234285bf25600383d245973a6567e7c2acdb125c6471eb377842503fd25239fe

Analysis

max time kernel
37s
max time network
33s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
16-03-2023 20:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Microsoft Toolkit.exe
Size

1.1MB
MD5

371736712388ceda55cd2175282bfc86
SHA1

36ae0978ff85f892dfe1cc5a2af5bc3c93b1dfed
SHA256

234285bf25600383d245973a6567e7c2acdb125c6471eb377842503fd25239fe
SHA512

871bd5eae3813c1b4ed7d065d58a394dd8d2d24a835d07dbc1780d57a1a78ac9ca6e839393e7fec69ceffc0e53e3ee3c88e5f23801c0f5aac23288bf4454c50c
SSDEEP

24576:WxG3B/YkCWHVyvK6TqFfx/2tDw/F8WehDPQNv+J:72kCW1m/G/2t0uTFA+J

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1684	Setup.exe

Loads dropped DLL 1 IoCs

pid	Process
1252	Microsoft Toolkit.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl	Setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_NAVIGATION_SOUNDS	Setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SECURITYBAND	Setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main	Setup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_NAVIGATION_SOUNDS\Setup.exe = "1"	Setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN	Setup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\Setup.exe = "0"	Setup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SECURITYBAND\Setup.exe = "0"	Setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_NAVIGATION_SOUNDS	Setup.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1252 wrote to memory of 1684	1252	Microsoft Toolkit.exe	26
PID 1252 wrote to memory of 1684	1252	Microsoft Toolkit.exe	26
PID 1252 wrote to memory of 1684	1252	Microsoft Toolkit.exe	26
PID 1252 wrote to memory of 1684	1252	Microsoft Toolkit.exe	26
PID 1252 wrote to memory of 1684	1252	Microsoft Toolkit.exe	26
PID 1252 wrote to memory of 1684	1252	Microsoft Toolkit.exe	26
PID 1252 wrote to memory of 1684	1252	Microsoft Toolkit.exe	26

C:\Users\Admin\AppData\Local\Temp\Microsoft Toolkit.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Toolkit.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1252
- C:\Users\Admin\AppData\Local\Temp\a2GOkxzZEj\oHz5OXzP\Setup.exe
  C:\Users\Admin\AppData\Local\Temp\a2GOkxzZEj\oHz5OXzP\Setup.exe --relaunch
  2⤵
  - Executes dropped EXE
  - Modifies Internet Explorer settings
  PID:1684

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\a2GOkxzZEj\oHz5OXzP\Setup.exe

Filesize
1.1MB

MD5
371736712388ceda55cd2175282bfc86

SHA1
36ae0978ff85f892dfe1cc5a2af5bc3c93b1dfed

SHA256
234285bf25600383d245973a6567e7c2acdb125c6471eb377842503fd25239fe

SHA512
871bd5eae3813c1b4ed7d065d58a394dd8d2d24a835d07dbc1780d57a1a78ac9ca6e839393e7fec69ceffc0e53e3ee3c88e5f23801c0f5aac23288bf4454c50c

Download Submit
C:\Users\Admin\AppData\Local\Temp\a2GOkxzZEj\oHz5OXzP\Setup.exe

Filesize
1.1MB

MD5
371736712388ceda55cd2175282bfc86

SHA1
36ae0978ff85f892dfe1cc5a2af5bc3c93b1dfed

SHA256
234285bf25600383d245973a6567e7c2acdb125c6471eb377842503fd25239fe

SHA512
871bd5eae3813c1b4ed7d065d58a394dd8d2d24a835d07dbc1780d57a1a78ac9ca6e839393e7fec69ceffc0e53e3ee3c88e5f23801c0f5aac23288bf4454c50c

Download Submit
\Users\Admin\AppData\Local\Temp\a2GOkxzZEj\oHz5OXzP\Setup.exe

Filesize
1.1MB

MD5
371736712388ceda55cd2175282bfc86

SHA1
36ae0978ff85f892dfe1cc5a2af5bc3c93b1dfed

SHA256
234285bf25600383d245973a6567e7c2acdb125c6471eb377842503fd25239fe

SHA512
871bd5eae3813c1b4ed7d065d58a394dd8d2d24a835d07dbc1780d57a1a78ac9ca6e839393e7fec69ceffc0e53e3ee3c88e5f23801c0f5aac23288bf4454c50c

