696e95844a9769baa7881557abbdc47b44841478d8e24efd05bff804330d9070

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
27/03/2023, 02:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

961fefeda3155a237a5cb947701f9b2baaab58b4ed675098c7809984950803c7.exe
Size

288KB
MD5

ea36e1f335ddc3b518fb817b92b2f7e9
SHA1

2a5572b661eab051d4fd9f99e14341351ce9028f
SHA256

961fefeda3155a237a5cb947701f9b2baaab58b4ed675098c7809984950803c7
SHA512

7b961d94c1e48def0fbab56a7483555fdac7f20c23985f955b8864a9ed98851767f419884321f451ea473b70d571b2c9163d305bdd4891c73b3468a2cd019e0f
SSDEEP

6144:PYa6vM9nNG/+pJL0esyFnV2nnRh6/ORIURURBZ+aUjHOt+HN9YfeQjj2KQ:PYtMnNG/+XL8yxV2nRsWRIUdawRUeoQ

Score

7^/10

spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	maduwvg.exe

Executes dropped EXE 2 IoCs

pid	Process
412	maduwvg.exe
3812	maduwvg.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 412 set thread context of 3812	412	maduwvg.exe	85
PID 3812 set thread context of 3180	3812	maduwvg.exe	36
PID 3240 set thread context of 3180	3240	wscript.exe	36

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2900	3864	WerFault.exe	94

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	wscript.exe

Suspicious behavior: EnumeratesProcesses 58 IoCs

pid	Process
3812	maduwvg.exe
3812	maduwvg.exe
3812	maduwvg.exe
3812	maduwvg.exe
3812	maduwvg.exe
3812	maduwvg.exe
3812	maduwvg.exe
3812	maduwvg.exe
3240	wscript.exe
3240	wscript.exe
3240	wscript.exe
3240	wscript.exe
3240	wscript.exe
3240	wscript.exe
3240	wscript.exe
3240	wscript.exe
3240	wscript.exe
3240	wscript.exe
3240	wscript.exe
3240	wscript.exe
3240	wscript.exe
3240	wscript.exe
3240	wscript.exe
3240	wscript.exe
3240	wscript.exe
3240	wscript.exe
3240	wscript.exe
3240	wscript.exe
3240	wscript.exe
3240	wscript.exe
3240	wscript.exe
3240	wscript.exe
3240	wscript.exe
3240	wscript.exe
3240	wscript.exe
3240	wscript.exe
3240	wscript.exe
3240	wscript.exe
3240	wscript.exe
3240	wscript.exe
3240	wscript.exe
3240	wscript.exe
3240	wscript.exe
3240	wscript.exe
3240	wscript.exe
3240	wscript.exe
3240	wscript.exe
3240	wscript.exe
3240	wscript.exe
3240	wscript.exe
3240	wscript.exe
3240	wscript.exe
3240	wscript.exe
3240	wscript.exe
3240	wscript.exe
3240	wscript.exe
3240	wscript.exe
3240	wscript.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3180	Explorer.EXE

Suspicious behavior: MapViewOfSection 8 IoCs

pid	Process
412	maduwvg.exe
3812	maduwvg.exe
3812	maduwvg.exe
3812	maduwvg.exe
3240	wscript.exe
3240	wscript.exe
3240	wscript.exe
3240	wscript.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3812	maduwvg.exe
Token: SeDebugPrivilege	3240	wscript.exe
Token: SeShutdownPrivilege	3180	Explorer.EXE
Token: SeCreatePagefilePrivilege	3180	Explorer.EXE

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 2072 wrote to memory of 412	2072	961fefeda3155a237a5cb947701f9b2baaab58b4ed675098c7809984950803c7.exe	83
PID 2072 wrote to memory of 412	2072	961fefeda3155a237a5cb947701f9b2baaab58b4ed675098c7809984950803c7.exe	83
PID 2072 wrote to memory of 412	2072	961fefeda3155a237a5cb947701f9b2baaab58b4ed675098c7809984950803c7.exe	83
PID 412 wrote to memory of 3812	412	maduwvg.exe	85
PID 412 wrote to memory of 3812	412	maduwvg.exe	85
PID 412 wrote to memory of 3812	412	maduwvg.exe	85
PID 412 wrote to memory of 3812	412	maduwvg.exe	85
PID 3180 wrote to memory of 3240	3180	Explorer.EXE	86
PID 3180 wrote to memory of 3240	3180	Explorer.EXE	86
PID 3180 wrote to memory of 3240	3180	Explorer.EXE	86
PID 3240 wrote to memory of 3864	3240	wscript.exe	94
PID 3240 wrote to memory of 3864	3240	wscript.exe	94
PID 3240 wrote to memory of 3864	3240	wscript.exe	94

