Analysis
- max time kernel: 173s
- max time network: 33s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 03/12/2022, 12:31
Behavioral task: behavioral1
- Sample: bde2059ed0933dab2186563089e76878c29a7b226930f5ec6f24f2ac2130ed54.exe
- Resource: win7-20221111-en

Behavioral task: behavioral2
- Sample: bde2059ed0933dab2186563089e76878c29a7b226930f5ec6f24f2ac2130ed54.exe
- Resource: win10v2004-20221111-en
General
- Target: bde2059ed0933dab2186563089e76878c29a7b226930f5ec6f24f2ac2130ed54.exe
- Size: 151KB
- MD5: 95daa1a89f5f7a641b4499d75880bba9
- SHA1: 03a00f041847ee089913dedb26209a7d5211540b
- SHA256: bde2059ed0933dab2186563089e76878c29a7b226930f5ec6f24f2ac2130ed54
- SHA512: 90087fa0009e14a8bc0dbff2fb5f9f735ce7abbc9dd24392cd802a3d7d470e0a6ae61dd975010e032a1289f5aca852e4f9d2cf67b1604a4604006ab9d89cb41d
- SSDEEP: 3072:CP293QEZb4+9r4DZWPL5nfO1HTOBlMLvwCStq5nKQFia65DXQuEAGdQCY:v93iQL5nfGFvwptAnbFiR5PE1a
Malware Config

Signatures
- Yara rule matches
  resource                                                                     yara_rule
  behavioral1/memory/1648-54-0x0000000001000000-0x0000000001053000-memory.dmp  upx
  behavioral1/memory/1648-96-0x0000000001000000-0x0000000001053000-memory.dmp  upx
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Enumerates connected drives (3 TTPs, 22 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description              ioc     Process
  File opened (read-only)  \??\T:  bde2059ed0933dab2186563089e76878c29a7b226930f5ec6f24f2ac2130ed54.exe
  File opened (read-only)  \??\W:  bde2059ed0933dab2186563089e76878c29a7b226930f5ec6f24f2ac2130ed54.exe
  File opened (read-only)  \??\F:  bde2059ed0933dab2186563089e76878c29a7b226930f5ec6f24f2ac2130ed54.exe
  File opened (read-only)  \??\H:  bde2059ed0933dab2186563089e76878c29a7b226930f5ec6f24f2ac2130ed54.exe
  File opened (read-only)  \??\I:  bde2059ed0933dab2186563089e76878c29a7b226930f5ec6f24f2ac2130ed54.exe
  File opened (read-only)  \??\L:  bde2059ed0933dab2186563089e76878c29a7b226930f5ec6f24f2ac2130ed54.exe
  File opened (read-only)  \??\O:  bde2059ed0933dab2186563089e76878c29a7b226930f5ec6f24f2ac2130ed54.exe
  File opened (read-only)  \??\M:  bde2059ed0933dab2186563089e76878c29a7b226930f5ec6f24f2ac2130ed54.exe
  File opened (read-only)  \??\Q:  bde2059ed0933dab2186563089e76878c29a7b226930f5ec6f24f2ac2130ed54.exe
  File opened (read-only)  \??\U:  bde2059ed0933dab2186563089e76878c29a7b226930f5ec6f24f2ac2130ed54.exe
  File opened (read-only)  \??\X:  bde2059ed0933dab2186563089e76878c29a7b226930f5ec6f24f2ac2130ed54.exe
  File opened (read-only)  \??\E:  bde2059ed0933dab2186563089e76878c29a7b226930f5ec6f24f2ac2130ed54.exe
  File opened (read-only)  \??\G:  bde2059ed0933dab2186563089e76878c29a7b226930f5ec6f24f2ac2130ed54.exe
  File opened (read-only)  \??\J:  bde2059ed0933dab2186563089e76878c29a7b226930f5ec6f24f2ac2130ed54.exe
  File opened (read-only)  \??\K:  bde2059ed0933dab2186563089e76878c29a7b226930f5ec6f24f2ac2130ed54.exe
  File opened (read-only)  \??\P:  bde2059ed0933dab2186563089e76878c29a7b226930f5ec6f24f2ac2130ed54.exe
  File opened (read-only)  \??\Z:  bde2059ed0933dab2186563089e76878c29a7b226930f5ec6f24f2ac2130ed54.exe
  File opened (read-only)  \??\N:  bde2059ed0933dab2186563089e76878c29a7b226930f5ec6f24f2ac2130ed54.exe
  File opened (read-only)  \??\R:  bde2059ed0933dab2186563089e76878c29a7b226930f5ec6f24f2ac2130ed54.exe
  File opened (read-only)  \??\S:  bde2059ed0933dab2186563089e76878c29a7b226930f5ec6f24f2ac2130ed54.exe
  File opened (read-only)  \??\V:  bde2059ed0933dab2186563089e76878c29a7b226930f5ec6f24f2ac2130ed54.exe
  File opened (read-only)  \??\Y:  bde2059ed0933dab2186563089e76878c29a7b226930f5ec6f24f2ac2130ed54.exe
- Drops file in System32 directory (21 IoCs)
  description                   ioc                                            Process
  File opened for modification  \??\c:\windows\SysWOW64\locator.exe            bde2059ed0933dab2186563089e76878c29a7b226930f5ec6f24f2ac2130ed54.exe
  File opened for modification  \??\c:\windows\SysWOW64\snmptrap.exe           bde2059ed0933dab2186563089e76878c29a7b226930f5ec6f24f2ac2130ed54.exe
  File opened for modification  \??\c:\windows\SysWOW64\searchindexer.exe      bde2059ed0933dab2186563089e76878c29a7b226930f5ec6f24f2ac2130ed54.exe
  File created                  \??\c:\windows\SysWOW64\searchindexer.vir      bde2059ed0933dab2186563089e76878c29a7b226930f5ec6f24f2ac2130ed54.exe
  File opened for modification  \??\c:\windows\SysWOW64\alg.exe                bde2059ed0933dab2186563089e76878c29a7b226930f5ec6f24f2ac2130ed54.exe
  File opened for modification  \??\c:\windows\SysWOW64\fxssvc.exe             bde2059ed0933dab2186563089e76878c29a7b226930f5ec6f24f2ac2130ed54.exe
