d89d94282170e98d32127e2c87754a1badf527018da2cb9338c3e5e6487e90c2

General

Target

HEUR-Trojan-Spy.MSIL.Stealer.gen-d89d94282170.exe
Size

1.0MB
MD5

2e6fcc3e0fec764cd998291edae41835
SHA1

73e8e155eab7cf2512047c49a015c9f347af3186
SHA256

d89d94282170e98d32127e2c87754a1badf527018da2cb9338c3e5e6487e90c2
SHA512

f74431d531e8f0031fd36152df843cd49d50e8a789f90da9c2cf8fa7eb16b50ff02b1487aa17323be7532e9fc2da5f8f6d2b3aa30716e79795ce7812da3d2bd3
SSDEEP

24576:3Arz0IDy1hywvuMn0vvD1Pjh4GoVeT+uaXfBOVgsT3fQm:3/vjf

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

dllhost.exe

pid process

1400 dllhost.exe

pid	process
1400	dllhost.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

HEUR-Trojan-Spy.MSIL.Stealer.gen-d89d94282170.exeHEUR-Trojan-Spy.MSIL.Stealer.gen-d89d94282170.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	HEUR-Trojan-Spy.MSIL.Stealer.gen-d89d94282170.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	HEUR-Trojan-Spy.MSIL.Stealer.gen-d89d94282170.exe

Drops file in System32 directory 11 IoCs

Processes:

HEUR-Trojan-Spy.MSIL.Stealer.gen-d89d94282170.exeHEUR-Trojan-Spy.MSIL.Stealer.gen-d89d94282170.exe

description	ioc	process
File created	C:\Windows\System32\msobjs\5b884080fd4f94e2695da25c503f9e33b9605b83	HEUR-Trojan-Spy.MSIL.Stealer.gen-d89d94282170.exe
File opened for modification	C:\Windows\System32\microsoft-windows-pdc\dllhost.exe	HEUR-Trojan-Spy.MSIL.Stealer.gen-d89d94282170.exe
File created	C:\Windows\System32\microsoft-windows-pdc\5940a34987c99120d96dace90a3f93f329dcad63	HEUR-Trojan-Spy.MSIL.Stealer.gen-d89d94282170.exe
File created	C:\Windows\System32\vcomp140\e1ef82546f0b02b7e974f28047f3788b1128cce1	HEUR-Trojan-Spy.MSIL.Stealer.gen-d89d94282170.exe
File created	C:\Windows\System32\TelephonyInteractiveUserRes\RuntimeBroker.exe	HEUR-Trojan-Spy.MSIL.Stealer.gen-d89d94282170.exe
File created	C:\Windows\System32\TelephonyInteractiveUserRes\9e8d7a4ca61bd92aff00cc37a7a4d62a2cac998d	HEUR-Trojan-Spy.MSIL.Stealer.gen-d89d94282170.exe
File created	C:\Windows\System32\msobjs\fontdrvhost.exe	HEUR-Trojan-Spy.MSIL.Stealer.gen-d89d94282170.exe
File created	C:\Windows\System32\EhStorAPI\dllhost.exe	HEUR-Trojan-Spy.MSIL.Stealer.gen-d89d94282170.exe
File created	C:\Windows\System32\EhStorAPI\5940a34987c99120d96dace90a3f93f329dcad63	HEUR-Trojan-Spy.MSIL.Stealer.gen-d89d94282170.exe
File created	C:\Windows\System32\microsoft-windows-pdc\dllhost.exe	HEUR-Trojan-Spy.MSIL.Stealer.gen-d89d94282170.exe
File created	C:\Windows\System32\vcomp140\SppExtComObj.exe	HEUR-Trojan-Spy.MSIL.Stealer.gen-d89d94282170.exe

Drops file in Program Files directory 2 IoCs

Processes:

HEUR-Trojan-Spy.MSIL.Stealer.gen-d89d94282170.exe

description	ioc	process
File created	C:\Program Files\Windows Media Player\ja-JP\explorer.exe	HEUR-Trojan-Spy.MSIL.Stealer.gen-d89d94282170.exe
File created	C:\Program Files\Windows Media Player\ja-JP\7a0fd90576e08807bde2cc57bcf9854bbce05fe3	HEUR-Trojan-Spy.MSIL.Stealer.gen-d89d94282170.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
2980	schtasks.exe
372	schtasks.exe
4948	schtasks.exe
2116	schtasks.exe
4996	schtasks.exe
792	schtasks.exe
116	schtasks.exe
2232	schtasks.exe
4876	schtasks.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

