Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows7_x64 -
resource
win7-20220901-en -
resource tags
-
submitted
25-11-2022 15:36
General
-
Target
232b4e58becd79be3ce78ff0e244e6b193fb0f2feb80880274e04291d029813d.exe
-
Size
1.7MB
-
MD5
cfc93e127ae1ad3c96ede8c1ae851adc
-
SHA1
5533de5de014062a1b6aecad05f07d73435ebb3b
-
SHA256
232b4e58becd79be3ce78ff0e244e6b193fb0f2feb80880274e04291d029813d
-
SHA512
8ac3b6e400bb172533713e14afc93fc242d3305104464600b2ffa101f05998f26db606ae6740d92518e8ee9de599f613deee7ee4da94c6070b49d3131f96f85c
-
SSDEEP
49152:th1cpLXWaZ0VGPJqv9jxdyQngUbV7+Cdk:d0UVGPJmdxdzngUl+Cdk
Malware Config
Signatures
-
Executes dropped EXE 4 IoCs
-
Loads dropped DLL 8 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Program Files directory 5 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies Internet Explorer settings 1 TTPs 49 IoCs
-
Modifies Internet Explorer start page 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SetWindowsHookEx 8 IoCs
-
Suspicious use of WriteProcessMemory 33 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\232b4e58becd79be3ce78ff0e244e6b193fb0f2feb80880274e04291d029813d.exe"C:\Users\Admin\AppData\Local\Temp\232b4e58becd79be3ce78ff0e244e6b193fb0f2feb80880274e04291d029813d.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-E8AUO.tmp\232b4e58becd79be3ce78ff0e244e6b193fb0f2feb80880274e04291d029813d.tmp"C:\Users\Admin\AppData\Local\Temp\is-E8AUO.tmp\232b4e58becd79be3ce78ff0e244e6b193fb0f2feb80880274e04291d029813d.tmp" /SL5="$70120,1325315,146432,C:\Users\Admin\AppData\Local\Temp\232b4e58becd79be3ce78ff0e244e6b193fb0f2feb80880274e04291d029813d.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-T76CB.tmp\hp_ssh.exe"C:\Users\Admin\AppData\Local\Temp\is-T76CB.tmp\hp_ssh.exe" /VERYSILENT -tk -fid3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-J69VR.tmp\hp_ssh.tmp"C:\Users\Admin\AppData\Local\Temp\is-J69VR.tmp\hp_ssh.tmp" /SL5="$90158,792154,146432,C:\Users\Admin\AppData\Local\Temp\is-T76CB.tmp\hp_ssh.exe" /VERYSILENT -tk -fid4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-OJONI.tmp\LabanSetHP.exe"C:\Users\Admin\AppData\Local\Temp\is-OJONI.tmp\LabanSetHP.exe" -url "http://www.laban.vn/?utm_source=ssh&u=868d3416c46bcaa3cd659fed756115e01913&utm_campaign=202211"5⤵
- Executes dropped EXE
- Modifies Internet Explorer start page
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://www.laban.vn/?utm_source=ssh&a=1&time=25-11-2022-23-20-18&h=061bc155a4860503249241922a98caea5⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1692 CREDAT:275457 /prefetch:26⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015Filesize
61KB
MD53dcf580a93972319e82cafbc047d34d5
SHA18528d2a1363e5de77dc3b1142850e51ead0f4b6b
SHA25640810e31f1b69075c727e6d557f9614d5880112895ff6f4df1767e87ae5640d1
SHA51298384be7218340f95dae88d1cb865f23a0b4e12855beb6e74a3752274c9b4c601e493864db777bca677a370d0a9dbffd68d94898a82014537f3a801cce839c42
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD5eef24660b268b2b8d073ba353673977b
SHA1fca92a163935e81bc0b4645bb28ec477396f177c
SHA2564ef3350ed9a0bee9de55113f1dd6abda300eb33247c32a7ce207b0d354d0df1c
SHA5129c629e4ccc7ea328ce44885c08f4a57e5edc0e55e5769efb247e182d957b6f0ef9ab2d551b889a47aea4ec0173b078de9a30d29563b0e07f19374f0e353cb816
-
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\309axvf\imagestore.datFilesize
5KB
MD5f947bcf5d657ccdae7405ad46ee37fc8