  File opened for modification  \??\c:\windows\SysWOW64\ieetwcollector.exe     bde2059ed0933dab2186563089e76878c29a7b226930f5ec6f24f2ac2130ed54.exe
  File opened for modification  \??\c:\windows\SysWOW64\vds.exe                bde2059ed0933dab2186563089e76878c29a7b226930f5ec6f24f2ac2130ed54.exe
  File created                  \??\c:\windows\SysWOW64\msiexec.vir            bde2059ed0933dab2186563089e76878c29a7b226930f5ec6f24f2ac2130ed54.exe
  File opened for modification  \??\c:\windows\syswow64\perfhost.exe           bde2059ed0933dab2186563089e76878c29a7b226930f5ec6f24f2ac2130ed54.exe
  File opened for modification  \??\c:\windows\SysWOW64\ui0detect.exe          bde2059ed0933dab2186563089e76878c29a7b226930f5ec6f24f2ac2130ed54.exe
  File created                  \??\c:\windows\SysWOW64\svchost.vir            bde2059ed0933dab2186563089e76878c29a7b226930f5ec6f24f2ac2130ed54.exe
  File created                  \??\c:\windows\SysWOW64\dllhost.vir            bde2059ed0933dab2186563089e76878c29a7b226930f5ec6f24f2ac2130ed54.exe
  File opened for modification  \??\c:\windows\SysWOW64\wbem\wmiApsrv.exe      bde2059ed0933dab2186563089e76878c29a7b226930f5ec6f24f2ac2130ed54.exe
  File opened for modification  \??\c:\windows\SysWOW64\msdtc.exe              bde2059ed0933dab2186563089e76878c29a7b226930f5ec6f24f2ac2130ed54.exe
  File opened for modification  \??\c:\windows\SysWOW64\msiexec.exe            bde2059ed0933dab2186563089e76878c29a7b226930f5ec6f24f2ac2130ed54.exe
  File opened for modification  \??\c:\windows\SysWOW64\vssvc.exe              bde2059ed0933dab2186563089e76878c29a7b226930f5ec6f24f2ac2130ed54.exe
  File opened for modification  \??\c:\windows\SysWOW64\wbengine.exe           bde2059ed0933dab2186563089e76878c29a7b226930f5ec6f24f2ac2130ed54.exe
  File opened for modification  \??\c:\windows\SysWOW64\svchost.exe            bde2059ed0933dab2186563089e76878c29a7b226930f5ec6f24f2ac2130ed54.exe
  File opened for modification  \??\c:\windows\SysWOW64\dllhost.exe            bde2059ed0933dab2186563089e76878c29a7b226930f5ec6f24f2ac2130ed54.exe
  File opened for modification  \??\c:\windows\SysWOW64\lsass.exe              bde2059ed0933dab2186563089e76878c29a7b226930f5ec6f24f2ac2130ed54.exe
- Drops file in Program Files directory (8 IoCs)
  description                   ioc                                                                                                Process
  File opened for modification  \??\c:\program files (x86)\common files\microsoft shared\source engine\ose.exe                     bde2059ed0933dab2186563089e76878c29a7b226930f5ec6f24f2ac2130ed54.exe
  File opened for modification  \??\c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\osppsvc.exe    bde2059ed0933dab2186563089e76878c29a7b226930f5ec6f24f2ac2130ed54.exe
  File opened for modification  \??\c:\program files\windows media player\wmpnetwk.exe                                             bde2059ed0933dab2186563089e76878c29a7b226930f5ec6f24f2ac2130ed54.exe
  File opened for modification  C:\Program Files\Internet Explorer\iexplore.exe                                                    bde2059ed0933dab2186563089e76878c29a7b226930f5ec6f24f2ac2130ed54.exe
  File opened for modification  \??\c:\program files\google\chrome\Application\89.0.4389.114\elevation_service.exe                 bde2059ed0933dab2186563089e76878c29a7b226930f5ec6f24f2ac2130ed54.exe
  File opened for modification  \??\c:\program files (x86)\google\update\googleupdate.exe                                          bde2059ed0933dab2186563089e76878c29a7b226930f5ec6f24f2ac2130ed54.exe
  File opened for modification  \??\c:\program files (x86)\microsoft office\office14\groove.exe                                    bde2059ed0933dab2186563089e76878c29a7b226930f5ec6f24f2ac2130ed54.exe
  File opened for modification  \??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe                      bde2059ed0933dab2186563089e76878c29a7b226930f5ec6f24f2ac2130ed54.exe
- Drops file in Windows directory (12 IoCs)
  description                   ioc                                                                                                        Process
  File opened for modification  \??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe                                       bde2059ed0933dab2186563089e76878c29a7b226930f5ec6f24f2ac2130ed54.exe
  File opened for modification  \??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.exe                                             bde2059ed0933dab2186563089e76878c29a7b226930f5ec6f24f2ac2130ed54.exe
