7ca121ff5c760f6bfa11594cbe25c3a6fb6c24561de6d3ef1c7b23aeae449f9e

Analysis

max time kernel
151s
max time network
93s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
01-12-2022 10:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7ca121ff5c760f6bfa11594cbe25c3a6fb6c24561de6d3ef1c7b23aeae449f9e.exe
Size

645KB
MD5

b424710b79185ad60748f5b53f9a9ac4
SHA1

f1f297a8368ebf66fca8cf9a1fa834c515a9f73a
SHA256

7ca121ff5c760f6bfa11594cbe25c3a6fb6c24561de6d3ef1c7b23aeae449f9e
SHA512

b6a28c32a32869d72de32588811dc84bd20128a3a4c57d5ce0e5d6f1b2ea7b7f74bbbacf039c180fbe186d9b85cd65af7b723a1239a1134a40f6b2698f531f10
SSDEEP

12288:fpWXo5HX6UAttLUi7AWRyG234MvskU94TRFnYivlfSjsfKG6J34a:fk453hM1pYTIAsYnYYNNb6J

Score

8^/10

aspackv2 spyware stealer

Malware Config

Signatures

ASPack v2.12-2.42 2 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x0008000000013a17-54.dat	aspack_v212_v242
behavioral1/files/0x0006000000014145-55.dat	aspack_v212_v242

Loads dropped DLL 2 IoCs

pid	Process
956	7ca121ff5c760f6bfa11594cbe25c3a6fb6c24561de6d3ef1c7b23aeae449f9e.exe
956	7ca121ff5c760f6bfa11594cbe25c3a6fb6c24561de6d3ef1c7b23aeae449f9e.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\CDCLOG.txt	7ca121ff5c760f6bfa11594cbe25c3a6fb6c24561de6d3ef1c7b23aeae449f9e.exe
File opened for modification	C:\Windows\SysWOW64\CDCLOG.txt	7ca121ff5c760f6bfa11594cbe25c3a6fb6c24561de6d3ef1c7b23aeae449f9e.exe
File created	C:\Windows\SysWOW64\01F00.dat	7ca121ff5c760f6bfa11594cbe25c3a6fb6c24561de6d3ef1c7b23aeae449f9e.exe
File opened for modification	C:\Windows\SysWOW64\CDClog.txt	7ca121ff5c760f6bfa11594cbe25c3a6fb6c24561de6d3ef1c7b23aeae449f9e.exe
File created	C:\Windows\SysWOW64\CBC.bat	7ca121ff5c760f6bfa11594cbe25c3a6fb6c24561de6d3ef1c7b23aeae449f9e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 5 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{2670000A-7350-4f3c-8081-5663EE0C6C49}	7ca121ff5c760f6bfa11594cbe25c3a6fb6c24561de6d3ef1c7b23aeae449f9e.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions	7ca121ff5c760f6bfa11594cbe25c3a6fb6c24561de6d3ef1c7b23aeae449f9e.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TypedURLs	7ca121ff5c760f6bfa11594cbe25c3a6fb6c24561de6d3ef1c7b23aeae449f9e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\Local Page = "http://www.sogou.com/index.htm?pid=sogou-netb-5ac8bb8a7d745102-0001"	7ca121ff5c760f6bfa11594cbe25c3a6fb6c24561de6d3ef1c7b23aeae449f9e.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}	7ca121ff5c760f6bfa11594cbe25c3a6fb6c24561de6d3ef1c7b23aeae449f9e.exe

Modifies Internet Explorer start page 1 TTPs 2 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Start Page = "http://www.sogou.com/index.htm?pid=sogou-netb-5ac8bb8a7d745102-0001"	7ca121ff5c760f6bfa11594cbe25c3a6fb6c24561de6d3ef1c7b23aeae449f9e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.sogou.com/index.htm?pid=sogou-netb-5ac8bb8a7d745102-0001"	7ca121ff5c760f6bfa11594cbe25c3a6fb6c24561de6d3ef1c7b23aeae449f9e.exe

