Overview

overview

10

Static

static

f958e0e500...e9.exe

windows7-x64

f958e0e500...e9.exe

windows10-2004-x64

Analysis

  • max time kernel
    52s
  • max time network
    50s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    25-11-2022 09:43

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    f958e0e50007bfb5dc366a7cb1c1815d0eb9f50a139ef0dd6fb7e22669d48fe9.exe

  • Size

    1.3MB

  • MD5

    4117f56ac629281c8e7e53271c1cc427

  • SHA1

    5e0bb27eb2c759f927c9649949b20cb8ee3cb970

  • SHA256

    f958e0e50007bfb5dc366a7cb1c1815d0eb9f50a139ef0dd6fb7e22669d48fe9

  • SHA512

    bdab445cab9f23603d77512910a7e5e02532fc24f18ba2f6826563a9a85e2043781e63a3b1b110a4f3845519844ef04a61bc59a9863a400cda89d3271e150600

  • SSDEEP

    3072:aSsvihLlTQz9z71iURo2SJJmY6uFNcgifDbmeTXwVdBR:rsqhJMxzJiU5SeLmNSbmebW1

Score
10/10
persistencespywarestealer

Malware Config

Signatures

  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Adds policy Run key to start application 2 TTPs 7 IoCs
    persistence
  • Executes dropped EXE 2 IoCs
  • Sets file execution options in registry 2 TTPs 8 IoCs
    persistence
  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS 60 IoCs
  • Modifies registry class 12 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    1⤵
      PID:580
      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Platform Notifications\iybCZ9aDN.exe
        "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Platform Notifications\iybCZ9aDN.exe" 2
        2⤵
        • Executes dropped EXE
        • Sets file execution options in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1512
    • C:\Users\Admin\AppData\Local\Temp\f958e0e50007bfb5dc366a7cb1c1815d0eb9f50a139ef0dd6fb7e22669d48fe9.exe
      "C:\Users\Admin\AppData\Local\Temp\f958e0e50007bfb5dc366a7cb1c1815d0eb9f50a139ef0dd6fb7e22669d48fe9.exe"
      1⤵
      • Adds policy Run key to start application
      • Modifies data under HKEY_USERS
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      PID:1812
    • C:\Windows\system32\LogonUI.exe
      "LogonUI.exe" /flags:0x0
      1⤵
        PID:1868
      • C:\Windows\system32\AUDIODG.EXE
        C:\Windows\system32\AUDIODG.EXE 0x488
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:756
      • C:\Windows\system32\LogonUI.exe
        "LogonUI.exe" /flags:0x1
        1⤵
          PID:1096
        • C:\Windows\system32\gpscript.exe
          gpscript.exe /Shutdown
          1⤵
          • Loads dropped DLL
          • Modifies data under HKEY_USERS
          • Suspicious use of WriteProcessMemory
          PID:1356
          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Platform Notifications\iybCZ9aDN.exe
            "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Platform Notifications\iybCZ9aDN.exe" 1
            2⤵
            • Suspicious use of NtCreateUserProcessOtherParentProcess
            • Adds policy Run key to start application
            • Executes dropped EXE
            • Sets file execution options in registry
            • Loads dropped DLL
            • Modifies data under HKEY_USERS
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1488

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SecStore\X26wsqLn4cORagCCezwNVAvGB17uPgw7qhDTJItLt2wl.exe
          Filesize

          2.4MB

          MD5

          db4e1495dbba5d0570021d425a6ba168

          SHA1

          5bc33a62192631d7775aeacc5114efc5790c6a24

          SHA256

          646014f688adca2b6e046974a79c7af767b656722355c9da93d31dbf066cfd02

          SHA512

          4c879682158d29bc87a542b606ad9dde9a0f435be390f72915cb6b64e07e26b2bc27fc3ee2249efe4d4083d03a87d6cf2383257e2439f929125602447f0e3c25

          Download Submit
        • C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\iwCKYWUAhwBEKn6O.exe
          Filesize

          2.2MB

          MD5

          d1ccca107d49ceaf0f3f618717fd526b

          SHA1

          94ae79332477ccdb1eb7e9ef99dc2d5d9bdaba93

          SHA256

          5828eb7ed0cfffa6c81308e93df9b173207440fef14734c363f21619cd062160

          SHA512

          63b5c46fcab9f0de4c01e901abdc37da384bac250aa8d360ec92681b299063ee91b092e44ff1a4257d61a6ae19bd515e94b8038da66deeebb68e1996e314fbf1

          Download Submit
        • C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\gfcMnGD5eOuscqwRjVjGnNjj63ITckqG2Ud0sGKTeO1rz.exe
          Filesize

          1.9MB

          MD5

          2214dbd582638db8d1ab149c20bc94df

          SHA1

          a4b43c4b1100642b8a1bea09e156cb3035934bd7

          SHA256

          15cd1e303a1056df81f7aa9308ceb2bd2a10fc4ce494e7e43ee4c58ed1b835a0

          SHA512

          8b2089c6a898b6ba1758592f4bc82cf7c8b006fa5ca504f6486f70dd63c2d113ca0dd8b59b373e6ece1bbc7ef19fce7920c043af68e8fc9e6b48ac6e6ec0d36a

          Download Submit
        • C:\ProgramData\Microsoft\Windows\DRM\mKIpcoIS7Ay4lNX.cmd
          Filesize

          3.3MB

          MD5

          3bfe672b5fd59fb1a7b74b38125079dd

          SHA1

          a29e2471417a0fc834d820f1321676efd1eae974

          SHA256

          0f8923cfa748ec0f0a5b89a8a33e5fbefe3c32851bd72bf6c5b6ef1c8c1db03b

          SHA512

          15b759deb550051b6a8a39acd9cbef52c0c84ce7c335bf4497002b1dfc94e8bee8bf302ea8c29971ddaf0f4f81e3749859223d05d5165d7cfd2fe9a9d89ffc2d

          Download Submit
        • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SharePoint\x0BO4dntjk4180.exe
          Filesize

          2.5MB

          MD5

          2a7b74725e8098e5a99b21bac22f1c94

          SHA1

          e075cd63fdc558a80b21bd61eab9052ebb8a2c89

          SHA256

          5332219c40afff5ec09c5bd3a6b6a07a4db0ceac2bc9da8e556dd275603eb770

          SHA512

          411e694539f2c9cb61e9726e6e023213f8a7000985c247858fb796612fe455bb9fb45a47e06a1b6771d33cd0ed35bdf4d2c4b26de0b148db9ffc0586cecef423

          Download Submit
        • C:\Users\Admin\AppData\LocalLow\Sun\Java\OzKx18TbFSYYHWyA7oeSJ6K9vzEYlte3k7xTkSOzeMd71slvu6Z.exe
          Filesize

          1.7MB

          MD5

          403e6bdd967ad67b4d6054169d81339e

          SHA1

          494b1d2f7e4215e6dd73ff84ab27eb97f8b2cfd3

          SHA256

          480df70f851e04d30826532f527a963cfc948d97ad4a6f1e4f2b38178ec344c9

          SHA512

          254f676ae04a109ecad72be61999fdf34221d697ee835f8dee45ef4b02e6c26317101834ba7b4469ccf41fb1001d4bb86e19e2fdbc0f9a30e92fada44cd52c51

          Download Submit
        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Platform Notifications\iybCZ9aDN.exe
          Filesize

          1.9MB

          MD5

          4e37b451bdb8288dc0ac4c693c3bed03

          SHA1

          7e6ef3a9957fe336ff0c97a28876b3d005a8b069

          SHA256

          9acb7d9bc662c9d3505b72b77c77d1654df0a89f4e8d8ab8372ae3442c686d08

          SHA512

          4ab316c118a7a4849ad901e9844590e060b00c520a899a1e3cb118d723e99566a2766945712694b64c91289a46d77e1e64a612dbd3653360b51f954689827388

