79e6588567217b9a6083c2a47ce4d1ae55d142bae82c18ee16b3014b462c904f

Analysis

max time kernel
107s
max time network
89s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
01/12/2022, 03:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

79e6588567217b9a6083c2a47ce4d1ae55d142bae82c18ee16b3014b462c904f.exe
Size

4.8MB
MD5

b9c9b6a1121071dcc3afac7cef10b987
SHA1

7ec4123c506a76eeaf1904a71263953906687cbf
SHA256

79e6588567217b9a6083c2a47ce4d1ae55d142bae82c18ee16b3014b462c904f
SHA512

ccad975fb3fe467ec16e2951ffada02860817a2b8d2518d9037c590aa533a6d417253fcf2f69d96e82cf28f396b1e8edcc72e7393ddf4f28034b4a1a12cc4fda
SSDEEP

98304:7EK7yYAUDJ4sPgxSAZ5EGh+cDsddihc6TXkBL:txpPHA3DtsdP6TXkB

Score

8^/10

persistence spyware stealer

Malware Config

Signatures

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	do.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	cmd.exe
File created	C:\Windows\system32\drivers\etc\hоsts	cmd.exe

Executes dropped EXE 4 IoCs

pid	Process
952	do.exe
896	setup.exe
1872	run.exe
648	csrss.exe

Loads dropped DLL 7 IoCs

pid	Process
1612	79e6588567217b9a6083c2a47ce4d1ae55d142bae82c18ee16b3014b462c904f.exe
1612	79e6588567217b9a6083c2a47ce4d1ae55d142bae82c18ee16b3014b462c904f.exe
952	do.exe
952	do.exe
952	do.exe
1872	run.exe
1872	run.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\init = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\do.exe\" eeyuckl.bat"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
900	taskkill.exe

Modifies Internet Explorer start page 1 TTPs 2 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://fon.gs/updates/"	run.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://fon.gs/updates/"	csrss.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1668	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
896	setup.exe
896	setup.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	900	taskkill.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
952	do.exe
896	setup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1612 wrote to memory of 952	1612	79e6588567217b9a6083c2a47ce4d1ae55d142bae82c18ee16b3014b462c904f.exe	28
PID 1612 wrote to memory of 952	1612	79e6588567217b9a6083c2a47ce4d1ae55d142bae82c18ee16b3014b462c904f.exe	28
PID 1612 wrote to memory of 952	1612	79e6588567217b9a6083c2a47ce4d1ae55d142bae82c18ee16b3014b462c904f.exe	28
PID 1612 wrote to memory of 952	1612	79e6588567217b9a6083c2a47ce4d1ae55d142bae82c18ee16b3014b462c904f.exe	28
PID 1612 wrote to memory of 952	1612	79e6588567217b9a6083c2a47ce4d1ae55d142bae82c18ee16b3014b462c904f.exe	28
PID 1612 wrote to memory of 952	1612	79e6588567217b9a6083c2a47ce4d1ae55d142bae82c18ee16b3014b462c904f.exe	28
PID 1612 wrote to memory of 952	1612	79e6588567217b9a6083c2a47ce4d1ae55d142bae82c18ee16b3014b462c904f.exe	28
PID 952 wrote to memory of 584	952	do.exe	29
PID 952 wrote to memory of 584	952	do.exe	29
PID 952 wrote to memory of 584	952	do.exe	29
PID 952 wrote to memory of 584	952	do.exe	29
PID 952 wrote to memory of 584	952	do.exe	29
PID 952 wrote to memory of 584	952	do.exe	29
PID 952 wrote to memory of 584	952	do.exe	29
PID 952 wrote to memory of 1516	952	do.exe	31
PID 952 wrote to memory of 1516	952	do.exe	31
PID 952 wrote to memory of 1516	952	do.exe	31
PID 952 wrote to memory of 1516	952	do.exe	31
PID 952 wrote to memory of 1516	952	do.exe	31
PID 952 wrote to memory of 1516	952	do.exe	31
PID 952 wrote to memory of 1516	952	do.exe	31
PID 584 wrote to memory of 844	584	cmd.exe	34
PID 584 wrote to memory of 844	584	cmd.exe	34
PID 584 wrote to memory of 844	584	cmd.exe	34
PID 584 wrote to memory of 844	584	cmd.exe	34
PID 584 wrote to memory of 844	584	cmd.exe	34
PID 584 wrote to memory of 844	584	cmd.exe	34
PID 584 wrote to memory of 844	584	cmd.exe	34
PID 1516 wrote to memory of 1652	1516	cmd.exe	35
PID 1516 wrote to memory of 1652	1516	cmd.exe	35
PID 1516 wrote to memory of 1652	1516	cmd.exe	35
PID 1516 wrote to memory of 1652	1516	cmd.exe	35
PID 1516 wrote to memory of 1652	1516	cmd.exe	35
PID 1516 wrote to memory of 1652	1516	cmd.exe	35
PID 1516 wrote to memory of 1652	1516	cmd.exe	35
PID 584 wrote to memory of 900	584	cmd.exe	36
PID 584 wrote to memory of 900	584	cmd.exe	36
PID 584 wrote to memory of 900	584	cmd.exe	36
PID 584 wrote to memory of 900	584	cmd.exe	36
PID 584 wrote to memory of 900	584	cmd.exe	36
PID 584 wrote to memory of 900	584	cmd.exe	36
PID 584 wrote to memory of 900	584	cmd.exe	36
PID 952 wrote to memory of 896	952	do.exe	33
PID 952 wrote to memory of 896	952	do.exe	33
PID 952 wrote to memory of 896	952	do.exe	33
PID 952 wrote to memory of 896	952	do.exe	33
PID 952 wrote to memory of 896	952	do.exe	33
PID 952 wrote to memory of 896	952	do.exe	33
PID 952 wrote to memory of 896	952	do.exe	33
PID 952 wrote to memory of 1872	952	do.exe	38
PID 952 wrote to memory of 1872	952	do.exe	38
PID 952 wrote to memory of 1872	952	do.exe	38
PID 952 wrote to memory of 1872	952	do.exe	38
PID 952 wrote to memory of 1872	952	do.exe	38
PID 952 wrote to memory of 1872	952	do.exe	38
PID 952 wrote to memory of 1872	952	do.exe	38
PID 1872 wrote to memory of 648	1872	run.exe	39
PID 1872 wrote to memory of 648	1872	run.exe	39
PID 1872 wrote to memory of 648	1872	run.exe	39
PID 1872 wrote to memory of 648	1872	run.exe	39
PID 1872 wrote to memory of 648	1872	run.exe	39
PID 1872 wrote to memory of 648	1872	run.exe	39
PID 1872 wrote to memory of 648	1872	run.exe	39
PID 1872 wrote to memory of 1076	1872	run.exe	40