Modifies registry class 7 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\LocalServer32	7ca121ff5c760f6bfa11594cbe25c3a6fb6c24561de6d3ef1c7b23aeae449f9e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	7ca121ff5c760f6bfa11594cbe25c3a6fb6c24561de6d3ef1c7b23aeae449f9e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}	7ca121ff5c760f6bfa11594cbe25c3a6fb6c24561de6d3ef1c7b23aeae449f9e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command	7ca121ff5c760f6bfa11594cbe25c3a6fb6c24561de6d3ef1c7b23aeae449f9e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}	7ca121ff5c760f6bfa11594cbe25c3a6fb6c24561de6d3ef1c7b23aeae449f9e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell	7ca121ff5c760f6bfa11594cbe25c3a6fb6c24561de6d3ef1c7b23aeae449f9e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage	7ca121ff5c760f6bfa11594cbe25c3a6fb6c24561de6d3ef1c7b23aeae449f9e.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
956	7ca121ff5c760f6bfa11594cbe25c3a6fb6c24561de6d3ef1c7b23aeae449f9e.exe
956	7ca121ff5c760f6bfa11594cbe25c3a6fb6c24561de6d3ef1c7b23aeae449f9e.exe
956	7ca121ff5c760f6bfa11594cbe25c3a6fb6c24561de6d3ef1c7b23aeae449f9e.exe
956	7ca121ff5c760f6bfa11594cbe25c3a6fb6c24561de6d3ef1c7b23aeae449f9e.exe
956	7ca121ff5c760f6bfa11594cbe25c3a6fb6c24561de6d3ef1c7b23aeae449f9e.exe
956	7ca121ff5c760f6bfa11594cbe25c3a6fb6c24561de6d3ef1c7b23aeae449f9e.exe
956	7ca121ff5c760f6bfa11594cbe25c3a6fb6c24561de6d3ef1c7b23aeae449f9e.exe
956	7ca121ff5c760f6bfa11594cbe25c3a6fb6c24561de6d3ef1c7b23aeae449f9e.exe
956	7ca121ff5c760f6bfa11594cbe25c3a6fb6c24561de6d3ef1c7b23aeae449f9e.exe
956	7ca121ff5c760f6bfa11594cbe25c3a6fb6c24561de6d3ef1c7b23aeae449f9e.exe
956	7ca121ff5c760f6bfa11594cbe25c3a6fb6c24561de6d3ef1c7b23aeae449f9e.exe
956	7ca121ff5c760f6bfa11594cbe25c3a6fb6c24561de6d3ef1c7b23aeae449f9e.exe
956	7ca121ff5c760f6bfa11594cbe25c3a6fb6c24561de6d3ef1c7b23aeae449f9e.exe
956	7ca121ff5c760f6bfa11594cbe25c3a6fb6c24561de6d3ef1c7b23aeae449f9e.exe
956	7ca121ff5c760f6bfa11594cbe25c3a6fb6c24561de6d3ef1c7b23aeae449f9e.exe
956	7ca121ff5c760f6bfa11594cbe25c3a6fb6c24561de6d3ef1c7b23aeae449f9e.exe
956	7ca121ff5c760f6bfa11594cbe25c3a6fb6c24561de6d3ef1c7b23aeae449f9e.exe
956	7ca121ff5c760f6bfa11594cbe25c3a6fb6c24561de6d3ef1c7b23aeae449f9e.exe
956	7ca121ff5c760f6bfa11594cbe25c3a6fb6c24561de6d3ef1c7b23aeae449f9e.exe
956	7ca121ff5c760f6bfa11594cbe25c3a6fb6c24561de6d3ef1c7b23aeae449f9e.exe
956	7ca121ff5c760f6bfa11594cbe25c3a6fb6c24561de6d3ef1c7b23aeae449f9e.exe
