a092f21d9b2f9d54db29cc6a478e2844dcef8b3611561d44cfa6f87c719b1a22

Analysis

max time kernel
88s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
04/01/2023, 11:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a092f21d9b2f9d54db29cc6a478e2844dcef8b3611561d44cfa6f87c719b1a22.exe
Size

40KB
MD5

2bf5dd4b257e7ba2b0b3a8a7038cad00
SHA1

1f89e8e1454a2fc889245684e1b31163ea6484fb
SHA256

a092f21d9b2f9d54db29cc6a478e2844dcef8b3611561d44cfa6f87c719b1a22
SHA512

9d50b5d471daadde4bdb747e30538e13b79c351f10eacb2ccd1c257720df892f3a47a0e0b86a80a7a648c1759306bf0baecdad16cc116f7794b887d55e9ec190
SSDEEP

384:Ja4x96cndO+jvT3pU+j9bF0UoVH5ZMAftXPLURXXkSL09uNuu27RkD3Zn+7Bb:JPM+jLTj9J0ZVZG9RXXkSL10U3pIB

Score

8^/10

evasion persistence spyware stealer

Malware Config

Signatures

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	a092f21d9b2f9d54db29cc6a478e2844dcef8b3611561d44cfa6f87c719b1a22.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\SearchFilterHost = "cmd /c \"C:\\Users\\Admin\\AppData\\Local\\Temp\\a092f21d9b2f9d54db29cc6a478e2844dcef8b3611561d44cfa6f87c719b1a22.exe\" --zxcv"	a092f21d9b2f9d54db29cc6a478e2844dcef8b3611561d44cfa6f87c719b1a22.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
768	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
1152	taskkill.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
1388	a092f21d9b2f9d54db29cc6a478e2844dcef8b3611561d44cfa6f87c719b1a22.exe
1388	a092f21d9b2f9d54db29cc6a478e2844dcef8b3611561d44cfa6f87c719b1a22.exe
1388	a092f21d9b2f9d54db29cc6a478e2844dcef8b3611561d44cfa6f87c719b1a22.exe
1388	a092f21d9b2f9d54db29cc6a478e2844dcef8b3611561d44cfa6f87c719b1a22.exe
1388	a092f21d9b2f9d54db29cc6a478e2844dcef8b3611561d44cfa6f87c719b1a22.exe
1388	a092f21d9b2f9d54db29cc6a478e2844dcef8b3611561d44cfa6f87c719b1a22.exe
1388	a092f21d9b2f9d54db29cc6a478e2844dcef8b3611561d44cfa6f87c719b1a22.exe
1388	a092f21d9b2f9d54db29cc6a478e2844dcef8b3611561d44cfa6f87c719b1a22.exe
1388	a092f21d9b2f9d54db29cc6a478e2844dcef8b3611561d44cfa6f87c719b1a22.exe
1388	a092f21d9b2f9d54db29cc6a478e2844dcef8b3611561d44cfa6f87c719b1a22.exe
1388	a092f21d9b2f9d54db29cc6a478e2844dcef8b3611561d44cfa6f87c719b1a22.exe
1388	a092f21d9b2f9d54db29cc6a478e2844dcef8b3611561d44cfa6f87c719b1a22.exe
1388	a092f21d9b2f9d54db29cc6a478e2844dcef8b3611561d44cfa6f87c719b1a22.exe
1388	a092f21d9b2f9d54db29cc6a478e2844dcef8b3611561d44cfa6f87c719b1a22.exe
1388	a092f21d9b2f9d54db29cc6a478e2844dcef8b3611561d44cfa6f87c719b1a22.exe
1388	a092f21d9b2f9d54db29cc6a478e2844dcef8b3611561d44cfa6f87c719b1a22.exe
1388	a092f21d9b2f9d54db29cc6a478e2844dcef8b3611561d44cfa6f87c719b1a22.exe
1388	a092f21d9b2f9d54db29cc6a478e2844dcef8b3611561d44cfa6f87c719b1a22.exe
1388	a092f21d9b2f9d54db29cc6a478e2844dcef8b3611561d44cfa6f87c719b1a22.exe
1388	a092f21d9b2f9d54db29cc6a478e2844dcef8b3611561d44cfa6f87c719b1a22.exe
1388	a092f21d9b2f9d54db29cc6a478e2844dcef8b3611561d44cfa6f87c719b1a22.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1388	a092f21d9b2f9d54db29cc6a478e2844dcef8b3611561d44cfa6f87c719b1a22.exe
Token: SeDebugPrivilege	1152	taskkill.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1388	a092f21d9b2f9d54db29cc6a478e2844dcef8b3611561d44cfa6f87c719b1a22.exe
1388	a092f21d9b2f9d54db29cc6a478e2844dcef8b3611561d44cfa6f87c719b1a22.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 1388 wrote to memory of 276	1388	a092f21d9b2f9d54db29cc6a478e2844dcef8b3611561d44cfa6f87c719b1a22.exe	28
PID 1388 wrote to memory of 276	1388	a092f21d9b2f9d54db29cc6a478e2844dcef8b3611561d44cfa6f87c719b1a22.exe	28
PID 1388 wrote to memory of 276	1388	a092f21d9b2f9d54db29cc6a478e2844dcef8b3611561d44cfa6f87c719b1a22.exe	28
PID 1388 wrote to memory of 276	1388	a092f21d9b2f9d54db29cc6a478e2844dcef8b3611561d44cfa6f87c719b1a22.exe	28
PID 1388 wrote to memory of 1000	1388	a092f21d9b2f9d54db29cc6a478e2844dcef8b3611561d44cfa6f87c719b1a22.exe	30
PID 1388 wrote to memory of 1000	1388	a092f21d9b2f9d54db29cc6a478e2844dcef8b3611561d44cfa6f87c719b1a22.exe	30