C:\Users\Admin\AppData\Local\Temp\79e6588567217b9a6083c2a47ce4d1ae55d142bae82c18ee16b3014b462c904f.exe
"C:\Users\Admin\AppData\Local\Temp\79e6588567217b9a6083c2a47ce4d1ae55d142bae82c18ee16b3014b462c904f.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1612
- C:\Users\Admin\AppData\Local\Temp\do.exe
  "C:\Users\Admin\AppData\Local\Temp\do.exe" ++++++++++eeyuckl.bat+++++setup.exe+++++run.exe
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:952
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\eeyuckl.bat" "
    3⤵
    - Drops file in Drivers directory
    - Suspicious use of WriteProcessMemory
    PID:584
  - - C:\Windows\SysWOW64\chcp.com
      chcp 866
      4⤵
      PID:844
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im "praetorian.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:900
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce" /v init /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\do.exe\" eeyuckl.bat" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1516
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce" /v init /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\do.exe\" eeyuckl.bat" /f
      4⤵
      Adds Run key to start application
      PID:1652
- - C:\Users\Admin\AppData\Local\Temp\setup.exe
    "C:\Users\Admin\AppData\Local\Temp\setup.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:896
- - C:\Users\Admin\AppData\Local\Temp\run.exe
    "C:\Users\Admin\AppData\Local\Temp\run.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies Internet Explorer start page
    - Suspicious use of WriteProcessMemory
    PID:1872
  - - C:\Users\Admin\AppData\Local\Temp\eC6AOi5jKK\csrss.exe
      "C:\Users\Admin\AppData\Local\Temp\eC6AOi5jKK\csrss.exe" open
      4⤵
      Executes dropped EXE
      Modifies Internet Explorer start page
      PID:648
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C ping 127.0.0.1 -n 8 & del /F /Q "C:\Users\Admin\AppData\Local\Temp\run.exe"
      4⤵
      PID:1076
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 8
        5⤵
        Runs ping.exe
        
        PID:1668

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
25B

MD5
0bff3c03b40234362688e92c14e23ecf

SHA1
ee591f8bc5f5b1140a1374cfb35e203e10e8264d

SHA256
e1804ee6387dd6adf7301c911634806052012a4696a3e7d221c8a873c7b7a937

SHA512
f188eca19ac1b32dda55fe736fe780cf7f052dc1738c13fd0125b2395e16a050518cddb9513884fd8a3045ddeef9408aa8b83826aa13c148ac7328e24bd15899