956	7ca121ff5c760f6bfa11594cbe25c3a6fb6c24561de6d3ef1c7b23aeae449f9e.exe
956	7ca121ff5c760f6bfa11594cbe25c3a6fb6c24561de6d3ef1c7b23aeae449f9e.exe
956	7ca121ff5c760f6bfa11594cbe25c3a6fb6c24561de6d3ef1c7b23aeae449f9e.exe
956	7ca121ff5c760f6bfa11594cbe25c3a6fb6c24561de6d3ef1c7b23aeae449f9e.exe
956	7ca121ff5c760f6bfa11594cbe25c3a6fb6c24561de6d3ef1c7b23aeae449f9e.exe
956	7ca121ff5c760f6bfa11594cbe25c3a6fb6c24561de6d3ef1c7b23aeae449f9e.exe
956	7ca121ff5c760f6bfa11594cbe25c3a6fb6c24561de6d3ef1c7b23aeae449f9e.exe
956	7ca121ff5c760f6bfa11594cbe25c3a6fb6c24561de6d3ef1c7b23aeae449f9e.exe
956	7ca121ff5c760f6bfa11594cbe25c3a6fb6c24561de6d3ef1c7b23aeae449f9e.exe
956	7ca121ff5c760f6bfa11594cbe25c3a6fb6c24561de6d3ef1c7b23aeae449f9e.exe
956	7ca121ff5c760f6bfa11594cbe25c3a6fb6c24561de6d3ef1c7b23aeae449f9e.exe
956	7ca121ff5c760f6bfa11594cbe25c3a6fb6c24561de6d3ef1c7b23aeae449f9e.exe
956	7ca121ff5c760f6bfa11594cbe25c3a6fb6c24561de6d3ef1c7b23aeae449f9e.exe
956	7ca121ff5c760f6bfa11594cbe25c3a6fb6c24561de6d3ef1c7b23aeae449f9e.exe
956	7ca121ff5c760f6bfa11594cbe25c3a6fb6c24561de6d3ef1c7b23aeae449f9e.exe
956	7ca121ff5c760f6bfa11594cbe25c3a6fb6c24561de6d3ef1c7b23aeae449f9e.exe
956	7ca121ff5c760f6bfa11594cbe25c3a6fb6c24561de6d3ef1c7b23aeae449f9e.exe
956	7ca121ff5c760f6bfa11594cbe25c3a6fb6c24561de6d3ef1c7b23aeae449f9e.exe
956	7ca121ff5c760f6bfa11594cbe25c3a6fb6c24561de6d3ef1c7b23aeae449f9e.exe
956	7ca121ff5c760f6bfa11594cbe25c3a6fb6c24561de6d3ef1c7b23aeae449f9e.exe
956	7ca121ff5c760f6bfa11594cbe25c3a6fb6c24561de6d3ef1c7b23aeae449f9e.exe
956	7ca121ff5c760f6bfa11594cbe25c3a6fb6c24561de6d3ef1c7b23aeae449f9e.exe
956	7ca121ff5c760f6bfa11594cbe25c3a6fb6c24561de6d3ef1c7b23aeae449f9e.exe
956	7ca121ff5c760f6bfa11594cbe25c3a6fb6c24561de6d3ef1c7b23aeae449f9e.exe
956	7ca121ff5c760f6bfa11594cbe25c3a6fb6c24561de6d3ef1c7b23aeae449f9e.exe
956	7ca121ff5c760f6bfa11594cbe25c3a6fb6c24561de6d3ef1c7b23aeae449f9e.exe
956	7ca121ff5c760f6bfa11594cbe25c3a6fb6c24561de6d3ef1c7b23aeae449f9e.exe
956	7ca121ff5c760f6bfa11594cbe25c3a6fb6c24561de6d3ef1c7b23aeae449f9e.exe
956	7ca121ff5c760f6bfa11594cbe25c3a6fb6c24561de6d3ef1c7b23aeae449f9e.exe
956	7ca121ff5c760f6bfa11594cbe25c3a6fb6c24561de6d3ef1c7b23aeae449f9e.exe
956	7ca121ff5c760f6bfa11594cbe25c3a6fb6c24561de6d3ef1c7b23aeae449f9e.exe
956	7ca121ff5c760f6bfa11594cbe25c3a6fb6c24561de6d3ef1c7b23aeae449f9e.exe
956	7ca121ff5c760f6bfa11594cbe25c3a6fb6c24561de6d3ef1c7b23aeae449f9e.exe
956	7ca121ff5c760f6bfa11594cbe25c3a6fb6c24561de6d3ef1c7b23aeae449f9e.exe
