Overview

overview

10

Static

static

3314cc6ac3...00.exe

windows7-x64

3314cc6ac3...00.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    43s
  • max time network
    52s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    25-11-2022 09:43

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    3314cc6ac3b22e1b23b2087228bebe21b580c4de11eb72f267d5b1cb4648d400.exe

  • Size

    1.1MB

  • MD5

    a3961598ee8c2e1c3463f6098c8a14a8

  • SHA1

    b60ff6e1424121200dceff2975eb085ae84df65b

  • SHA256

    3314cc6ac3b22e1b23b2087228bebe21b580c4de11eb72f267d5b1cb4648d400

  • SHA512

    7017d8721b5eae0eab20cc05223b8849780312879d6dbffa565269d1da63ae6cac4a5372a7011aa099fe7d400cd631c56021e4a593a95240d4f567cd7c96c908

  • SSDEEP

    3072:aSsvihLlTQz9z71iURo2SJJmY6uFNcgifDbmeTXwVdBR:rsqhJMxzJiU5SeLmNSbmebW1

Score
10/10
persistencespywarestealer

Malware Config

Signatures

  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Adds policy Run key to start application 2 TTPs 7 IoCs
    persistence
  • Executes dropped EXE 2 IoCs
  • Sets file execution options in registry 2 TTPs 8 IoCs
    persistence
  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS 60 IoCs
  • Modifies registry class 12 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    1⤵
      PID:592
      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4gq1sglk.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.files\7rRGWbp2QFubHIIyXpI731pznpb2ur6BL65WFaOsRTNcBYMoQud.exe
        "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4gq1sglk.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.files\7rRGWbp2QFubHIIyXpI731pznpb2ur6BL65WFaOsRTNcBYMoQud.exe" 2
        2⤵
        • Executes dropped EXE
        • Sets file execution options in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1092
    • C:\Users\Admin\AppData\Local\Temp\3314cc6ac3b22e1b23b2087228bebe21b580c4de11eb72f267d5b1cb4648d400.exe
      "C:\Users\Admin\AppData\Local\Temp\3314cc6ac3b22e1b23b2087228bebe21b580c4de11eb72f267d5b1cb4648d400.exe"
      1⤵
      • Adds policy Run key to start application
      • Modifies data under HKEY_USERS
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      PID:1128
    • C:\Windows\system32\LogonUI.exe
      "LogonUI.exe" /flags:0x0
      1⤵
        PID:2044
      • C:\Windows\system32\AUDIODG.EXE
        C:\Windows\system32\AUDIODG.EXE 0x564
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:316
      • C:\Windows\system32\LogonUI.exe
        "LogonUI.exe" /flags:0x1
        1⤵
          PID:856
        • C:\Windows\system32\gpscript.exe
          gpscript.exe /Shutdown
          1⤵
          • Loads dropped DLL
          • Modifies data under HKEY_USERS
          • Suspicious use of WriteProcessMemory
          PID:1028
          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4gq1sglk.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.files\7rRGWbp2QFubHIIyXpI731pznpb2ur6BL65WFaOsRTNcBYMoQud.exe
            "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4gq1sglk.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.files\7rRGWbp2QFubHIIyXpI731pznpb2ur6BL65WFaOsRTNcBYMoQud.exe" 1
            2⤵
            • Suspicious use of NtCreateUserProcessOtherParentProcess
            • Adds policy Run key to start application
            • Executes dropped EXE
            • Sets file execution options in registry
            • Loads dropped DLL
            • Modifies data under HKEY_USERS
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1808

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\ProgramData\Microsoft\Network\OGkZ8ogE4BWsglF7QjE8Y52Zm2TMb6xJc0Md.exe
          Filesize

          2.3MB

          MD5

          da33aee65bf7bdfea4ee07c28e98efcb

          SHA1

          6ea35bc6b9c4e1a198597824eaa428edfea3c761

          SHA256

          0981fb86d5133c2ea87854e7f0c549136e7216944b712586d78f8394619e1065

          SHA512

          8908452d8e401e4b9bb2f23066bbbaf22aeca32cec41270a4d4c5ee6f6ab1e4b94f34c5657eeb8419b6f7b5dfbea04de1cbf759aa118d8d97ce28d92908ccd7f

