Overview

overview

10

Static

static

864c60986b...f8.exe

windows7-x64

10

864c60986b...f8.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    187s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    28-11-2022 13:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    864c60986b6f51d4dc811b9b897865705d1db27e6299fd00d5ce822b4b02d9f8.exe

  • Size

    524KB

  • MD5

    06cc29e1aa42737cc69ae959c8780f90

  • SHA1

    5b0b8056b0b3a53ab31160131f7df0126821a4a0

  • SHA256

    864c60986b6f51d4dc811b9b897865705d1db27e6299fd00d5ce822b4b02d9f8

  • SHA512

    9dee67aab7c2c928cc1fe0353861d38dca1071a4163203bbea23c7e42057de768e685c05a7fd3a64a2f91c9d071c2d96713750f54c11c44b708d038da4757ae7

  • SSDEEP

    12288:AMMMMMMMMMMMMMMMMMMvDMMMMMMMMMMMMMMMMMMmWyW985x6joFCI01PoE4BMGGm:AMMMMMMMMMMMMMMMMMMvDMMMMMMMMMMi

Score
10/10
persistencespywarestealer

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • NirSoft MailPassView 10 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 6 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 10 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Uses the VBS compiler for execution 1 TTPs
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 31 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\864c60986b6f51d4dc811b9b897865705d1db27e6299fd00d5ce822b4b02d9f8.exe
    "C:\Users\Admin\AppData\Local\Temp\864c60986b6f51d4dc811b9b897865705d1db27e6299fd00d5ce822b4b02d9f8.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1188
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v shell /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\PcHealth\PcHealth.exe,explorer.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1696
      • C:\Windows\SysWOW64\reg.exe
        reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v shell /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\PcHealth\PcHealth.exe,explorer.exe"
        3⤵
        • Modifies WinLogon for persistence
        PID:988
    • C:\Users\Admin\AppData\Local\Temp\864c60986b6f51d4dc811b9b897865705d1db27e6299fd00d5ce822b4b02d9f8.exe
      "C:\Users\Admin\AppData\Local\Temp\864c60986b6f51d4dc811b9b897865705d1db27e6299fd00d5ce822b4b02d9f8.exe"
      2⤵
        PID:1444
      • C:\Users\Admin\AppData\Local\Temp\864c60986b6f51d4dc811b9b897865705d1db27e6299fd00d5ce822b4b02d9f8.exe
        "C:\Users\Admin\AppData\Local\Temp\864c60986b6f51d4dc811b9b897865705d1db27e6299fd00d5ce822b4b02d9f8.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:428
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
          3⤵
            PID:824

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Scripting

      1
      T1064

      Persistence

      Winlogon Helper DLL

      1
      T1004

      Privilege Escalation

      Defense Evasion

      Modify Registry

      1
      T1112

      Scripting

      1
      T1064

      Credential Access

      Credentials in Files

      1
      T1081

      Discovery

      System Information Discovery

      1
      T1082

      Lateral Movement

      Collection

      Data from Local System

      1
      T1005

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • \Users\Admin\AppData\Roaming\PcHealth\PcHealth.exe
        Filesize

        524KB

        MD5

        06cc29e1aa42737cc69ae959c8780f90

        SHA1

        5b0b8056b0b3a53ab31160131f7df0126821a4a0

        SHA256

        864c60986b6f51d4dc811b9b897865705d1db27e6299fd00d5ce822b4b02d9f8

        SHA512

        9dee67aab7c2c928cc1fe0353861d38dca1071a4163203bbea23c7e42057de768e685c05a7fd3a64a2f91c9d071c2d96713750f54c11c44b708d038da4757ae7

        Download Submit
      • memory/428-74-0x0000000074200000-0x00000000747AB000-memory.dmp
        Filesize

        5.7MB

        Download
      • memory/428-75-0x0000000074200000-0x00000000747AB000-memory.dmp
        Filesize

        5.7MB

        Download
      • memory/428-66-0x0000000000400000-0x000000000048C000-memory.dmp
        Filesize

        560KB

        Download
      • memory/428-71-0x0000000000400000-0x000000000048C000-memory.dmp
        Filesize

        560KB

        Download
      • memory/428-69-0x0000000000400000-0x000000000048C000-memory.dmp
        Filesize

        560KB

        Download
      • memory/428-60-0x0000000000400000-0x000000000048C000-memory.dmp
        Filesize

        560KB

        Download
      • memory/428-61-0x0000000000400000-0x000000000048C000-memory.dmp
        Filesize

        560KB

        Download
      • memory/428-63-0x0000000000400000-0x000000000048C000-memory.dmp
        Filesize

        560KB

        Download
      • memory/428-65-0x0000000000400000-0x000000000048C000-memory.dmp
        Filesize

        560KB

        Download
      • memory/428-67-0x0000000000485ABE-mapping.dmp
        Download
      • memory/428-81-0x00000000023A5000-0x00000000023B6000-memory.dmp
        Filesize

        68KB

        Download
      • memory/824-77-0x0000000000411654-mapping.dmp
        Download
      • memory/824-76-0x0000000000400000-0x000000000041B000-memory.dmp
        Filesize

        108KB

        Download
      • memory/824-80-0x0000000000400000-0x000000000041B000-memory.dmp
        Filesize

        108KB

        Download
      • memory/824-82-0x0000000000400000-0x000000000041B000-memory.dmp
        Filesize

        108KB

        Download
      • memory/988-59-0x0000000000000000-mapping.dmp
        Download
      • memory/1188-73-0x0000000074200000-0x00000000747AB000-memory.dmp
        Filesize

        5.7MB

        Download
      • memory/1188-54-0x0000000074FD1000-0x0000000074FD3000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1188-56-0x0000000074200000-0x00000000747AB000-memory.dmp
        Filesize

        5.7MB

        Download
      • memory/1188-55-0x0000000074200000-0x00000000747AB000-memory.dmp
        Filesize

        5.7MB

        Download
      • memory/1696-58-0x0000000000000000-mapping.dmp
        Download