956	7ca121ff5c760f6bfa11594cbe25c3a6fb6c24561de6d3ef1c7b23aeae449f9e.exe
956	7ca121ff5c760f6bfa11594cbe25c3a6fb6c24561de6d3ef1c7b23aeae449f9e.exe
956	7ca121ff5c760f6bfa11594cbe25c3a6fb6c24561de6d3ef1c7b23aeae449f9e.exe
956	7ca121ff5c760f6bfa11594cbe25c3a6fb6c24561de6d3ef1c7b23aeae449f9e.exe
956	7ca121ff5c760f6bfa11594cbe25c3a6fb6c24561de6d3ef1c7b23aeae449f9e.exe
956	7ca121ff5c760f6bfa11594cbe25c3a6fb6c24561de6d3ef1c7b23aeae449f9e.exe
956	7ca121ff5c760f6bfa11594cbe25c3a6fb6c24561de6d3ef1c7b23aeae449f9e.exe
956	7ca121ff5c760f6bfa11594cbe25c3a6fb6c24561de6d3ef1c7b23aeae449f9e.exe
956	7ca121ff5c760f6bfa11594cbe25c3a6fb6c24561de6d3ef1c7b23aeae449f9e.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	956	7ca121ff5c760f6bfa11594cbe25c3a6fb6c24561de6d3ef1c7b23aeae449f9e.exe
Token: 33	956	7ca121ff5c760f6bfa11594cbe25c3a6fb6c24561de6d3ef1c7b23aeae449f9e.exe
Token: SeIncBasePriorityPrivilege	956	7ca121ff5c760f6bfa11594cbe25c3a6fb6c24561de6d3ef1c7b23aeae449f9e.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 956 wrote to memory of 1164	956	7ca121ff5c760f6bfa11594cbe25c3a6fb6c24561de6d3ef1c7b23aeae449f9e.exe	28
PID 956 wrote to memory of 1164	956	7ca121ff5c760f6bfa11594cbe25c3a6fb6c24561de6d3ef1c7b23aeae449f9e.exe	28
PID 956 wrote to memory of 1164	956	7ca121ff5c760f6bfa11594cbe25c3a6fb6c24561de6d3ef1c7b23aeae449f9e.exe	28
PID 956 wrote to memory of 1164	956	7ca121ff5c760f6bfa11594cbe25c3a6fb6c24561de6d3ef1c7b23aeae449f9e.exe	28
PID 956 wrote to memory of 1312	956	7ca121ff5c760f6bfa11594cbe25c3a6fb6c24561de6d3ef1c7b23aeae449f9e.exe	18
PID 956 wrote to memory of 1312	956	7ca121ff5c760f6bfa11594cbe25c3a6fb6c24561de6d3ef1c7b23aeae449f9e.exe	18
PID 956 wrote to memory of 1312	956	7ca121ff5c760f6bfa11594cbe25c3a6fb6c24561de6d3ef1c7b23aeae449f9e.exe	18
PID 956 wrote to memory of 1312	956	7ca121ff5c760f6bfa11594cbe25c3a6fb6c24561de6d3ef1c7b23aeae449f9e.exe	18
PID 1164 wrote to memory of 1040	1164	cmd.exe	31
PID 1164 wrote to memory of 1040	1164	cmd.exe	31
PID 1164 wrote to memory of 1040	1164	cmd.exe	31
PID 1164 wrote to memory of 1040	1164	cmd.exe	31
PID 1164 wrote to memory of 1148	1164	cmd.exe	32
PID 1164 wrote to memory of 1148	1164	cmd.exe	32
PID 1164 wrote to memory of 1148	1164	cmd.exe	32
PID 1164 wrote to memory of 1148	1164	cmd.exe	32
PID 956 wrote to memory of 1312	956	7ca121ff5c760f6bfa11594cbe25c3a6fb6c24561de6d3ef1c7b23aeae449f9e.exe	18
PID 956 wrote to memory of 1312	956	7ca121ff5c760f6bfa11594cbe25c3a6fb6c24561de6d3ef1c7b23aeae449f9e.exe	18
