e2a0b1055bd9d66d25b3d1569ae16af163dbddfc4bb9d36f559cdf26e083a347

Analysis

max time kernel
271s
max time network
365s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
04/12/2022, 13:38

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

e2a0b1055bd9d66d25b3d1569ae16af163dbddfc4bb9d36f559cdf26e083a347.exe
Size

169KB
MD5

c73be396733cc019a2cc80de32c49a96
SHA1

ab05376ceb5f175b2791f19cf9e06f7ea9b87d22
SHA256

e2a0b1055bd9d66d25b3d1569ae16af163dbddfc4bb9d36f559cdf26e083a347
SHA512

99852fbfef8e6051987d24faf28019f79a727e8f67f3554ff6bbe3f7d67671e491f3728185fd6c32668468691cfdb71933d1177e8b08a36080a2799204738b87
SSDEEP

3072:V2ACUErMwGYCZmMDlaemxNOpJe52zLTMcU4VG40jrUG4RhOgSvWmznCbW:J9YMlQwRmxIDe5KLTE+Gfjf+N4WmzngW

Score

8^/10

persistence spyware stealer upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1528	mssm.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1940-54-0x0000000000400000-0x000000000048D000-memory.dmp	upx
behavioral1/files/0x00090000000126d7-56.dat	upx
behavioral1/files/0x00090000000126d7-57.dat	upx
behavioral1/files/0x00090000000126d7-59.dat	upx
behavioral1/memory/1528-62-0x0000000000400000-0x000000000048D000-memory.dmp	upx
behavioral1/memory/1940-64-0x0000000000400000-0x000000000048D000-memory.dmp	upx
behavioral1/files/0x00090000000126d7-81.dat	upx
behavioral1/memory/1528-131-0x0000000000400000-0x000000000048D000-memory.dmp	upx

Loads dropped DLL 2 IoCs

pid	Process
1940	e2a0b1055bd9d66d25b3d1569ae16af163dbddfc4bb9d36f559cdf26e083a347.exe
1940	e2a0b1055bd9d66d25b3d1569ae16af163dbddfc4bb9d36f559cdf26e083a347.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN	mssm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\mssm.exe = "C:\\mssm\\mssm.exe"	mssm.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 3 IoCs

