Overview

overview

8

Static

static

f9fc23c50b...a3.exe

windows7-x64

8

f9fc23c50b...a3.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    133s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    25-11-2022 15:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f9fc23c50b76e436b45ee9def3a8f03ef5c73e817a293d6ffeb92cdda97179a3.exe

  • Size

    1.7MB

  • MD5

    9511f0e4ad12ef2e0650cbec3e184858

  • SHA1

    165e6244713e88bbcb2b47e697c729a94f434641

  • SHA256

    f9fc23c50b76e436b45ee9def3a8f03ef5c73e817a293d6ffeb92cdda97179a3

  • SHA512

    8702da1f98650b8b01537117337cd7f89bee6d136444679a85e619549f5ffbb4220920eac259e6ddd8503205ced555fae74ab66287763c0810f942b1c0eb636a

  • SSDEEP

    24576:IxGGo1AZLh9k8xkF/cTJq5C3RYRxoCAUF6XY/G4QgayCYRK+ILTfBLXSY4Qk:tn1+LhO8xkFkTJq5GCo9n9V7+Cdk

Score
8/10
discoverypersistencespywarestealer

Malware Config

Signatures

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 8 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in Program Files directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 49 IoCs
    adwarespyware
  • Modifies Internet Explorer start page 1 TTPs 1 IoCs
    stealer
  • Modifies system certificate store 2 TTPs 2 IoCs
    evasionspywaretrojan
  • Script User-Agent 2 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f9fc23c50b76e436b45ee9def3a8f03ef5c73e817a293d6ffeb92cdda97179a3.exe
    "C:\Users\Admin\AppData\Local\Temp\f9fc23c50b76e436b45ee9def3a8f03ef5c73e817a293d6ffeb92cdda97179a3.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1284
    • C:\Users\Admin\AppData\Local\Temp\is-DE9AH.tmp\f9fc23c50b76e436b45ee9def3a8f03ef5c73e817a293d6ffeb92cdda97179a3.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-DE9AH.tmp\f9fc23c50b76e436b45ee9def3a8f03ef5c73e817a293d6ffeb92cdda97179a3.tmp" /SL5="$80022,1324747,146432,C:\Users\Admin\AppData\Local\Temp\f9fc23c50b76e436b45ee9def3a8f03ef5c73e817a293d6ffeb92cdda97179a3.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1288
      • C:\Users\Admin\AppData\Local\Temp\is-T313O.tmp\hp_sl_032.exe
        "C:\Users\Admin\AppData\Local\Temp\is-T313O.tmp\hp_sl_032.exe" /VERYSILENT
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2028
        • C:\Users\Admin\AppData\Local\Temp\is-N458T.tmp\hp_sl_032.tmp
          "C:\Users\Admin\AppData\Local\Temp\is-N458T.tmp\hp_sl_032.tmp" /SL5="$20156,792154,146432,C:\Users\Admin\AppData\Local\Temp\is-T313O.tmp\hp_sl_032.exe" /VERYSILENT
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in Program Files directory
          • Modifies system certificate store
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:756
          • C:\Users\Admin\AppData\Local\Temp\is-GFVDA.tmp\LabanSetHP.exe
            "C:\Users\Admin\AppData\Local\Temp\is-GFVDA.tmp\LabanSetHP.exe" -url "http://www.laban.vn/?utm_source=sl_032&u=8f66ac15363f7d7f0980079e9bc2fc8951c5&utm_campaign=202211"
            5⤵
            • Executes dropped EXE
            • Modifies Internet Explorer start page
            • Suspicious use of SetWindowsHookEx
            PID:1104
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe" http://www.laban.vn/?utm_source=sl_032&a=1&time=25-11-2022-23-20-18&h=652d43915051bf5be8d06590c89ca568
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:548
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:548 CREDAT:275457 /prefetch:2
              6⤵
              • Modifies Internet Explorer settings
              • Suspicious behavior: GetForegroundWindowSpam
              • Suspicious use of SetWindowsHookEx
              PID:1612