PID 956 wrote to memory of 1312	956	7ca121ff5c760f6bfa11594cbe25c3a6fb6c24561de6d3ef1c7b23aeae449f9e.exe	18
PID 956 wrote to memory of 1312	956	7ca121ff5c760f6bfa11594cbe25c3a6fb6c24561de6d3ef1c7b23aeae449f9e.exe	18
PID 956 wrote to memory of 1312	956	7ca121ff5c760f6bfa11594cbe25c3a6fb6c24561de6d3ef1c7b23aeae449f9e.exe	18
PID 956 wrote to memory of 1312	956	7ca121ff5c760f6bfa11594cbe25c3a6fb6c24561de6d3ef1c7b23aeae449f9e.exe	18
PID 956 wrote to memory of 1312	956	7ca121ff5c760f6bfa11594cbe25c3a6fb6c24561de6d3ef1c7b23aeae449f9e.exe	18
PID 956 wrote to memory of 1312	956	7ca121ff5c760f6bfa11594cbe25c3a6fb6c24561de6d3ef1c7b23aeae449f9e.exe	18
PID 956 wrote to memory of 1312	956	7ca121ff5c760f6bfa11594cbe25c3a6fb6c24561de6d3ef1c7b23aeae449f9e.exe	18
PID 956 wrote to memory of 1312	956	7ca121ff5c760f6bfa11594cbe25c3a6fb6c24561de6d3ef1c7b23aeae449f9e.exe	18
PID 956 wrote to memory of 1312	956	7ca121ff5c760f6bfa11594cbe25c3a6fb6c24561de6d3ef1c7b23aeae449f9e.exe	18
PID 956 wrote to memory of 1312	956	7ca121ff5c760f6bfa11594cbe25c3a6fb6c24561de6d3ef1c7b23aeae449f9e.exe	18
PID 956 wrote to memory of 1312	956	7ca121ff5c760f6bfa11594cbe25c3a6fb6c24561de6d3ef1c7b23aeae449f9e.exe	18
PID 956 wrote to memory of 1312	956	7ca121ff5c760f6bfa11594cbe25c3a6fb6c24561de6d3ef1c7b23aeae449f9e.exe	18
PID 956 wrote to memory of 1312	956	7ca121ff5c760f6bfa11594cbe25c3a6fb6c24561de6d3ef1c7b23aeae449f9e.exe	18
PID 956 wrote to memory of 1312	956	7ca121ff5c760f6bfa11594cbe25c3a6fb6c24561de6d3ef1c7b23aeae449f9e.exe	18
PID 956 wrote to memory of 1312	956	7ca121ff5c760f6bfa11594cbe25c3a6fb6c24561de6d3ef1c7b23aeae449f9e.exe	18
PID 956 wrote to memory of 1312	956	7ca121ff5c760f6bfa11594cbe25c3a6fb6c24561de6d3ef1c7b23aeae449f9e.exe	18
PID 956 wrote to memory of 1312	956	7ca121ff5c760f6bfa11594cbe25c3a6fb6c24561de6d3ef1c7b23aeae449f9e.exe	18
PID 956 wrote to memory of 1312	956	7ca121ff5c760f6bfa11594cbe25c3a6fb6c24561de6d3ef1c7b23aeae449f9e.exe	18
PID 956 wrote to memory of 1312	956	7ca121ff5c760f6bfa11594cbe25c3a6fb6c24561de6d3ef1c7b23aeae449f9e.exe	18
PID 956 wrote to memory of 1312	956	7ca121ff5c760f6bfa11594cbe25c3a6fb6c24561de6d3ef1c7b23aeae449f9e.exe	18
PID 956 wrote to memory of 1312	956	7ca121ff5c760f6bfa11594cbe25c3a6fb6c24561de6d3ef1c7b23aeae449f9e.exe	18
PID 956 wrote to memory of 1312	956	7ca121ff5c760f6bfa11594cbe25c3a6fb6c24561de6d3ef1c7b23aeae449f9e.exe	18
PID 956 wrote to memory of 1312	956	7ca121ff5c760f6bfa11594cbe25c3a6fb6c24561de6d3ef1c7b23aeae449f9e.exe	18