HEUR-Trojan-Spy.MSIL.Stealer.gen-d89d94282170.exeHEUR-Trojan-Spy.MSIL.Stealer.gen-d89d94282170.exedllhost.exe

pid	process
1072	HEUR-Trojan-Spy.MSIL.Stealer.gen-d89d94282170.exe
1072	HEUR-Trojan-Spy.MSIL.Stealer.gen-d89d94282170.exe
1072	HEUR-Trojan-Spy.MSIL.Stealer.gen-d89d94282170.exe
1924	HEUR-Trojan-Spy.MSIL.Stealer.gen-d89d94282170.exe
1400	dllhost.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

HEUR-Trojan-Spy.MSIL.Stealer.gen-d89d94282170.exeHEUR-Trojan-Spy.MSIL.Stealer.gen-d89d94282170.exedllhost.exe

description	pid	process
Token: SeDebugPrivilege	1072	HEUR-Trojan-Spy.MSIL.Stealer.gen-d89d94282170.exe
Token: SeDebugPrivilege	1924	HEUR-Trojan-Spy.MSIL.Stealer.gen-d89d94282170.exe
Token: SeDebugPrivilege	1400	dllhost.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

HEUR-Trojan-Spy.MSIL.Stealer.gen-d89d94282170.exeHEUR-Trojan-Spy.MSIL.Stealer.gen-d89d94282170.exe

description	pid	process	target process
PID 1072 wrote to memory of 2232	1072	HEUR-Trojan-Spy.MSIL.Stealer.gen-d89d94282170.exe	schtasks.exe
PID 1072 wrote to memory of 2232	1072	HEUR-Trojan-Spy.MSIL.Stealer.gen-d89d94282170.exe	schtasks.exe
PID 1072 wrote to memory of 372	1072	HEUR-Trojan-Spy.MSIL.Stealer.gen-d89d94282170.exe	schtasks.exe
PID 1072 wrote to memory of 372	1072	HEUR-Trojan-Spy.MSIL.Stealer.gen-d89d94282170.exe	schtasks.exe
PID 1072 wrote to memory of 4948	1072	HEUR-Trojan-Spy.MSIL.Stealer.gen-d89d94282170.exe	schtasks.exe
PID 1072 wrote to memory of 4948	1072	HEUR-Trojan-Spy.MSIL.Stealer.gen-d89d94282170.exe	schtasks.exe
PID 1072 wrote to memory of 4876	1072	HEUR-Trojan-Spy.MSIL.Stealer.gen-d89d94282170.exe	schtasks.exe
PID 1072 wrote to memory of 4876	1072	HEUR-Trojan-Spy.MSIL.Stealer.gen-d89d94282170.exe	schtasks.exe
PID 1072 wrote to memory of 2116	1072	HEUR-Trojan-Spy.MSIL.Stealer.gen-d89d94282170.exe	schtasks.exe
PID 1072 wrote to memory of 2116	1072	HEUR-Trojan-Spy.MSIL.Stealer.gen-d89d94282170.exe	schtasks.exe
PID 1072 wrote to memory of 4996	1072	HEUR-Trojan-Spy.MSIL.Stealer.gen-d89d94282170.exe	schtasks.exe
PID 1072 wrote to memory of 4996	1072	HEUR-Trojan-Spy.MSIL.Stealer.gen-d89d94282170.exe	schtasks.exe
PID 1072 wrote to memory of 1924	1072	HEUR-Trojan-Spy.MSIL.Stealer.gen-d89d94282170.exe	HEUR-Trojan-Spy.MSIL.Stealer.gen-d89d94282170.exe
PID 1072 wrote to memory of 1924	1072	HEUR-Trojan-Spy.MSIL.Stealer.gen-d89d94282170.exe	HEUR-Trojan-Spy.MSIL.Stealer.gen-d89d94282170.exe
PID 1924 wrote to memory of 2980	1924	HEUR-Trojan-Spy.MSIL.Stealer.gen-d89d94282170.exe	schtasks.exe
PID 1924 wrote to memory of 2980	1924	HEUR-Trojan-Spy.MSIL.Stealer.gen-d89d94282170.exe	schtasks.exe
PID 1924 wrote to memory of 792	1924	HEUR-Trojan-Spy.MSIL.Stealer.gen-d89d94282170.exe	schtasks.exe
PID 1924 wrote to memory of 792	1924	HEUR-Trojan-Spy.MSIL.Stealer.gen-d89d94282170.exe	schtasks.exe
PID 1924 wrote to memory of 116	1924	HEUR-Trojan-Spy.MSIL.Stealer.gen-d89d94282170.exe	schtasks.exe
PID 1924 wrote to memory of 116	1924	HEUR-Trojan-Spy.MSIL.Stealer.gen-d89d94282170.exe	schtasks.exe
PID 1924 wrote to memory of 1400	1924	HEUR-Trojan-Spy.MSIL.Stealer.gen-d89d94282170.exe	dllhost.exe
PID 1924 wrote to memory of 1400	1924	HEUR-Trojan-Spy.MSIL.Stealer.gen-d89d94282170.exe	dllhost.exe

