b01288d58620702beae542e6ff9ab79777e9eb03b7b6780821ad1c765cb333fc

Analysis

max time kernel
88s
max time network
124s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
05/12/2022, 08:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b01288d58620702beae542e6ff9ab79777e9eb03b7b6780821ad1c765cb333fc.exe
Size

436KB
MD5

6562d88856681e5e53c073f394e86da9
SHA1

d8b286bc2cbd0533e8a3f949d89fe51dc59237fe
SHA256

b01288d58620702beae542e6ff9ab79777e9eb03b7b6780821ad1c765cb333fc
SHA512

f5eb75a02e7f2ae7cb044852f883c118b6af65ab09734ca2a97ef2ad275c659c03110d362ec33c0c774e7b695fb2a372050ce85bd4ca9f8ce9bfd1162e96d7f7
SSDEEP

12288:anc1wV3MIRTBOUg+LFYWSfWknbX22HZxDjpW2tS49:a2k3pR08LF4Fnbh5xrS

Score

8^/10

bootkit persistence spyware stealer upx

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
884	0a131764.exe
1776	be45b969.exe
1608	93bc20e1.exe
1924	93bc20e1.exe
692	93bc20e1.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1608-76-0x0000000000400000-0x000000000044D000-memory.dmp	upx
behavioral1/memory/1924-82-0x0000000000400000-0x000000000044D000-memory.dmp	upx
behavioral1/memory/1608-86-0x0000000000400000-0x000000000044D000-memory.dmp	upx
behavioral1/memory/692-92-0x0000000000400000-0x000000000044D000-memory.dmp	upx

Loads dropped DLL 8 IoCs

pid	Process
816	b01288d58620702beae542e6ff9ab79777e9eb03b7b6780821ad1c765cb333fc.exe
816	b01288d58620702beae542e6ff9ab79777e9eb03b7b6780821ad1c765cb333fc.exe
816	b01288d58620702beae542e6ff9ab79777e9eb03b7b6780821ad1c765cb333fc.exe
816	b01288d58620702beae542e6ff9ab79777e9eb03b7b6780821ad1c765cb333fc.exe
816	b01288d58620702beae542e6ff9ab79777e9eb03b7b6780821ad1c765cb333fc.exe
816	b01288d58620702beae542e6ff9ab79777e9eb03b7b6780821ad1c765cb333fc.exe
1608	93bc20e1.exe
1608	93bc20e1.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	93bc20e1.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\physicaldrive0	be45b969.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1776	be45b969.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
816	b01288d58620702beae542e6ff9ab79777e9eb03b7b6780821ad1c765cb333fc.exe
884	0a131764.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 816 wrote to memory of 884	816	b01288d58620702beae542e6ff9ab79777e9eb03b7b6780821ad1c765cb333fc.exe	27
PID 816 wrote to memory of 884	816	b01288d58620702beae542e6ff9ab79777e9eb03b7b6780821ad1c765cb333fc.exe	27
PID 816 wrote to memory of 884	816	b01288d58620702beae542e6ff9ab79777e9eb03b7b6780821ad1c765cb333fc.exe	27
PID 816 wrote to memory of 884	816	b01288d58620702beae542e6ff9ab79777e9eb03b7b6780821ad1c765cb333fc.exe	27
PID 816 wrote to memory of 1776	816	b01288d58620702beae542e6ff9ab79777e9eb03b7b6780821ad1c765cb333fc.exe	28
PID 816 wrote to memory of 1776	816	b01288d58620702beae542e6ff9ab79777e9eb03b7b6780821ad1c765cb333fc.exe	28
PID 816 wrote to memory of 1776	816	b01288d58620702beae542e6ff9ab79777e9eb03b7b6780821ad1c765cb333fc.exe	28
PID 816 wrote to memory of 1776	816	b01288d58620702beae542e6ff9ab79777e9eb03b7b6780821ad1c765cb333fc.exe	28
PID 816 wrote to memory of 1608	816	b01288d58620702beae542e6ff9ab79777e9eb03b7b6780821ad1c765cb333fc.exe	29
PID 816 wrote to memory of 1608	816	b01288d58620702beae542e6ff9ab79777e9eb03b7b6780821ad1c765cb333fc.exe	29
PID 816 wrote to memory of 1608	816	b01288d58620702beae542e6ff9ab79777e9eb03b7b6780821ad1c765cb333fc.exe	29
PID 816 wrote to memory of 1608	816	b01288d58620702beae542e6ff9ab79777e9eb03b7b6780821ad1c765cb333fc.exe	29
PID 1608 wrote to memory of 1924	1608	93bc20e1.exe	30
PID 1608 wrote to memory of 1924	1608	93bc20e1.exe	30
PID 1608 wrote to memory of 1924	1608	93bc20e1.exe	30
PID 1608 wrote to memory of 1924	1608	93bc20e1.exe	30
PID 1608 wrote to memory of 692	1608	93bc20e1.exe	32
PID 1608 wrote to memory of 692	1608	93bc20e1.exe	32
PID 1608 wrote to memory of 692	1608	93bc20e1.exe	32
PID 1608 wrote to memory of 692	1608	93bc20e1.exe	32

