Overview

overview

10

Static

static

f958e0e500...e9.exe

windows7-x64

f958e0e500...e9.exe

windows10-2004-x64

Analysis

  • max time kernel
    47s
  • max time network
    50s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-11-2022 09:43

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    f958e0e50007bfb5dc366a7cb1c1815d0eb9f50a139ef0dd6fb7e22669d48fe9.exe

  • Size

    1.3MB

  • MD5

    4117f56ac629281c8e7e53271c1cc427

  • SHA1

    5e0bb27eb2c759f927c9649949b20cb8ee3cb970

  • SHA256

    f958e0e50007bfb5dc366a7cb1c1815d0eb9f50a139ef0dd6fb7e22669d48fe9

  • SHA512

    bdab445cab9f23603d77512910a7e5e02532fc24f18ba2f6826563a9a85e2043781e63a3b1b110a4f3845519844ef04a61bc59a9863a400cda89d3271e150600

  • SSDEEP

    3072:aSsvihLlTQz9z71iURo2SJJmY6uFNcgifDbmeTXwVdBR:rsqhJMxzJiU5SeLmNSbmebW1

Score
10/10
persistencespywarestealer

Malware Config

Signatures

  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Adds policy Run key to start application 2 TTPs 7 IoCs
    persistence
  • Executes dropped EXE 2 IoCs
  • Sets file execution options in registry 2 TTPs 8 IoCs
    persistence
  • Drops startup file 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 10 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Windows\system32\lsass.exe
    C:\Windows\system32\lsass.exe
    1⤵
      PID:652
      • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\3uxF6T9OxO9zkrdK7TuOVuGUOHszAmzz8HlDgxmLKm2UAmEiBgKecuYOpspCsbADw2T1.cmd
        "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\3uxF6T9OxO9zkrdK7TuOVuGUOHszAmzz8HlDgxmLKm2UAmEiBgKecuYOpspCsbADw2T1.cmd" 2
        2⤵
        • Executes dropped EXE
        • Sets file execution options in registry
        • Drops startup file
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:500
    • C:\Users\Admin\AppData\Local\Temp\f958e0e50007bfb5dc366a7cb1c1815d0eb9f50a139ef0dd6fb7e22669d48fe9.exe
      "C:\Users\Admin\AppData\Local\Temp\f958e0e50007bfb5dc366a7cb1c1815d0eb9f50a139ef0dd6fb7e22669d48fe9.exe"
      1⤵
      • Adds policy Run key to start application
      • Drops startup file
      • Modifies data under HKEY_USERS
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      PID:5028
    • C:\Windows\system32\LogonUI.exe
      "LogonUI.exe" /flags:0x4 /state0:0xa39ec855 /state1:0x41c64e6d
      1⤵
      • Modifies data under HKEY_USERS
      • Suspicious use of SetWindowsHookEx
      PID:4648
    • C:\Windows\system32\gpscript.exe
      gpscript.exe /Shutdown
      1⤵
      • Modifies data under HKEY_USERS
      • Suspicious use of WriteProcessMemory
      PID:4892
      • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\3uxF6T9OxO9zkrdK7TuOVuGUOHszAmzz8HlDgxmLKm2UAmEiBgKecuYOpspCsbADw2T1.cmd
        "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\3uxF6T9OxO9zkrdK7TuOVuGUOHszAmzz8HlDgxmLKm2UAmEiBgKecuYOpspCsbADw2T1.cmd" 1
        2⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • Adds policy Run key to start application
        • Executes dropped EXE
        • Sets file execution options in registry
        • Drops startup file
        • Modifies data under HKEY_USERS
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4356

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\Microsoft\Windows NT\JDLc0cJAuRwNAI12vyvrkpKP2hDPd6I2MKc5FehgwU3.exe
      Filesize

      2.1MB

      MD5

      2d619e4a289a8337e4b4aac98eec3b0b

      SHA1

      deba4b794d9d489cd69a1da2404077a4bf9ec2c1

      SHA256

      82bb5b8228ee2374bc40294cc46c9f4b5c1335276704ad17874abfc4f30ba155

      SHA512

      6963aa366890b8e42281a7d07762bf4a7c2bcac25e15fd9a976876fc938ad80c1d1f9611c5312cc0a71e9b9d4ef7227bd191e6107c994b7f4253d2bf0ae6520e

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\InputPersonalization\ybDAwoP96z8Xk41ZL5E3vGTv0HL5rCZWWkgrx2iRvxX9mWxp.exe
      Filesize

