ba8c52f233ee68fc27bb737d6870eb0f40977549443cb4425a5fbeab02caaf4d

Analysis

max time kernel
151s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
02/12/2022, 20:53

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ba8c52f233ee68fc27bb737d6870eb0f40977549443cb4425a5fbeab02caaf4d.exe
Size

2.2MB
MD5

8a2e0a81828a02bf20c36564866d8079
SHA1

207c9b091fd81ef7b629481ba97bcb57b79cd737
SHA256

ba8c52f233ee68fc27bb737d6870eb0f40977549443cb4425a5fbeab02caaf4d
SHA512

99b6fe9ead23bd080c6220f3f4a963a8a77484b4a902c6194eab0f8387b9ccbe2eedc8d446ff15da803d96b3c2db454f908a78599ae27c2b3a860a0619ad9cf1
SSDEEP

49152:OwT+SXTS7d71HJdDSdHsRQ2y5tQVy+WjbYe7vFv:Oa+WufpNSdHL2yIVI7Nv

Score

8^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2008	gxjl.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	ba8c52f233ee68fc27bb737d6870eb0f40977549443cb4425a5fbeab02caaf4d.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 13 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	gxjl.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\lanshareelf.com	gxjl.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage	gxjl.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\lanshareelf.com\NumberOfSubdomains = "1"	gxjl.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	gxjl.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "63"	gxjl.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	gxjl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	gxjl.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\IESettingSync	gxjl.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\DOMStorage\lanshareelf.com	gxjl.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.lanshareelf.com	gxjl.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.lanshareelf.com\ = "63"	gxjl.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\lanshareelf.com\Total = "63"	gxjl.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2008	gxjl.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2008	gxjl.exe
2008	gxjl.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5000 wrote to memory of 2008	5000	ba8c52f233ee68fc27bb737d6870eb0f40977549443cb4425a5fbeab02caaf4d.exe	81
PID 5000 wrote to memory of 2008	5000	ba8c52f233ee68fc27bb737d6870eb0f40977549443cb4425a5fbeab02caaf4d.exe	81
PID 5000 wrote to memory of 2008	5000	ba8c52f233ee68fc27bb737d6870eb0f40977549443cb4425a5fbeab02caaf4d.exe	81

C:\Users\Admin\AppData\Local\Temp\ba8c52f233ee68fc27bb737d6870eb0f40977549443cb4425a5fbeab02caaf4d.exe
"C:\Users\Admin\AppData\Local\Temp\ba8c52f233ee68fc27bb737d6870eb0f40977549443cb4425a5fbeab02caaf4d.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5000
- C:\Users\Admin\AppData\Local\Temp\gxjl.exe
  "C:\Users\Admin\AppData\Local\Temp\gxjl.exe"
  2⤵
  - Executes dropped EXE
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2008

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gxjl.exe

Filesize
1.8MB

MD5
4a560c9ec8d240947a9b7b6bae345dd7

SHA1
52fbccf99b6551f58f6e84bd3b40dea83a8180f4

SHA256
e4f0553711822dbc541b2287fe1f3d187ed1d205e4463c77d6cbeaaa9f777656

SHA512
c45e4882e73cf759fe02664b64cb2592c002fc9d1181ca9c0480d09604d46bd6ac5bc6533271e5c7090684b706b2c84c9c4f393d58fb061e0ab855ab01d656e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\gxjl.exe

Filesize
1.8MB

MD5
4a560c9ec8d240947a9b7b6bae345dd7

SHA1
52fbccf99b6551f58f6e84bd3b40dea83a8180f4

SHA256
e4f0553711822dbc541b2287fe1f3d187ed1d205e4463c77d6cbeaaa9f777656

SHA512
c45e4882e73cf759fe02664b64cb2592c002fc9d1181ca9c0480d09604d46bd6ac5bc6533271e5c7090684b706b2c84c9c4f393d58fb061e0ab855ab01d656e2

Download Submit