C:\Users\Admin\AppData\Local\Temp\b01288d58620702beae542e6ff9ab79777e9eb03b7b6780821ad1c765cb333fc.exe
"C:\Users\Admin\AppData\Local\Temp\b01288d58620702beae542e6ff9ab79777e9eb03b7b6780821ad1c765cb333fc.exe"
1⤵
- Loads dropped DLL
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:816
- C:\Users\Admin\AppData\Local\Temp\0a131764.exe
  C:\Users\Admin\AppData\Local\Temp\0a131764.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:884
- C:\Users\Admin\AppData\Local\Temp\be45b969.exe
  C:\Users\Admin\AppData\Local\Temp\be45b969.exe
  2⤵
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of AdjustPrivilegeToken
  PID:1776
- C:\Users\Admin\AppData\Local\Temp\93bc20e1.exe
  C:\Users\Admin\AppData\Local\Temp\93bc20e1.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1608
- - C:\Users\Admin\AppData\Local\Temp\93bc20e1.exe
    C:\Users\Admin\AppData\Local\Temp\93bc20e1.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
    3⤵
    - Executes dropped EXE
    PID:1924
- - C:\Users\Admin\AppData\Local\Temp\93bc20e1.exe
    C:\Users\Admin\AppData\Local\Temp\93bc20e1.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
    3⤵
    - Executes dropped EXE
    PID:692

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0a131764.exe

Filesize
19KB

MD5
42a1116725b4302ffbee833e075e456b

SHA1
1244c20e427ff25c5efd8906d0b23f45b6208a3c

SHA256
fc7b8edf44e4dd5d9010e1c5e8e1838eb6d78c4f71124ca53a6e57b2038a9387

SHA512
3b79bd486a9379aad23e689a72c4ef44e6a2f1f45f23b8d644f2b9e421a0e152805928492bc649a8b478921301996ed65b87c317149fc5ae51b6eda3672ede01

Download Submit
C:\Users\Admin\AppData\Local\Temp\93bc20e1.exe

Filesize
188KB

MD5
a5384d4dd46646f9240a6d9cbabd499e

SHA1
4848cadc52ae8b9268c607dcfc2a8c4395190eda

SHA256
c88e93fde1c75bf00eed15bba12eba227908b768b902af150212a9723826e9c1

SHA512
4103996e5743d90e68df6aa919f172d22ed2df5de5533eb1195ee3cf1cb409378c0c8152703210b730f67f28a9df0f06eb2b2c2d0106dab22ae2660f6254d74b

Download Submit
C:\Users\Admin\AppData\Local\Temp\93bc20e1.exe

Filesize
188KB

MD5
a5384d4dd46646f9240a6d9cbabd499e

SHA1
4848cadc52ae8b9268c607dcfc2a8c4395190eda

SHA256
c88e93fde1c75bf00eed15bba12eba227908b768b902af150212a9723826e9c1

SHA512
4103996e5743d90e68df6aa919f172d22ed2df5de5533eb1195ee3cf1cb409378c0c8152703210b730f67f28a9df0f06eb2b2c2d0106dab22ae2660f6254d74b