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ShownServiceDownBalloon = "0"	mssm.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\PhishingFilter	mssm.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV8 = "0"	mssm.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Recovery	mssm.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Recovery\ClearBrowsingHistoryOnExit = "0"	mssm.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1940	e2a0b1055bd9d66d25b3d1569ae16af163dbddfc4bb9d36f559cdf26e083a347.exe
1940	e2a0b1055bd9d66d25b3d1569ae16af163dbddfc4bb9d36f559cdf26e083a347.exe
1528	mssm.exe
1528	mssm.exe
1528	mssm.exe
1528	mssm.exe
1528	mssm.exe
1528	mssm.exe
1528	mssm.exe
1528	mssm.exe
1528	mssm.exe
1528	mssm.exe
1528	mssm.exe
1528	mssm.exe
1528	mssm.exe
1528	mssm.exe
1528	mssm.exe
1528	mssm.exe
1528	mssm.exe
1528	mssm.exe
1528	mssm.exe
1528	mssm.exe
1528	mssm.exe
1528	mssm.exe
1528	mssm.exe
1528	mssm.exe
1528	mssm.exe
1528	mssm.exe
1528	mssm.exe
1528	mssm.exe
1528	mssm.exe
1528	mssm.exe
1528	mssm.exe
1528	mssm.exe
1528	mssm.exe
1528	mssm.exe
1528	mssm.exe
1528	mssm.exe
1528	mssm.exe
1528	mssm.exe
1528	mssm.exe
1528	mssm.exe
1528	mssm.exe
1528	mssm.exe
1528	mssm.exe
1528	mssm.exe
1528	mssm.exe
1528	mssm.exe
1528	mssm.exe
1528	mssm.exe
1528	mssm.exe
1528	mssm.exe
1528	mssm.exe
1528	mssm.exe
1528	mssm.exe
1528	mssm.exe
1528	mssm.exe
1528	mssm.exe
1528	mssm.exe
1528	mssm.exe
1528	mssm.exe
1528	mssm.exe
1528	mssm.exe
1528	mssm.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1940	e2a0b1055bd9d66d25b3d1569ae16af163dbddfc4bb9d36f559cdf26e083a347.exe
Token: SeDebugPrivilege	1940	e2a0b1055bd9d66d25b3d1569ae16af163dbddfc4bb9d36f559cdf26e083a347.exe
Token: SeDebugPrivilege	1940	e2a0b1055bd9d66d25b3d1569ae16af163dbddfc4bb9d36f559cdf26e083a347.exe
Token: SeDebugPrivilege	1940	e2a0b1055bd9d66d25b3d1569ae16af163dbddfc4bb9d36f559cdf26e083a347.exe
Token: SeDebugPrivilege	1528	mssm.exe
Token: SeDebugPrivilege	1528	mssm.exe
Token: SeDebugPrivilege	1528	mssm.exe
Token: SeDebugPrivilege	1528	mssm.exe
Token: SeDebugPrivilege	1528	mssm.exe
Token: SeDebugPrivilege	1528	mssm.exe
Token: SeDebugPrivilege	1528	mssm.exe
Token: SeDebugPrivilege	1528	mssm.exe
Token: SeDebugPrivilege	1528	mssm.exe
Token: SeDebugPrivilege	1528	mssm.exe
Token: SeDebugPrivilege	1528	mssm.exe
Token: SeDebugPrivilege	1528	mssm.exe
Token: SeDebugPrivilege	1528	mssm.exe
Token: SeDebugPrivilege	1528	mssm.exe
Token: SeDebugPrivilege	1528	mssm.exe
Token: SeDebugPrivilege	1528	mssm.exe
Token: SeDebugPrivilege	1528	mssm.exe
Token: SeDebugPrivilege	1528	mssm.exe
Token: SeDebugPrivilege	1528	mssm.exe
Token: SeDebugPrivilege	1528	mssm.exe
Token: SeDebugPrivilege	1528	mssm.exe