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

4
T1112

Install Root Certificate

1
T1130

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
    Filesize

    61KB

    MD5

    3dcf580a93972319e82cafbc047d34d5

    SHA1

    8528d2a1363e5de77dc3b1142850e51ead0f4b6b

    SHA256

    40810e31f1b69075c727e6d557f9614d5880112895ff6f4df1767e87ae5640d1

    SHA512

    98384be7218340f95dae88d1cb865f23a0b4e12855beb6e74a3752274c9b4c601e493864db777bca677a370d0a9dbffd68d94898a82014537f3a801cce839c42

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    cf0b00a0a9fc532840fa7a2b9adf21f2

    SHA1

    d7127fd9e8d3427c9abb46fee2c52ca32b5912b8

    SHA256

    ed49b41a1d0decc3fbf9fbf0f22d864c4b7b3c2f18b9a9ebed40ca4062fffab5

    SHA512

    f86b1c47197e92a7188b96e61d7d3769f3e81b8fe59d264521a332c45b3afa478e1bbfadd416c2791c9d5285ba464e0a7b2cd5946386e42d9183be5e1371dda4

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    379014c325293bf8a39e94d89d9a5cec

    SHA1

    19e44e611cc4e3b57bbedf70352498967ac7c83e

    SHA256

    71ae9e8a25101d3cd96a37a3df3e9d5ac4e7b759b19d89fe33bdbff06b247013

    SHA512

    343965727ec67e9240b235c7b449fba601c727807da0acfc7819466e95c71064b94cbb4f8464a768b637c2e88f0f2f5df04c1fa07be3fd1211d22947133e45ff

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\309axvf\imagestore.dat
    Filesize

    5KB

    MD5

    2978d3c8e3dd1b1f0be935192629150e

    SHA1

    ac1e29caa137ab6676df5eb45262b1a2f176ccf7

    SHA256

    90568399ab72a890211843aa227d7b8d1de87274fdf2e121700b1398e0ebea87

    SHA512

    7f5dce60eeb3a173b7951adf132b4a778e6d056075a6c3fbe2dfaf04ddbf2adf6afca01d5f9d128da171173210e6d87697d484008d176861043e50a990db4baf

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\is-DE9AH.tmp\f9fc23c50b76e436b45ee9def3a8f03ef5c73e817a293d6ffeb92cdda97179a3.tmp
    Filesize

    1.1MB

    MD5

    6ecdf734b960fbe44aed1d25d832d474

    SHA1

    2a4d9f35e753ca019f8c720d124c89b0ec063f35

    SHA256

    468d8f9a4aa098aa8850e57d483858abd5278cdaf5136cfc0c5c3bb3d93b6178

    SHA512

    e69c989938a736f584f7613fce62bdd0526b2a220805880807c984245c5fef473bd879341df75ea4f6aae81862caba1ecd297856d25be8ed9661df711cf80202

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\is-GFVDA.tmp\LabanSetHP.exe
    Filesize

    1.7MB

    MD5

    d491a742a2a54416a73b67027940a3e7

    SHA1

    4982d92761b50ff30b2b1ae430202f2d3e41b87e

    SHA256

    2b8d01c7db378909bf28697bcbe6f31f5bfd6249ec2897ea07695f3f7a323141

    SHA512

    1ee252bc796587d43150a9587d83a07083444374ac7ae346bbb82013b6b1c270c77a5a654aa55996b20cd049b88af3d1c5c53cb40f0424ece28ba02f25d3aa8b

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\is-GFVDA.tmp\LabanSetHP.exe
    Filesize

    1.7MB

    MD5

    d491a742a2a54416a73b67027940a3e7

    SHA1

    4982d92761b50ff30b2b1ae430202f2d3e41b87e

    SHA256

    2b8d01c7db378909bf28697bcbe6f31f5bfd6249ec2897ea07695f3f7a323141

    SHA512

    1ee252bc796587d43150a9587d83a07083444374ac7ae346bbb82013b6b1c270c77a5a654aa55996b20cd049b88af3d1c5c53cb40f0424ece28ba02f25d3aa8b

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\is-N458T.tmp\hp_sl_032.tmp
    Filesize

