f6eb53bca5075725d889aa5de1f4541cd764bed2bd46aeefcfa4a1b018b6a4fb

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
25-01-2023 11:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

185.246.220.121_-_vik_-_HHG.exe___58b8732ed17532b518bd90b68b934b23.exe
Size

282KB
MD5

58b8732ed17532b518bd90b68b934b23
SHA1

dbb672289a9ebde17cb77424615a1c186995d1f3
SHA256

f6eb53bca5075725d889aa5de1f4541cd764bed2bd46aeefcfa4a1b018b6a4fb
SHA512

824e7e7cdccb4d60f72ad70fd73ea8184b1ed7b1d7b2e9a9426ec58380f3f4f769bee8b55d5d8c2450a6bfe37a2f737cc6a88c77e6bf1dde1984edc8c4e3b75c
SSDEEP

6144:Z4CJRQliHM5ZsM5Iszp/znpBIZYJrAHAY7e1+vJmuxt:VuYMx5IshzrInH34+Bmuxt

Score

7^/10

spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 3 IoCs

Processes:

185.246.220.121_-_vik_-_HHG.exe___58b8732ed17532b518bd90b68b934b23.exeCaspol.execmstp.exe

description	pid	process	target process
PID 4176 set thread context of 4272	4176	185.246.220.121_-_vik_-_HHG.exe___58b8732ed17532b518bd90b68b934b23.exe	Caspol.exe
PID 4272 set thread context of 1048	4272	Caspol.exe	Explorer.EXE
PID 4832 set thread context of 1048	4832	cmstp.exe	Explorer.EXE

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1812 1672 WerFault.exe Firefox.exe

pid	pid_target	process	target process
1812	1672	WerFault.exe	Firefox.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

cmstp.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	cmstp.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Caspol.execmstp.exe

pid	process
4272	Caspol.exe
4272	Caspol.exe
4272	Caspol.exe
4272	Caspol.exe
4272	Caspol.exe
4272	Caspol.exe
4272	Caspol.exe
4272	Caspol.exe
4832	cmstp.exe
4832	cmstp.exe
4832	cmstp.exe
4832	cmstp.exe
4832	cmstp.exe
4832	cmstp.exe
4832	cmstp.exe
4832	cmstp.exe
4832	cmstp.exe
4832	cmstp.exe
4832	cmstp.exe
4832	cmstp.exe
4832	cmstp.exe
4832	cmstp.exe
4832	cmstp.exe
4832	cmstp.exe
4832	cmstp.exe
4832	cmstp.exe
4832	cmstp.exe
4832	cmstp.exe
4832	cmstp.exe
4832	cmstp.exe
4832	cmstp.exe
4832	cmstp.exe
4832	cmstp.exe
4832	cmstp.exe
4832	cmstp.exe
4832	cmstp.exe
4832	cmstp.exe
4832	cmstp.exe
4832	cmstp.exe
4832	cmstp.exe
4832	cmstp.exe
4832	cmstp.exe
4832	cmstp.exe
4832	cmstp.exe
4832	cmstp.exe
4832	cmstp.exe
4832	cmstp.exe
4832	cmstp.exe
4832	cmstp.exe
4832	cmstp.exe
4832	cmstp.exe
4832	cmstp.exe
4832	cmstp.exe
4832	cmstp.exe
4832	cmstp.exe
4832	cmstp.exe
4832	cmstp.exe
4832	cmstp.exe
4832	cmstp.exe
4832	cmstp.exe
4832	cmstp.exe
4832	cmstp.exe
4832	cmstp.exe
4832	cmstp.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1048 Explorer.EXE
Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