          Download Submit

        • C:\ProgramData\Microsoft\OFFICE\KgmiKEkQApxbc9pRrxiYwEBM6sQjw8NP.exe
          Filesize

          1.8MB

          MD5

          de8fdfac2ab48892bbd804135f7451d2

          SHA1

          dbe38d2946606dcac0d011246e1c1600863bde9c

          SHA256

          653bea8169ba3491f98eb29dafde9e7ff12f80f813442ba9b82bcfed8a8b4a71

          SHA512

          1d600f280851ac622083121cc1f7766274a7c6dfb4ef44bf329bfba40ed41c1192dc78ada3c4d066dae6e048c05473442751184f25307690afb18229f73f39b4

          Download Submit

        • C:\ProgramData\Package Cache\{CB0836EC-B072-368D-82B2-D3470BF95707}v12.0.40660\E5qWhH5MfIfFLwIWN1enWWSRTydFAGIwOP9ouB4pV1d4Y.exe
          Filesize

          1.4MB

          MD5

          a6f0d53b6ee001b3d90a456d93fe4ffa

          SHA1

          9d2ef4e541a664a425fd1461d4488e1953de0977

          SHA256

          be865d9f0f7d9a60f63e822a2fe22a7847b1373d8fb6f052fc105f623e9255df

          SHA512

          fc1e70fc68b6681871346c954ab9c8355b33f64e5d550df2bad82b7307061169ead05f3750bd86f1a8bda7690dd5d37b373b5e5f452a07c50a0fb134a3e2e085

          Download Submit

        • C:\ProgramData\Package Cache\{E30D8B21-D82D-3211-82CC-0F0A5D1495E8}v12.0.40660\packages\vcRuntimeMinimum_x86\O8f9EMtsRXS1BnbQbPY08EBOkd0DJMvO6sIQDl06geAgiRe.exe
          Filesize

          1.4MB

          MD5

          1e68ec45e4fcfc6932cce143e10f3cf2

          SHA1

          72fc09d33e98182689896e635d467b1debc43aa1

          SHA256

          4c536ed68f00561d48bba74adae241e2da35371d946d0f051afa2fd8050ef606

          SHA512

          e6b9618139b9e572a9888f1992a170e083c71dd1a0a96826b8060fdf2f9c0cc163cce472d1545ef0a029cb6ad9a757174e4117eb24599475f95b9d596b0ee9e4

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\4\DVciKpxtvLYe68bcR38WddxRF.exe
          Filesize

          1.4MB

          MD5

          eda8819b7a34148150e8c2f14b179587

          SHA1

          bd27372e2b0c8b5a1734a21474d578a0219f7926

          SHA256

          1992d380d0b4b37648a7b3d1c6b2dbbc81cef6a0fc069f46c9181a10133b177b

          SHA512

          e53d8a14351cebe0d3e010d5594873079927596db67949b560f4a8f31dbbbfade68bfcc12e2476a90edbf7b23ce0ea759c619bbef2fdbf5fead709e525705d86

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Sun\Java\jdk1.7.0_80_x64\QNSNL6gtJ8.cmd
          Filesize

          2.9MB

          MD5

          6b8ca0359683e4a62b4db1c68c08ad41

          SHA1

          35df4c44259c265cecc8f1da3c4a3ac96b882f77

          SHA256

          9701cb7477a93e5f2ed8667641bd3160c18cafd7517bf10cb8a27db8b744bd04

          SHA512

          f63c6b0539193a34079fc4d745f0393357fd884af0d43ccd46cdc0ae1eb95d28b58cfac5ab30eda64c2bafaa5c642a77f89095cf6a7746a8bc51352978848ee5

          Download Submit

        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\GPUCache\ywbRbmTDOCDh.cmd
          Filesize