C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan-Spy.MSIL.Stealer.gen-d89d94282170.exe
"C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan-Spy.MSIL.Stealer.gen-d89d94282170.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1072

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\odt\WmiPrvSE.exe'" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:2232

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\System32\vcomp140\SppExtComObj.exe'" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:372

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\System32\TelephonyInteractiveUserRes\RuntimeBroker.exe'" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:4948

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\System32\msobjs\fontdrvhost.exe'" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:4876

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\ja-JP\explorer.exe'" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:2116

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\System32\EhStorAPI\dllhost.exe'" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:4996

C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan-Spy.MSIL.Stealer.gen-d89d94282170.exe
"C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan-Spy.MSIL.Stealer.gen-d89d94282170.exe"
2⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1924

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\System32\microsoft-windows-pdc\dllhost.exe'" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:2980

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Temp\Crashpad\reports\dllhost.exe'" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:792

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "wininit" /sc ONLOGON /tr "'C:\Documents and Settings\wininit.exe'" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:116

C:\Windows\Temp\Crashpad\reports\dllhost.exe
"C:\Windows\Temp\Crashpad\reports\dllhost.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1400

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\HEUR-Trojan-Spy.MSIL.Stealer.gen-d89d94282170.exe.log
Filesize
1KB

MD5
eca953b5b1742a1c4d912481c10555e5

SHA1
918a2f4a32a9f36604005ac6eb43ad336a7ee536

SHA256
32664077a29dc9c3f43e1cf138fb5a6bd4cbb7e0f2464df4edb04c5f3c86a41c

SHA512
68c37a5f059939bb9278cab0fdd6af51e9a83246c784c04fdf354b16be52a819ac5ce193fda7bcaa69d6655542d499000ec5cae17cb8e0986ab9b675e0a1bb87

Download Submit
C:\Windows\Temp\Crashpad\reports\dllhost.exe
Filesize
1.0MB

MD5
2e6fcc3e0fec764cd998291edae41835

SHA1
73e8e155eab7cf2512047c49a015c9f347af3186

SHA256
d89d94282170e98d32127e2c87754a1badf527018da2cb9338c3e5e6487e90c2

SHA512
f74431d531e8f0031fd36152df843cd49d50e8a789f90da9c2cf8fa7eb16b50ff02b1487aa17323be7532e9fc2da5f8f6d2b3aa30716e79795ce7812da3d2bd3

Download Submit
C:\Windows\Temp\Crashpad\reports\dllhost.exe
Filesize
1.0MB

MD5
2e6fcc3e0fec764cd998291edae41835

SHA1
73e8e155eab7cf2512047c49a015c9f347af3186

SHA256
d89d94282170e98d32127e2c87754a1badf527018da2cb9338c3e5e6487e90c2

SHA512
f74431d531e8f0031fd36152df843cd49d50e8a789f90da9c2cf8fa7eb16b50ff02b1487aa17323be7532e9fc2da5f8f6d2b3aa30716e79795ce7812da3d2bd3

Download Submit
memory/116-146-0x0000000000000000-mapping.dmp

Download
memory/372-135-0x0000000000000000-mapping.dmp

Download
memory/792-145-0x0000000000000000-mapping.dmp

Download
memory/1072-133-0x00007FFA44AE0000-0x00007FFA455A1000-memory.dmp

Filesize
10.8MB

Download
memory/1072-132-0x0000000000A60000-0x0000000000B6C000-memory.dmp

Filesize
1.0MB

Download
memory/1072-142-0x00007FFA44AE0000-0x00007FFA455A1000-memory.dmp

Filesize
10.8MB

Download
memory/1400-147-0x0000000000000000-mapping.dmp

Download
memory/1400-151-0x00007FFA44AE0000-0x00007FFA455A1000-memory.dmp

Filesize
10.8MB

Download
memory/1400-152-0x00007FFA44AE0000-0x00007FFA455A1000-memory.dmp

Filesize
10.8MB

Download
memory/1924-140-0x0000000000000000-mapping.dmp

Download
memory/1924-143-0x00007FFA44AE0000-0x00007FFA455A1000-memory.dmp

Filesize
10.8MB

Download
memory/1924-150-0x00007FFA44AE0000-0x00007FFA455A1000-memory.dmp

Filesize
10.8MB

Download
memory/2116-138-0x0000000000000000-mapping.dmp

Download
memory/2232-134-0x0000000000000000-mapping.dmp

Download
memory/2980-144-0x0000000000000000-mapping.dmp

Download
memory/4876-137-0x0000000000000000-mapping.dmp

Download
memory/4948-136-0x0000000000000000-mapping.dmp

Download
memory/4996-139-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads