79e6588567217b9a6083c2a47ce4d1ae55d142bae82c18ee16b3014b462c904f

Analysis

max time kernel
183s
max time network
191s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
01/12/2022, 03:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

79e6588567217b9a6083c2a47ce4d1ae55d142bae82c18ee16b3014b462c904f.exe
Size

4.8MB
MD5

b9c9b6a1121071dcc3afac7cef10b987
SHA1

7ec4123c506a76eeaf1904a71263953906687cbf
SHA256

79e6588567217b9a6083c2a47ce4d1ae55d142bae82c18ee16b3014b462c904f
SHA512

ccad975fb3fe467ec16e2951ffada02860817a2b8d2518d9037c590aa533a6d417253fcf2f69d96e82cf28f396b1e8edcc72e7393ddf4f28034b4a1a12cc4fda
SSDEEP

98304:7EK7yYAUDJ4sPgxSAZ5EGh+cDsddihc6TXkBL:txpPHA3DtsdP6TXkB

Score

8^/10

persistence spyware stealer

Malware Config

Signatures

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	do.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	cmd.exe
File created	C:\Windows\system32\drivers\etc\hоsts	cmd.exe

Executes dropped EXE 4 IoCs

pid	Process
2704	do.exe
4628	setup.exe
1976	run.exe
4920	csrss.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	79e6588567217b9a6083c2a47ce4d1ae55d142bae82c18ee16b3014b462c904f.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	do.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	run.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\init = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\do.exe\" eeyuckl.bat"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
2128	taskkill.exe

Modifies Internet Explorer start page 1 TTPs 2 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://fon.gs/updates/"	run.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://fon.gs/updates/"	csrss.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4880	PING.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4628	setup.exe
4628	setup.exe
4628	setup.exe
4628	setup.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2128	taskkill.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2704	do.exe
4628	setup.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 4752 wrote to memory of 2704	4752	79e6588567217b9a6083c2a47ce4d1ae55d142bae82c18ee16b3014b462c904f.exe	78
PID 4752 wrote to memory of 2704	4752	79e6588567217b9a6083c2a47ce4d1ae55d142bae82c18ee16b3014b462c904f.exe	78
PID 4752 wrote to memory of 2704	4752	79e6588567217b9a6083c2a47ce4d1ae55d142bae82c18ee16b3014b462c904f.exe	78
PID 2704 wrote to memory of 3460	2704	do.exe	79
PID 2704 wrote to memory of 3460	2704	do.exe	79
PID 2704 wrote to memory of 3460	2704	do.exe	79
PID 2704 wrote to memory of 4460	2704	do.exe	81
PID 2704 wrote to memory of 4460	2704	do.exe	81
PID 2704 wrote to memory of 4460	2704	do.exe	81
PID 4460 wrote to memory of 4928	4460	cmd.exe	85
PID 4460 wrote to memory of 4928	4460	cmd.exe	85
PID 4460 wrote to memory of 4928	4460	cmd.exe	85
PID 2704 wrote to memory of 4628	2704	do.exe	83
PID 2704 wrote to memory of 4628	2704	do.exe	83
PID 2704 wrote to memory of 4628	2704	do.exe	83
PID 3460 wrote to memory of 388	3460	cmd.exe	84
PID 3460 wrote to memory of 388	3460	cmd.exe	84
PID 3460 wrote to memory of 388	3460	cmd.exe	84
PID 2704 wrote to memory of 1976	2704	do.exe	86
PID 2704 wrote to memory of 1976	2704	do.exe	86
PID 2704 wrote to memory of 1976	2704	do.exe	86
PID 3460 wrote to memory of 2128	3460	cmd.exe	87
PID 3460 wrote to memory of 2128	3460	cmd.exe	87
PID 3460 wrote to memory of 2128	3460	cmd.exe	87
PID 1976 wrote to memory of 4920	1976	run.exe	88
PID 1976 wrote to memory of 4920	1976	run.exe	88
PID 1976 wrote to memory of 4920	1976	run.exe	88
PID 1976 wrote to memory of 1948	1976	run.exe	89
PID 1976 wrote to memory of 1948	1976	run.exe	89
PID 1976 wrote to memory of 1948	1976	run.exe	89
PID 1948 wrote to memory of 4880	1948	cmd.exe	91
PID 1948 wrote to memory of 4880	1948	cmd.exe	91
PID 1948 wrote to memory of 4880	1948	cmd.exe	91