Caspol.execmstp.exe

pid process

4272 Caspol.exe
4272 Caspol.exe
4272 Caspol.exe
4832 cmstp.exe
4832 cmstp.exe
4832 cmstp.exe
4832 cmstp.exe

pid	process
1048	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

Caspol.execmstp.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	4272	Caspol.exe
Token: SeDebugPrivilege	4832	cmstp.exe
Token: SeShutdownPrivilege	1048	Explorer.EXE
Token: SeCreatePagefilePrivilege	1048	Explorer.EXE
Token: SeShutdownPrivilege	1048	Explorer.EXE
Token: SeCreatePagefilePrivilege	1048	Explorer.EXE
Token: SeShutdownPrivilege	1048	Explorer.EXE
Token: SeCreatePagefilePrivilege	1048	Explorer.EXE
Token: SeShutdownPrivilege	1048	Explorer.EXE
Token: SeCreatePagefilePrivilege	1048	Explorer.EXE
Token: SeShutdownPrivilege	1048	Explorer.EXE
Token: SeCreatePagefilePrivilege	1048	Explorer.EXE
Token: SeShutdownPrivilege	1048	Explorer.EXE
Token: SeCreatePagefilePrivilege	1048	Explorer.EXE
Token: SeShutdownPrivilege	1048	Explorer.EXE
Token: SeCreatePagefilePrivilege	1048	Explorer.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

185.246.220.121_-_vik_-_HHG.exe___58b8732ed17532b518bd90b68b934b23.exeExplorer.EXEcmstp.exe

description	pid	process	target process
PID 4176 wrote to memory of 4272	4176	185.246.220.121_-_vik_-_HHG.exe___58b8732ed17532b518bd90b68b934b23.exe	Caspol.exe
PID 4176 wrote to memory of 4272	4176	185.246.220.121_-_vik_-_HHG.exe___58b8732ed17532b518bd90b68b934b23.exe	Caspol.exe
PID 4176 wrote to memory of 4272	4176	185.246.220.121_-_vik_-_HHG.exe___58b8732ed17532b518bd90b68b934b23.exe	Caspol.exe
PID 4176 wrote to memory of 4272	4176	185.246.220.121_-_vik_-_HHG.exe___58b8732ed17532b518bd90b68b934b23.exe	Caspol.exe
PID 4176 wrote to memory of 4272	4176	185.246.220.121_-_vik_-_HHG.exe___58b8732ed17532b518bd90b68b934b23.exe	Caspol.exe
PID 4176 wrote to memory of 4272	4176	185.246.220.121_-_vik_-_HHG.exe___58b8732ed17532b518bd90b68b934b23.exe	Caspol.exe
PID 1048 wrote to memory of 4832	1048	Explorer.EXE	cmstp.exe
PID 1048 wrote to memory of 4832	1048	Explorer.EXE	cmstp.exe
PID 1048 wrote to memory of 4832	1048	Explorer.EXE	cmstp.exe
PID 4832 wrote to memory of 1672	4832	cmstp.exe	Firefox.exe
PID 4832 wrote to memory of 1672	4832	cmstp.exe	Firefox.exe
PID 4832 wrote to memory of 1672	4832	cmstp.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1048

C:\Users\Admin\AppData\Local\Temp\185.246.220.121_-_vik_-_HHG.exe___58b8732ed17532b518bd90b68b934b23.exe
"C:\Users\Admin\AppData\Local\Temp\185.246.220.121_-_vik_-_HHG.exe___58b8732ed17532b518bd90b68b934b23.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4176

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4272

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:4356

C:\Windows\SysWOW64\cmstp.exe
"C:\Windows\SysWOW64\cmstp.exe"
2⤵
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4832

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:1672

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1672 -s 204
4⤵
- Program crash
PID:1812

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 460 -p 1672 -ip 1672
1⤵
PID:2888

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1048-175-0x00000000029B0000-0x00000000029C0000-memory.dmp

