Analysis

  • max time kernel
    168s
  • max time network
    195s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25-11-2022 10:15

General

  • Target

    ad2e4efaf11abc6def2ca304d8789ad2824a75830fced1c35c4f031f53907e0d.exe

  • Size

    512KB

  • MD5

    b63ca533cfdbbbecfba41c4ab916b4fd

  • SHA1

    2ff1cb9bce8f2ee1526ba3ef68a9056ecadb96f5

  • SHA256

    ad2e4efaf11abc6def2ca304d8789ad2824a75830fced1c35c4f031f53907e0d

  • SHA512

    09d53166aefb0e04f87aade925cd12400b733cff28e16fa918dceb08a87a168ece3ae5b9ac39c0a453e7feb0c8e9fa825a7aca449085542de76ea83472d76dbb

  • SSDEEP

    3072:aSsvihLlTQz9z71iURo2SJJmY6uFNcgifDbmeTXwVdBR:rsqhJMxzJiU5SeLmNSbmebW1

Malware Config

Signatures

  • Adds policy Run key to start application (2 TTPs, 7 IoCs)
  • Executes dropped EXE (1 IoC)
  • Sets file execution options in registry (2 TTPs, 4 IoCs)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials, cookies and session tokens.

  • Drops file in Windows directory (1 IoC)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s). Commonly seen in ransomware, but also in file infectors and removable-media spreaders; on its own it is not a ransomware verdict.

  • Modifies data under HKEY_USERS (64 IoCs)
  • Modifies registry class (10 IoCs)
  • Suspicious use of AdjustPrivilegeToken (5 IoCs)
  • Suspicious use of SetWindowsHookEx (2 IoCs)
  • Suspicious use of WriteProcessMemory (2 IoCs)
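
The signature list names behaviours without giving the registry keys behind them. As an added example (editor's code, not part of the sandbox report), the Python below runs the two persistence checks over constructed Sysmon-style registry events (Event ID 13, value set): the policy Run key under Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run, and an Image File Execution Options Debugger value, with the extra tell that the Debugger path points into a user-writable directory. Only the PIDs and dropped-file paths are taken from the report; the SID, the value names, the victim executable name and the benign events are constructed.

```python
"""Map Sysmon-style registry events to the persistence signatures in this report.

Added example by the editor, not part of the sandbox report. The event
records below are constructed to resemble Sysmon Event ID 13 fields.
"""
from __future__ import annotations

import re
from typing import Iterable

# Standard locations behind the two persistence signatures. Sysmon writes
# HKCU keys as HKU\<SID>\..., so match on the key suffix rather than the hive.
POLICY_RUN = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\[^\\]+$",
    re.IGNORECASE,
)
IFEO_DEBUGGER = re.compile(
    r"\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\"
    r"(?P<victim>[^\\]+)\\Debugger$",
    re.IGNORECASE,
)
# Legitimate IFEO debuggers live under Program Files or System32; a Debugger
# value pointing at a user-writable directory is the hijack tell.
USER_WRITABLE = re.compile(r"^[A-Z]:\\(Users|ProgramData)\\", re.IGNORECASE)

# Constructed sample events. PIDs and file paths come from the report's
# process tree; the SID, value names and victim executable are made up.
SAMPLE_EVENTS = [
    {"pid": 4988,
     "target": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\WordUpdate",
     "details": r"C:\Users\Admin\AppData\Roaming\Microsoft\Word\ErEW2SeiexiLprngu5Of2odgnvFUF.cmd"},
    {"pid": 4268,
     "target": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\example.exe\Debugger",
     "details": r"C:\ProgramData\Oracle\Java\installcache_x64\7qWzVaxpingJhu2iVH04ZlHl5nEtTMHyQjY2H7HwSprDmENYDHkE8xyVG5eOedtMiy8F.exe"},
    # Benign (constructed): the ordinary Run key is not the Policies\Explorer\Run key.
    {"pid": 1234,
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "details": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe"},
    # Lower severity (constructed): an IFEO Debugger that points at a System32 tool.
    {"pid": 1234,
     "target": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\example.exe\Debugger",
     "details": r"C:\Windows\System32\dbgtool.exe"},
]


def classify(event: dict) -> list[str]:
    """Return the report signature names (plus the IFEO-hijack tell) an event triggers."""
    hits: list[str] = []
    target = event["target"]
    details = event.get("details", "").strip('"')
    if POLICY_RUN.search(target):
        hits.append("Adds policy Run key to start application")
    m = IFEO_DEBUGGER.search(target)
    if m:
        hits.append("Sets file execution options in registry")
        if USER_WRITABLE.match(details):
            hits.append(f"IFEO hijack of {m.group('victim')} -> user-writable path")
    return hits


def scan(events: Iterable[dict]) -> dict[int, list[str]]:
    """Group triggered signatures by PID, mirroring the report's per-process view."""
    by_pid: dict[int, list[str]] = {}
    for ev in events:
        for hit in classify(ev):
            by_pid.setdefault(ev["pid"], []).append(hit)
    return by_pid


if __name__ == "__main__":
    for pid, hits in sorted(scan(SAMPLE_EVENTS).items()):
        print(pid, *hits, sep="\n  ")
```

Matching on the key suffix keeps the rule hive-independent, which matters because the report attributes the policy Run write to the parent (PID 4988) and the IFEO write to the dropped copy (PID 4268); a rule keyed on HKCU alone would miss the HKU\<SID> form Sysmon actually logs.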

Processes

  • C:\Users\Admin\AppData\Local\Temp\ad2e4efaf11abc6def2ca304d8789ad2824a75830fced1c35c4f031f53907e0d.exe
    "C:\Users\Admin\AppData\Local\Temp\ad2e4efaf11abc6def2ca304d8789ad2824a75830fced1c35c4f031f53907e0d.exe"
    1⤵
    • Adds policy Run key to start application
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    PID:4988
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x4 /state0:0xa39e9055 /state1:0x41c64e6d
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:3136
  • C:\Windows\system32\gpscript.exe
    gpscript.exe /Shutdown
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of WriteProcessMemory
    PID:4832
    • C:\Users\Admin\AppData\Roaming\Microsoft\Word\ErEW2SeiexiLprngu5Of2odgnvFUF.cmd
      "C:\Users\Admin\AppData\Roaming\Microsoft\Word\ErEW2SeiexiLprngu5Of2odgnvFUF.cmd" 1
      2⤵
      • Adds policy Run key to start application
      • Executes dropped EXE
      • Sets file execution options in registry
      • Modifies data under HKEY_USERS
      • Suspicious use of AdjustPrivilegeToken
      PID:4268

Network

MITRE ATT&CK Enterprise v6


Downloads

  • C:\ProgramData\Oracle\Java\installcache_x64\7qWzVaxpingJhu2iVH04ZlHl5nEtTMHyQjY2H7HwSprDmENYDHkE8xyVG5eOedtMiy8F.exe

    Filesize

    910KB

    MD5

    638b66e961f7e8c5ea1770b4ab265aea

    SHA1

    62d0e7d54337efb5518e29d36fb5f9404d9fb0a1

    SHA256

    b2a98bdfa3a21ebe75a620f61575942278e78fddc895c2ee9844019b384b0fc4

    SHA512

    05cd24db89ae68addbd86baa06d8aef01e39a8a88377252e31e501ec6343cdd666b86c501b7a40d706dc220bf07b34db12ea9b6ba59a3fa497c0d5d3edab3132

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.10_0\_locales\th\Z9Rjh8ufNvkeAMnboRvVrJS9zJhUDkb74esWWSlKmk8wd5xVu9YyVpzzVYUjx.exe

    Filesize

    693KB

    MD5

    6f5e7e00305083e7bc0f11ae98940e5e

    SHA1

    1e5f7a8878a84adeae56a27e840a8e92933943cd

    SHA256

    c301a693165ba45c6c71ccb07166bfa680c584a1ea190969ad1dffd2d51a483e

    SHA512

    52c7ea3846f58455852456cd08e498fa9ed756348473626b039a128018af00349a0402c5961323ae5e5d7b65fa8248b01b237681bcd680e8a9dd234d1cd4f012

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\lv\xi99oGEVR0XNahtuaDpYY8RZtcCNsk7YSOaOkdQZnhRraMkVAAkINFTQGTtwoKVvzoh5Qc6.exe

    Filesize

    933KB

    MD5

    08b058bcff655dea4aff3e705ed4bec7

    SHA1

    0999933d3656f1c9ed357e5cd031c9f98db91230

    SHA256

    558efeb481b74fd81440d98d7768a522502d03c5a4382c93b0379bc0819af9ff

    SHA512

    4fcc223b893fdeffa7d14c8062de05a597332d9967dd12f19590b14e425f524599539c4ea604ea60bb085f0b935005c9bf4e38971868139aeb67c04e7cdf871f

  • C:\Users\Admin\AppData\Local\Microsoft\input\ar-TN\gVGzaSVHq2KFzuYsgWGfB1Zr.exe

    Filesize

    1020KB

    MD5

    29aff335df0aec689a0024911b0f7742

    SHA1

    3b966f6d643a11b7f4673259795e4a1a76b25f83

    SHA256

    fb27b01679d30af567d826cf2961f3b3e639c1d5f19fe449055d47574736ca99

    SHA512

    ab3c2173049c83765103f7c04d6c4d5b4413b3e30292bbfa7b7e3617af9a06448b8f954e7fc371eb304cd8c4da71378f53c3f64825f225335650febda901c1d3

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\RoamingState\Ek6oaUVRcCjZcFaN21EPMfZYvL.exe

    Filesize

    844KB

    MD5

    586aa8898a562a47787ab4255bf64fc7

    SHA1

    4f0877de187996be3ad4cc4a609e06375d154051

    SHA256

    ca62fdcb9ca96147bfded6afbc1b3071f5c4d246a16ba861e2940a38ca2a0cf8

    SHA512

    fefa119ad07038b72cbf3d37793df3062826ee1336d064c43f1a7c21b5a9121394f72568ed9be74a3d0e9f4377bfd22bf2ae6db1cfeae175ac8180ea3f8ceb16

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\AC\IwJe1iQ9OFcmvXrZk0mDDIuxtoskrvxP1syugZly9U2hVj6e6jNI8xzzIUqNHLJniNIo8Z.exe

    Filesize

    663KB

    MD5

    7a904ef97680c4a623d2bcbbaf0cfcbf

    SHA1

    ec0ec5ef881b816bbe6fc7a2d1e9f8a14999c44c

    SHA256

    535a845429799281a61a2fc143b39e7ba6850becc024ccc96a06d1d0b1685f93

    SHA512

    77786cb376ef7efec58d76416ada4bfa87632da94a395e6c34f9504a8f687fe507f1aa4c6aa5d3ce02fdbbf691df318cbcdb16d3e254e330e50caafaa71fe11e

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\PwYWj5tAeNSJ4Nc2dMLGYQZiZhkYzR.exe

    Filesize

    565KB

    MD5

    e6349dc19b346d241acc3e93a9de8c02

    SHA1

    c1c12d3616487dbf0acb112b1b35890add7a6b43

    SHA256

    85c93407f993b9da59d004fd41d15989c65bbb88e82a5ac858a695f8d803d291

    SHA512

    b0512de16e21a9bc1e0473762043e13bb75fc93bf56e09a17ff607c49c400a55b2157cdea5a2e93d2610af7a1c08c8716034362420a9ebf6b9b044a1ac11a555

  • C:\Users\Admin\AppData\Roaming\Microsoft\Word\ErEW2SeiexiLprngu5Of2odgnvFUF.cmd

    Filesize

    600KB

    MD5

    a2cac62baab51f2587478e765d7cf213

    SHA1

    3ff81305e5a65a0d87ca6494b37ef77b7d28e3ae

    SHA256

    dc54f2e43b518274e39aabad62ce3b95e274802b4b348e4b6fb85d91a51ca076

    SHA512

    2f42959584c415cbd715caa595cb710e5f1dbeec71ffb53177a189a8e25d2df1aa4bc172a4053ad3a017818ccea3be2239ac3e95ced87718aba6a051de8174b0

  • C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\G0AQGJOdbuPSt36A5f.exe

    Filesize

    829KB

    MD5

    75290477f02b6c7f8378de076dcad858

    SHA1

    800c49a2a99abe24e6bd5aacfb0b4a45228e22fa

    SHA256

    f16c65e67ca8fa5c20c9746f0a7131873d263e05309c457e31f9fb4e88fa6133

    SHA512

    7998fa713a753b38390ff648c654e6af2723da96b2f4e6f6515ad0b9ed9442deba6684ab7c87b1961b6b274fa921af62e47af5d3919cc0f92887d3e631ec555d

  • memory/4268-137-0x0000000000400000-0x000000000042D000-memory.dmp

    Filesize

    180KB

  • memory/4268-134-0x0000000000000000-mapping.dmp

  • memory/4268-146-0x0000000000400000-0x000000000042D000-memory.dmp

    Filesize

    180KB

  • memory/4988-132-0x0000000000400000-0x000000000042D000-memory.dmp

    Filesize

    180KB

  • memory/4988-133-0x0000000000400000-0x000000000042D000-memory.dmp

    Filesize

    180KB
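
The Downloads list gives four digests per dropped file but no way to act on them. As an added example (editor's code, not from the sandbox report), the Python below carries the report's SHA256/MD5 pairs as a lookup table, hashes a file in one streaming pass, and walks a directory tree reporting any file whose digest is listed. Only the hashes and paths are taken from the report; the function names and the test input are the editor's own.

```python
"""Match files on disk against the dropped-file IoCs listed in this report.

Added example by the editor, not part of the sandbox report. The hash table
is copied from the report's Downloads list; the scanning code is assumed.
"""
from __future__ import annotations

import hashlib
import os
from typing import Iterator, Optional

# (sha256, md5, path) per file, from the report. Every drop has a distinct
# size and digest, so exact-hash matching only finds these specific copies.
DROPPED_FILES = [
    ("ad2e4efaf11abc6def2ca304d8789ad2824a75830fced1c35c4f031f53907e0d", "b63ca533cfdbbbecfba41c4ab916b4fd",
     r"C:\Users\Admin\AppData\Local\Temp\ad2e4efaf11abc6def2ca304d8789ad2824a75830fced1c35c4f031f53907e0d.exe"),
    ("b2a98bdfa3a21ebe75a620f61575942278e78fddc895c2ee9844019b384b0fc4", "638b66e961f7e8c5ea1770b4ab265aea",
     r"C:\ProgramData\Oracle\Java\installcache_x64\7qWzVaxpingJhu2iVH04ZlHl5nEtTMHyQjY2H7HwSprDmENYDHkE8xyVG5eOedtMiy8F.exe"),
    ("c301a693165ba45c6c71ccb07166bfa680c584a1ea190969ad1dffd2d51a483e", "6f5e7e00305083e7bc0f11ae98940e5e",
     r"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.10_0\_locales\th\Z9Rjh8ufNvkeAMnboRvVrJS9zJhUDkb74esWWSlKmk8wd5xVu9YyVpzzVYUjx.exe"),
    ("558efeb481b74fd81440d98d7768a522502d03c5a4382c93b0379bc0819af9ff", "08b058bcff655dea4aff3e705ed4bec7",
     r"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\lv\xi99oGEVR0XNahtuaDpYY8RZtcCNsk7YSOaOkdQZnhRraMkVAAkINFTQGTtwoKVvzoh5Qc6.exe"),
    ("fb27b01679d30af567d826cf2961f3b3e639c1d5f19fe449055d47574736ca99", "29aff335df0aec689a0024911b0f7742",
     r"C:\Users\Admin\AppData\Local\Microsoft\input\ar-TN\gVGzaSVHq2KFzuYsgWGfB1Zr.exe"),
    ("ca62fdcb9ca96147bfded6afbc1b3071f5c4d246a16ba861e2940a38ca2a0cf8", "586aa8898a562a47787ab4255bf64fc7",
     r"C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\RoamingState\Ek6oaUVRcCjZcFaN21EPMfZYvL.exe"),
    ("535a845429799281a61a2fc143b39e7ba6850becc024ccc96a06d1d0b1685f93", "7a904ef97680c4a623d2bcbbaf0cfcbf",
     r"C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\AC\IwJe1iQ9OFcmvXrZk0mDDIuxtoskrvxP1syugZly9U2hVj6e6jNI8xzzIUqNHLJniNIo8Z.exe"),
    ("85c93407f993b9da59d004fd41d15989c65bbb88e82a5ac858a695f8d803d291", "e6349dc19b346d241acc3e93a9de8c02",
     r"C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\PwYWj5tAeNSJ4Nc2dMLGYQZiZhkYzR.exe"),
    ("dc54f2e43b518274e39aabad62ce3b95e274802b4b348e4b6fb85d91a51ca076", "a2cac62baab51f2587478e765d7cf213",
     r"C:\Users\Admin\AppData\Roaming\Microsoft\Word\ErEW2SeiexiLprngu5Of2odgnvFUF.cmd"),
    ("f16c65e67ca8fa5c20c9746f0a7131873d263e05309c457e31f9fb4e88fa6133", "75290477f02b6c7f8378de076dcad858",
     r"C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\G0AQGJOdbuPSt36A5f.exe"),
]
SHA256_INDEX = {sha: path for sha, _, path in DROPPED_FILES}
MD5_INDEX = {md5: path for _, md5, path in DROPPED_FILES}
ALGOS = ("md5", "sha1", "sha256")


def hash_bytes(data: bytes) -> dict[str, str]:
    """Digest an in-memory buffer with the algorithms the report lists."""
    return {name: hashlib.new(name, data).hexdigest() for name in ALGOS}


def hash_file(path: str, chunk: int = 1 << 20) -> dict[str, str]:
    """Stream the file once and update all digests together (no re-reads)."""
    digests = {name: hashlib.new(name) for name in ALGOS}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for d in digests.values():
                d.update(block)
    return {name: d.hexdigest() for name, d in digests.items()}


def match_ioc(hashes: dict[str, str]) -> Optional[str]:
    """Return the report path for a listed drop, preferring SHA256 over MD5."""
    return SHA256_INDEX.get(hashes.get("sha256", "")) or MD5_INDEX.get(hashes.get("md5", ""))


def scan_tree(root: str) -> Iterator[tuple[str, str]]:
    """Yield (local_path, report_path) for every file under root whose digest is listed.

    Hash regardless of extension: the report's 600KB .cmd is flagged under
    "Executes dropped EXE", so an extension filter would skip it.
    """
    for dirpath, _, names in os.walk(root):
        for name in names:
            local = os.path.join(dirpath, name)
            try:
                hashes = hash_file(local)
            except OSError:
                continue  # locked or unreadable; log this in production
            hit = match_ioc(hashes)
            if hit:
                yield local, hit


if __name__ == "__main__":
    import sys
    for local, report_path in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{local}\n  matches report drop: {report_path}")
```

Because all nine drops carry different sizes and digests, this table only catches these exact copies; the parent's SSDEEP value is the better pivot for related samples, and the memory dumps for PIDs 4988 and 4268 cover the same 0x400000-0x42D000 region, which is where to compare the unpacked code rather than the on-disk files.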