C:\Users\Admin\AppData\Local\Temp\79e6588567217b9a6083c2a47ce4d1ae55d142bae82c18ee16b3014b462c904f.exe
"C:\Users\Admin\AppData\Local\Temp\79e6588567217b9a6083c2a47ce4d1ae55d142bae82c18ee16b3014b462c904f.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4752
- C:\Users\Admin\AppData\Local\Temp\do.exe
  "C:\Users\Admin\AppData\Local\Temp\do.exe" ++++++++++eeyuckl.bat+++++setup.exe+++++run.exe
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2704
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eeyuckl.bat" "
    3⤵
    - Drops file in Drivers directory
    - Suspicious use of WriteProcessMemory
    PID:3460
  - - C:\Windows\SysWOW64\chcp.com
      chcp 866
      4⤵
      PID:388
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im "praetorian.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2128
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce" /v init /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\do.exe\" eeyuckl.bat" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4460
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce" /v init /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\do.exe\" eeyuckl.bat" /f
      4⤵
      Adds Run key to start application
      PID:4928
- - C:\Users\Admin\AppData\Local\Temp\setup.exe
    "C:\Users\Admin\AppData\Local\Temp\setup.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4628
- - C:\Users\Admin\AppData\Local\Temp\run.exe
    "C:\Users\Admin\AppData\Local\Temp\run.exe"
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Modifies Internet Explorer start page
    - Suspicious use of WriteProcessMemory
    PID:1976
  - - C:\Users\Admin\AppData\Local\Temp\934U6B47k0\csrss.exe
      "C:\Users\Admin\AppData\Local\Temp\934U6B47k0\csrss.exe" open
      4⤵
      Executes dropped EXE
      Modifies Internet Explorer start page
      PID:4920
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C ping 127.0.0.1 -n 8 & del /F /Q "C:\Users\Admin\AppData\Local\Temp\run.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1948
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 8
        5⤵
        Runs ping.exe
        
        PID:4880

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
25B

MD5
0bff3c03b40234362688e92c14e23ecf

SHA1
ee591f8bc5f5b1140a1374cfb35e203e10e8264d

SHA256
e1804ee6387dd6adf7301c911634806052012a4696a3e7d221c8a873c7b7a937

SHA512
f188eca19ac1b32dda55fe736fe780cf7f052dc1738c13fd0125b2395e16a050518cddb9513884fd8a3045ddeef9408aa8b83826aa13c148ac7328e24bd15899

Download Submit
C:\Users\Admin\AppData\Local\Temp\934U6B47k0\csrss.exe

Filesize
285KB

MD5
8657aef0460f31f44db864b3f3a8522c

SHA1
ed01bf1493bd186ac1fcd60ee4fd81c41182a78f

SHA256
919f11537ac5099ba000faca5cca90cf211a6e677cc1cf5a61a9e3de5b4e7183

SHA512
69c295c6b91be4a9aa6d25a0ad8bfd962a8e81c988067ea1fef642ce0c1cd6c76849d15fe31622cb1f8a835471c468b47115acc37d28a407c35c18413da2cc22

Download Submit
C:\Users\Admin\AppData\Local\Temp\934U6B47k0\csrss.exe

Filesize
285KB

MD5
8657aef0460f31f44db864b3f3a8522c

SHA1
ed01bf1493bd186ac1fcd60ee4fd81c41182a78f

SHA256
919f11537ac5099ba000faca5cca90cf211a6e677cc1cf5a61a9e3de5b4e7183

SHA512
69c295c6b91be4a9aa6d25a0ad8bfd962a8e81c988067ea1fef642ce0c1cd6c76849d15fe31622cb1f8a835471c468b47115acc37d28a407c35c18413da2cc22

Download Submit
C:\Users\Admin\AppData\Local\Temp\do.exe

Filesize
24KB

MD5
eb1de12a58da0bf15b8273b06f8eca48

SHA1
22964d6d42fe3ae5a96acd40b413db3b99f529b5

SHA256
0fd16b475d18dff3dbf2da6af9350562c3a8bef50cc903c49f92eed3c6cf0031

SHA512
10d258d85f7780a5b0822cea20b5c79d2ec48a6f5ed67f5b3f0e3abaf661996b461def94a27956d1f6cf26ad0025ddb4aaf784dcfd267d9779f08c2e90216b49