PID 1388 wrote to memory of 1000	1388	a092f21d9b2f9d54db29cc6a478e2844dcef8b3611561d44cfa6f87c719b1a22.exe	30
PID 1388 wrote to memory of 1000	1388	a092f21d9b2f9d54db29cc6a478e2844dcef8b3611561d44cfa6f87c719b1a22.exe	30
PID 1388 wrote to memory of 1976	1388	a092f21d9b2f9d54db29cc6a478e2844dcef8b3611561d44cfa6f87c719b1a22.exe	31
PID 1388 wrote to memory of 1976	1388	a092f21d9b2f9d54db29cc6a478e2844dcef8b3611561d44cfa6f87c719b1a22.exe	31
PID 1388 wrote to memory of 1976	1388	a092f21d9b2f9d54db29cc6a478e2844dcef8b3611561d44cfa6f87c719b1a22.exe	31
PID 1388 wrote to memory of 1976	1388	a092f21d9b2f9d54db29cc6a478e2844dcef8b3611561d44cfa6f87c719b1a22.exe	31
PID 1388 wrote to memory of 1736	1388	a092f21d9b2f9d54db29cc6a478e2844dcef8b3611561d44cfa6f87c719b1a22.exe	34
PID 1388 wrote to memory of 1736	1388	a092f21d9b2f9d54db29cc6a478e2844dcef8b3611561d44cfa6f87c719b1a22.exe	34
PID 1388 wrote to memory of 1736	1388	a092f21d9b2f9d54db29cc6a478e2844dcef8b3611561d44cfa6f87c719b1a22.exe	34
PID 1388 wrote to memory of 1736	1388	a092f21d9b2f9d54db29cc6a478e2844dcef8b3611561d44cfa6f87c719b1a22.exe	34
PID 1388 wrote to memory of 956	1388	a092f21d9b2f9d54db29cc6a478e2844dcef8b3611561d44cfa6f87c719b1a22.exe	35
PID 1388 wrote to memory of 956	1388	a092f21d9b2f9d54db29cc6a478e2844dcef8b3611561d44cfa6f87c719b1a22.exe	35
PID 1388 wrote to memory of 956	1388	a092f21d9b2f9d54db29cc6a478e2844dcef8b3611561d44cfa6f87c719b1a22.exe	35
PID 1388 wrote to memory of 956	1388	a092f21d9b2f9d54db29cc6a478e2844dcef8b3611561d44cfa6f87c719b1a22.exe	35
PID 1388 wrote to memory of 768	1388	a092f21d9b2f9d54db29cc6a478e2844dcef8b3611561d44cfa6f87c719b1a22.exe	37
PID 1388 wrote to memory of 768	1388	a092f21d9b2f9d54db29cc6a478e2844dcef8b3611561d44cfa6f87c719b1a22.exe	37
PID 1388 wrote to memory of 768	1388	a092f21d9b2f9d54db29cc6a478e2844dcef8b3611561d44cfa6f87c719b1a22.exe	37
PID 1388 wrote to memory of 768	1388	a092f21d9b2f9d54db29cc6a478e2844dcef8b3611561d44cfa6f87c719b1a22.exe	37
PID 956 wrote to memory of 1144	956	CMD.exe	40
PID 956 wrote to memory of 1144	956	CMD.exe	40
PID 956 wrote to memory of 1144	956	CMD.exe	40
PID 956 wrote to memory of 1144	956	CMD.exe	40
PID 1388 wrote to memory of 1152	1388	a092f21d9b2f9d54db29cc6a478e2844dcef8b3611561d44cfa6f87c719b1a22.exe	41
PID 1388 wrote to memory of 1152	1388	a092f21d9b2f9d54db29cc6a478e2844dcef8b3611561d44cfa6f87c719b1a22.exe	41
PID 1388 wrote to memory of 1152	1388	a092f21d9b2f9d54db29cc6a478e2844dcef8b3611561d44cfa6f87c719b1a22.exe	41
PID 1388 wrote to memory of 1152	1388	a092f21d9b2f9d54db29cc6a478e2844dcef8b3611561d44cfa6f87c719b1a22.exe	41
PID 1388 wrote to memory of 932	1388	a092f21d9b2f9d54db29cc6a478e2844dcef8b3611561d44cfa6f87c719b1a22.exe	43
PID 1388 wrote to memory of 932	1388	a092f21d9b2f9d54db29cc6a478e2844dcef8b3611561d44cfa6f87c719b1a22.exe	43
PID 1388 wrote to memory of 932	1388	a092f21d9b2f9d54db29cc6a478e2844dcef8b3611561d44cfa6f87c719b1a22.exe	43
PID 1388 wrote to memory of 932	1388	a092f21d9b2f9d54db29cc6a478e2844dcef8b3611561d44cfa6f87c719b1a22.exe	43
PID 1388 wrote to memory of 1824	1388	a092f21d9b2f9d54db29cc6a478e2844dcef8b3611561d44cfa6f87c719b1a22.exe	45
PID 1388 wrote to memory of 1824	1388	a092f21d9b2f9d54db29cc6a478e2844dcef8b3611561d44cfa6f87c719b1a22.exe	45
PID 1388 wrote to memory of 1824	1388	a092f21d9b2f9d54db29cc6a478e2844dcef8b3611561d44cfa6f87c719b1a22.exe	45
PID 1388 wrote to memory of 1824	1388	a092f21d9b2f9d54db29cc6a478e2844dcef8b3611561d44cfa6f87c719b1a22.exe	45
PID 1388 wrote to memory of 1792	1388	a092f21d9b2f9d54db29cc6a478e2844dcef8b3611561d44cfa6f87c719b1a22.exe	48
PID 1388 wrote to memory of 1792	1388	a092f21d9b2f9d54db29cc6a478e2844dcef8b3611561d44cfa6f87c719b1a22.exe	48
PID 1388 wrote to memory of 1792	1388	a092f21d9b2f9d54db29cc6a478e2844dcef8b3611561d44cfa6f87c719b1a22.exe	48
PID 1388 wrote to memory of 1792	1388	a092f21d9b2f9d54db29cc6a478e2844dcef8b3611561d44cfa6f87c719b1a22.exe	48