Token: SeDebugPrivilege	1528	mssm.exe
Token: SeDebugPrivilege	1528	mssm.exe
Token: SeDebugPrivilege	1528	mssm.exe
Token: SeDebugPrivilege	1528	mssm.exe
Token: SeDebugPrivilege	1528	mssm.exe
Token: SeDebugPrivilege	1528	mssm.exe
Token: SeDebugPrivilege	1528	mssm.exe
Token: SeDebugPrivilege	1528	mssm.exe
Token: SeDebugPrivilege	1528	mssm.exe
Token: SeDebugPrivilege	1528	mssm.exe
Token: SeDebugPrivilege	1528	mssm.exe
Token: SeDebugPrivilege	1528	mssm.exe
Token: SeDebugPrivilege	1528	mssm.exe
Token: SeDebugPrivilege	1528	mssm.exe
Token: SeDebugPrivilege	1528	mssm.exe
Token: SeDebugPrivilege	1528	mssm.exe
Token: SeDebugPrivilege	1528	mssm.exe
Token: SeDebugPrivilege	1528	mssm.exe
Token: SeDebugPrivilege	1528	mssm.exe
Token: SeDebugPrivilege	1528	mssm.exe
Token: SeDebugPrivilege	1528	mssm.exe
Token: SeDebugPrivilege	1528	mssm.exe
Token: SeDebugPrivilege	1528	mssm.exe
Token: SeDebugPrivilege	1528	mssm.exe
Token: SeDebugPrivilege	1528	mssm.exe
Token: SeDebugPrivilege	1528	mssm.exe
Token: SeDebugPrivilege	1528	mssm.exe
Token: SeDebugPrivilege	1528	mssm.exe
Token: SeDebugPrivilege	1528	mssm.exe
Token: SeDebugPrivilege	1528	mssm.exe
Token: SeDebugPrivilege	1528	mssm.exe
Token: SeDebugPrivilege	1528	mssm.exe
Token: SeDebugPrivilege	1528	mssm.exe
Token: SeDebugPrivilege	1528	mssm.exe
Token: SeDebugPrivilege	1528	mssm.exe
Token: SeDebugPrivilege	1528	mssm.exe
Token: SeDebugPrivilege	1528	mssm.exe
Token: SeDebugPrivilege	1528	mssm.exe
Token: SeDebugPrivilege	1528	mssm.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 1940 wrote to memory of 1232	1940	e2a0b1055bd9d66d25b3d1569ae16af163dbddfc4bb9d36f559cdf26e083a347.exe	15
PID 1940 wrote to memory of 368	1940	e2a0b1055bd9d66d25b3d1569ae16af163dbddfc4bb9d36f559cdf26e083a347.exe	5
PID 1940 wrote to memory of 416	1940	e2a0b1055bd9d66d25b3d1569ae16af163dbddfc4bb9d36f559cdf26e083a347.exe	3
PID 1940 wrote to memory of 476	1940	e2a0b1055bd9d66d25b3d1569ae16af163dbddfc4bb9d36f559cdf26e083a347.exe	1
PID 1940 wrote to memory of 484	1940	e2a0b1055bd9d66d25b3d1569ae16af163dbddfc4bb9d36f559cdf26e083a347.exe	8
PID 1940 wrote to memory of 600	1940	e2a0b1055bd9d66d25b3d1569ae16af163dbddfc4bb9d36f559cdf26e083a347.exe	26
PID 1940 wrote to memory of 676	1940	e2a0b1055bd9d66d25b3d1569ae16af163dbddfc4bb9d36f559cdf26e083a347.exe	25
PID 1940 wrote to memory of 760	1940	e2a0b1055bd9d66d25b3d1569ae16af163dbddfc4bb9d36f559cdf26e083a347.exe	24
PID 1940 wrote to memory of 816	1940	e2a0b1055bd9d66d25b3d1569ae16af163dbddfc4bb9d36f559cdf26e083a347.exe	9
PID 1940 wrote to memory of 840	1940	e2a0b1055bd9d66d25b3d1569ae16af163dbddfc4bb9d36f559cdf26e083a347.exe	23
PID 1940 wrote to memory of 892	1940	e2a0b1055bd9d66d25b3d1569ae16af163dbddfc4bb9d36f559cdf26e083a347.exe	10