Download Submit
C:\Users\Admin\AppData\Local\Temp\do.exe

Filesize
24KB

MD5
eb1de12a58da0bf15b8273b06f8eca48

SHA1
22964d6d42fe3ae5a96acd40b413db3b99f529b5

SHA256
0fd16b475d18dff3dbf2da6af9350562c3a8bef50cc903c49f92eed3c6cf0031

SHA512
10d258d85f7780a5b0822cea20b5c79d2ec48a6f5ed67f5b3f0e3abaf661996b461def94a27956d1f6cf26ad0025ddb4aaf784dcfd267d9779f08c2e90216b49

Download Submit
C:\Users\Admin\AppData\Local\Temp\eeyuckl.bat

Filesize
4KB

MD5
c977033d1f8799fcd235db0d6bb39696

SHA1
76b87cd7564bea1efbbcb4df130db21ec410232b

SHA256
a6edb44c3f59bbc53678bf7f3f7ad10155773967edd619f59cf63902aeb71a6d

SHA512
c7fd7addea3899d19cb6e5857d5a741758bbc80795e670026ef8f66eecc5a64a47f5cceec88e6dbd8dbaa037ad1bbecd3b185e362f9c9af353a520d9ac2dbc3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\run.exe

Filesize
285KB

MD5
8657aef0460f31f44db864b3f3a8522c

SHA1
ed01bf1493bd186ac1fcd60ee4fd81c41182a78f

SHA256
919f11537ac5099ba000faca5cca90cf211a6e677cc1cf5a61a9e3de5b4e7183

SHA512
69c295c6b91be4a9aa6d25a0ad8bfd962a8e81c988067ea1fef642ce0c1cd6c76849d15fe31622cb1f8a835471c468b47115acc37d28a407c35c18413da2cc22

Download Submit
C:\Users\Admin\AppData\Local\Temp\run.exe

Filesize
285KB

MD5
8657aef0460f31f44db864b3f3a8522c

SHA1
ed01bf1493bd186ac1fcd60ee4fd81c41182a78f

SHA256
919f11537ac5099ba000faca5cca90cf211a6e677cc1cf5a61a9e3de5b4e7183

SHA512
69c295c6b91be4a9aa6d25a0ad8bfd962a8e81c988067ea1fef642ce0c1cd6c76849d15fe31622cb1f8a835471c468b47115acc37d28a407c35c18413da2cc22

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
5.0MB

MD5
df06d6da9e8b53be359b89e568b53a10

SHA1
e133bd9638bf02b239e760efd09778fa8951f486

SHA256
3fe3ec648ed40c3a54cec81ef8f43d83043ebb2fb05d0d612cace86f2e35793e

SHA512
799df79d12af224705dcf0d8a3f1cfc7a944b297ac04e84a6eb756a0a15b50a5bc294bd6141fc7f07d394cf69a906ff2adf16c0b625f1e1c89a51f9cbee28e79

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
5.0MB

MD5
df06d6da9e8b53be359b89e568b53a10

SHA1
e133bd9638bf02b239e760efd09778fa8951f486

SHA256
3fe3ec648ed40c3a54cec81ef8f43d83043ebb2fb05d0d612cace86f2e35793e

SHA512
799df79d12af224705dcf0d8a3f1cfc7a944b297ac04e84a6eb756a0a15b50a5bc294bd6141fc7f07d394cf69a906ff2adf16c0b625f1e1c89a51f9cbee28e79

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vybwayxr.default-release\prefs.js

Filesize
6KB

MD5
70151a714506c0707193d324d08fc2ae

SHA1
f80661daa5eed647d91941caaaebde7d6f3f4385

SHA256
542514be4d81a61876b9f1b141d83c9692d2d446f3099a287883f27dd71f6ea2

SHA512
994a72ae8b5779f0e2ca9369a0b3ac2113c35be7681c3c2cfc6a99819f9db4d9978324d50179337ff93722ee992fc6c41f92b82117c40c92444033ecc876c2cf

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
461B

MD5
a836c22d773f81ff0542ea35a75800a6

SHA1
9bb459e08914ca093d848af5286cc819f5814c03

SHA256
c9f99aaee65c9be36addbf99fc9c61eeba6e7c3ef2c822bf9ac38973801d05c3

SHA512
ef781c7deea8f37937fee78873631456fcb09c6a55103a8063223398d9cedf8147087a0d4819c610257407ddc4027cacf80f2a6d15072b690c56cb4f8c25d24a

Download Submit
memory/4628-156-0x0000000000400000-0x000000000087F000-memory.dmp

Filesize
4.5MB

Download
memory/4628-158-0x0000000000400000-0x000000000087F000-memory.dmp

Filesize
4.5MB

Download