          Download Submit
        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Platform Notifications\iybCZ9aDN.exe
          Filesize

          1.9MB

          MD5

          4e37b451bdb8288dc0ac4c693c3bed03

          SHA1

          7e6ef3a9957fe336ff0c97a28876b3d005a8b069

          SHA256

          9acb7d9bc662c9d3505b72b77c77d1654df0a89f4e8d8ab8372ae3442c686d08

          SHA512

          4ab316c118a7a4849ad901e9844590e060b00c520a899a1e3cb118d723e99566a2766945712694b64c91289a46d77e1e64a612dbd3653360b51f954689827388

          Download Submit
        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Platform Notifications\iybCZ9aDN.exe
          Filesize

          1.9MB

          MD5

          4e37b451bdb8288dc0ac4c693c3bed03

          SHA1

          7e6ef3a9957fe336ff0c97a28876b3d005a8b069

          SHA256

          9acb7d9bc662c9d3505b72b77c77d1654df0a89f4e8d8ab8372ae3442c686d08

          SHA512

          4ab316c118a7a4849ad901e9844590e060b00c520a899a1e3cb118d723e99566a2766945712694b64c91289a46d77e1e64a612dbd3653360b51f954689827388

          Download Submit
        • C:\Users\Admin\AppData\Local\Microsoft\Feeds\ZTAbjbQ4A3Z6xvPyTWsZdgU34ixvIWgHCq6vnyn3E7ye0ZEMMAxXKzElj5mOgllKAzD.exe
          Filesize

          2.1MB

          MD5

          945f28b21cac2e6ed54125cdef95974b

          SHA1

          cda867900b8ffad08fe5780d023439b6985e0c49

          SHA256

          9f5d0f1d6c9dbac3d4ed0e162e341b9229c7c5aa7e6b5b535378aa5058bb3417

          SHA512

          5b557e757212a4b72b2a7cde869c8aaa3ce956ed0a3f90978a9acdc971212a5644f9917967b63063e479e915418b744d3875870fc0935b167bb83b3c1ed844f1

          Download Submit
        • C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\CSi6hnLeneOYYLl6hiqlFSSKRaM85D2xkZIQMlKUI9hS.bat
          Filesize

          3.5MB

          MD5

          ef2039d4ca4ff86974593d88f6cfdf28

          SHA1

          a203349209d715ec3c5cef4cf3de63d179600494

          SHA256

          282791f1efcdf69c698f4141eac3b96bf5e9a9abff880959f5d09b4aa24a9891

          SHA512

          f83d5b5aa16bb338de0282f5173ea621341320df44ac5e5b7c7bf595aff5a9b31b75882524e3ceb9edd8b41ba4a9804b28814396f2e41d398c374bf37262ce13

          Download Submit
        • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4gq1sglk.default-release\thumbnails\IiSGUrCCXRc2VUS0tPgJRfcU836vdTIJOJU92xfNOxIj1A9KcDIVSd.exe
          Filesize

          1.4MB

          MD5

          18cec6e8042dc3e6ecbb423a564f2adc

          SHA1

          72b51db60025d7bd3c4f6836803fa494bba3dd46

          SHA256

          cfdc9e391831da2f25abdb6d6fe5394bc84c47dd79565a3ebe35cc0f580ac192

          SHA512

          063d19a8fda471dfa0009a1e8b856b5d8d351f8e690ee63ab59dd0619a580cdcec2c628a8fbb3d3a2ed3fca6d9394686a0b0e1375ae4b6b9659a8df9345cbf90

          Download Submit
        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\LPWxlFsL8CKZmOPpDJKHnsCHvvZngK8h4WSlLivnuJ8oRxynFuN.exe
          Filesize