Filesize
64KB

Download
memory/1048-203-0x00000000029B0000-0x00000000029C0000-memory.dmp

Filesize
64KB

Download
memory/1048-147-0x0000000002E00000-0x0000000002EBD000-memory.dmp

Filesize
756KB

Download
memory/1048-148-0x00000000029B0000-0x00000000029C0000-memory.dmp

Filesize
64KB

Download
memory/1048-149-0x00000000029B0000-0x00000000029C0000-memory.dmp

Filesize
64KB

Download
memory/1048-211-0x0000000000B20000-0x0000000000B30000-memory.dmp

Filesize
64KB

Download
memory/1048-210-0x00000000029B0000-0x00000000029C0000-memory.dmp

Filesize
64KB

Download
memory/1048-209-0x00000000029B0000-0x00000000029C0000-memory.dmp

Filesize
64KB

Download
memory/1048-208-0x00000000029B0000-0x00000000029C0000-memory.dmp

Filesize
64KB

Download
memory/1048-207-0x00000000029B0000-0x00000000029C0000-memory.dmp

Filesize
64KB

Download
memory/1048-206-0x00000000029B0000-0x00000000029C0000-memory.dmp

Filesize
64KB

Download
memory/1048-204-0x00000000029B0000-0x00000000029C0000-memory.dmp

Filesize
64KB

Download
memory/1048-205-0x00000000029B0000-0x00000000029C0000-memory.dmp

Filesize
64KB

Download
memory/1048-174-0x00000000029B0000-0x00000000029C0000-memory.dmp

Filesize
64KB

Download
memory/1048-202-0x00000000029B0000-0x00000000029C0000-memory.dmp

Filesize
64KB

Download
memory/1048-150-0x00000000029B0000-0x00000000029C0000-memory.dmp

Filesize
64KB

Download
memory/1048-152-0x00000000029B0000-0x00000000029C0000-memory.dmp

Filesize
64KB

Download
memory/1048-151-0x00000000029B0000-0x00000000029C0000-memory.dmp

Filesize
64KB

Download
memory/1048-153-0x00000000029B0000-0x00000000029C0000-memory.dmp

Filesize
64KB

Download
memory/1048-154-0x00000000029B0000-0x00000000029C0000-memory.dmp

Filesize
64KB

Download
memory/1048-155-0x00000000029B0000-0x00000000029C0000-memory.dmp

Filesize
64KB

Download
memory/1048-156-0x00000000029B0000-0x00000000029C0000-memory.dmp

Filesize
64KB

Download
memory/1048-157-0x00000000029B0000-0x00000000029C0000-memory.dmp

Filesize
64KB

Download
memory/1048-158-0x00000000029B0000-0x00000000029C0000-memory.dmp

Filesize
64KB

Download
memory/1048-159-0x00000000029B0000-0x00000000029C0000-memory.dmp

Filesize
64KB

Download
memory/1048-160-0x00000000029B0000-0x00000000029C0000-memory.dmp

Filesize
64KB

Download
memory/1048-161-0x00000000029B0000-0x00000000029C0000-memory.dmp

Filesize
64KB

Download
memory/1048-162-0x00000000029B0000-0x00000000029C0000-memory.dmp

Filesize
64KB

Download
memory/1048-163-0x00000000029B0000-0x00000000029C0000-memory.dmp

Filesize
64KB

Download
memory/1048-164-0x00000000029B0000-0x00000000029C0000-memory.dmp

Filesize
64KB

Download
memory/1048-165-0x00000000029D0000-0x00000000029E0000-memory.dmp

Filesize
64KB

Download
memory/1048-166-0x00000000029D0000-0x00000000029E0000-memory.dmp

Filesize
64KB

Download
memory/1048-167-0x0000000000B00000-0x0000000000B10000-memory.dmp

Filesize
64KB

Download
memory/1048-168-0x00000000029D0000-0x00000000029E0000-memory.dmp

Filesize
64KB

Download
memory/1048-169-0x00000000029D0000-0x00000000029E0000-memory.dmp

Filesize
64KB

Download
memory/1048-170-0x0000000000B00000-0x0000000000B10000-memory.dmp

Filesize
64KB

Download
memory/1048-171-0x00000000029B0000-0x00000000029C0000-memory.dmp

Filesize
64KB

Download
memory/1048-172-0x00000000029B0000-0x00000000029C0000-memory.dmp

Filesize
64KB

Download
memory/1048-179-0x00000000029B0000-0x00000000029C0000-memory.dmp

Filesize
64KB

Download
memory/1048-145-0x0000000002E00000-0x0000000002EBD000-memory.dmp