Download Submit
C:\Users\Admin\AppData\Local\Temp\do.exe

Filesize
24KB

MD5
eb1de12a58da0bf15b8273b06f8eca48

SHA1
22964d6d42fe3ae5a96acd40b413db3b99f529b5

SHA256
0fd16b475d18dff3dbf2da6af9350562c3a8bef50cc903c49f92eed3c6cf0031

SHA512
10d258d85f7780a5b0822cea20b5c79d2ec48a6f5ed67f5b3f0e3abaf661996b461def94a27956d1f6cf26ad0025ddb4aaf784dcfd267d9779f08c2e90216b49

Download Submit
C:\Users\Admin\AppData\Local\Temp\eC6AOi5jKK\csrss.exe

Filesize
285KB

MD5
8657aef0460f31f44db864b3f3a8522c

SHA1
ed01bf1493bd186ac1fcd60ee4fd81c41182a78f

SHA256
919f11537ac5099ba000faca5cca90cf211a6e677cc1cf5a61a9e3de5b4e7183

SHA512
69c295c6b91be4a9aa6d25a0ad8bfd962a8e81c988067ea1fef642ce0c1cd6c76849d15fe31622cb1f8a835471c468b47115acc37d28a407c35c18413da2cc22

Download Submit
C:\Users\Admin\AppData\Local\Temp\eeyuckl.bat

Filesize
4KB

MD5
c977033d1f8799fcd235db0d6bb39696

SHA1
76b87cd7564bea1efbbcb4df130db21ec410232b

SHA256
a6edb44c3f59bbc53678bf7f3f7ad10155773967edd619f59cf63902aeb71a6d

SHA512
c7fd7addea3899d19cb6e5857d5a741758bbc80795e670026ef8f66eecc5a64a47f5cceec88e6dbd8dbaa037ad1bbecd3b185e362f9c9af353a520d9ac2dbc3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\run.exe

Filesize
285KB

MD5
8657aef0460f31f44db864b3f3a8522c

SHA1
ed01bf1493bd186ac1fcd60ee4fd81c41182a78f

SHA256
919f11537ac5099ba000faca5cca90cf211a6e677cc1cf5a61a9e3de5b4e7183

SHA512
69c295c6b91be4a9aa6d25a0ad8bfd962a8e81c988067ea1fef642ce0c1cd6c76849d15fe31622cb1f8a835471c468b47115acc37d28a407c35c18413da2cc22

Download Submit
C:\Users\Admin\AppData\Local\Temp\run.exe

Filesize
285KB

MD5
8657aef0460f31f44db864b3f3a8522c

SHA1
ed01bf1493bd186ac1fcd60ee4fd81c41182a78f

SHA256
919f11537ac5099ba000faca5cca90cf211a6e677cc1cf5a61a9e3de5b4e7183

SHA512
69c295c6b91be4a9aa6d25a0ad8bfd962a8e81c988067ea1fef642ce0c1cd6c76849d15fe31622cb1f8a835471c468b47115acc37d28a407c35c18413da2cc22

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
5.0MB

MD5
df06d6da9e8b53be359b89e568b53a10

SHA1
e133bd9638bf02b239e760efd09778fa8951f486

SHA256
3fe3ec648ed40c3a54cec81ef8f43d83043ebb2fb05d0d612cace86f2e35793e

SHA512
799df79d12af224705dcf0d8a3f1cfc7a944b297ac04e84a6eb756a0a15b50a5bc294bd6141fc7f07d394cf69a906ff2adf16c0b625f1e1c89a51f9cbee28e79

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
5.0MB

MD5
df06d6da9e8b53be359b89e568b53a10

SHA1
e133bd9638bf02b239e760efd09778fa8951f486

SHA256
3fe3ec648ed40c3a54cec81ef8f43d83043ebb2fb05d0d612cace86f2e35793e

SHA512
799df79d12af224705dcf0d8a3f1cfc7a944b297ac04e84a6eb756a0a15b50a5bc294bd6141fc7f07d394cf69a906ff2adf16c0b625f1e1c89a51f9cbee28e79

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dozshqpt.default-release\prefs.js

Filesize
6KB

MD5
0f038217abdedbc39352f97923c5d114

SHA1
b170f89be4646babb1d7de49cd7cae28c98c23f1

SHA256
ca27b0e02c2e5823225e812b284ed4d4435a96df7d3ec92fd6a139dd156e875f

SHA512
21208a1e24cb012a581ee79c333b77740213881c4c24fd217f97a820fa049ad47ee21a7cc3e0e5678ccc7ebd6f75bf711c34e50f382cf49795b2989cd3a75ba6

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
461B

MD5
a836c22d773f81ff0542ea35a75800a6

SHA1
9bb459e08914ca093d848af5286cc819f5814c03

SHA256
c9f99aaee65c9be36addbf99fc9c61eeba6e7c3ef2c822bf9ac38973801d05c3

SHA512
ef781c7deea8f37937fee78873631456fcb09c6a55103a8063223398d9cedf8147087a0d4819c610257407ddc4027cacf80f2a6d15072b690c56cb4f8c25d24a