    1.1MB

    MD5

    6ecdf734b960fbe44aed1d25d832d474

    SHA1

    2a4d9f35e753ca019f8c720d124c89b0ec063f35

    SHA256

    468d8f9a4aa098aa8850e57d483858abd5278cdaf5136cfc0c5c3bb3d93b6178

    SHA512

    e69c989938a736f584f7613fce62bdd0526b2a220805880807c984245c5fef473bd879341df75ea4f6aae81862caba1ecd297856d25be8ed9661df711cf80202

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\is-N458T.tmp\hp_sl_032.tmp
    Filesize

    1.1MB

    MD5

    6ecdf734b960fbe44aed1d25d832d474

    SHA1

    2a4d9f35e753ca019f8c720d124c89b0ec063f35

    SHA256

    468d8f9a4aa098aa8850e57d483858abd5278cdaf5136cfc0c5c3bb3d93b6178

    SHA512

    e69c989938a736f584f7613fce62bdd0526b2a220805880807c984245c5fef473bd879341df75ea4f6aae81862caba1ecd297856d25be8ed9661df711cf80202

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\is-T313O.tmp\hp_sl_032.exe
    Filesize

    1.2MB

    MD5

    1ad76aa2acbb9ed6c5ab1a7558b7abc9

    SHA1

    7d8a4e9be8b7f14f2aea3e661103576f98180d6c

    SHA256

    e50b30e52888befc8e0820ad2c0a0aa99837dfe0a81fe83632b2bd54148cf51a

    SHA512

    236fc2446564f6a374aca27bbcad682c3e76d2a792d445e8cb62f625592e82e426dc7aa6d23fa4a42ad33d2e74605adc261e3fe18e82611d4e82e2a35fbc0122

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\is-T313O.tmp\hp_sl_032.exe
    Filesize

    1.2MB

    MD5

    1ad76aa2acbb9ed6c5ab1a7558b7abc9

    SHA1

    7d8a4e9be8b7f14f2aea3e661103576f98180d6c

    SHA256

    e50b30e52888befc8e0820ad2c0a0aa99837dfe0a81fe83632b2bd54148cf51a

    SHA512

    236fc2446564f6a374aca27bbcad682c3e76d2a792d445e8cb62f625592e82e426dc7aa6d23fa4a42ad33d2e74605adc261e3fe18e82611d4e82e2a35fbc0122

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\WNFDZA5Z.txt
    Filesize

    607B

    MD5

    e6cb022255b181786ddc7f8c2aaa875d

    SHA1

    888d584d0f0962c551246f87c6ee6f3291da1b64

    SHA256

    fac117718ac22d338e67d0384823c124d1aa0061f12bb80d9cf4ad3f879a4755

    SHA512

    2f0f48c3a4791cda73d75a57914642f816ba8eb4d63b218dcd40d70fabb7413318cc2483ec48e70e59cecacfe1a4cce63dfd4061aad5ddeddbef9bcc7cc9a1aa

    Download Submit
  • \Users\Admin\AppData\Local\Temp\is-DE9AH.tmp\f9fc23c50b76e436b45ee9def3a8f03ef5c73e817a293d6ffeb92cdda97179a3.tmp
    Filesize

    1.1MB

    MD5

    6ecdf734b960fbe44aed1d25d832d474

    SHA1

    2a4d9f35e753ca019f8c720d124c89b0ec063f35

    SHA256

    468d8f9a4aa098aa8850e57d483858abd5278cdaf5136cfc0c5c3bb3d93b6178

    SHA512

    e69c989938a736f584f7613fce62bdd0526b2a220805880807c984245c5fef473bd879341df75ea4f6aae81862caba1ecd297856d25be8ed9661df711cf80202

    Download Submit
  • \Users\Admin\AppData\Local\Temp\is-GFVDA.tmp\LabanSetHP.exe
    Filesize

    1.7MB

    MD5

    d491a742a2a54416a73b67027940a3e7

    SHA1

    4982d92761b50ff30b2b1ae430202f2d3e41b87e

    SHA256

    2b8d01c7db378909bf28697bcbe6f31f5bfd6249ec2897ea07695f3f7a323141

    SHA512

    1ee252bc796587d43150a9587d83a07083444374ac7ae346bbb82013b6b1c270c77a5a654aa55996b20cd049b88af3d1c5c53cb40f0424ece28ba02f25d3aa8b