PID 956 wrote to memory of 1312	956	7ca121ff5c760f6bfa11594cbe25c3a6fb6c24561de6d3ef1c7b23aeae449f9e.exe	18
PID 956 wrote to memory of 1312	956	7ca121ff5c760f6bfa11594cbe25c3a6fb6c24561de6d3ef1c7b23aeae449f9e.exe	18
PID 956 wrote to memory of 1312	956	7ca121ff5c760f6bfa11594cbe25c3a6fb6c24561de6d3ef1c7b23aeae449f9e.exe	18
PID 956 wrote to memory of 1312	956	7ca121ff5c760f6bfa11594cbe25c3a6fb6c24561de6d3ef1c7b23aeae449f9e.exe	18
PID 956 wrote to memory of 1312	956	7ca121ff5c760f6bfa11594cbe25c3a6fb6c24561de6d3ef1c7b23aeae449f9e.exe	18
PID 956 wrote to memory of 1312	956	7ca121ff5c760f6bfa11594cbe25c3a6fb6c24561de6d3ef1c7b23aeae449f9e.exe	18
PID 956 wrote to memory of 1312	956	7ca121ff5c760f6bfa11594cbe25c3a6fb6c24561de6d3ef1c7b23aeae449f9e.exe	18
PID 956 wrote to memory of 1312	956	7ca121ff5c760f6bfa11594cbe25c3a6fb6c24561de6d3ef1c7b23aeae449f9e.exe	18
PID 956 wrote to memory of 1312	956	7ca121ff5c760f6bfa11594cbe25c3a6fb6c24561de6d3ef1c7b23aeae449f9e.exe	18
PID 956 wrote to memory of 1312	956	7ca121ff5c760f6bfa11594cbe25c3a6fb6c24561de6d3ef1c7b23aeae449f9e.exe	18
PID 956 wrote to memory of 1312	956	7ca121ff5c760f6bfa11594cbe25c3a6fb6c24561de6d3ef1c7b23aeae449f9e.exe	18
PID 956 wrote to memory of 1312	956	7ca121ff5c760f6bfa11594cbe25c3a6fb6c24561de6d3ef1c7b23aeae449f9e.exe	18
PID 956 wrote to memory of 1312	956	7ca121ff5c760f6bfa11594cbe25c3a6fb6c24561de6d3ef1c7b23aeae449f9e.exe	18
PID 956 wrote to memory of 1312	956	7ca121ff5c760f6bfa11594cbe25c3a6fb6c24561de6d3ef1c7b23aeae449f9e.exe	18
PID 956 wrote to memory of 1312	956	7ca121ff5c760f6bfa11594cbe25c3a6fb6c24561de6d3ef1c7b23aeae449f9e.exe	18
PID 956 wrote to memory of 1312	956	7ca121ff5c760f6bfa11594cbe25c3a6fb6c24561de6d3ef1c7b23aeae449f9e.exe	18
PID 956 wrote to memory of 1312	956	7ca121ff5c760f6bfa11594cbe25c3a6fb6c24561de6d3ef1c7b23aeae449f9e.exe	18
PID 956 wrote to memory of 1312	956	7ca121ff5c760f6bfa11594cbe25c3a6fb6c24561de6d3ef1c7b23aeae449f9e.exe	18
PID 956 wrote to memory of 1312	956	7ca121ff5c760f6bfa11594cbe25c3a6fb6c24561de6d3ef1c7b23aeae449f9e.exe	18
PID 956 wrote to memory of 1312	956	7ca121ff5c760f6bfa11594cbe25c3a6fb6c24561de6d3ef1c7b23aeae449f9e.exe	18
PID 956 wrote to memory of 1312	956	7ca121ff5c760f6bfa11594cbe25c3a6fb6c24561de6d3ef1c7b23aeae449f9e.exe	18
PID 956 wrote to memory of 1312	956	7ca121ff5c760f6bfa11594cbe25c3a6fb6c24561de6d3ef1c7b23aeae449f9e.exe	18
PID 956 wrote to memory of 1312	956	7ca121ff5c760f6bfa11594cbe25c3a6fb6c24561de6d3ef1c7b23aeae449f9e.exe	18