Download Submit
memory/1252-56-0x0000000001F60000-0x0000000002061000-memory.dmp

Filesize
1.0MB

Download
memory/1252-54-0x0000000000400000-0x000000000051B000-memory.dmp

Filesize
1.1MB

Download
memory/1252-57-0x0000000001F60000-0x0000000002061000-memory.dmp

Filesize
1.0MB

Download
memory/1252-63-0x0000000001F60000-0x0000000002061000-memory.dmp

Filesize
1.0MB

Download
memory/1252-62-0x0000000001F60000-0x0000000002061000-memory.dmp

Filesize
1.0MB

Download
memory/1252-64-0x0000000001F60000-0x0000000002061000-memory.dmp

Filesize
1.0MB

Download
memory/1252-65-0x0000000001F60000-0x0000000002061000-memory.dmp

Filesize
1.0MB

Download
memory/1252-67-0x0000000001F60000-0x0000000002061000-memory.dmp

Filesize
1.0MB

Download
memory/1252-66-0x0000000001F60000-0x0000000002061000-memory.dmp

Filesize
1.0MB

Download
memory/1252-69-0x0000000001F60000-0x0000000002061000-memory.dmp

Filesize
1.0MB

Download
memory/1252-68-0x0000000001F60000-0x0000000002061000-memory.dmp

Filesize
1.0MB

Download
memory/1252-71-0x0000000001F60000-0x0000000002061000-memory.dmp

Filesize
1.0MB

Download
memory/1252-70-0x0000000001F60000-0x0000000002061000-memory.dmp

Filesize
1.0MB

Download
memory/1252-72-0x0000000001F60000-0x0000000002061000-memory.dmp

Filesize
1.0MB

Download
memory/1252-73-0x0000000001F60000-0x0000000002061000-memory.dmp

Filesize
1.0MB

Download
memory/1252-74-0x0000000001F60000-0x0000000002061000-memory.dmp

Filesize
1.0MB

Download
memory/1252-76-0x0000000001F60000-0x0000000002061000-memory.dmp

Filesize
1.0MB

Download
memory/1252-75-0x0000000001F60000-0x0000000002061000-memory.dmp

Filesize
1.0MB

Download
memory/1252-77-0x0000000001F60000-0x0000000002061000-memory.dmp

Filesize
1.0MB

Download
memory/1252-86-0x0000000001F60000-0x0000000002061000-memory.dmp

Filesize
1.0MB

Download
memory/1252-85-0x0000000001F60000-0x0000000002061000-memory.dmp

Filesize
1.0MB

Download
memory/1252-84-0x0000000001F60000-0x0000000002061000-memory.dmp

Filesize
1.0MB

Download
memory/1252-83-0x0000000001F60000-0x0000000002061000-memory.dmp

Filesize
1.0MB

Download
memory/1252-82-0x0000000001F60000-0x0000000002061000-memory.dmp

Filesize
1.0MB

Download
memory/1252-81-0x0000000001F60000-0x0000000002061000-memory.dmp

Filesize
1.0MB

Download
memory/1252-80-0x0000000001F60000-0x0000000002061000-memory.dmp

Filesize
1.0MB

Download
memory/1252-79-0x0000000001F60000-0x0000000002061000-memory.dmp

Filesize
1.0MB

Download
memory/1252-78-0x0000000001F60000-0x0000000002061000-memory.dmp

Filesize
1.0MB

Download
memory/1252-87-0x0000000001F60000-0x0000000002061000-memory.dmp

Filesize
1.0MB

Download
memory/1252-90-0x0000000001F60000-0x0000000002061000-memory.dmp

Filesize
1.0MB

Download
memory/1252-89-0x0000000001F60000-0x0000000002061000-memory.dmp

Filesize
1.0MB

Download
memory/1252-94-0x0000000001F60000-0x0000000002061000-memory.dmp

Filesize
1.0MB

Download
memory/1252-93-0x0000000001F60000-0x0000000002061000-memory.dmp

Filesize
1.0MB

Download
memory/1252-92-0x0000000001F60000-0x0000000002061000-memory.dmp

Filesize
1.0MB

Download
memory/1252-91-0x0000000001F60000-0x0000000002061000-memory.dmp

Filesize
1.0MB

Download
memory/1252-88-0x0000000001F60000-0x0000000002061000-memory.dmp

Filesize
1.0MB

Download
memory/1252-101-0x0000000001F60000-0x0000000002061000-memory.dmp

Filesize
1.0MB

Download
memory/1252-100-0x0000000001F60000-0x0000000002061000-memory.dmp

Filesize
1.0MB

Download
memory/1252-99-0x0000000001F60000-0x0000000002061000-memory.dmp

Filesize
1.0MB

Download
memory/1252-98-0x0000000001F60000-0x0000000002061000-memory.dmp

Filesize
1.0MB

Download
memory/1252-97-0x0000000001F60000-0x0000000002061000-memory.dmp

Filesize
1.0MB

Download
memory/1252-96-0x0000000001F60000-0x0000000002061000-memory.dmp

Filesize
1.0MB

Download
memory/1252-95-0x0000000001F60000-0x0000000002061000-memory.dmp

Filesize
1.0MB

Download
memory/1252-105-0x0000000001F60000-0x0000000002061000-memory.dmp

Filesize
1.0MB

Download
memory/1252-104-0x0000000001F60000-0x0000000002061000-memory.dmp

Filesize
1.0MB

Download
memory/1252-103-0x0000000001F60000-0x0000000002061000-memory.dmp

Filesize
1.0MB

Download
memory/1252-102-0x0000000001F60000-0x0000000002061000-memory.dmp

Filesize
1.0MB

Download
memory/1252-106-0x0000000001F60000-0x0000000002061000-memory.dmp

Filesize
1.0MB

Download
memory/1252-107-0x0000000001F60000-0x0000000002061000-memory.dmp

Filesize
1.0MB

Download
memory/1252-108-0x0000000001F60000-0x0000000002061000-memory.dmp

Filesize
1.0MB

Download
memory/1252-111-0x0000000001F60000-0x0000000002061000-memory.dmp

Filesize
1.0MB

Download
memory/1252-112-0x0000000001F60000-0x0000000002061000-memory.dmp

Filesize
1.0MB

Download
memory/1252-110-0x0000000001F60000-0x0000000002061000-memory.dmp

Filesize
1.0MB

Download
memory/1252-109-0x0000000001F60000-0x0000000002061000-memory.dmp

Filesize
1.0MB

Download
memory/1252-113-0x0000000001F60000-0x0000000002061000-memory.dmp

Filesize
1.0MB

Download
memory/1252-114-0x0000000001F60000-0x0000000002061000-memory.dmp

Filesize
1.0MB

Download
memory/1252-115-0x0000000001F60000-0x0000000002061000-memory.dmp

Filesize
1.0MB

Download
memory/1252-117-0x0000000001F60000-0x0000000002061000-memory.dmp

Filesize
1.0MB

Download
memory/1252-116-0x0000000001F60000-0x0000000002061000-memory.dmp

Filesize
1.0MB

Download