C:\Users\Admin\AppData\Local\Temp\a092f21d9b2f9d54db29cc6a478e2844dcef8b3611561d44cfa6f87c719b1a22.exe
"C:\Users\Admin\AppData\Local\Temp\a092f21d9b2f9d54db29cc6a478e2844dcef8b3611561d44cfa6f87c719b1a22.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1388
- C:\Windows\SysWOW64\CMD.exe
  CMD /C RD %TEMP% /S/Q & MKDIR %TEMP%
  2⤵
  PID:276
- C:\Windows\SysWOW64\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f
  2⤵
  - Adds Run key to start application
  PID:1000
- C:\Windows\SysWOW64\reg.exe
  reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /f
  2⤵
  - Adds Run key to start application
  PID:1976
- C:\Windows\SysWOW64\reg.exe
  reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run" /f
  2⤵
  PID:1736
- C:\Windows\SysWOW64\CMD.exe
  CMD /C %WINDIR%\sysnative\reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:956
- - C:\Windows\system32\reg.exe
    C:\Windows\sysnative\reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /f
    3⤵
    - Adds Run key to start application
    PID:1144
- C:\Windows\SysWOW64\sc.exe
  sc delete syshost32
  2⤵
  - Launches sc.exe
  PID:768
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im msiexec.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1152
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" CMD /C DEL /F /S /Q "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.* "
  2⤵
  PID:932
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" CMD /C DEL /F /S /Q "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\*.* "
  2⤵
  PID:1824
- C:\Windows\SysWOW64\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:1792