      1.9MB

      MD5

      269fde9d0c001b20b459550a0e7e2034

      SHA1

      d55ec985434f0d8caf87c1dc033c2b2f94c83eee

      SHA256

      b5adabf5d5820595ecda279b529f093b09a86b5190854ee077a30c2c241dbe5d

      SHA512

      b5ae6e021500c667eaa97851940488cc6dc89340d4ff788ae4b8a312f8da5080efd787f84b4a71eb0176a4724b6e73b494d8338ab05a2e56828125b5e464ed19

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ur\i3y0sPGBETEZPG4kqiCUY81Cw6mfBQuv9zbb.cmd
      Filesize

      2.5MB

      MD5

      2e54124f43f8afd6ae19e8ca849f3b9b

      SHA1

      8aff7fbf465b5cae2c122d1397a321895a760e96

      SHA256

      77f9179f9473f90c2e11438bb3863e5ffa2f5c9991b824b21871d2cd93d33d9e

      SHA512

      cc154f7a96966f2a96d850568740b4564e5bdb9ae7e18952ab76f2ae9e60df8def1bf1bf8485f62b5af71a3cf6ff38782904904e4ba37d4b7f8af9e22dfc3339

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\uz-Latn-UZ\FgBQ3IkIvc3DrN7G9njBwi5Z5pAgjJlf8bujLQXC4ep.cmd
      Filesize

      3.1MB

      MD5

      04db65279367ab3c61a41c3e46b76b34

      SHA1

      f85b35590637ac6e0a05f9ffd667e560d0ef1154

      SHA256

      126c6d26f54d4ee6bf36d3100c6bd57960bb0cdbc2a4828a56341f4b7244603d

      SHA512

      ff79691edf12236e95d7a1ce0db892994b63efd22cb21888191877e14838b0afa8f150e4f7dec42162933158943a18b846f12331e1307265fac4ff116fe32b2e

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\input\fr-029\jhnQjlXxDq9EGPgUZAfUf4aLiZ6dkb.exe
      Filesize

      2.0MB

      MD5

      dee994add27bb491aa00b51eda52660d

      SHA1

      2ef9790d3254519c473245a5562addd364bc3c82

      SHA256

      11cca365662df7a92e94ca06df314044a531853e95d4583607c10f7fc5acb733

      SHA512

      8240fc09009ed33e4c07354f6078d4abc9242562e54c581ff7e8c8ae457329beab17545ec99bb103d6e5945fcb6464b34378e6b803a2f27a8e79e7d6987ffa45

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\input\he-IL\Z1aFpUDFnDL2DOsL77oCyYNcOrLNfJXGWag1vuHOy.exe
      Filesize

      1.6MB

      MD5

      f9be01459574c362a893d46d73c4e05e

      SHA1

      2cd361382831d1a4797ab8b5bb6b602b7de69fce

      SHA256

      4202a88f2fde4b6b152249d9a47d2596f19973eb424a364689e984154a915b69

      SHA512

      4c6a943ecfe0d287979b10ca9273b1f632311e8a66390410498f3c6c689dbb6d9f82081bcac8915e891ab2e0c5b62cb021f28206190597927436a64054333adc

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\input\sq-AL\1d3enxymt216VcP8atIxzZPf3quhHEf1j.exe
      Filesize

      2.5MB

      MD5

      45d4a916cac55fe7df03d9c87e9d2b1d

      SHA1

      c27648398c233278867d89fd0d6072fed5779cc5

      SHA256

      927f9862c5191802c3b795c5c1d5aaab67e447c23a95ccce3ff52dac6daad110

      SHA512

      51d7273d6d8598a39e6ec67096d3c02cf541652a02736638cddb89ab2e39c32e5023967303ee45797c2b59d81816e2988bc13386d7a829a2733cbda356b965cf

      Download Submit
    • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\Microsoft\erlyDUQ0JjXsAFbe9R8gecwHmpc6AOLa5KPKWZQfyQhPDDrhhUUbUzavgS.exe
      Filesize

      2.6MB

      MD5

      9e63eae7d964bfc0b0d42d98bc0725a2

      SHA1

      a28092d2e62d6a31f214c07759709f8a7edd3525

      SHA256

      524f8451033e0924611e121f03e9f266c9ebb08035add9d934ac139699c38fed

      SHA512

      3876f6e01610ea25ed16e2a456fef9fcd5e2e937f511ffab9e9c0e0533f50a9fcf6d23217f52ff4edb378a96f75ef2f260da6c8d4905989ea84e02ff159fb2f0

      Download Submit
    • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\3uxF6T9OxO9zkrdK7TuOVuGUOHszAmzz8HlDgxmLKm2UAmEiBgKecuYOpspCsbADw2T1.cmd
      Filesize

      2.0MB

      MD5

      ab16f63d7eaef50f21019222b4f1443d

      SHA1

      8f434573ab7a308c4d3382f41ce4ff8650536a8a

      SHA256

      086a84c5af195fa6fc8986e8351797d49a6bef7de4d9d51382e8f01058f00d63

      SHA512

      76182848c2ba57c8209b00f5df1319917099ea7376bcf22b6a2af483ea2501a57e7a2e3684a7041b5b3a33d36780c20e3e0d769fa0284e7436fb73d1b5e48b42

      Download Submit
    • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\3uxF6T9OxO9zkrdK7TuOVuGUOHszAmzz8HlDgxmLKm2UAmEiBgKecuYOpspCsbADw2T1.cmd
      Filesize

      2.0MB

      MD5

      ab16f63d7eaef50f21019222b4f1443d

      SHA1

      8f434573ab7a308c4d3382f41ce4ff8650536a8a

      SHA256

      086a84c5af195fa6fc8986e8351797d49a6bef7de4d9d51382e8f01058f00d63

      SHA512

      76182848c2ba57c8209b00f5df1319917099ea7376bcf22b6a2af483ea2501a57e7a2e3684a7041b5b3a33d36780c20e3e0d769fa0284e7436fb73d1b5e48b42

      Download Submit
    • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\3uxF6T9OxO9zkrdK7TuOVuGUOHszAmzz8HlDgxmLKm2UAmEiBgKecuYOpspCsbADw2T1.cmd
      Filesize

      2.0MB

      MD5

      ab16f63d7eaef50f21019222b4f1443d

      SHA1

      8f434573ab7a308c4d3382f41ce4ff8650536a8a

      SHA256

      086a84c5af195fa6fc8986e8351797d49a6bef7de4d9d51382e8f01058f00d63

      SHA512

      76182848c2ba57c8209b00f5df1319917099ea7376bcf22b6a2af483ea2501a57e7a2e3684a7041b5b3a33d36780c20e3e0d769fa0284e7436fb73d1b5e48b42

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\Keys\4jGbg8R4nH5T1iP2zk4zEj0e9.exe
      Filesize

      2.6MB

      MD5

      13775ee2d9f44f96d3625c87e60c5904

      SHA1

      c17b16de7503a4867278e978291c8d263f274df9

      SHA256

      68f82dac0805b82a9669770922573fb3fc11b11d8ed279045ca3959620d2c108

      SHA512

      745e40ce4ae6ba021e7018002154a02254360c33f354ab1108ba8768d4915ca0d02ad147aff1bd0d9c5995eca208c94b548ef5c9af79aa00ac64f11cd0cd26e2

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnV0CQXBto6SS.exe
      Filesize

      2.2MB

      MD5

      eaeaaf1b94e1d7c5a0a448585cd055d7

      SHA1

      71e9e838aecc7f1019dfaf776bf112bf8d0a3ce6

      SHA256

      d621743497a605c66351fca7a91ea328d8eee4d5892585597902c5b8ebf36061

      SHA512

      d79d5b294195b4a15caf9f99d6c00d529d9f508914ef7c148a3d86698302866580be3662c78009fb0c7aaccddb968b2d0ff3bab5668d3ee3df8a397606e4af6f

      Download Submit
    • memory/500-150-0x0000000000000000-mapping.dmp
      Download
    • memory/500-153-0x0000000000400000-0x000000000042D000-memory.dmp
      Filesize

      180KB

      Download
    • memory/500-156-0x0000000000400000-0x000000000042D000-memory.dmp
      Filesize

      180KB

      Download
    • memory/4356-149-0x0000000000400000-0x000000000042D000-memory.dmp
      Filesize

      180KB

      Download
    • memory/4356-140-0x0000000000400000-0x000000000042D000-memory.dmp
      Filesize

      180KB

      Download
    • memory/4356-152-0x0000000000400000-0x000000000042D000-memory.dmp
      Filesize

      180KB

      Download
    • memory/4356-137-0x0000000000000000-mapping.dmp
      Download
    • memory/5028-135-0x0000000000400000-0x000000000042D000-memory.dmp
      Filesize

      180KB

      Download
    • memory/5028-136-0x0000000000400000-0x000000000042D000-memory.dmp
      Filesize

      180KB

      Download