SHA10a4dd19fda806c43cff2bb402a20dc27c9b378d3
SHA2565f2c6683d9f14cb15d7bb80cebf2490b9c1cce48cb3d020fd5593bd8fa411de2
SHA512688ea30ba08b8c06bc48319740eb205a8960f09c3065876e8bf88f865616c44334e84f1f6b8d5002a71dcb44ff4ac06b5e92ee8c0b277f2980b8f4355816c282
-
C:\Users\Admin\AppData\Local\Temp\is-E8AUO.tmp\232b4e58becd79be3ce78ff0e244e6b193fb0f2feb80880274e04291d029813d.tmpFilesize
1.1MB
MD56ecdf734b960fbe44aed1d25d832d474
SHA12a4d9f35e753ca019f8c720d124c89b0ec063f35
SHA256468d8f9a4aa098aa8850e57d483858abd5278cdaf5136cfc0c5c3bb3d93b6178
SHA512e69c989938a736f584f7613fce62bdd0526b2a220805880807c984245c5fef473bd879341df75ea4f6aae81862caba1ecd297856d25be8ed9661df711cf80202
-
C:\Users\Admin\AppData\Local\Temp\is-J69VR.tmp\hp_ssh.tmpFilesize
1.1MB
MD56ecdf734b960fbe44aed1d25d832d474
SHA12a4d9f35e753ca019f8c720d124c89b0ec063f35
SHA256468d8f9a4aa098aa8850e57d483858abd5278cdaf5136cfc0c5c3bb3d93b6178
SHA512e69c989938a736f584f7613fce62bdd0526b2a220805880807c984245c5fef473bd879341df75ea4f6aae81862caba1ecd297856d25be8ed9661df711cf80202
-
C:\Users\Admin\AppData\Local\Temp\is-J69VR.tmp\hp_ssh.tmpFilesize
1.1MB
MD56ecdf734b960fbe44aed1d25d832d474
SHA12a4d9f35e753ca019f8c720d124c89b0ec063f35
SHA256468d8f9a4aa098aa8850e57d483858abd5278cdaf5136cfc0c5c3bb3d93b6178
SHA512e69c989938a736f584f7613fce62bdd0526b2a220805880807c984245c5fef473bd879341df75ea4f6aae81862caba1ecd297856d25be8ed9661df711cf80202
-
C:\Users\Admin\AppData\Local\Temp\is-OJONI.tmp\LabanSetHP.exeFilesize
1.7MB
MD5d491a742a2a54416a73b67027940a3e7
SHA14982d92761b50ff30b2b1ae430202f2d3e41b87e
SHA2562b8d01c7db378909bf28697bcbe6f31f5bfd6249ec2897ea07695f3f7a323141
SHA5121ee252bc796587d43150a9587d83a07083444374ac7ae346bbb82013b6b1c270c77a5a654aa55996b20cd049b88af3d1c5c53cb40f0424ece28ba02f25d3aa8b
-
C:\Users\Admin\AppData\Local\Temp\is-OJONI.tmp\LabanSetHP.exeFilesize
1.7MB
MD5d491a742a2a54416a73b67027940a3e7
SHA14982d92761b50ff30b2b1ae430202f2d3e41b87e
SHA2562b8d01c7db378909bf28697bcbe6f31f5bfd6249ec2897ea07695f3f7a323141
SHA5121ee252bc796587d43150a9587d83a07083444374ac7ae346bbb82013b6b1c270c77a5a654aa55996b20cd049b88af3d1c5c53cb40f0424ece28ba02f25d3aa8b
-
C:\Users\Admin\AppData\Local\Temp\is-T76CB.tmp\hp_ssh.exeFilesize
1.2MB
MD5b986bb23472a690424f26f91ecd0e536
SHA167c5e517be834aea2be45a114bd016462ed76bbd
SHA25676c35b5fd8bbf9406a457f5dd62071b76e72d6844d5b6ee7c4374bedb8a1ca21
SHA512a5962c88e88b7c5260efa50ff6563a31f20d1a80913c9ecfc6e2c6d0c765fc3d35bea663afeecaf843c4a12dd7c54748179fa0bcaca020b0e3652a483da05147
-
C:\Users\Admin\AppData\Local\Temp\is-T76CB.tmp\hp_ssh.exeFilesize
1.2MB
MD5b986bb23472a690424f26f91ecd0e536
SHA167c5e517be834aea2be45a114bd016462ed76bbd
SHA25676c35b5fd8bbf9406a457f5dd62071b76e72d6844d5b6ee7c4374bedb8a1ca21
SHA512a5962c88e88b7c5260efa50ff6563a31f20d1a80913c9ecfc6e2c6d0c765fc3d35bea663afeecaf843c4a12dd7c54748179fa0bcaca020b0e3652a483da05147
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\8D0UI72P.txtFilesize
607B
MD5e7a9b43a01015d6c7e5b0ee297e043d2
SHA16662505ff5920f81dde23cd440f0904c1f6fcf2b
SHA2566be4cea22701e01e6e4c6451260c307550afdc7afb4a8e0f98bed2460bb1c286
SHA51285db244c5da1548713bd4ebb1a7750b08638b8531bdc7b17d0584b198cf04fd8be90fb787c93005f5d6d36834762aace361d0593a276d397054fd13cafbd496d
-
\Users\Admin\AppData\Local\Temp\is-E8AUO.tmp\232b4e58becd79be3ce78ff0e244e6b193fb0f2feb80880274e04291d029813d.tmpFilesize
1.1MB
MD56ecdf734b960fbe44aed1d25d832d474
