60f9710d90abd5afa424c219ec72d9f957060373975e91b543e85594876f4a48

Resubmissions

05/06/2023, 16:19

230605-tsga4aab5s 10

05/06/2023, 12:37

230605-ptf99sgf35 10

Analysis

max time kernel
30s
max time network
33s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
05/06/2023, 16:19

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

5593569a8cccb31bf93eaeee499c0af142d9c8ccf3b9169e6ddd24f7e81c95e0.exe
Size

672KB
MD5

cc8638cd86f89b6713993edca48e37e9
SHA1

90b4da2d23d5df5d29f3a86e9f8383a435126213
SHA256

5593569a8cccb31bf93eaeee499c0af142d9c8ccf3b9169e6ddd24f7e81c95e0
SHA512

d9bceb56353ad4b4542fd1ce0237f3bd1b1542d3f7083b243dc1e435cad45f42aabd1a23e2db8c12db299b62ecce4db82a753e9458c6370354469e0b546281aa
SSDEEP

12288:lLYA9TJRcNEFAl/uqzFEqiPTriluFeutSfzoK6e5Zn7qBbQGyVoKMdW:lfJSy2u0EqiHilAeutSfzoK6gZgsCa

Score

10^/10

evasion infostealer_generic persistence trojan

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	5593569a8cccb31bf93eaeee499c0af142d9c8ccf3b9169e6ddd24f7e81c95e0.exe

Find unpacked information stealer based on possible SQL query to retrieve broswer data 1 IoCs

Detects infostealer.

infostealer_generic

resource	yara_rule
behavioral1/memory/1824-66-0x0000000000400000-0x000000000046C000-memory.dmp	infostealer_generic_browser_sql

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TaskKill\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\Иисус.sys"	5593569a8cccb31bf93eaeee499c0af142d9c8ccf3b9169e6ddd24f7e81c95e0.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	5593569a8cccb31bf93eaeee499c0af142d9c8ccf3b9169e6ddd24f7e81c95e0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	5593569a8cccb31bf93eaeee499c0af142d9c8ccf3b9169e6ddd24f7e81c95e0.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 916 set thread context of 1824	916	5593569a8cccb31bf93eaeee499c0af142d9c8ccf3b9169e6ddd24f7e81c95e0.exe	38

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1668	1824	WerFault.exe	38

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
1880	powershell.exe
916	5593569a8cccb31bf93eaeee499c0af142d9c8ccf3b9169e6ddd24f7e81c95e0.exe
916	5593569a8cccb31bf93eaeee499c0af142d9c8ccf3b9169e6ddd24f7e81c95e0.exe
916	5593569a8cccb31bf93eaeee499c0af142d9c8ccf3b9169e6ddd24f7e81c95e0.exe
916	5593569a8cccb31bf93eaeee499c0af142d9c8ccf3b9169e6ddd24f7e81c95e0.exe
916	5593569a8cccb31bf93eaeee499c0af142d9c8ccf3b9169e6ddd24f7e81c95e0.exe
916	5593569a8cccb31bf93eaeee499c0af142d9c8ccf3b9169e6ddd24f7e81c95e0.exe
916	5593569a8cccb31bf93eaeee499c0af142d9c8ccf3b9169e6ddd24f7e81c95e0.exe
916	5593569a8cccb31bf93eaeee499c0af142d9c8ccf3b9169e6ddd24f7e81c95e0.exe
916	5593569a8cccb31bf93eaeee499c0af142d9c8ccf3b9169e6ddd24f7e81c95e0.exe
916	5593569a8cccb31bf93eaeee499c0af142d9c8ccf3b9169e6ddd24f7e81c95e0.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
916	5593569a8cccb31bf93eaeee499c0af142d9c8ccf3b9169e6ddd24f7e81c95e0.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	916	5593569a8cccb31bf93eaeee499c0af142d9c8ccf3b9169e6ddd24f7e81c95e0.exe
Token: SeLoadDriverPrivilege	916	5593569a8cccb31bf93eaeee499c0af142d9c8ccf3b9169e6ddd24f7e81c95e0.exe
Token: SeDebugPrivilege	1880	powershell.exe
Token: SeDebugPrivilege	916	5593569a8cccb31bf93eaeee499c0af142d9c8ccf3b9169e6ddd24f7e81c95e0.exe