    Download Submit
  • \Users\Admin\AppData\Local\Temp\is-GFVDA.tmp\_isetup\_shfoldr.dll
    Filesize

    22KB

    MD5

    92dc6ef532fbb4a5c3201469a5b5eb63

    SHA1

    3e89ff837147c16b4e41c30d6c796374e0b8e62c

    SHA256

    9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

    SHA512

    9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

    Download Submit
  • \Users\Admin\AppData\Local\Temp\is-GFVDA.tmp\_isetup\_shfoldr.dll
    Filesize

    22KB

    MD5

    92dc6ef532fbb4a5c3201469a5b5eb63

    SHA1

    3e89ff837147c16b4e41c30d6c796374e0b8e62c

    SHA256

    9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

    SHA512

    9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

    Download Submit
  • \Users\Admin\AppData\Local\Temp\is-N458T.tmp\hp_sl_032.tmp
    Filesize

    1.1MB

    MD5

    6ecdf734b960fbe44aed1d25d832d474

    SHA1

    2a4d9f35e753ca019f8c720d124c89b0ec063f35

    SHA256

    468d8f9a4aa098aa8850e57d483858abd5278cdaf5136cfc0c5c3bb3d93b6178

    SHA512

    e69c989938a736f584f7613fce62bdd0526b2a220805880807c984245c5fef473bd879341df75ea4f6aae81862caba1ecd297856d25be8ed9661df711cf80202

    Download Submit
  • \Users\Admin\AppData\Local\Temp\is-T313O.tmp\_isetup\_shfoldr.dll
    Filesize

    22KB

    MD5

    92dc6ef532fbb4a5c3201469a5b5eb63

    SHA1

    3e89ff837147c16b4e41c30d6c796374e0b8e62c

    SHA256

    9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

    SHA512

    9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

    Download Submit
  • \Users\Admin\AppData\Local\Temp\is-T313O.tmp\_isetup\_shfoldr.dll
    Filesize

    22KB

    MD5

    92dc6ef532fbb4a5c3201469a5b5eb63

    SHA1

    3e89ff837147c16b4e41c30d6c796374e0b8e62c

    SHA256

    9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

    SHA512

    9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

    Download Submit
  • \Users\Admin\AppData\Local\Temp\is-T313O.tmp\hp_sl_032.exe
    Filesize

    1.2MB

    MD5

    1ad76aa2acbb9ed6c5ab1a7558b7abc9

    SHA1

    7d8a4e9be8b7f14f2aea3e661103576f98180d6c

    SHA256

    e50b30e52888befc8e0820ad2c0a0aa99837dfe0a81fe83632b2bd54148cf51a

    SHA512

    236fc2446564f6a374aca27bbcad682c3e76d2a792d445e8cb62f625592e82e426dc7aa6d23fa4a42ad33d2e74605adc261e3fe18e82611d4e82e2a35fbc0122

    Download Submit
  • memory/756-71-0x0000000000000000-mapping.dmp
    Download
  • memory/756-82-0x0000000074C61000-0x0000000074C63000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1104-79-0x0000000000000000-mapping.dmp
    Download
  • memory/1284-86-0x0000000000400000-0x000000000042E000-memory.dmp
    Filesize

    184KB

    Download
  • memory/1284-76-0x0000000000400000-0x000000000042E000-memory.dmp
    Filesize

    184KB

    Download
  • memory/1284-54-0x00000000762E1000-0x00000000762E3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1284-55-0x0000000000400000-0x000000000042E000-memory.dmp
    Filesize

    184KB

    Download
  • memory/1288-58-0x0000000000000000-mapping.dmp
    Download
  • memory/2028-67-0x0000000000400000-0x000000000042E000-memory.dmp
    Filesize

    184KB

    Download
  • memory/2028-64-0x0000000000000000-mapping.dmp
    Download
  • memory/2028-85-0x0000000000400000-0x000000000042E000-memory.dmp
    Filesize

    184KB

    Download
  • memory/2028-77-0x0000000000400000-0x000000000042E000-memory.dmp
    Filesize

    184KB

    Download