b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd

Analysis

max time kernel
151s
max time network
117s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
04/12/2022, 02:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
Size

586KB
MD5

3f990390dc8abd28588e1b2c064dcab0
SHA1

a53aa1f5b33531846bcc2370a0b7a74523a285d4
SHA256

b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd
SHA512

b65691bffd82dfc8254ba32559623d5ef0493e034d7f79693fdd0bb62cce11755135b0caddfb8a0d8f9840f0554326849c22532fc1845c41f739418276fc8fec
SSDEEP

12288:dkSEug8eF4vEIaF82hdnWZPkGygCreEyetj9pDBbt1z:uZ8ey5aCqaCreBelFz

Score

8^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 7 IoCs

pid	Process
4124	elevation_service.exe
3372	elevation_service.exe
4872	maintenanceservice.exe
208	OSE.EXE
4464	ssh-agent.exe
1816	AgentService.exe
4316	wbengine.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops Chrome extension 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\dlddmedljhmbgdhapibnagaanenmajcm\1.0_0\manifest.json	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Z:	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File opened (read-only)	\??\L:	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File opened (read-only)	\??\M:	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File opened (read-only)	\??\T:	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File opened (read-only)	\??\U:	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File opened (read-only)	\??\W:	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File opened (read-only)	\??\P:	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File opened (read-only)	\??\S:	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File opened (read-only)	\??\F:	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File opened (read-only)	\??\G:	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File opened (read-only)	\??\H:	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File opened (read-only)	\??\K:	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File opened (read-only)	\??\N:	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File opened (read-only)	\??\I:	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File opened (read-only)	\??\J:	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File opened (read-only)	\??\R:	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File opened (read-only)	\??\X:	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File opened (read-only)	\??\Y:	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File opened (read-only)	\??\E:	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File opened (read-only)	\??\O:	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File opened (read-only)	\??\Q:	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File opened (read-only)	\??\V:	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe

Drops file in System32 directory 61 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system32\alg.exe	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File opened for modification	\??\c:\windows\SysWOW64\snmptrap.exe	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File opened for modification	\??\c:\windows\system32\vds.exe	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File created	\??\c:\windows\SysWOW64\msiexec.vir	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File opened for modification	\??\c:\windows\SysWOW64\sensordataservice.exe	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File created	\??\c:\windows\system32\Agentservice.vir	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File opened for modification	\??\c:\windows\system32\fxssvc.exe	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File created	\??\c:\windows\system32\fxssvc.vir	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File opened for modification	\??\c:\windows\SysWOW64\perceptionsimulation\perceptionsimulationservice.exe	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File opened for modification	\??\c:\windows\system32\snmptrap.exe	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File opened for modification	\??\c:\windows\system32\spectrum.exe	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File opened for modification	\??\c:\windows\system32\wbengine.exe	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File opened for modification	\??\c:\windows\system32\locator.exe	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File opened for modification	\??\c:\windows\SysWOW64\spectrum.exe	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.vir	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File opened for modification	\??\c:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File created	\??\c:\windows\system32\msdtc.vir	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File opened for modification	\??\c:\windows\SysWOW64\openssh\ssh-agent.exe	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File opened for modification	\??\c:\windows\SysWOW64\Agentservice.exe	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File opened for modification	\??\c:\windows\system32\searchindexer.exe	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File opened for modification	\??\c:\windows\system32\Appvclient.exe	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File opened for modification	\??\c:\windows\system32\sensordataservice.exe	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File opened for modification	\??\c:\windows\SysWOW64\tieringengineservice.exe	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File opened for modification	\??\c:\windows\SysWOW64\wbengine.exe	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File created	\??\c:\windows\system32\wbengine.vir	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File opened for modification	\??\c:\windows\SysWOW64\diagsvcs\diagnosticshub.standardcollector.service.exe	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File opened for modification	\??\c:\windows\system32\msdtc.exe	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File opened for modification	\??\c:\windows\SysWOW64\perfhost.exe	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File opened for modification	\??\c:\windows\system32\tieringengineservice.exe	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File opened for modification	\??\c:\windows\system32\wbem\wmiApsrv.exe	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File created	\??\c:\windows\system32\Appvclient.vir	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File opened for modification	\??\c:\windows\system32\lsass.exe	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File opened for modification	\??\c:\windows\SysWOW64\fxssvc.exe	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File opened for modification	\??\c:\windows\SysWOW64\vds.exe	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File opened for modification	\??\c:\windows\SysWOW64\searchindexer.exe	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File opened for modification	\??\c:\windows\SysWOW64\alg.exe	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File opened for modification	\??\c:\windows\SysWOW64\msdtc.exe	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File opened for modification	\??\c:\windows\SysWOW64\msiexec.exe	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File opened for modification	\??\c:\windows\system32\sgrmbroker.exe	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File created	\??\c:\windows\system32\WindowsPowerShell\v1.0\powershell.vir	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File opened for modification	\??\c:\windows\SysWOW64\lsass.exe	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File opened for modification	\??\c:\windows\SysWOW64\sgrmbroker.exe	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File opened for modification	\??\c:\windows\SysWOW64\vssvc.exe	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File opened for modification	\??\c:\windows\SysWOW64\wbem\wmiApsrv.exe	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File opened for modification	\??\c:\windows\system32\dllhost.exe	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File created	\??\c:\windows\system32\msiexec.vir	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File opened for modification	\??\c:\windows\system32\perceptionsimulation\perceptionsimulationservice.exe	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File opened for modification	\??\c:\windows\SysWOW64\locator.exe	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File opened for modification	\??\c:\windows\system32\openssh\ssh-agent.exe	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File opened for modification	\??\c:\windows\system32\Agentservice.exe	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File opened for modification	\??\c:\windows\system32\svchost.exe	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File opened for modification	\??\c:\windows\SysWOW64\dllhost.exe	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File created	\??\c:\windows\system32\snmptrap.vir	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File opened for modification	\??\c:\windows\system32\vssvc.exe	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File opened for modification	\??\c:\windows\SysWOW64\Appvclient.exe	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File opened for modification	\??\c:\windows\system32\msiexec.exe	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File opened for modification	\??\c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File opened for modification	\??\c:\windows\SysWOW64\svchost.exe	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File opened for modification	\??\c:\windows\system32\diagsvcs\diagnosticshub.standardcollector.service.exe	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File created	\??\c:\windows\system32\openssh\ssh-agent.vir	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File created	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.vir	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jarsigner.exe	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jconsole.exe	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jrunscript.exe	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File created	\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.vir	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\java-rmi.exe	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jsadebugd.exe	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\keytool.exe	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File created	C:\Program Files\Java\jre1.8.0_66\bin\java.vir	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File created	C:\Program Files\Java\jre1.8.0_66\bin\jp2launcher.vir	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File opened for modification	C:\Program Files\Microsoft Office\Office16\OSPPREARM.EXE	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File created	C:\Program Files\Google\Chrome\Application\chrome_proxy.vir	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\pack200.exe	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\jabswitch.exe	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\bin\jp2launcher.vir	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\servertool.exe	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\orbd.exe	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File opened for modification	\??\c:\program files\windows media player\wmpnetwk.exe	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jhat.exe	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Client\AppVLP.exe	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jdb.exe	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\bin\javaw.vir	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\jp2launcher.exe	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File created	C:\Program Files\Java\jre1.8.0_66\bin\javaw.vir	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File opened for modification	\??\c:\program files\common files\microsoft shared\source engine\ose.exe	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File created	\??\c:\program files\common files\microsoft shared\source engine\ose.vir	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javah.exe	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\bin\ssvagent.vir	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\javacpl.exe	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.vir	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\ktab.exe	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\rmid.exe	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\bin\javacpl.vir	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jp2launcher.exe	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\ssvagent.exe	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File created	C:\Program Files\Microsoft Office\root\Integration\Integrator.vir	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.vir	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\klist.exe	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jjs.exe	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\kinit.exe	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\orbd.exe	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\rmiregistry.exe	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\unpack200.exe	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.vir	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\unpack200.exe	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\bin\unpack200.vir	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javapackager.exe	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\xjc.exe	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jvisualvm.exe	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\pack200.exe	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\mip.vir	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\serialver.exe	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\keytool.exe	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\policytool.exe	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File created	C:\Program Files\Microsoft Office\root\Integration\Addons\OneDriveSetup.vir	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\servicing\trustedinstaller.exe	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe

Program crash 7 IoCs

pid	pid_target	Process	procid_target
2340	4124	WerFault.exe	83
1664	3372	WerFault.exe	87
4332	4872	WerFault.exe	90
1108	208	WerFault.exe	93
3716	4464	WerFault.exe	97
2432	1816	WerFault.exe	100
3560	4316	WerFault.exe	103

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3440	b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe

C:\Users\Admin\AppData\Local\Temp\b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe
"C:\Users\Admin\AppData\Local\Temp\b2723fab35a2bce8491f26edf352f03b8e81daea11f12286e702756dc278c7fd.exe"
1⤵
- Drops Chrome extension
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3440

C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4124
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4124 -s 124
  2⤵
  - Program crash
  PID:2340

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 188 -p 4124 -ip 4124
1⤵
PID:3596

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3372
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3372 -s 116
  2⤵
  - Program crash
  PID:1664

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 376 -p 3372 -ip 3372
1⤵
PID:3676

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4872
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4872 -s 400
  2⤵
  - Program crash
  PID:4332

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 468 -p 4872 -ip 4872
1⤵
PID:3648

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:208
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 208 -s 188
  2⤵
  - Program crash
  PID:1108

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 420 -p 208 -ip 208
1⤵
PID:1252

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4464
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4464 -s 232
  2⤵
  - Program crash
  PID:3716

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 436 -p 4464 -ip 4464
1⤵
PID:2036

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
PID:1816
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1816 -s 392
  2⤵
  - Program crash
  PID:2432

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 376 -p 1816 -ip 1816
1⤵
PID:4528

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
PID:4316
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4316 -s 476
  2⤵
  - Program crash
  PID:3560

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 436 -p 4316 -ip 4316
1⤵
PID:980

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
3860d2f12830b163147057dd89a0b1b8

SHA1
76ce7b6fcb21510030d49299ba629d9d5e003739

SHA256
2bc9fc53a6c47a5ff4f78ce01653722faf624b456da6d1b6e4eb461e6951c010

SHA512
c327b7677be3387657a83aa055e0ea6f91b673734fb9446f15b0c5fc21610921513497e8b37e0ba43b3ca9c55ff64178e8fbc851d3c9633701395fcead597217

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
738KB

MD5
e92c273d34c87acf170b045a91d3335b

SHA1
ab393570576072ea47c311a1b7e69dc0f1991cee

SHA256
82d427b6fa9272af5454054faccd13c95b162d8fc907912b805d3f35e15ea6ca

SHA512
95b63338c01fdb2d325c0db356dfa5737ea07375b0e6b9a417a78bf1b0f340b5de197636c61914f0cc53e8583b9ee3a0f87ca759af8802d3f9410486bc8a7b59

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
748KB

MD5
a27ea42013d07a8947f63ec17dc55b43

SHA1
57b7349154cc2094cbfffa3b7bca7df09d627f6c

SHA256
02ed51abeeca19b543a7b0f372436253ec993e49bdba53f70b4400517bd738d5

SHA512
6849dd1be4ff3b97d931bcebd4ca5406454cf698f97510d65a0380d40fd496fc5d869b36f9404d90cebda4e357813443e59119d67481c877661948ec9bc7e5a4