PID 1940 wrote to memory of 292	1940	e2a0b1055bd9d66d25b3d1569ae16af163dbddfc4bb9d36f559cdf26e083a347.exe	11
PID 1940 wrote to memory of 1036	1940	e2a0b1055bd9d66d25b3d1569ae16af163dbddfc4bb9d36f559cdf26e083a347.exe	12
PID 1940 wrote to memory of 1092	1940	e2a0b1055bd9d66d25b3d1569ae16af163dbddfc4bb9d36f559cdf26e083a347.exe	18
PID 1940 wrote to memory of 1128	1940	e2a0b1055bd9d66d25b3d1569ae16af163dbddfc4bb9d36f559cdf26e083a347.exe	16
PID 1940 wrote to memory of 1180	1940	e2a0b1055bd9d66d25b3d1569ae16af163dbddfc4bb9d36f559cdf26e083a347.exe	13
PID 1940 wrote to memory of 1232	1940	e2a0b1055bd9d66d25b3d1569ae16af163dbddfc4bb9d36f559cdf26e083a347.exe	15
PID 1940 wrote to memory of 1656	1940	e2a0b1055bd9d66d25b3d1569ae16af163dbddfc4bb9d36f559cdf26e083a347.exe	17
PID 1940 wrote to memory of 1928	1940	e2a0b1055bd9d66d25b3d1569ae16af163dbddfc4bb9d36f559cdf26e083a347.exe	22
PID 1940 wrote to memory of 1280	1940	e2a0b1055bd9d66d25b3d1569ae16af163dbddfc4bb9d36f559cdf26e083a347.exe	20
PID 1940 wrote to memory of 1312	1940	e2a0b1055bd9d66d25b3d1569ae16af163dbddfc4bb9d36f559cdf26e083a347.exe	19
PID 1940 wrote to memory of 1528	1940	e2a0b1055bd9d66d25b3d1569ae16af163dbddfc4bb9d36f559cdf26e083a347.exe	28
PID 1940 wrote to memory of 1528	1940	e2a0b1055bd9d66d25b3d1569ae16af163dbddfc4bb9d36f559cdf26e083a347.exe	28
PID 1940 wrote to memory of 1528	1940	e2a0b1055bd9d66d25b3d1569ae16af163dbddfc4bb9d36f559cdf26e083a347.exe	28
PID 1940 wrote to memory of 1528	1940	e2a0b1055bd9d66d25b3d1569ae16af163dbddfc4bb9d36f559cdf26e083a347.exe	28
PID 1528 wrote to memory of 1232	1528	mssm.exe	15
PID 1528 wrote to memory of 368	1528	mssm.exe	5
PID 1528 wrote to memory of 416	1528	mssm.exe	3
PID 1528 wrote to memory of 476	1528	mssm.exe	1
PID 1528 wrote to memory of 484	1528	mssm.exe	8
PID 1528 wrote to memory of 600	1528	mssm.exe	26
PID 1528 wrote to memory of 676	1528	mssm.exe	25
PID 1528 wrote to memory of 760	1528	mssm.exe	24
PID 1528 wrote to memory of 816	1528	mssm.exe	9
PID 1528 wrote to memory of 840	1528	mssm.exe	23
PID 1528 wrote to memory of 892	1528	mssm.exe	10
PID 1528 wrote to memory of 292	1528	mssm.exe	11
PID 1528 wrote to memory of 1036	1528	mssm.exe	12
PID 1528 wrote to memory of 1092	1528	mssm.exe	18
PID 1528 wrote to memory of 1128	1528	mssm.exe	16
PID 1528 wrote to memory of 1180	1528	mssm.exe	13
PID 1528 wrote to memory of 1232	1528	mssm.exe	15
PID 1528 wrote to memory of 1656	1528	mssm.exe	17
PID 1528 wrote to memory of 1928	1528	mssm.exe	22
PID 1528 wrote to memory of 1280	1528	mssm.exe	20
PID 1528 wrote to memory of 1312	1528	mssm.exe	19
PID 1528 wrote to memory of 856	1528	mssm.exe	29
PID 1528 wrote to memory of 1004	1528	mssm.exe	30

