Analysis

  • max time kernel
    151s
  • max time network
    49s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64 arch:x86 image:win7-20220901-en locale:en-us os:windows7-x64 system
  • submitted
    27-11-2022 16:42

General

  • Target

    19870ef370bff5ae4b853440fb9e4fa339a4ac4a7ed5eeada1c55e62768f01ac.exe

  • Size

    1.4MB

  • MD5

    31cbddc2dc168ed87f5d7d597f6d054e

  • SHA1

    d3c21ac8038e48c4c53b96c1d37921e28222ddcc

  • SHA256

    19870ef370bff5ae4b853440fb9e4fa339a4ac4a7ed5eeada1c55e62768f01ac

  • SHA512

    014e9562a764f01c29e71556df2c9ae9768e2547e83056d3f5eb3f82693aade10f437c75eee29b8eb841f11019e491408b2ef77fa990c5e239d960f4c605bdb0

  • SSDEEP

    24576:Gwa2WYC3X9ovTzB4uOG6A4Sgt8G0+j4OHISDWjb5IsEi0cTG0tV0EZ:pd8X9Szd76A4S68o31DOm6TG0tV0EZ

Malware Config

Signatures

  • Executes dropped EXE 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 2 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates connected drives 3 TTPs 44 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 36 IoCs
  • Drops file in Program Files directory 28 IoCs
  • Drops file in Windows directory 27 IoCs
  • Modifies data under HKEY_USERS 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 15 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\19870ef370bff5ae4b853440fb9e4fa339a4ac4a7ed5eeada1c55e62768f01ac.exe
    "C:\Users\Admin\AppData\Local\Temp\19870ef370bff5ae4b853440fb9e4fa339a4ac4a7ed5eeada1c55e62768f01ac.exe"
    1⤵
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:1408
  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
    1⤵
    • Executes dropped EXE
    • Drops file in Windows directory
    PID:2040
  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    1⤵
    • Executes dropped EXE
    PID:1688
  • C:\Windows\system32\dllhost.exe
    C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
    1⤵
    • Drops file in Windows directory
    PID:1140
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1368
  • C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
    "C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
    1⤵
    • Executes dropped EXE
    • Windows security modification
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:1508
  • C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\SearchIndexer.exe /Embedding
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:360
    • C:\Windows\system32\SearchProtocolHost.exe
      "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-4063495947-34355257-727531523-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-4063495947-34355257-727531523-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
      2⤵
      • Suspicious use of SetWindowsHookEx
      PID:1344
    • C:\Windows\system32\SearchFilterHost.exe
      "C:\Windows\system32\SearchFilterHost.exe" 0 512 516 524 65536 520
      2⤵
      PID:1440

    Network

    MITRE ATT&CK Enterprise v6

    Downloads

    • C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

      Filesize

      304KB

      MD5

      955879bca9ff6fc7f313f46581f01210

      SHA1

      fe50013b527a7d6efa69289aa72de944856a3367

      SHA256

      b84f78d691ce336e0ae0910ca187bf732fb664e45c87cac49d52716b1702051c

      SHA512

      66e404f05d674f3ec640a4a308a554fff58571cdac1b48b6ac204e06cdc4a545cc71d03bf3b8e517a1770c88ecd135ecd341980ab6f975ee5611d138d394d9b6

    • C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

      Filesize

      1.2MB

      MD5

      cfc815c95a8a470fab3ca0da89c649aa

      SHA1

      56da8cc1ffad1343c9f5411ba05a4d40e5486dcc

      SHA256

      52de0f75f621ca643e933bc3501a5a05aa240529bc17a42c272922cf21a17750

      SHA512

      e728f1a531996ebb6255e16d8ca177e5cef56020d5cbb5490a1d4aa49959f3378d7954195d7c78de080bd5dd6c262fa8a1abb9e8d67c7760c75e42823ec5f51b

    • C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

      Filesize

      304KB

      MD5

      6ca9b516b7f51b10e7d7a92e6b77faed

      SHA1

      028d4c2983052ed68166cbe7111f056012204a7e

      SHA256

      588d9cfd8347b3fbed89983e6d7787349085c19f408b22e32d4c268e3a3aa4f0

      SHA512

      9aa374479d55bdf2350f0d60cd944032cedca557e6b9c293fa48bc8addf3c0c4444dd6ab97b65554b72f1a4dcb5c680d937789e693a29e9a9b0339e7ab4c96cd

    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

      Filesize

      223KB

      MD5

      b9916d5a582489f47f6a7b29e107b3c1

      SHA1

      0d5bee90421fe5d935b66ed4d4b20c0c92b773da

      SHA256

      9d67d8b9c0d3da7744b6d841b26f48c796f9f2901552ac95c89a67fa48d2e008

      SHA512

      5f626c4815e0c4b1d9daa2aa7888eecb5710445a87ed3c41701fd592f60d42e4d59516ecc2ab93f0989b840d71be9797ea62520a1aba383986a4ca8b11302d98