          3.8MB

          MD5

          e77966a4fe1b28ac5cce575b38192945

          SHA1

          988e6992ba8e11c3db705b85be13e71630622033

          SHA256

          a2c83fb9a565339ffb2047c52e043730b551608a9efd84e1e64ce34a6d2fabd3

          SHA512

          e09d4405de04ee209dcdb41f006ae8d954ea2b734e4213683ddcfc5a887e90b695055fd2a0746ddb5790cb2514fe8c27a7dff3f43617f474ac754dfcab2612c9

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\vWlOJUnsqkRkz2ornD2SyaWjCa5H1SluZqz94kZXEoKjGzMkXChzjWqftU0G4a.exe
          Filesize

          1.7MB

          MD5

          e0d7e39b0e43029cc8ae774357eee5b3

          SHA1

          5d977ce0b0e2022bc7838ff9c798a712fcf6ff3e

          SHA256

          3cf21aa8c6fefb4b19bb6a46f27c944658c3d3ddefd2b077373563740114accd

          SHA512

          ba639e2f60b9c994a38086305394b739393b315812fff738b09a5b2665de0743af31bc5aaca9c757ffd36bf758b857bd6fa6b4644d6b5df68ac76fa1624cff1e

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\oRALCcTd0vcho8BOOs6c9rS6BZxRPcKYsNBvKxHmvBlaoT6IzI5.exe
          Filesize

          1.5MB

          MD5

          f6f5bbe7ce908c32fb61099c943732fb

          SHA1

          7119be576a9ffb934083cb1884f2cab964728df0

          SHA256

          1973be8c89a48662a89bb474142544b7ae4b2695309c58af0a12b8347ec30984

          SHA512

          7c1742812142ff7d2dbb9faf0dd1d131dce21fa982c3f3db30306cf5386a32f49fcfa6b3230f35403c09c0b6c9c5050be2001bc689c83ccdb98b1fb3c5720297

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4gq1sglk.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.files\7rRGWbp2QFubHIIyXpI731pznpb2ur6BL65WFaOsRTNcBYMoQud.exe
          Filesize

          2.2MB

          MD5

          7efbe5bb44e53f5c7d4d479fc9e45881

          SHA1

          06b43571f56a5be74c8b4dd5329c68b758e26ced

          SHA256

          9e877fcc88e80a8a69617e95cd63057d4d4b2c12ffcd9f67fcf926253c949c49

          SHA512

          9f667f583b46e79027f8cac9faa8b90be7122abdd9f58d29ec411607df1c633b952cf5fd1c5350cb124369aba345eecf67c2281416bba75dc4a1e905fe5fb353

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4gq1sglk.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.files\7rRGWbp2QFubHIIyXpI731pznpb2ur6BL65WFaOsRTNcBYMoQud.exe
          Filesize

          2.2MB

          MD5

          7efbe5bb44e53f5c7d4d479fc9e45881

          SHA1

          06b43571f56a5be74c8b4dd5329c68b758e26ced

          SHA256

          9e877fcc88e80a8a69617e95cd63057d4d4b2c12ffcd9f67fcf926253c949c49

          SHA512

          9f667f583b46e79027f8cac9faa8b90be7122abdd9f58d29ec411607df1c633b952cf5fd1c5350cb124369aba345eecf67c2281416bba75dc4a1e905fe5fb353

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4gq1sglk.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.files\7rRGWbp2QFubHIIyXpI731pznpb2ur6BL65WFaOsRTNcBYMoQud.exe
          Filesize

          2.2MB

          MD5

          7efbe5bb44e53f5c7d4d479fc9e45881

          SHA1

          06b43571f56a5be74c8b4dd5329c68b758e26ced

          SHA256

          9e877fcc88e80a8a69617e95cd63057d4d4b2c12ffcd9f67fcf926253c949c49

          SHA512

          9f667f583b46e79027f8cac9faa8b90be7122abdd9f58d29ec411607df1c633b952cf5fd1c5350cb124369aba345eecf67c2281416bba75dc4a1e905fe5fb353

          Download Submit

        • C:\Users\Public\Videos\seUWs5UmrrW5gFnIm0AOnf0ny3NUyDF21iHY3ciIasT4rsbVXriv2hn0Rqoi3sPm.exe
          Filesize

          1.7MB

          MD5

          76a43f6b2935774109cd65a54249e60c

          SHA1

          22acb62598cffb7fa75231f70fa35447791589f4

          SHA256

          5767e48b3af056a82c53450e67c0ed269e7ae5fd37719dd57f727d6081d3118b

          SHA512

          91c70df0542a3907db0ec34c7f562a9adf4216bf006fa4ff1f7ffd3d807964372f24a176683b11263660af6bdbe8c89ec3d49ddd591932fdefb87015574dbb64

          Download Submit

        • \Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4gq1sglk.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.files\7rRGWbp2QFubHIIyXpI731pznpb2ur6BL65WFaOsRTNcBYMoQud.exe
          Filesize

          2.2MB

          MD5

          7efbe5bb44e53f5c7d4d479fc9e45881

          SHA1

          06b43571f56a5be74c8b4dd5329c68b758e26ced

          SHA256

          9e877fcc88e80a8a69617e95cd63057d4d4b2c12ffcd9f67fcf926253c949c49

          SHA512

          9f667f583b46e79027f8cac9faa8b90be7122abdd9f58d29ec411607df1c633b952cf5fd1c5350cb124369aba345eecf67c2281416bba75dc4a1e905fe5fb353

          Download Submit

        • \Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4gq1sglk.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.files\7rRGWbp2QFubHIIyXpI731pznpb2ur6BL65WFaOsRTNcBYMoQud.exe
          Filesize

          2.2MB

          MD5

          7efbe5bb44e53f5c7d4d479fc9e45881

          SHA1

          06b43571f56a5be74c8b4dd5329c68b758e26ced

          SHA256

          9e877fcc88e80a8a69617e95cd63057d4d4b2c12ffcd9f67fcf926253c949c49

          SHA512

          9f667f583b46e79027f8cac9faa8b90be7122abdd9f58d29ec411607df1c633b952cf5fd1c5350cb124369aba345eecf67c2281416bba75dc4a1e905fe5fb353

          Download Submit

        • \Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4gq1sglk.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.files\7rRGWbp2QFubHIIyXpI731pznpb2ur6BL65WFaOsRTNcBYMoQud.exe
          Filesize

          2.2MB

          MD5

          7efbe5bb44e53f5c7d4d479fc9e45881

          SHA1

          06b43571f56a5be74c8b4dd5329c68b758e26ced

          SHA256

          9e877fcc88e80a8a69617e95cd63057d4d4b2c12ffcd9f67fcf926253c949c49

          SHA512

          9f667f583b46e79027f8cac9faa8b90be7122abdd9f58d29ec411607df1c633b952cf5fd1c5350cb124369aba345eecf67c2281416bba75dc4a1e905fe5fb353

          Download Submit

        • memory/1028-64-0x0000000000D20000-0x0000000000D4D000-memory.dmp

          Filesize

          180KB

          Download

        • memory/1028-65-0x0000000000D20000-0x0000000000D4D000-memory.dmp

          Filesize

          180KB

          Download

        • memory/1092-77-0x0000000000000000-mapping.dmp

          Download

        • memory/1092-82-0x0000000000400000-0x000000000042D000-memory.dmp

          Filesize

          180KB

          Download

        • memory/1128-54-0x0000000000400000-0x000000000042D000-memory.dmp

          Filesize

          180KB

          Download

        • memory/1128-55-0x0000000000400000-0x000000000042D000-memory.dmp

          Filesize

          180KB

          Download

        • memory/1808-62-0x0000000000000000-mapping.dmp

          Download

        • memory/1808-66-0x0000000000400000-0x000000000042D000-memory.dmp

          Filesize

          180KB

          Download

        • memory/1808-79-0x0000000000400000-0x000000000042D000-memory.dmp

          Filesize

          180KB

          Download

        • memory/2044-56-0x000007FEFB9E1000-0x000007FEFB9E3000-memory.dmp

          Filesize

          8KB

          Download