Download Submit
C:\Users\Admin\AppData\Local\Temp\93bc20e1.exe

Filesize
188KB

MD5
a5384d4dd46646f9240a6d9cbabd499e

SHA1
4848cadc52ae8b9268c607dcfc2a8c4395190eda

SHA256
c88e93fde1c75bf00eed15bba12eba227908b768b902af150212a9723826e9c1

SHA512
4103996e5743d90e68df6aa919f172d22ed2df5de5533eb1195ee3cf1cb409378c0c8152703210b730f67f28a9df0f06eb2b2c2d0106dab22ae2660f6254d74b

Download Submit
C:\Users\Admin\AppData\Local\Temp\93bc20e1.exe

Filesize
188KB

MD5
a5384d4dd46646f9240a6d9cbabd499e

SHA1
4848cadc52ae8b9268c607dcfc2a8c4395190eda

SHA256
c88e93fde1c75bf00eed15bba12eba227908b768b902af150212a9723826e9c1

SHA512
4103996e5743d90e68df6aa919f172d22ed2df5de5533eb1195ee3cf1cb409378c0c8152703210b730f67f28a9df0f06eb2b2c2d0106dab22ae2660f6254d74b

Download Submit
C:\Users\Admin\AppData\Local\Temp\be45b969.exe

Filesize
204KB

MD5
7bc8cbaeb146937037048e0d80abadd1

SHA1
99bfddc34d8583f20d39f5a3a52b527cfd852972

SHA256
3aa82b190a5ab6cb6269b6a6d8474e54ba3ad28d6b03e3e65303a1828366cd6a

SHA512
5597056e21545390a458c303849ba98fa36714fdd64ec781184f981d2654657ce0a7f12b502ab6290d0bbc3e2baf7f313f836f366185f0a47342c5dd1366cbcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\be45b969.exe

Filesize
204KB

MD5
7bc8cbaeb146937037048e0d80abadd1

SHA1
99bfddc34d8583f20d39f5a3a52b527cfd852972

SHA256
3aa82b190a5ab6cb6269b6a6d8474e54ba3ad28d6b03e3e65303a1828366cd6a

SHA512
5597056e21545390a458c303849ba98fa36714fdd64ec781184f981d2654657ce0a7f12b502ab6290d0bbc3e2baf7f313f836f366185f0a47342c5dd1366cbcb

Download Submit
\Users\Admin\AppData\Local\Temp\0a131764.exe

Filesize
19KB

MD5
42a1116725b4302ffbee833e075e456b

SHA1
1244c20e427ff25c5efd8906d0b23f45b6208a3c

SHA256
fc7b8edf44e4dd5d9010e1c5e8e1838eb6d78c4f71124ca53a6e57b2038a9387

SHA512
3b79bd486a9379aad23e689a72c4ef44e6a2f1f45f23b8d644f2b9e421a0e152805928492bc649a8b478921301996ed65b87c317149fc5ae51b6eda3672ede01

Download Submit
\Users\Admin\AppData\Local\Temp\0a131764.exe

Filesize
19KB

MD5
42a1116725b4302ffbee833e075e456b

SHA1
1244c20e427ff25c5efd8906d0b23f45b6208a3c

SHA256
fc7b8edf44e4dd5d9010e1c5e8e1838eb6d78c4f71124ca53a6e57b2038a9387

SHA512
3b79bd486a9379aad23e689a72c4ef44e6a2f1f45f23b8d644f2b9e421a0e152805928492bc649a8b478921301996ed65b87c317149fc5ae51b6eda3672ede01

Download Submit
\Users\Admin\AppData\Local\Temp\93bc20e1.exe

Filesize
188KB

MD5
a5384d4dd46646f9240a6d9cbabd499e

SHA1
4848cadc52ae8b9268c607dcfc2a8c4395190eda

SHA256
c88e93fde1c75bf00eed15bba12eba227908b768b902af150212a9723826e9c1

SHA512
4103996e5743d90e68df6aa919f172d22ed2df5de5533eb1195ee3cf1cb409378c0c8152703210b730f67f28a9df0f06eb2b2c2d0106dab22ae2660f6254d74b