  File opened for modification  \??\c:\windows\ehome\ehrecvr.exe                                                                           bde2059ed0933dab2186563089e76878c29a7b226930f5ec6f24f2ac2130ed54.exe
  File opened for modification  \??\c:\windows\ehome\ehsched.exe                                                                           bde2059ed0933dab2186563089e76878c29a7b226930f5ec6f24f2ac2130ed54.exe
  File opened for modification  \??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe                                bde2059ed0933dab2186563089e76878c29a7b226930f5ec6f24f2ac2130ed54.exe
  File opened for modification  \??\c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe                                           bde2059ed0933dab2186563089e76878c29a7b226930f5ec6f24f2ac2130ed54.exe
  File opened for modification  \??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe                                             bde2059ed0933dab2186563089e76878c29a7b226930f5ec6f24f2ac2130ed54.exe
  File opened for modification  \??\c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.exe                                           bde2059ed0933dab2186563089e76878c29a7b226930f5ec6f24f2ac2130ed54.exe
  File created                  C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{45469C47-C668-47E0-9132-38FA1AA24C72}.crmlog  dllhost.exe
  File opened for modification  C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{45469C47-C668-47E0-9132-38FA1AA24C72}.crmlog  dllhost.exe
  File opened for modification  \??\c:\windows\microsoft.net\framework64\v3.0\windows communication foundation\infocard.exe                bde2059ed0933dab2186563089e76878c29a7b226930f5ec6f24f2ac2130ed54.exe
  File opened for modification  \??\c:\windows\servicing\trustedinstaller.exe                                                              bde2059ed0933dab2186563089e76878c29a7b226930f5ec6f24f2ac2130ed54.exe
- Modifies data under HKEY_USERS (3 IoCs)
  description  ioc                                                                                           Process
  Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections  SearchIndexer.exe
  Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones        SearchIndexer.exe
  Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap      SearchIndexer.exe
- Suspicious use of AdjustPrivilegeToken (7 IoCs)
  description                        pid   Process
  Token: SeTakeOwnershipPrivilege    1648  bde2059ed0933dab2186563089e76878c29a7b226930f5ec6f24f2ac2130ed54.exe
  Token: SeRestorePrivilege          1576  msiexec.exe
  Token: SeTakeOwnershipPrivilege    1576  msiexec.exe
  Token: SeSecurityPrivilege         1576  msiexec.exe
  Token: SeManageVolumePrivilege     928   SearchIndexer.exe
  Token: 33                          928   SearchIndexer.exe
  Token: SeIncBasePriorityPrivilege  928   SearchIndexer.exe
- Suspicious use of SetWindowsHookEx (3 IoCs)
  pid   Process
  1156  SearchProtocolHost.exe
  1156  SearchProtocolHost.exe
  1156  SearchProtocolHost.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description                     pid  Process            procid_target
  PID 928 wrote to memory of 1156  928  SearchIndexer.exe  32
  PID 928 wrote to memory of 1156  928  SearchIndexer.exe  32
  PID 928 wrote to memory of 1156  928  SearchIndexer.exe  32
  PID 928 wrote to memory of 1760  928  SearchIndexer.exe  33
  PID 928 wrote to memory of 1760  928  SearchIndexer.exe  33
  PID 928 wrote to memory of 1760  928  SearchIndexer.exe  33
Processes
- C:\Users\Admin\AppData\Local\Temp\bde2059ed0933dab2186563089e76878c29a7b226930f5ec6f24f2ac2130ed54.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\bde2059ed0933dab2186563089e76878c29a7b226930f5ec6f24f2ac2130ed54.exe"
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 1648
- C:\Windows\system32\dllhost.exe
  Command line: C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
  - Drops file in Windows directory
  PID: 936
- C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  - Suspicious use of AdjustPrivilegeToken
  PID: 1576
- C:\Windows\system32\SearchIndexer.exe
  Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 928
  - C:\Windows\system32\SearchProtocolHost.exe
    Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-3385717845-2518323428-350143044-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-3385717845-2518323428-350143044-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
    - Suspicious use of SetWindowsHookEx
    PID: 1156
  - C:\Windows\system32\SearchFilterHost.exe
    Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 512 516 524 65536 520
    PID: 1760