Filesize
756KB

Download
memory/1048-173-0x00000000029B0000-0x00000000029C0000-memory.dmp

Filesize
64KB

Download
memory/1048-176-0x00000000029B0000-0x00000000029C0000-memory.dmp

Filesize
64KB

Download
memory/1048-177-0x00000000029B0000-0x00000000029C0000-memory.dmp

Filesize
64KB

Download
memory/1048-178-0x00000000029B0000-0x00000000029C0000-memory.dmp

Filesize
64KB

Download
memory/1048-139-0x0000000002A60000-0x0000000002B52000-memory.dmp

Filesize
968KB

Download
memory/1048-180-0x00000000029B0000-0x00000000029C0000-memory.dmp

Filesize
64KB

Download
memory/1048-181-0x00000000029B0000-0x00000000029C0000-memory.dmp

Filesize
64KB

Download
memory/1048-182-0x00000000029B0000-0x00000000029C0000-memory.dmp

Filesize
64KB

Download
memory/1048-183-0x00000000029B0000-0x00000000029C0000-memory.dmp

Filesize
64KB

Download
memory/1048-184-0x00000000029B0000-0x00000000029C0000-memory.dmp

Filesize
64KB

Download
memory/1048-185-0x00000000029B0000-0x00000000029C0000-memory.dmp

Filesize
64KB

Download
memory/1048-186-0x00000000029B0000-0x00000000029C0000-memory.dmp

Filesize
64KB

Download
memory/1048-187-0x00000000029B0000-0x00000000029C0000-memory.dmp

Filesize
64KB

Download
memory/1048-188-0x0000000000B10000-0x0000000000B20000-memory.dmp

Filesize
64KB

Download
memory/1048-189-0x0000000000B20000-0x0000000000B30000-memory.dmp

Filesize
64KB

Download
memory/1048-190-0x0000000000B20000-0x0000000000B30000-memory.dmp

Filesize
64KB

Download
memory/1048-191-0x0000000000B10000-0x0000000000B20000-memory.dmp

Filesize
64KB

Download
memory/1048-192-0x0000000000B20000-0x0000000000B30000-memory.dmp

Filesize
64KB

Download
memory/1048-193-0x0000000000B20000-0x0000000000B30000-memory.dmp

Filesize
64KB

Download
memory/1048-194-0x00000000029B0000-0x00000000029C0000-memory.dmp

Filesize
64KB

Download
memory/1048-195-0x00000000029B0000-0x00000000029C0000-memory.dmp

Filesize
64KB

Download
memory/1048-196-0x00000000029B0000-0x00000000029C0000-memory.dmp

Filesize
64KB

Download
memory/1048-197-0x00000000029B0000-0x00000000029C0000-memory.dmp

Filesize
64KB

Download
memory/1048-198-0x00000000029B0000-0x00000000029C0000-memory.dmp

Filesize
64KB

Download
memory/1048-199-0x00000000029B0000-0x00000000029C0000-memory.dmp

Filesize
64KB

Download
memory/1048-200-0x00000000029B0000-0x00000000029C0000-memory.dmp

Filesize
64KB

Download
memory/1048-201-0x00000000029B0000-0x00000000029C0000-memory.dmp

Filesize
64KB

Download
memory/4176-132-0x0000000000A90000-0x0000000000ADC000-memory.dmp

Filesize
304KB

Download
memory/4272-136-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4272-137-0x0000000001170000-0x00000000014BA000-memory.dmp

Filesize
3.3MB

Download
memory/4272-138-0x0000000000CB0000-0x0000000000CC0000-memory.dmp

Filesize
64KB

Download
memory/4272-135-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4272-133-0x0000000000000000-mapping.dmp

Download
memory/4272-134-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4832-140-0x0000000000000000-mapping.dmp

Download
memory/4832-142-0x0000000000500000-0x000000000052D000-memory.dmp

Filesize
180KB

Download
memory/4832-141-0x00000000005B0000-0x00000000005C6000-memory.dmp

Filesize
88KB

Download
memory/4832-143-0x00000000024E0000-0x000000000282A000-memory.dmp

Filesize
3.3MB

Download
memory/4832-144-0x0000000002310000-0x000000000239F000-memory.dmp

Filesize
572KB

Download
memory/4832-146-0x0000000000500000-0x000000000052D000-memory.dmp

Filesize
180KB

Download