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:476

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:416

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:368
- C:\Windows\system32\lsm.exe
  C:\Windows\system32\lsm.exe
  2⤵
  PID:484

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
1⤵
PID:816
- C:\Windows\system32\Dwm.exe
  "C:\Windows\system32\Dwm.exe"
  2⤵
  PID:1180

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:892
- \\?\C:\Windows\system32\wbem\WMIADAP.EXE
  wmiadap.exe /F /T /R
  2⤵
  PID:1280

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService
1⤵
PID:292

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:1036

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1232
- C:\Users\Admin\AppData\Local\Temp\e2a0b1055bd9d66d25b3d1569ae16af163dbddfc4bb9d36f559cdf26e083a347.exe
  "C:\Users\Admin\AppData\Local\Temp\e2a0b1055bd9d66d25b3d1569ae16af163dbddfc4bb9d36f559cdf26e083a347.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1940
- - C:\mssm\mssm.exe
    "C:\mssm\mssm.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Modifies Internet Explorer Phishing Filter
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1528

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1128

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
1⤵
PID:1656

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
1⤵
PID:1092

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
1⤵
PID:1312

C:\Windows\system32\sppsvc.exe
C:\Windows\system32\sppsvc.exe
1⤵
PID:1928

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService
1⤵
PID:840

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:760

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS
1⤵
PID:676

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
1⤵
PID:600
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  2⤵
  PID:856
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
  2⤵
  PID:1004

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\mssm\mssm.exe

Filesize
169KB

MD5
c73be396733cc019a2cc80de32c49a96

SHA1
ab05376ceb5f175b2791f19cf9e06f7ea9b87d22

SHA256
e2a0b1055bd9d66d25b3d1569ae16af163dbddfc4bb9d36f559cdf26e083a347

SHA512
99852fbfef8e6051987d24faf28019f79a727e8f67f3554ff6bbe3f7d67671e491f3728185fd6c32668468691cfdb71933d1177e8b08a36080a2799204738b87

Download Submit
C:\mssm\mssm.exe

Filesize
169KB

MD5
c73be396733cc019a2cc80de32c49a96

SHA1
ab05376ceb5f175b2791f19cf9e06f7ea9b87d22

SHA256
e2a0b1055bd9d66d25b3d1569ae16af163dbddfc4bb9d36f559cdf26e083a347

SHA512
99852fbfef8e6051987d24faf28019f79a727e8f67f3554ff6bbe3f7d67671e491f3728185fd6c32668468691cfdb71933d1177e8b08a36080a2799204738b87

Download Submit
\mssm\mssm.exe

Filesize
169KB

MD5
c73be396733cc019a2cc80de32c49a96

SHA1
ab05376ceb5f175b2791f19cf9e06f7ea9b87d22

SHA256
e2a0b1055bd9d66d25b3d1569ae16af163dbddfc4bb9d36f559cdf26e083a347

SHA512
99852fbfef8e6051987d24faf28019f79a727e8f67f3554ff6bbe3f7d67671e491f3728185fd6c32668468691cfdb71933d1177e8b08a36080a2799204738b87

Download Submit
\mssm\mssm.exe

Filesize
169KB

MD5
c73be396733cc019a2cc80de32c49a96

SHA1
ab05376ceb5f175b2791f19cf9e06f7ea9b87d22

SHA256
e2a0b1055bd9d66d25b3d1569ae16af163dbddfc4bb9d36f559cdf26e083a347

SHA512
99852fbfef8e6051987d24faf28019f79a727e8f67f3554ff6bbe3f7d67671e491f3728185fd6c32668468691cfdb71933d1177e8b08a36080a2799204738b87

Download Submit
memory/1232-116-0x000000000BB50000-0x000000000BB9F000-memory.dmp

Filesize
316KB

Download
memory/1232-67-0x000000000BAD0000-0x000000000BB15000-memory.dmp

Filesize
276KB

Download
memory/1528-65-0x00000000757C1000-0x00000000757C3000-memory.dmp

Filesize
8KB

Download
memory/1528-131-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/1528-62-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/1528-63-0x0000000000230000-0x0000000000238000-memory.dmp

Filesize
32KB

Download
memory/1528-137-0x0000000000350000-0x0000000000395000-memory.dmp

Filesize
276KB

Download
memory/1528-66-0x0000000000350000-0x0000000000395000-memory.dmp

Filesize
276KB

Download
memory/1528-133-0x0000000000020000-0x0000000000025000-memory.dmp

Filesize
20KB

Download
memory/1528-132-0x0000000000230000-0x0000000000238000-memory.dmp

Filesize
32KB

Download
memory/1940-64-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/1940-54-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/1940-55-0x0000000000220000-0x0000000000228000-memory.dmp

Filesize
32KB

Download
memory/1940-60-0x0000000000350000-0x00000000003DD000-memory.dmp

Filesize
564KB

Download
memory/1940-61-0x0000000000350000-0x00000000003DD000-memory.dmp

Filesize
564KB

Download