d8da845a8c898905376711802d16926d683a4802f5328260a85deb21541280f3

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
22/12/2022, 18:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.Variant.MSILHeracles.56954.26916.8636.exe
Size

717KB
MD5

89fef8743b5316bdd7724624549ebacb
SHA1

08a4bd1529eab7818a43f70a65e9e2651c4da1b3
SHA256

d8da845a8c898905376711802d16926d683a4802f5328260a85deb21541280f3
SHA512

b92fe1dc5c674fa167f20dbb7ea4203b12ecb612d5c6668e48884180318165ff759e9b22df4100cce649e3431adb13a33a297be7ecbc96af99948bb37e00f508
SSDEEP

12288:51NKGD8fDPkdlL2qzhumqAPZASnCOuCtr/S0YrUmDf6/rUXJBX71YMtDRV:NKGoMzmAPZASnTuOa4if6/4XnJYMF

Score

7^/10

spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	SecuriteInfo.com.Variant.MSILHeracles.56954.26916.8636.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1044 set thread context of 4404	1044	SecuriteInfo.com.Variant.MSILHeracles.56954.26916.8636.exe	91
PID 4404 set thread context of 2584	4404	MSBuild.exe	43
PID 3592 set thread context of 2584	3592	cmstp.exe	43

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3496	3872	WerFault.exe	94

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	cmstp.exe

Suspicious behavior: EnumeratesProcesses 58 IoCs

pid	Process
1204	powershell.exe
1204	powershell.exe
1044	SecuriteInfo.com.Variant.MSILHeracles.56954.26916.8636.exe
1044	SecuriteInfo.com.Variant.MSILHeracles.56954.26916.8636.exe
4404	MSBuild.exe
4404	MSBuild.exe
4404	MSBuild.exe
4404	MSBuild.exe
4404	MSBuild.exe
4404	MSBuild.exe
4404	MSBuild.exe
4404	MSBuild.exe
3592	cmstp.exe
3592	cmstp.exe
3592	cmstp.exe
3592	cmstp.exe
3592	cmstp.exe
3592	cmstp.exe
3592	cmstp.exe
3592	cmstp.exe
3592	cmstp.exe
3592	cmstp.exe
3592	cmstp.exe
3592	cmstp.exe
3592	cmstp.exe
3592	cmstp.exe
3592	cmstp.exe
3592	cmstp.exe
3592	cmstp.exe
3592	cmstp.exe
3592	cmstp.exe
3592	cmstp.exe
3592	cmstp.exe
3592	cmstp.exe
3592	cmstp.exe
3592	cmstp.exe
3592	cmstp.exe
3592	cmstp.exe
3592	cmstp.exe
3592	cmstp.exe
3592	cmstp.exe
3592	cmstp.exe
3592	cmstp.exe
3592	cmstp.exe
3592	cmstp.exe
3592	cmstp.exe
3592	cmstp.exe
3592	cmstp.exe
3592	cmstp.exe
3592	cmstp.exe
3592	cmstp.exe
3592	cmstp.exe
3592	cmstp.exe
3592	cmstp.exe
3592	cmstp.exe
3592	cmstp.exe
3592	cmstp.exe
3592	cmstp.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2584	Explorer.EXE

Suspicious behavior: MapViewOfSection 7 IoCs

pid	Process
4404	MSBuild.exe
4404	MSBuild.exe
4404	MSBuild.exe
3592	cmstp.exe
3592	cmstp.exe
3592	cmstp.exe
3592	cmstp.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	1044	SecuriteInfo.com.Variant.MSILHeracles.56954.26916.8636.exe
Token: SeDebugPrivilege	1204	powershell.exe
Token: SeDebugPrivilege	4404	MSBuild.exe
Token: SeDebugPrivilege	3592	cmstp.exe
Token: SeShutdownPrivilege	2584	Explorer.EXE
Token: SeCreatePagefilePrivilege	2584	Explorer.EXE