          1.7MB

          MD5

          485b5f99429e1a399323e5daddb51e2d

          SHA1

          3a87471b089f3d75f8abfbff0c97036ac9e2a24b

          SHA256

          a3e5b79ebccfa380a5e7bce93cf98d896eb9ad302e6bd47231d8fa9561850675

          SHA512

          c2273ea23e5a4a0d81322d400a1925ee24906a31b9120212c6acd998004f4715b6c30a6213b66816c3a6476127b31e88901c45380d62a41b09465cab0b1daea2

          Download Submit
        • \Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Platform Notifications\iybCZ9aDN.exe
          Filesize

          1.9MB

          MD5

          4e37b451bdb8288dc0ac4c693c3bed03

          SHA1

          7e6ef3a9957fe336ff0c97a28876b3d005a8b069

          SHA256

          9acb7d9bc662c9d3505b72b77c77d1654df0a89f4e8d8ab8372ae3442c686d08

          SHA512

          4ab316c118a7a4849ad901e9844590e060b00c520a899a1e3cb118d723e99566a2766945712694b64c91289a46d77e1e64a612dbd3653360b51f954689827388

          Download Submit
        • \Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Platform Notifications\iybCZ9aDN.exe
          Filesize

          1.9MB

          MD5

          4e37b451bdb8288dc0ac4c693c3bed03

          SHA1

          7e6ef3a9957fe336ff0c97a28876b3d005a8b069

          SHA256

          9acb7d9bc662c9d3505b72b77c77d1654df0a89f4e8d8ab8372ae3442c686d08

          SHA512

          4ab316c118a7a4849ad901e9844590e060b00c520a899a1e3cb118d723e99566a2766945712694b64c91289a46d77e1e64a612dbd3653360b51f954689827388

          Download Submit
        • \Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Platform Notifications\iybCZ9aDN.exe
          Filesize

          1.9MB

          MD5

          4e37b451bdb8288dc0ac4c693c3bed03

          SHA1

          7e6ef3a9957fe336ff0c97a28876b3d005a8b069

          SHA256

          9acb7d9bc662c9d3505b72b77c77d1654df0a89f4e8d8ab8372ae3442c686d08

          SHA512

          4ab316c118a7a4849ad901e9844590e060b00c520a899a1e3cb118d723e99566a2766945712694b64c91289a46d77e1e64a612dbd3653360b51f954689827388

          Download Submit
        • memory/1356-77-0x0000000000D20000-0x0000000000D4D000-memory.dmp
          Filesize

          180KB

          Download
        • memory/1356-65-0x0000000000D20000-0x0000000000D4D000-memory.dmp
          Filesize

          180KB

          Download
        • memory/1356-64-0x0000000000D20000-0x0000000000D4D000-memory.dmp
          Filesize

          180KB

          Download
        • memory/1356-76-0x0000000000D20000-0x0000000000D4D000-memory.dmp
          Filesize

          180KB

          Download
        • memory/1488-62-0x0000000000000000-mapping.dmp
          Download
        • memory/1488-78-0x0000000000400000-0x000000000042D000-memory.dmp
          Filesize

          180KB

          Download
        • memory/1488-67-0x0000000000400000-0x000000000042D000-memory.dmp
          Filesize

          180KB

          Download
        • memory/1488-82-0x0000000000400000-0x000000000042D000-memory.dmp
          Filesize

          180KB

          Download
        • memory/1512-80-0x0000000000000000-mapping.dmp
          Download
        • memory/1512-85-0x0000000000400000-0x000000000042D000-memory.dmp
          Filesize

          180KB

          Download
        • memory/1812-56-0x0000000000400000-0x000000000042D000-memory.dmp
          Filesize

          180KB

          Download
        • memory/1812-54-0x0000000000400000-0x000000000042D000-memory.dmp
          Filesize

          180KB

          Download
        • memory/1868-55-0x000007FEFBB51000-0x000007FEFBB53000-memory.dmp
          Filesize

          8KB

          Download