SHA12a4d9f35e753ca019f8c720d124c89b0ec063f35
SHA256468d8f9a4aa098aa8850e57d483858abd5278cdaf5136cfc0c5c3bb3d93b6178
SHA512e69c989938a736f584f7613fce62bdd0526b2a220805880807c984245c5fef473bd879341df75ea4f6aae81862caba1ecd297856d25be8ed9661df711cf80202
-
\Users\Admin\AppData\Local\Temp\is-J69VR.tmp\hp_ssh.tmpFilesize
1.1MB
MD56ecdf734b960fbe44aed1d25d832d474
SHA12a4d9f35e753ca019f8c720d124c89b0ec063f35
SHA256468d8f9a4aa098aa8850e57d483858abd5278cdaf5136cfc0c5c3bb3d93b6178
SHA512e69c989938a736f584f7613fce62bdd0526b2a220805880807c984245c5fef473bd879341df75ea4f6aae81862caba1ecd297856d25be8ed9661df711cf80202
-
\Users\Admin\AppData\Local\Temp\is-OJONI.tmp\LabanSetHP.exeFilesize
1.7MB
MD5d491a742a2a54416a73b67027940a3e7
SHA14982d92761b50ff30b2b1ae430202f2d3e41b87e
SHA2562b8d01c7db378909bf28697bcbe6f31f5bfd6249ec2897ea07695f3f7a323141
SHA5121ee252bc796587d43150a9587d83a07083444374ac7ae346bbb82013b6b1c270c77a5a654aa55996b20cd049b88af3d1c5c53cb40f0424ece28ba02f25d3aa8b
-
\Users\Admin\AppData\Local\Temp\is-OJONI.tmp\_isetup\_shfoldr.dllFilesize
22KB
MD592dc6ef532fbb4a5c3201469a5b5eb63
SHA13e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA2569884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA5129908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3
-
\Users\Admin\AppData\Local\Temp\is-OJONI.tmp\_isetup\_shfoldr.dllFilesize
22KB
MD592dc6ef532fbb4a5c3201469a5b5eb63
SHA13e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA2569884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA5129908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3
-
\Users\Admin\AppData\Local\Temp\is-T76CB.tmp\_isetup\_shfoldr.dllFilesize
22KB
MD592dc6ef532fbb4a5c3201469a5b5eb63
SHA13e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA2569884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA5129908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3
-
\Users\Admin\AppData\Local\Temp\is-T76CB.tmp\_isetup\_shfoldr.dllFilesize
22KB
MD592dc6ef532fbb4a5c3201469a5b5eb63
SHA13e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA2569884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA5129908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3
-
\Users\Admin\AppData\Local\Temp\is-T76CB.tmp\hp_ssh.exeFilesize
1.2MB
MD5b986bb23472a690424f26f91ecd0e536
SHA167c5e517be834aea2be45a114bd016462ed76bbd
SHA25676c35b5fd8bbf9406a457f5dd62071b76e72d6844d5b6ee7c4374bedb8a1ca21
SHA512a5962c88e88b7c5260efa50ff6563a31f20d1a80913c9ecfc6e2c6d0c765fc3d35bea663afeecaf843c4a12dd7c54748179fa0bcaca020b0e3652a483da05147
-
memory/892-77-0x0000000000400000-0x000000000042E000-memory.dmpFilesize
184KB
-
memory/892-67-0x0000000000400000-0x000000000042E000-memory.dmpFilesize
184KB
-
memory/892-85-0x0000000000400000-0x000000000042E000-memory.dmpFilesize
184KB
-
memory/892-64-0x0000000000000000-mapping.dmp
-
memory/944-58-0x0000000000000000-mapping.dmp
-
memory/1120-79-0x0000000000000000-mapping.dmp
-
memory/1248-82-0x0000000074021000-0x0000000074023000-memory.dmpFilesize
8KB
-
memory/1248-71-0x0000000000000000-mapping.dmp
-
memory/1368-76-0x0000000000400000-0x000000000042E000-memory.dmpFilesize
184KB
-
memory/1368-86-0x0000000000400000-0x000000000042E000-memory.dmpFilesize
184KB
-
memory/1368-54-0x0000000074E41000-0x0000000074E43000-memory.dmpFilesize
8KB
-
memory/1368-55-0x0000000000400000-0x000000000042E000-memory.dmpFilesize
184KB