Download Submit
\Users\Admin\AppData\Local\Temp\do.exe

Filesize
24KB

MD5
eb1de12a58da0bf15b8273b06f8eca48

SHA1
22964d6d42fe3ae5a96acd40b413db3b99f529b5

SHA256
0fd16b475d18dff3dbf2da6af9350562c3a8bef50cc903c49f92eed3c6cf0031

SHA512
10d258d85f7780a5b0822cea20b5c79d2ec48a6f5ed67f5b3f0e3abaf661996b461def94a27956d1f6cf26ad0025ddb4aaf784dcfd267d9779f08c2e90216b49

Download Submit
\Users\Admin\AppData\Local\Temp\do.exe

Filesize
24KB

MD5
eb1de12a58da0bf15b8273b06f8eca48

SHA1
22964d6d42fe3ae5a96acd40b413db3b99f529b5

SHA256
0fd16b475d18dff3dbf2da6af9350562c3a8bef50cc903c49f92eed3c6cf0031

SHA512
10d258d85f7780a5b0822cea20b5c79d2ec48a6f5ed67f5b3f0e3abaf661996b461def94a27956d1f6cf26ad0025ddb4aaf784dcfd267d9779f08c2e90216b49

Download Submit
\Users\Admin\AppData\Local\Temp\eC6AOi5jKK\csrss.exe

Filesize
285KB

MD5
8657aef0460f31f44db864b3f3a8522c

SHA1
ed01bf1493bd186ac1fcd60ee4fd81c41182a78f

SHA256
919f11537ac5099ba000faca5cca90cf211a6e677cc1cf5a61a9e3de5b4e7183

SHA512
69c295c6b91be4a9aa6d25a0ad8bfd962a8e81c988067ea1fef642ce0c1cd6c76849d15fe31622cb1f8a835471c468b47115acc37d28a407c35c18413da2cc22

Download Submit
\Users\Admin\AppData\Local\Temp\eC6AOi5jKK\csrss.exe

Filesize
285KB

MD5
8657aef0460f31f44db864b3f3a8522c

SHA1
ed01bf1493bd186ac1fcd60ee4fd81c41182a78f

SHA256
919f11537ac5099ba000faca5cca90cf211a6e677cc1cf5a61a9e3de5b4e7183

SHA512
69c295c6b91be4a9aa6d25a0ad8bfd962a8e81c988067ea1fef642ce0c1cd6c76849d15fe31622cb1f8a835471c468b47115acc37d28a407c35c18413da2cc22

Download Submit
\Users\Admin\AppData\Local\Temp\run.exe

Filesize
285KB

MD5
8657aef0460f31f44db864b3f3a8522c

SHA1
ed01bf1493bd186ac1fcd60ee4fd81c41182a78f

SHA256
919f11537ac5099ba000faca5cca90cf211a6e677cc1cf5a61a9e3de5b4e7183

SHA512
69c295c6b91be4a9aa6d25a0ad8bfd962a8e81c988067ea1fef642ce0c1cd6c76849d15fe31622cb1f8a835471c468b47115acc37d28a407c35c18413da2cc22

Download Submit
\Users\Admin\AppData\Local\Temp\run.exe

Filesize
285KB

MD5
8657aef0460f31f44db864b3f3a8522c

SHA1
ed01bf1493bd186ac1fcd60ee4fd81c41182a78f

SHA256
919f11537ac5099ba000faca5cca90cf211a6e677cc1cf5a61a9e3de5b4e7183

SHA512
69c295c6b91be4a9aa6d25a0ad8bfd962a8e81c988067ea1fef642ce0c1cd6c76849d15fe31622cb1f8a835471c468b47115acc37d28a407c35c18413da2cc22

Download Submit
\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
5.0MB

MD5
df06d6da9e8b53be359b89e568b53a10

SHA1
e133bd9638bf02b239e760efd09778fa8951f486

SHA256
3fe3ec648ed40c3a54cec81ef8f43d83043ebb2fb05d0d612cace86f2e35793e

SHA512
799df79d12af224705dcf0d8a3f1cfc7a944b297ac04e84a6eb756a0a15b50a5bc294bd6141fc7f07d394cf69a906ff2adf16c0b625f1e1c89a51f9cbee28e79

Download Submit
memory/896-84-0x0000000000400000-0x000000000087F000-memory.dmp

Filesize
4.5MB

Download
memory/896-86-0x0000000000400000-0x000000000087F000-memory.dmp

Filesize
4.5MB

Download
memory/1612-54-0x00000000764C1000-0x00000000764C3000-memory.dmp

Filesize
8KB

Download