Analysis

  • max time kernel
    187s
  • max time network
    189s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25-11-2022 09:44

General

  • Target

    dabbec6d955900ed10163668d38d407a9f2b02a16b111e916bb10e4c9ed83e74.exe

  • Size

    416KB

  • MD5

    78c159c2f33babf985b4c66a041a4aac

  • SHA1

    c4353452b693db7c4b046042ac798101e2ad101f

  • SHA256

    dabbec6d955900ed10163668d38d407a9f2b02a16b111e916bb10e4c9ed83e74

  • SHA512

    ae6f50d02c0d54979cf52411684ab04e16ad527957193921c83aa440e299093ee1aefcf5f81a63a17af13658340519401c42961bf9e95b82ae36efb13352d054

  • SSDEEP

    3072:dSsvihLlTQz9z71iURo2SJJmY6uFNcgifDbMtJyVdyw:ssqhJMxzJiU5SeLmNSbMtJU5

Malware Config

Signatures

  • Adds policy Run key to start application (2 TTPs, 7 IoCs)

    Autostart value written under the Policies\Explorer\Run key instead of the ordinary Run key; Explorer launches it at logon. Both the submitted sample (PID 1092) and the dropped file (PID 1388) trigger this.

  • Executes dropped EXE (1 IoC)

    The dropped file is written with a .bat extension into Chrome's User Data\Default\Storage directory but runs as a PE image (PID 1388). In the process tree it starts under gpscript.exe /Shutdown, not as a direct child of the sample.

  • Sets file execution options in registry (2 TTPs, 4 IoCs)

    Writes under Image File Execution Options. A Debugger value there makes Windows start the named program whenever the target image is launched, a common persistence and process-hijack technique. Attributed to the dropped file (PID 1388).

  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers commonly read stored browser data such as saved credentials, cookies and autofill entries. This signature is not attributed to a specific process in the tree below.

  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s). Ransomware enumerates volumes before encrypting, but worms and wipers do the same, so on its own this is suggestive rather than conclusive.

  • Modifies data under HKEY_USERS (64 IoCs)
  • Modifies registry class (10 IoCs)
  • Suspicious use of AdjustPrivilegeToken (5 IoCs)
  • Suspicious use of SetWindowsHookEx (1 IoC)
  • Suspicious use of WriteProcessMemory (2 IoCs)

    The SetWindowsHookEx and WriteProcessMemory hits are attributed in the process tree to the Windows components LogonUI.exe and gpscript.exe, not to the sample or its dropped file, and should not be counted as sample behaviour without corroboration.
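The two registry persistence signatures above, the Policies\Explorer\Run autostart and the Image File Execution Options Debugger value, are easy to miss in a plain Run-key review. The following triage script, an added example that is not part of the sandbox report, parses a Windows .reg export (the text that `reg export HKCU out.reg` writes) and flags both, plus ordinary Run values that point into user-writable paths, which goes slightly beyond what this report flags. The SAMPLE_REG text is constructed and every path in it is invented.

```python
"""Flag the persistence mechanisms named in the report's signatures in a Windows .reg export:
Policies\Explorer\Run autostart values and IFEO 'Debugger' values. Added example, not part of
the sandbox report; SAMPLE_REG is constructed and its paths are invented."""
import re
from dataclasses import dataclass

# Constructed .reg export in the shape `reg export` produces (note the doubled backslashes).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"Updater"="\"C:\\Users\\Admin\\AppData\\Local\\Example\\Storage\\dropped.bat\" 1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe]
"Debugger"="C:\\Users\\Admin\\AppData\\Local\\Example\\data\\dropped.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"DisableExceptionChainValidation"=dword:00000000
'''

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
VALUE_RE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|(?P<default>@))=(?P<data>.*)$')
USER_WRITABLE = re.compile(r'\\(AppData|Temp|ProgramData|Users\\Public)\\', re.IGNORECASE)


@dataclass
class Finding:
    key: str
    name: str
    data: str
    reason: str


def parse_reg(text):
    """Yield (key, value_name, data) for every value in a .reg export; REG_SZ data is unescaped."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group('key')
            continue
        m = VALUE_RE.match(line) if key else None
        if not m:
            continue  # header, blank line, or continuation line of a hex: value
        name = '(Default)' if m.group('default') else m.group('name')
        data = m.group('data')
        if data.startswith('"') and data.endswith('"'):
            data = re.sub(r'\\(.)', r'\1', data[1:-1])  # undo the \\ and \" escaping of REG_SZ
        yield key, name, data


def find_persistence(reg_text):
    """Return Findings for Policies\\Explorer\\Run values, IFEO Debugger values, and Run values
    whose data points into a user-writable location."""
    findings = []
    for key, name, data in parse_reg(reg_text):
        k = key.lower()
        if k.endswith('\\policies\\explorer\\run'):
            findings.append(Finding(key, name, data, 'Policies\\Explorer\\Run autostart'))
        elif '\\image file execution options\\' in k and name.lower() == 'debugger':
            findings.append(Finding(key, name, data, 'IFEO Debugger hijack'))
        elif k.endswith('\\currentversion\\run') and USER_WRITABLE.search(data):
            findings.append(Finding(key, name, data, 'Run value in a user-writable path'))
    return findings


if __name__ == '__main__':
    for f in find_persistence(SAMPLE_REG):
        print(f'{f.reason}: [{f.key}] {f.name} = {f.data}')
```

When feeding a real export rather than the embedded sample, open the file with `encoding='utf-16'`, since `reg export` writes UTF-16LE with a byte-order mark by default. Run the script against exports of both HKCU and HKLM: the Policies\Explorer\Run key exists under both hives and the IFEO key lives under HKLM.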

Processes

  • C:\Users\Admin\AppData\Local\Temp\dabbec6d955900ed10163668d38d407a9f2b02a16b111e916bb10e4c9ed83e74.exe
    "C:\Users\Admin\AppData\Local\Temp\dabbec6d955900ed10163668d38d407a9f2b02a16b111e916bb10e4c9ed83e74.exe"
    1⤵
    • Adds policy Run key to start application
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    PID:1092
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x4 /state0:0xa39cf055 /state1:0x41c64e6d
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:1068
  • C:\Windows\system32\gpscript.exe
    gpscript.exe /Shutdown
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of WriteProcessMemory
    PID:3416
    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\gSxiQdaTd8mBMucjQuhIukLZqFq.bat
      "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\gSxiQdaTd8mBMucjQuhIukLZqFq.bat" 1
      2⤵
      • Adds policy Run key to start application
      • Executes dropped EXE
      • Sets file execution options in registry
      • Modifies data under HKEY_USERS
      • Suspicious use of AdjustPrivilegeToken
      PID:1388

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\Reader\DesktopNotification\Mvv2Fd831RJcqxFE2IcgPdsfz.exe
    Filesize

    474KB

    MD5

    e87b87a55e5df4154827f167120d0058

    SHA1

    1ec54dbc636ef3304bd7dd1b2701d64c2991cbf6

    SHA256

    5e13b222b16d7cfac67d8c3ffb252df61f072ad389a9c01e288f8192b64b8615

    SHA512

    4ce53f02289fefabc2350665256fd8e06d46c8297509b25cf0cb6f36797b9c5df227ee4fc3f9d2fdcb8683c98b59e1df67915f5010aa0c38c15ddeceebd963e8

  • C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\61\YNux7nj7jSZMOaO4oFqf.exe
    Filesize

    715KB

    MD5

    a8cf746a364e124fc7c8333ab84fe6af

    SHA1

    e98be2d464bb725cd155be3a02f23ab4ebf67332

    SHA256

    a3750402f0c5474a807d7554219fb3dce8ba8f412d636dfda2c1dff63b2ea046

    SHA512

    536387842e7e7ae841c34338a98d77b8d2334076a5f1cafe168219deeb975da9334d3040141b3dcb9c0f2e2dba7334bbee975eb359a636c527dcfb250c96d6ba

  • C:\Users\Admin\AppData\Local\Comms\Unistore\data\M0Zs3KyFKC9DnolEB.exe
    Filesize

    431KB

    MD5

    01b0219dcfc7746356db589e1ccf0aca

    SHA1

    ce8125eb4cd660fa9ec8f124d0dd4c4bb45208b7

    SHA256

    4d7e6a71e309cbc7b32f589e0c4767eee04c4f04fe41f04dfd36c8e072559540

    SHA512

    3609349d4e7b4910daa37b30089aa52c33cab6a5cf618fe59a3e816b80e87f22720fa0cc9c1354aa90582a491e163bac142ee2419f9210e60b784fd7549e9bd2

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\gSxiQdaTd8mBMucjQuhIukLZqFq.bat
    Filesize

    477KB

    MD5

    9c000bf1f6f9de8ebe1f24d0e10f322d

    SHA1

    507b5c669e2ee71d58117b6778660ca3b862601d

    SHA256

    5c35ddadd9b045a84e226457e9d0f5c7026ecd6967f2e7dc1d03855fe3ea16c0

    SHA512

    e56578bf5fe533b22c50e608a1ad76cb654db6efd65cd8e88f1f608c25aefe6544078d180144a04e73989b4e1387e4b4a59883fd05f22977479bfb6d8939f92e

  • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ja\WtX9qZV6Zigo4uv2hvICOecTy0rWXwkPNtPK0MTE3pMqj1YpAHdV98QjvOU94MCtpT.exe
    Filesize

    680KB

    MD5

    d70e9aafc054837ec344473ff6c8d438

    SHA1

    b6c25ab705ff7c5aafd8dfbf0d16fa50cf177338

    SHA256

    32bb93d075a444534055577d0f72f76398a5ded5ceebe3806a9b78915d41c405

    SHA512

    72e0fa6b1201660a0a74a288e93cdf7f192adfe075e5c71e53aa9f15d32ef8d15faa7d8c621485019bf0298b1fb268e8c337f641451824a6f9d53a3375759e58

  • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\quz-PE\wj8cm0h8YhDmeZGwEPcnarkljjhi4Rp03cOLt62qoIjykPPXZrbYa.exe
    Filesize

    578KB

    MD5

    670dcab4d8b57d7756e94f6a843f7cff

    SHA1

    37818ddd85927000abc5197cc886706d599c8198

    SHA256

    e7513124a679edea9830b82905f12177e386a9794f81f0273ce1054cb066df57

    SHA512

    c3c2670cabdaf70da68205fb33e43fbd267acd39838d47ba1a62ed6631e067a799a97ec0a4b33bca7883c5688ad2376262b74758c520589ceba18efb752af596

  • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\zh-CN\vjKe80zS4y89Dq2JpHDMjxa4Qnz9JIr6.exe
    Filesize

    530KB

    MD5

    0c7f9d34eb54cd212f378c398025dcca

    SHA1

    38ae62cf8ce1d17cace3e712bd8c3972856dc7b3

    SHA256

    862e81be72cb77ef0d98b548ddcdaa78d25295fa9f3998cd04bf1d7b3557f1ec

    SHA512

    32bb085871953f70ae0e5549c9247884c4d731dbb83f769b042f69a74c83039cb534d32dcebf090cf47863097ef8c0491d153f84b5ecfd4bdda8a140c8b58c15

  • C:\Users\Admin\AppData\Local\Microsoft\input\fr-MA\z5PJFCGj0KVb6VILRtQhZpRzbAYVjM0TPr6Em3qDeXD5bNg3DnIUxMGzjqBCbGyJlYdY.exe
    Filesize

    614KB

    MD5

    8263eab11a8b954a47e03346d0f9c5ac

    SHA1

    cd89a91255136d4703d521c2eea0a2f86da822be

    SHA256

    40e49046374b03b6edad5c5b7f23a781531bae87e43a0f088d5e4352ee7a2425

    SHA512

    c8c3ea6ff84132080895fb5e4fa6b835e5ac3889addb421320c7f37f770cf21e935bb132996046d04fe2550e1a89e652c39cc8326733f7294caa15bc5e9317b5

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.CredDialogHost_cw5n1h2txyewy\AC\Temp\W9tiD0sStWestoyH5wgd3LffGihuSgVSNCyLhbbyEWS.exe
    Filesize

    693KB

    MD5

    aeae90369054cc8b3b4ec16504700ed1

    SHA1

    48d22c912bcfe94e24e9d0f8e798c60ffffd9568

    SHA256

    8a58d77bae2982f090f9d3468e6f6538a8b931633db8b733204352ff5d68edad

    SHA512

    588b69a2a149b1b6eca594e363f0a9630bc7feb3f11fee87c4cc1f424de82b1fb93f6cf9f8131843d2f43b8fbbe3352756b4350aaa544c66d42ac7c272bf7a94

  • memory/1092-132-0x0000000000400000-0x000000000042D000-memory.dmp
    Filesize

    180KB

  • memory/1092-133-0x0000000000400000-0x000000000042D000-memory.dmp
    Filesize

    180KB

  • memory/1388-137-0x0000000000400000-0x000000000042D000-memory.dmp
    Filesize

    180KB

  • memory/1388-134-0x0000000000000000-mapping.dmp
  • memory/1388-146-0x0000000000400000-0x000000000042D000-memory.dmp
    Filesize

    180KB
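Every one of the nine dropped files listed above has a different size and hash, and they are scattered across directories that imitate application data (Chrome Storage, the Java deployment cache, OneDrive locale folders, Adobe Reader, the CredDialogHost temp folder), so a hash-only sweep of a host is weak. The hunt script below, an added example that is not part of the sandbox report, walks a profile and flags both SHA-256 matches against the IOCs copied from this page and PE images that carry a non-PE extension, which is how the .bat above came to be executed as an EXE. The demo directory and its files are constructed; the fake PE is only the header layout the check inspects, not a loadable binary.

```python
"""Hunt a user profile for the dropped files in the Downloads list: SHA-256 IOC matches plus
PE images hiding behind a non-PE extension. Added example, not part of the sandbox report;
the demo tree is constructed."""
import hashlib
import tempfile
from pathlib import Path

# SHA-256 values copied from the report: the submitted sample and the nine dropped files.
REPORT_SHA256 = {
    'dabbec6d955900ed10163668d38d407a9f2b02a16b111e916bb10e4c9ed83e74',  # submitted sample
    '5e13b222b16d7cfac67d8c3ffb252df61f072ad389a9c01e288f8192b64b8615',  # Adobe\...\Mvv2Fd831RJcqxFE2IcgPdsfz.exe
    'a3750402f0c5474a807d7554219fb3dce8ba8f412d636dfda2c1dff63b2ea046',  # Java\...\YNux7nj7jSZMOaO4oFqf.exe
    '4d7e6a71e309cbc7b32f589e0c4767eee04c4f04fe41f04dfd36c8e072559540',  # Comms\Unistore\data\M0Zs3KyFKC9DnolEB.exe
    '5c35ddadd9b045a84e226457e9d0f5c7026ecd6967f2e7dc1d03855fe3ea16c0',  # Chrome\...\gSxiQdaTd8mBMucjQuhIukLZqFq.bat
    '32bb93d075a444534055577d0f72f76398a5ded5ceebe3806a9b78915d41c405',  # OneDrive\...\ja\WtX9...exe
    'e7513124a679edea9830b82905f12177e386a9794f81f0273ce1054cb066df57',  # OneDrive\...\quz-PE\wj8c...exe
    '862e81be72cb77ef0d98b548ddcdaa78d25295fa9f3998cd04bf1d7b3557f1ec',  # OneDrive\...\zh-CN\vjKe...exe
    '40e49046374b03b6edad5c5b7f23a781531bae87e43a0f088d5e4352ee7a2425',  # input\fr-MA\z5PJ...exe
    '8a58d77bae2982f090f9d3468e6f6538a8b931633db8b733204352ff5d68edad',  # CredDialogHost\AC\Temp\W9ti...exe
}
PE_EXTENSIONS = {'.exe', '.dll', '.sys', '.scr', '.cpl', '.ocx', '.drv', '.efi'}


def sha256_of(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, 'rb') as f:
        for block in iter(lambda: f.read(chunk), b''):
            h.update(block)
    return h.hexdigest()


def looks_like_pe(path):
    """True if the file has a DOS 'MZ' header whose e_lfanew points at a 'PE\\0\\0' signature."""
    with open(path, 'rb') as f:
        dos = f.read(0x40)
        if len(dos) < 0x40 or dos[:2] != b'MZ':
            return False
        e_lfanew = int.from_bytes(dos[0x3C:0x40], 'little')
        f.seek(e_lfanew)
        return f.read(4) == b'PE\0\0'


def scan_tree(root, ioc_sha256=REPORT_SHA256):
    """Return (path, reason, sha256) tuples for IOC hash matches and for PE images that
    carry a non-PE extension anywhere under root."""
    findings = []
    for p in sorted(Path(root).rglob('*')):
        if not p.is_file():
            continue
        digest = sha256_of(p)
        if digest in ioc_sha256:
            findings.append((str(p), 'sha256 matches report IOC', digest))
        if p.suffix.lower() not in PE_EXTENSIONS and looks_like_pe(p):
            findings.append((str(p), f'PE image with {p.suffix or "no"} extension', digest))
    return findings


def write_fake_pe(path):
    """Constructed: just the MZ header, e_lfanew and PE signature that looks_like_pe() checks."""
    e_lfanew = 0x80
    data = bytearray(b'MZ') + b'\0' * (0x3C - 2) + e_lfanew.to_bytes(4, 'little')
    data += b'\0' * (e_lfanew - len(data)) + b'PE\0\0' + b'\0' * 20
    Path(path).write_bytes(bytes(data))


def demo():
    """Build a throwaway fragment of the Chrome Storage drop path and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        store = Path(tmp, 'Google', 'Chrome', 'User Data', 'Default', 'Storage')
        store.mkdir(parents=True)
        write_fake_pe(store / 'dropped.bat')                 # PE content, .bat name: caught by magic
        (store / 'cleanup.bat').write_text('@echo off\r\n')  # genuine script: caught only by hash
        iocs = REPORT_SHA256 | {sha256_of(store / 'cleanup.bat')}
        return scan_tree(tmp, iocs)


if __name__ == '__main__':
    for path, reason, digest in demo():
        print(f'{reason}: {path} ({digest[:16]}...)')
```

On a real host point `scan_tree` at `C:\Users\<name>\AppData`, where all nine drop locations on this page sit, and keep the extension check even when no hash matches: a fresh build of the same family will have new hashes but still needs its PE payload to run from somewhere.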