c1af628cb7158425550632cafa8af6b0dd0402d8611243a7d4e18ca491f70

      Download Submit
    • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\FfyTgBLG1LCwsmgcmdMZac9ptrodyBh.exe
      Filesize

      1.1MB

      MD5

      ca5c1ea2ed6db109e37028eddeb5dd13

      SHA1

      7f6cdca31d63ad7f40429fc00db9550053be3975

      SHA256

      7f9167274da7e93e597e8202d0123f0cc24f56ed31d34178c22227f2dc54d378

      SHA512

      a1c57402f24c5391174d32c5caa51800b454aab76d1421f1d9d0cbdbbc9f585278eb40075bd26f10bb6f9dff5d7cd96bd025af6e6099cff1b0914cedb9b8a31c

      Download Submit
    • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalState\2RY8iLf4snkW9EQs8UVgTqR0mcPxC.exe
      Filesize

      2.1MB

      MD5

      da9a1616fab2c556731588849a7a00fc

      SHA1

      7416de2c1d8591ab75cbd5cdfdb2669b4f3741c4

      SHA256

      61fd44a9a8bc437139a8e8e74bd30c20d766221f7361eef62781447acd587ff1

      SHA512

      2e1f54836a5cc8b187659d383e145312793b2c46fddd20c142eecf524fa7a6a8f8e8d5f01e3a14198c8ed45e09e2bfd7a65fa04b7e7004e59490ea2589ab58d7

      Download Submit
    • C:\Users\Default\AppData\Local\Microsoft\Windows\INetCache\DsgLf1Ehahw2hP.bat
      Filesize

      1.1MB

      MD5

      0dee125d20916402e230c44735c9d26e

      SHA1

      9e10e415f383aab880246799d092e02d76d1274e

      SHA256

      d4af9f1dd5cbcf9f46108a9673f60a16ced6925a8105ebc787864209e0726637

      SHA512

      8d411680007d7e73c5e41b612f3930077abe2fb66ecf2cb6fbb289c60cb0be7cc39037996537802aad1c0e0261d444103fb1963964720b6ec0b09bb372213d70

      Download Submit
    • C:\Users\Default\AppData\Local\Microsoft\Windows\INetCache\DsgLf1Ehahw2hP.bat
      Filesize

      1.1MB

      MD5

      0dee125d20916402e230c44735c9d26e

      SHA1

      9e10e415f383aab880246799d092e02d76d1274e

      SHA256

      d4af9f1dd5cbcf9f46108a9673f60a16ced6925a8105ebc787864209e0726637

      SHA512

      8d411680007d7e73c5e41b612f3930077abe2fb66ecf2cb6fbb289c60cb0be7cc39037996537802aad1c0e0261d444103fb1963964720b6ec0b09bb372213d70

      Download Submit
    • C:\Users\Default\AppData\Local\Microsoft\Windows\INetCache\DsgLf1Ehahw2hP.bat
      Filesize

      1.1MB

      MD5

      0dee125d20916402e230c44735c9d26e

      SHA1

      9e10e415f383aab880246799d092e02d76d1274e

      SHA256

      d4af9f1dd5cbcf9f46108a9673f60a16ced6925a8105ebc787864209e0726637

      SHA512

      8d411680007d7e73c5e41b612f3930077abe2fb66ecf2cb6fbb289c60cb0be7cc39037996537802aad1c0e0261d444103fb1963964720b6ec0b09bb372213d70

      Download Submit
    • memory/2544-133-0x0000000000400000-0x000000000042D000-memory.dmp
      Filesize

      180KB

      Download
    • memory/2544-132-0x0000000000400000-0x000000000042D000-memory.dmp
      Filesize

      180KB

      Download
    • memory/2664-134-0x0000000000000000-mapping.dmp
      Download
    • memory/2664-146-0x0000000000400000-0x000000000042D000-memory.dmp
      Filesize

      180KB

      Download
    • memory/2664-139-0x0000000000400000-0x000000000042D000-memory.dmp
      Filesize

      180KB

      Download
    • memory/2664-149-0x0000000000400000-0x000000000042D000-memory.dmp
      Filesize

      180KB

      Download
    • memory/4944-147-0x0000000000000000-mapping.dmp
      Download
    • memory/4944-150-0x0000000000400000-0x000000000042D000-memory.dmp
      Filesize

      180KB

      Download
    • memory/4944-153-0x0000000000400000-0x000000000042D000-memory.dmp
      Filesize

      180KB

      Download