Download Submit
C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe

Filesize
1.9MB

MD5
b1cc6653cb502b5daafc9bfd119fb2ef

SHA1
e027d86dec1cba57cd89cf2979150c326a4566f5

SHA256
5768811ea24976dffa90bf1ed6324551c058e41836a00f66bb693661c5c4fe1b

SHA512
f1238563c908b6f38ebb6300ecea73aaa036e01ae2f9343a85149cd0daac3693b72317b107b1e3ea0132a7b85805561560dc12db9c8113bce7f713e8e40b357d

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
79f8ce6774f962ae15c3b4a355a39edb

SHA1
d8504b889251011171980cae9588b3b31b69b89a

SHA256
7226643c1fb1d9f7cfbe86111ab3863b7e64afb1fd964a5a7ee16f4a7262de53

SHA512
aaa9093a54eeb1a6db372d8a8e46c11984f06029b181e4dc7df734197a755d036a42cf96e8f62701af5223462719d889c5c0c6481ddb01ac0a81670765a1bb63

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
882KB

MD5
c3d7f2f43e1b9c5978e5f146eaa36eef

SHA1
2546a0fe3662d1066642253cc27bc8c6b9705eb5

SHA256
04008e830e64667f9495a352ddaab63c3d1a2947ff1f291a453b50bdfeefb4a3

SHA512
8a6ed29ab1a4e8dff3cba3c4bc912b624595add3a7f1b9d375da0043d0e1c4a2b8867d5cf752da32146783096427c25ba9702eef91c96f19e67057401ca0ad01

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
882KB

MD5
c3d7f2f43e1b9c5978e5f146eaa36eef

SHA1
2546a0fe3662d1066642253cc27bc8c6b9705eb5

SHA256
04008e830e64667f9495a352ddaab63c3d1a2947ff1f291a453b50bdfeefb4a3

SHA512
8a6ed29ab1a4e8dff3cba3c4bc912b624595add3a7f1b9d375da0043d0e1c4a2b8867d5cf752da32146783096427c25ba9702eef91c96f19e67057401ca0ad01

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
4afef8d3baddbc92b9d41b6408889135

SHA1
aef0ac544d50e863435690c2f644af6b0b0f03e3

SHA256
97d291b0857a81f83e4418a1365ca6dded5dca98bd9b8285d0a8e1ced57cdc4c

SHA512
0242c16779cdd9323cda0e65f48e0ac33f599fecc26154507a70d625160dd891c6879c55967783b57d2d03104c01ea11aacc49ef6c74d03a21f132883dca12e0

Download Submit
memory/208-141-0x0000000140000000-0x0000000140203000-memory.dmp

Filesize
2.0MB

Download
memory/1816-146-0x0000000140000000-0x00000001402F4000-memory.dmp

Filesize
3.0MB

Download
memory/3372-137-0x0000000140000000-0x000000014035F000-memory.dmp

Filesize
3.4MB

Download
memory/3440-133-0x0000000001000000-0x00000000011CF000-memory.dmp

Filesize
1.8MB

Download
memory/3440-132-0x0000000001000000-0x00000000011CF000-memory.dmp

Filesize
1.8MB

Download
memory/4124-135-0x0000000140000000-0x0000000140342000-memory.dmp

Filesize
3.3MB

Download
memory/4316-148-0x0000000140000000-0x000000014034A000-memory.dmp

Filesize
3.3MB

Download
memory/4316-149-0x0000000140000000-0x000000014034A000-memory.dmp

Filesize
3.3MB

Download
memory/4464-144-0x0000000140000000-0x0000000140236000-memory.dmp

Filesize
2.2MB

Download
memory/4872-139-0x0000000140000000-0x0000000140203000-memory.dmp

Filesize
2.0MB

Download