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3180
- C:\Users\Admin\AppData\Local\Temp\961fefeda3155a237a5cb947701f9b2baaab58b4ed675098c7809984950803c7.exe
  "C:\Users\Admin\AppData\Local\Temp\961fefeda3155a237a5cb947701f9b2baaab58b4ed675098c7809984950803c7.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2072
- - C:\Users\Admin\AppData\Local\Temp\maduwvg.exe
    "C:\Users\Admin\AppData\Local\Temp\maduwvg.exe" C:\Users\Admin\AppData\Local\Temp\tabtxqc.m
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:412
  - - C:\Users\Admin\AppData\Local\Temp\maduwvg.exe
      "C:\Users\Admin\AppData\Local\Temp\maduwvg.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:3812
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\SysWOW64\wscript.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3240
- - C:\Program Files\Mozilla Firefox\Firefox.exe
    "C:\Program Files\Mozilla Firefox\Firefox.exe"
    3⤵
    PID:3864
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 3864 -s 128
      4⤵
      Program crash
      PID:2900

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 448 -p 3864 -ip 3864
1⤵
PID:3164

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\jjrobelvro.mu

Filesize
206KB

MD5
e3a345aa46ea157d514b580561444e95

SHA1
2aaebaf58e3090f4a16002614cf076cc5360cabf

SHA256
fe91ec9e626496d0f405ed20d56271a58b664a6e8d07e52fa3bf39a0076567b4

SHA512
77f50396d81aff36bb150252969091e0f54e7659c84dd0fead03982c1a7adb79884cea2ae9f64c0afe766bb20508d8d343430e8327ed91dd0c0e290347847e00

Download Submit
C:\Users\Admin\AppData\Local\Temp\maduwvg.exe

Filesize
85KB

MD5
e4414c98857e824d4181c102aa5b7164

SHA1
6487cf6df5f38028194cffb032ebc0996c8457e0

SHA256
58af24bbcfb5c5ffe94640ccbb2c1f4c22ff3fcafe4170bd672497564adc700f

SHA512
0f09b37daef74b22af43534db8c95fe64872e9f600fa87d4a2efbad37f84546d57c1286b5fef25c5957b17d539a8101eb25d73989b24c25a5dcfea87dd892ace

Download Submit
C:\Users\Admin\AppData\Local\Temp\maduwvg.exe

Filesize
85KB

MD5
e4414c98857e824d4181c102aa5b7164

SHA1
6487cf6df5f38028194cffb032ebc0996c8457e0

SHA256
58af24bbcfb5c5ffe94640ccbb2c1f4c22ff3fcafe4170bd672497564adc700f

SHA512
0f09b37daef74b22af43534db8c95fe64872e9f600fa87d4a2efbad37f84546d57c1286b5fef25c5957b17d539a8101eb25d73989b24c25a5dcfea87dd892ace

Download Submit
C:\Users\Admin\AppData\Local\Temp\maduwvg.exe

Filesize
85KB

MD5
e4414c98857e824d4181c102aa5b7164

SHA1
6487cf6df5f38028194cffb032ebc0996c8457e0

SHA256
58af24bbcfb5c5ffe94640ccbb2c1f4c22ff3fcafe4170bd672497564adc700f

SHA512
0f09b37daef74b22af43534db8c95fe64872e9f600fa87d4a2efbad37f84546d57c1286b5fef25c5957b17d539a8101eb25d73989b24c25a5dcfea87dd892ace

Download Submit
C:\Users\Admin\AppData\Local\Temp\tabtxqc.m

Filesize
5KB

MD5
7d7c23849ea2243cb51e6d094a5d1690

SHA1
09295f3557f57e17b9c3b6c70cdda5b2b0e1aace

SHA256
9411e745c5c403a1198a31547adf8b23fa0aa8c51259ca92dac558c41852986a

SHA512
6aabbe4d9f95754dddff47b63266f74eaf4665894230250698c66576649a8719dbc3dbd2851fdbb2204429c07e33a089475220111eca8407ebc411b52cea97cb

Download Submit
memory/3180-149-0x00000000081D0000-0x00000000082DF000-memory.dmp

Filesize
1.1MB

Download
memory/3180-165-0x0000000006CA0000-0x0000000006D38000-memory.dmp

Filesize
608KB

Download
memory/3180-157-0x0000000006CA0000-0x0000000006D38000-memory.dmp

Filesize
608KB

Download
memory/3240-152-0x00000000006D0000-0x00000000006F7000-memory.dmp

Filesize
156KB

Download
memory/3240-150-0x00000000006D0000-0x00000000006F7000-memory.dmp

Filesize
156KB

Download
memory/3240-154-0x0000000001160000-0x000000000118D000-memory.dmp

Filesize
180KB

Download
memory/3240-155-0x0000000003200000-0x000000000354A000-memory.dmp

Filesize
3.3MB

Download
memory/3240-156-0x0000000003030000-0x00000000030BF000-memory.dmp

Filesize
572KB

Download
memory/3812-148-0x0000000000730000-0x0000000000740000-memory.dmp

Filesize
64KB

Download
memory/3812-147-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3812-145-0x0000000000BE0000-0x0000000000F2A000-memory.dmp

Filesize
3.3MB

Download
memory/3812-151-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3812-144-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3812-141-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download