C:\Users\Admin\AppData\Local\Temp\7ca121ff5c760f6bfa11594cbe25c3a6fb6c24561de6d3ef1c7b23aeae449f9e.exe
"C:\Users\Admin\AppData\Local\Temp\7ca121ff5c760f6bfa11594cbe25c3a6fb6c24561de6d3ef1c7b23aeae449f9e.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:956
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\system32\CBC.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1164
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c dir "C:\Users\Admin\Local Settings\Application Data\Mozilla\Firefox\Profiles\*.default" /B
    3⤵
    PID:1040
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c dir "C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\*.default" /B
    3⤵
    PID:1148

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1312

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\CBC.bat

Filesize
5KB

MD5
8191690bad902792af6cf44a6a69397e

SHA1
fb2e16335b52d52bf083b9d88d4b6762ab0abca8

SHA256
eee3a160f727210c24e6f6fd60fa725e48fceafb089b656799c6c7dbc11b3bb3

SHA512
0db38a368860e7cc184af8f790b4728b433ad2e3975758ef52807ad1c626ef57f851eceaa7c60c157f38af77cc74b8d00e03b429b615403c022a2de728e59085

Download Submit
\Users\Admin\AppData\Local\Temp\D5C141\AyDBBxu.dll

Filesize
480KB

MD5
f40ffec1ffda201b742556e58a78b154

SHA1
745392fb10d1824d1b00b8c16d13d217b4302d8c

SHA256
17a2512c5254caa0d59c061b14aa2086ae9383fa5ce0356d4289f731920d3597

SHA512
bda3b1f9537b0ca8766952decd7e7209213447893103fb9527b2c0d8d5641fef70d645f4451459d29fb55adfd42dcf4f24c8d672e9b4ba7bef946a8f0b0cf79c

Download Submit
\Users\Admin\AppData\Local\Temp\D5C141\slmrwov.dll

Filesize
530KB

MD5
7d041375081662a8dc7e1bc04095185a

SHA1
90c2fa1c0f08490a5104e300bbf8637f356ec077

SHA256
5c066ca9c8fe87eee78e2207da0f89dc87a60ecb3d7b11cf5aa04bdadda118df

SHA512
9cd0beabbb981124b19dbbbb4c2ad0b4be8bdc2309a3d865393233d314824e3aa872fa2c5d00c57a216d8aff7fdab2dd9f7df4fca3e07ffe880f94c20016e510

Download Submit
memory/956-56-0x0000000075591000-0x0000000075593000-memory.dmp

Filesize
8KB

Download