Download Submit
\Users\Admin\AppData\Local\Temp\93bc20e1.exe

Filesize
188KB

MD5
a5384d4dd46646f9240a6d9cbabd499e

SHA1
4848cadc52ae8b9268c607dcfc2a8c4395190eda

SHA256
c88e93fde1c75bf00eed15bba12eba227908b768b902af150212a9723826e9c1

SHA512
4103996e5743d90e68df6aa919f172d22ed2df5de5533eb1195ee3cf1cb409378c0c8152703210b730f67f28a9df0f06eb2b2c2d0106dab22ae2660f6254d74b

Download Submit
\Users\Admin\AppData\Local\Temp\93bc20e1.exe

Filesize
188KB

MD5
a5384d4dd46646f9240a6d9cbabd499e

SHA1
4848cadc52ae8b9268c607dcfc2a8c4395190eda

SHA256
c88e93fde1c75bf00eed15bba12eba227908b768b902af150212a9723826e9c1

SHA512
4103996e5743d90e68df6aa919f172d22ed2df5de5533eb1195ee3cf1cb409378c0c8152703210b730f67f28a9df0f06eb2b2c2d0106dab22ae2660f6254d74b

Download Submit
\Users\Admin\AppData\Local\Temp\93bc20e1.exe

Filesize
188KB

MD5
a5384d4dd46646f9240a6d9cbabd499e

SHA1
4848cadc52ae8b9268c607dcfc2a8c4395190eda

SHA256
c88e93fde1c75bf00eed15bba12eba227908b768b902af150212a9723826e9c1

SHA512
4103996e5743d90e68df6aa919f172d22ed2df5de5533eb1195ee3cf1cb409378c0c8152703210b730f67f28a9df0f06eb2b2c2d0106dab22ae2660f6254d74b

Download Submit
\Users\Admin\AppData\Local\Temp\be45b969.exe

Filesize
204KB

MD5
7bc8cbaeb146937037048e0d80abadd1

SHA1
99bfddc34d8583f20d39f5a3a52b527cfd852972

SHA256
3aa82b190a5ab6cb6269b6a6d8474e54ba3ad28d6b03e3e65303a1828366cd6a

SHA512
5597056e21545390a458c303849ba98fa36714fdd64ec781184f981d2654657ce0a7f12b502ab6290d0bbc3e2baf7f313f836f366185f0a47342c5dd1366cbcb

Download Submit
\Users\Admin\AppData\Local\Temp\be45b969.exe

Filesize
204KB

MD5
7bc8cbaeb146937037048e0d80abadd1

SHA1
99bfddc34d8583f20d39f5a3a52b527cfd852972

SHA256
3aa82b190a5ab6cb6269b6a6d8474e54ba3ad28d6b03e3e65303a1828366cd6a

SHA512
5597056e21545390a458c303849ba98fa36714fdd64ec781184f981d2654657ce0a7f12b502ab6290d0bbc3e2baf7f313f836f366185f0a47342c5dd1366cbcb

Download Submit
memory/692-92-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/692-93-0x000000000057F000-0x000000000059D000-memory.dmp

Filesize
120KB

Download
memory/816-68-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/816-66-0x0000000000220000-0x0000000000297000-memory.dmp

Filesize
476KB

Download
memory/884-73-0x0000000000220000-0x000000000022F000-memory.dmp

Filesize
60KB

Download
memory/884-71-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/884-85-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1608-76-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1608-86-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1608-77-0x00000000005EF000-0x000000000060D000-memory.dmp

Filesize
120KB

Download
memory/1608-87-0x00000000005EF000-0x000000000060D000-memory.dmp

Filesize
120KB

Download
memory/1776-72-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1776-75-0x00000000001F0000-0x000000000023B000-memory.dmp

Filesize
300KB

Download
memory/1776-74-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1776-67-0x0000000075DF1000-0x0000000075DF3000-memory.dmp

Filesize
8KB

Download
memory/1776-84-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1924-83-0x000000000061F000-0x000000000063D000-memory.dmp

Filesize
120KB

Download
memory/1924-82-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download