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1044 wrote to memory of 1204	1044	SecuriteInfo.com.Variant.MSILHeracles.56954.26916.8636.exe	82
PID 1044 wrote to memory of 1204	1044	SecuriteInfo.com.Variant.MSILHeracles.56954.26916.8636.exe	82
PID 1044 wrote to memory of 1204	1044	SecuriteInfo.com.Variant.MSILHeracles.56954.26916.8636.exe	82
PID 1044 wrote to memory of 2336	1044	SecuriteInfo.com.Variant.MSILHeracles.56954.26916.8636.exe	90
PID 1044 wrote to memory of 2336	1044	SecuriteInfo.com.Variant.MSILHeracles.56954.26916.8636.exe	90
PID 1044 wrote to memory of 2336	1044	SecuriteInfo.com.Variant.MSILHeracles.56954.26916.8636.exe	90
PID 1044 wrote to memory of 4404	1044	SecuriteInfo.com.Variant.MSILHeracles.56954.26916.8636.exe	91
PID 1044 wrote to memory of 4404	1044	SecuriteInfo.com.Variant.MSILHeracles.56954.26916.8636.exe	91
PID 1044 wrote to memory of 4404	1044	SecuriteInfo.com.Variant.MSILHeracles.56954.26916.8636.exe	91
PID 1044 wrote to memory of 4404	1044	SecuriteInfo.com.Variant.MSILHeracles.56954.26916.8636.exe	91
PID 1044 wrote to memory of 4404	1044	SecuriteInfo.com.Variant.MSILHeracles.56954.26916.8636.exe	91
PID 1044 wrote to memory of 4404	1044	SecuriteInfo.com.Variant.MSILHeracles.56954.26916.8636.exe	91
PID 2584 wrote to memory of 3592	2584	Explorer.EXE	92
PID 2584 wrote to memory of 3592	2584	Explorer.EXE	92
PID 2584 wrote to memory of 3592	2584	Explorer.EXE	92
PID 3592 wrote to memory of 3872	3592	cmstp.exe	94
PID 3592 wrote to memory of 3872	3592	cmstp.exe	94
PID 3592 wrote to memory of 3872	3592	cmstp.exe	94

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2584
- C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.MSILHeracles.56954.26916.8636.exe
  "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.MSILHeracles.56954.26916.8636.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1044
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1204
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe purecrypter.exe
    3⤵
    PID:2336
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe purecrypter.exe
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:4404
- C:\Windows\SysWOW64\cmstp.exe
  "C:\Windows\SysWOW64\cmstp.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3592
- - C:\Program Files\Mozilla Firefox\Firefox.exe
    "C:\Program Files\Mozilla Firefox\Firefox.exe"
    3⤵
    PID:3872
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 3872 -s 128
      4⤵
      Program crash
      PID:3496

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 412 -p 3872 -ip 3872
1⤵
PID:4960

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1044-132-0x00000000004C0000-0x000000000057A000-memory.dmp

Filesize
744KB

Download
memory/1044-133-0x00000000083F0000-0x0000000008412000-memory.dmp

Filesize
136KB

Download
memory/1204-138-0x0000000005540000-0x00000000055A6000-memory.dmp

Filesize
408KB

Download
memory/1204-135-0x00000000025D0000-0x0000000002606000-memory.dmp

Filesize
216KB

Download
memory/1204-136-0x0000000004D00000-0x0000000005328000-memory.dmp

Filesize
6.2MB

Download
memory/1204-137-0x0000000005420000-0x0000000005486000-memory.dmp

Filesize
408KB

Download
memory/1204-139-0x0000000005B70000-0x0000000005B8E000-memory.dmp

Filesize
120KB

Download
memory/1204-140-0x0000000007280000-0x00000000078FA000-memory.dmp

Filesize
6.5MB

Download
memory/1204-141-0x0000000006C30000-0x0000000006C4A000-memory.dmp

Filesize
104KB

Download
memory/2584-149-0x0000000007900000-0x0000000007A16000-memory.dmp

Filesize
1.1MB

Download
memory/2584-157-0x0000000007A20000-0x0000000007AF9000-memory.dmp

Filesize
868KB

Download
memory/2584-156-0x0000000007A20000-0x0000000007AF9000-memory.dmp

Filesize
868KB

Download
memory/3592-152-0x0000000000BB0000-0x0000000000BC6000-memory.dmp

Filesize
88KB

Download
memory/3592-153-0x00000000027E0000-0x0000000002B2A000-memory.dmp

Filesize
3.3MB

Download
memory/3592-154-0x0000000000840000-0x000000000086D000-memory.dmp

Filesize
180KB

Download
memory/3592-155-0x0000000002570000-0x00000000025FF000-memory.dmp

Filesize
572KB

Download
memory/4404-147-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4404-148-0x0000000000E10000-0x0000000000E20000-memory.dmp

Filesize
64KB

Download
memory/4404-146-0x0000000001420000-0x000000000176A000-memory.dmp

Filesize
3.3MB

Download
memory/4404-145-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4404-151-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4404-144-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download