Analysis

  • max time kernel
    226s
  • max time network
    244s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01/12/2022, 07:19

General

  • Target

    593a5888f3112c567f7e32c62e2ce15945c158d17b9da8156442b036392d22c6.exe

  • Size

    250KB

  • MD5

    57337eb844a986d75893d548d90b7206

  • SHA1

    30dbdc2e3c85ab0530e6bbc60a916801eccdb1b7

  • SHA256

    593a5888f3112c567f7e32c62e2ce15945c158d17b9da8156442b036392d22c6

  • SHA512

    31ffe84d30fadb4b249a03dde63fca4f2540964d5f650becb9a90bb0c22e85986c3dc1247e5763d75c2a5d5c5e5e57881f7d25260ffc1303795e7d41c28ad652

  • SSDEEP

    6144:h1OgDPdkBAFZWjadD4s5DqqVN4SxMmpEqHFrInZ:h1OgLdaODqqD4SA+e

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Installs/modifies Browser Helper Object 2 TTPs 4 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • NSIS installer 4 IoCs
  • Modifies registry class 63 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs
  • System policy modification 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\593a5888f3112c567f7e32c62e2ce15945c158d17b9da8156442b036392d22c6.exe
    "C:\Users\Admin\AppData\Local\Temp\593a5888f3112c567f7e32c62e2ce15945c158d17b9da8156442b036392d22c6.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1440
    • C:\Users\Admin\AppData\Local\Temp\7zSED1F.tmp\506b429add9da.exe
      .\506b429add9da.exe /s
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Installs/modifies Browser Helper Object
      • Modifies registry class
      • System policy modification
      PID:3080

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\ProgramData\wxDownload\506b429adda13.ocx

          Filesize

          151KB

          MD5

          c78c6140cb88ef4dc94f999291bb5ab1

          SHA1

          65b47ed5ec889e0e558c79a13a81193fc59b8ce9

          SHA256

          6cfc7fb43715fb13c53ab2a29b68f3a0a0f285c85d1b1443f2c5e73526646851

          SHA512

          ac8865cb1bec889ba493cad3f4c4bac87bfb2fdb15c518626ffa5f8ac6799a6f5c84f358d3e7d35824d6aba29af46c1078acdf30c3bd93981be61312baf6bd26

        • C:\Users\Admin\AppData\Local\Temp\7zSED1F.tmp\[email protected]\bootstrap.js

          Filesize

          2KB

          MD5

          bd5c1e55b0963ef2d30c0f344a7aae82

          SHA1

          3073f82d3b7cd94cc36b61e52199b6bee2a93205

          SHA256

          3b9b801bf6d2197e0a5d115d66ce4b0a6d44eb8fced88f2b6f1a3205d17274a7

          SHA512

          6d5f631a8e42d116b50731ab96cc0171b4fbbfbf538e06919d077ebd86e70dfc16275eaf7990444bee3828d7047017fd0bcb51c3066b8f94ce4b5355700c89b4

        • C:\Users\Admin\AppData\Local\Temp\7zSED1F.tmp\[email protected]\chrome.manifest

          Filesize

          116B

          MD5

          b74fa48a3454cdd07055200e8a9e0dc4

          SHA1

          724e130184bbdd4787c5836d1d05ca0c559b6e8c

          SHA256

          cf2552ab776c8a371a2de0c888d6c451b93435b9952dad70bf6630113a4b860e

          SHA512

          8b6d453c7be488779df06f6a7e743ac26eb5de05e5a11fa67d7981408b5ff7891cb295571b0ef3211bd17af7067b5787966686a70b4f9028a3731dbb3f0d9c13

        • C:\Users\Admin\AppData\Local\Temp\7zSED1F.tmp\[email protected]\content\bg.js

          Filesize

          8KB

          MD5

          eaa30d35a1abc58bcfd22e6923e194c2

          SHA1

          a2ac380c3863440dd13fd910b3c2ae06b4bbdbd4

          SHA256

          842a2c53e87343623408d3f10aa60328eec44b0643862c94ef933498190902a2

          SHA512

          b9498fd47373d2eb5cb682f98ba3dbc349d869e5bcb10e02d5b67389995d2f997e8c7f3abfed67f306fd0833c30462d010298f87c3c50370f49a1bff912d0d8e

        • C:\Users\Admin\AppData\Local\Temp\7zSED1F.tmp\[email protected]\content\zy.xul

          Filesize

          225B

          MD5

          630f8ec186862ae3c20fadb17648fe2f

          SHA1

          427d8ec62b4189cece2973a23562820bbc61c4fa

          SHA256

          93b87b42ab23131d6204e8f2bf829a5990abb09808f2fac73ffdb02b109a054f

          SHA512

          3d3242838863cd921708c9a562cb835540d27ba75d42b7f4e37af0e69f6c6001ac41651ce85c8d8b69c227980dbf3f776ddd67edbec6edd693767e9ef81e3719