    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

      Filesize

      254KB

      MD5

      cdd9ec3e68a1d1e75b6a9b6f2f290584

      SHA1

      4fdfc4cd4c10b5d70791ba1d6bc8097d28bda778

      SHA256

      5b710a4d5f5c49438e6c6086da15bb4d3668d1ac4fe1003f40762f4d9fdccd09

      SHA512

      0138520196d56a85a9bf3b7611d0f432bda61b0fcef96620ac90909806562582a4e30fabf7364aa27b1cda74097e0f2d237e1b7ffad52809e0225e06ad39a12f

    • \??\c:\program files (x86)\microsoft office\office14\groove.exe

      Filesize

      29.7MB

      MD5

      42a992440638a4620f170323cc0edb14

      SHA1

      0b9d496624e5903bd2299cc64f7755397267926a

      SHA256

      b26b094833136c5773ebbc3d2d6e12b3fa9510cd52e1db5f9bb87cfb673386cd

      SHA512

      e554b8308f98976d4792da178d56722b0291757ce6ddda1b3164d466bf78f0fa3e96d3e7f151d69af47ed4be81c79ad42372de127664f7f4e8a71e2a12239a98

    • \??\c:\windows\SysWOW64\searchindexer.exe

      Filesize

      582KB

      MD5

      039361688b23c4f61e019c5c58116564

      SHA1

      c160c2ab45d613a057c2170fbda5e2e207d26548

      SHA256

      a429371b1b5701e61996c012b810ef966a0bfdc6b90d0708bf1ae9e84803f768

      SHA512

      138ce627ae3ef34bdac4e2b93436f356bb35c36a2ef5869129dc6d3f18a6c73048c3389377061a55815be0a87a0250ac67e8705a6817e3a7ad6a40093ea059ee

    • \??\c:\windows\SysWOW64\svchost.exe

      Filesize

      184KB

      MD5

      415818c27267825b0eb9dc88ba7cfc4f

      SHA1

      5adb52656247f0af445f2a96cda0fbf659025221

      SHA256

      fbedfa360d26c4c01addfa69c9bf1e200de2e055c791b92c5f2997f83c069976

      SHA512

      5169e767d97fb9626f1c76b95933ea0e7f1dfc6b636bbdcdd68c2b0e2561670d350d8899e7b090163a5b72cb2e995276c8a6adae7023073adb4b2af1d8e1e347

    • \??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe

      Filesize

      254KB

      MD5

      cdd9ec3e68a1d1e75b6a9b6f2f290584

      SHA1

      4fdfc4cd4c10b5d70791ba1d6bc8097d28bda778

      SHA256

      5b710a4d5f5c49438e6c6086da15bb4d3668d1ac4fe1003f40762f4d9fdccd09

      SHA512

      0138520196d56a85a9bf3b7611d0f432bda61b0fcef96620ac90909806562582a4e30fabf7364aa27b1cda74097e0f2d237e1b7ffad52809e0225e06ad39a12f

    • memory/360-67-0x0000000002AA0000-0x0000000002AB0000-memory.dmp

      Filesize

      64KB

    • memory/360-83-0x0000000002BA0000-0x0000000002BB0000-memory.dmp

      Filesize

      64KB

    • memory/360-99-0x00000000022F0000-0x00000000022F8000-memory.dmp

      Filesize

      32KB

    • memory/360-102-0x00000000022F0000-0x00000000022F8000-memory.dmp

      Filesize

      32KB

    • memory/360-103-0x00000000023D0000-0x00000000023D8000-memory.dmp

      Filesize

      32KB

    • memory/1344-104-0x0000000000000000-mapping.dmp

    • memory/1368-62-0x000007FEFB771000-0x000007FEFB773000-memory.dmp

      Filesize

      8KB

    • memory/1408-61-0x0000000000400000-0x00000000005AA000-memory.dmp

      Filesize

      1.7MB

    • memory/1408-55-0x0000000000400000-0x00000000005AA000-memory.dmp

      Filesize

      1.7MB

    • memory/1408-54-0x0000000074B51000-0x0000000074B53000-memory.dmp

      Filesize

      8KB

    • memory/1440-105-0x0000000000000000-mapping.dmp

    • memory/1508-107-0x000000002E000000-0x000000002E091000-memory.dmp

      Filesize

      580KB

    • memory/1508-64-0x000000002E000000-0x000000002E091000-memory.dmp

      Filesize

      580KB

    • memory/1688-60-0x0000000000400000-0x0000000000484000-memory.dmp

      Filesize

      528KB

    • memory/2040-58-0x0000000010000000-0x000000001007B000-memory.dmp

      Filesize

      492KB