        • C:\Users\Admin\AppData\Local\Temp\7zSED1F.tmp\[email protected]\install.rdf

          Filesize

          717B

          MD5

          31412aa8f72acab06f64eb78a896d787

          SHA1

          982c73dd93d20187f2212d2096ef886f9a727a27

          SHA256

          bb9f2fa1ed131da62642cee230dfe9c6a7deec0d5c6e10ebe8eac68190762e7b

          SHA512

          f2dc23a04d3f13fbcc8a0476762d77e572ed9fc9ed0360fd26e583be1c7bd0fac93353b1127c69d62c464d3420029226063a2c777d44848690cd6c2f37de23c2

        • C:\Users\Admin\AppData\Local\Temp\7zSED1F.tmp\506b429add9da.exe

          Filesize

          65KB

          MD5

          4ccf1a317aa8539c857835e4ebe9c806

          SHA1

          223b73d09d7398f40aff3ccc569e66cae3886ee9

          SHA256

          4529889c5575cd4e28b3691f0489c806442840292a9e459ada4dab3e024cc242

          SHA512

          ecab68799b5a51c7d2a3735a9b3c17ba20a315618aa9575a5b02d5d4535716966031a26982012669f069dbfd8a6ab62f95737b7c402bf680f3a498900f627312

        • C:\Users\Admin\AppData\Local\Temp\7zSED1F.tmp\506b429add9da.exe

          Filesize

          65KB

          MD5

          4ccf1a317aa8539c857835e4ebe9c806

          SHA1

          223b73d09d7398f40aff3ccc569e66cae3886ee9

          SHA256

          4529889c5575cd4e28b3691f0489c806442840292a9e459ada4dab3e024cc242

          SHA512

          ecab68799b5a51c7d2a3735a9b3c17ba20a315618aa9575a5b02d5d4535716966031a26982012669f069dbfd8a6ab62f95737b7c402bf680f3a498900f627312

        • C:\Users\Admin\AppData\Local\Temp\7zSED1F.tmp\506b429adda13.ocx

          Filesize

          151KB

          MD5

          c78c6140cb88ef4dc94f999291bb5ab1

          SHA1

          65b47ed5ec889e0e558c79a13a81193fc59b8ce9

          SHA256

          6cfc7fb43715fb13c53ab2a29b68f3a0a0f285c85d1b1443f2c5e73526646851

          SHA512

          ac8865cb1bec889ba493cad3f4c4bac87bfb2fdb15c518626ffa5f8ac6799a6f5c84f358d3e7d35824d6aba29af46c1078acdf30c3bd93981be61312baf6bd26

        • C:\Users\Admin\AppData\Local\Temp\7zSED1F.tmp\506b429adda4b.html

          Filesize

          4KB

          MD5

          db3466accc8cad892660f23a7fe6496a

          SHA1

          e74c84608fe806d4be8932c763c152f4c86fa868

          SHA256

          e66ac224bb9c422b4d66537f04297e949df489dc2faec87f5f6345e6b6fa9759

          SHA512

          c137443bdc8d0d6085446fa57cc3b759bd95296aeb39cadd3c1e169891416e927a7179f11d37875f680fa7895c427f316e71ca65d21b6ea7947cbd79e9c30e9c

        • C:\Users\Admin\AppData\Local\Temp\7zSED1F.tmp\506b429adda84.js

          Filesize

          9B

          MD5

          99fa5d714d971a49b67de27e0d8871be

          SHA1

          d0621e846ea60fa8d0b2c8e622e495af49cd7359

          SHA256

          f560d76474380da948a0c5ab8682dc026822d9685268c592f315224b1b968bf6

          SHA512

          2fec19e4f2a974227922a7e057890141523ae73fbfa127f9e8cd00dff71b29abb93cb865c6d74ecf3df8bca440c558d4fbf2f80e82cc9636320ab5edb95ebad5

        • C:\Users\Admin\AppData\Local\Temp\7zSED1F.tmp\hocmjjdkfkpfpflcpnmchdflcbijejbg.crx

          Filesize

          7KB

          MD5

          769f735bfb8c5aaf6894cf98fae92d71

          SHA1

          a4d8e133969fb16d703063e4a6320fb5a39bd93f

          SHA256

          577073e0672bda0244cace5d2d4b29801524f590f150ee5212f3be5edbb61be8

          SHA512

          f78fea858e857d906d4b3728f5ce01c7a8c34d88eff28ad0b97990f0c863b937ae4764a072fc96594d500d411fbfa1d25257f6b11a4d328b09599eaa9362839a

        • C:\Users\Admin\AppData\Local\Temp\7zSED1F.tmp\settings.ini

          Filesize

          901B

          MD5

          4cd345b2ea654680d8deea532cc69f2b

          SHA1

          7157c3bf8c33b929b5c2c25592201383949b4978

          SHA256

          04db80a0ce1b9da6d0a5fc08f5172a7e25e43ce57cb8870b166f2899875a68ff

          SHA512

          f57d4b7697e37623dd2aa8f4d6ae07262e664199f5cca5389bd8e3cfef23436ead9bbbdffab2a2b1d46fc7bde841cc2727943f147248fe38fac0f18b03a16fdd

        • C:\Users\Admin\AppData\Local\Temp\nsk4523.tmp\UserInfo.dll

          Filesize

          4KB

          MD5

          7579ade7ae1747a31960a228ce02e666

          SHA1

          8ec8571a296737e819dcf86353a43fcf8ec63351

          SHA256

          564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5

          SHA512

          a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b