Suspicious use of WriteProcessMemory 46 IoCs

description	pid	Process	procid_target
PID 916 wrote to memory of 1880	916	5593569a8cccb31bf93eaeee499c0af142d9c8ccf3b9169e6ddd24f7e81c95e0.exe	27
PID 916 wrote to memory of 1880	916	5593569a8cccb31bf93eaeee499c0af142d9c8ccf3b9169e6ddd24f7e81c95e0.exe	27
PID 916 wrote to memory of 1880	916	5593569a8cccb31bf93eaeee499c0af142d9c8ccf3b9169e6ddd24f7e81c95e0.exe	27
PID 916 wrote to memory of 624	916	5593569a8cccb31bf93eaeee499c0af142d9c8ccf3b9169e6ddd24f7e81c95e0.exe	29
PID 916 wrote to memory of 624	916	5593569a8cccb31bf93eaeee499c0af142d9c8ccf3b9169e6ddd24f7e81c95e0.exe	29
PID 916 wrote to memory of 624	916	5593569a8cccb31bf93eaeee499c0af142d9c8ccf3b9169e6ddd24f7e81c95e0.exe	29
PID 916 wrote to memory of 1076	916	5593569a8cccb31bf93eaeee499c0af142d9c8ccf3b9169e6ddd24f7e81c95e0.exe	30
PID 916 wrote to memory of 1076	916	5593569a8cccb31bf93eaeee499c0af142d9c8ccf3b9169e6ddd24f7e81c95e0.exe	30
PID 916 wrote to memory of 1076	916	5593569a8cccb31bf93eaeee499c0af142d9c8ccf3b9169e6ddd24f7e81c95e0.exe	30
PID 916 wrote to memory of 328	916	5593569a8cccb31bf93eaeee499c0af142d9c8ccf3b9169e6ddd24f7e81c95e0.exe	31
PID 916 wrote to memory of 328	916	5593569a8cccb31bf93eaeee499c0af142d9c8ccf3b9169e6ddd24f7e81c95e0.exe	31
PID 916 wrote to memory of 328	916	5593569a8cccb31bf93eaeee499c0af142d9c8ccf3b9169e6ddd24f7e81c95e0.exe	31
PID 916 wrote to memory of 1400	916	5593569a8cccb31bf93eaeee499c0af142d9c8ccf3b9169e6ddd24f7e81c95e0.exe	32
PID 916 wrote to memory of 1400	916	5593569a8cccb31bf93eaeee499c0af142d9c8ccf3b9169e6ddd24f7e81c95e0.exe	32
PID 916 wrote to memory of 1400	916	5593569a8cccb31bf93eaeee499c0af142d9c8ccf3b9169e6ddd24f7e81c95e0.exe	32
PID 916 wrote to memory of 1224	916	5593569a8cccb31bf93eaeee499c0af142d9c8ccf3b9169e6ddd24f7e81c95e0.exe	33
PID 916 wrote to memory of 1224	916	5593569a8cccb31bf93eaeee499c0af142d9c8ccf3b9169e6ddd24f7e81c95e0.exe	33
PID 916 wrote to memory of 1224	916	5593569a8cccb31bf93eaeee499c0af142d9c8ccf3b9169e6ddd24f7e81c95e0.exe	33
PID 916 wrote to memory of 832	916	5593569a8cccb31bf93eaeee499c0af142d9c8ccf3b9169e6ddd24f7e81c95e0.exe	34
PID 916 wrote to memory of 832	916	5593569a8cccb31bf93eaeee499c0af142d9c8ccf3b9169e6ddd24f7e81c95e0.exe	34
PID 916 wrote to memory of 832	916	5593569a8cccb31bf93eaeee499c0af142d9c8ccf3b9169e6ddd24f7e81c95e0.exe	34
PID 916 wrote to memory of 1092	916	5593569a8cccb31bf93eaeee499c0af142d9c8ccf3b9169e6ddd24f7e81c95e0.exe	35
PID 916 wrote to memory of 1092	916	5593569a8cccb31bf93eaeee499c0af142d9c8ccf3b9169e6ddd24f7e81c95e0.exe	35
PID 916 wrote to memory of 1092	916	5593569a8cccb31bf93eaeee499c0af142d9c8ccf3b9169e6ddd24f7e81c95e0.exe	35
PID 916 wrote to memory of 1416	916	5593569a8cccb31bf93eaeee499c0af142d9c8ccf3b9169e6ddd24f7e81c95e0.exe	36
PID 916 wrote to memory of 1416	916	5593569a8cccb31bf93eaeee499c0af142d9c8ccf3b9169e6ddd24f7e81c95e0.exe	36
PID 916 wrote to memory of 1416	916	5593569a8cccb31bf93eaeee499c0af142d9c8ccf3b9169e6ddd24f7e81c95e0.exe	36
PID 916 wrote to memory of 968	916	5593569a8cccb31bf93eaeee499c0af142d9c8ccf3b9169e6ddd24f7e81c95e0.exe	37
PID 916 wrote to memory of 968	916	5593569a8cccb31bf93eaeee499c0af142d9c8ccf3b9169e6ddd24f7e81c95e0.exe	37
PID 916 wrote to memory of 968	916	5593569a8cccb31bf93eaeee499c0af142d9c8ccf3b9169e6ddd24f7e81c95e0.exe	37
PID 916 wrote to memory of 1824	916	5593569a8cccb31bf93eaeee499c0af142d9c8ccf3b9169e6ddd24f7e81c95e0.exe	38
PID 916 wrote to memory of 1824	916	5593569a8cccb31bf93eaeee499c0af142d9c8ccf3b9169e6ddd24f7e81c95e0.exe	38
PID 916 wrote to memory of 1824	916	5593569a8cccb31bf93eaeee499c0af142d9c8ccf3b9169e6ddd24f7e81c95e0.exe	38
PID 916 wrote to memory of 1824	916	5593569a8cccb31bf93eaeee499c0af142d9c8ccf3b9169e6ddd24f7e81c95e0.exe	38
PID 916 wrote to memory of 1824	916	5593569a8cccb31bf93eaeee499c0af142d9c8ccf3b9169e6ddd24f7e81c95e0.exe	38
PID 916 wrote to memory of 1824	916	5593569a8cccb31bf93eaeee499c0af142d9c8ccf3b9169e6ddd24f7e81c95e0.exe	38
PID 916 wrote to memory of 1824	916	5593569a8cccb31bf93eaeee499c0af142d9c8ccf3b9169e6ddd24f7e81c95e0.exe	38
PID 916 wrote to memory of 1824	916	5593569a8cccb31bf93eaeee499c0af142d9c8ccf3b9169e6ddd24f7e81c95e0.exe	38
PID 916 wrote to memory of 1824	916	5593569a8cccb31bf93eaeee499c0af142d9c8ccf3b9169e6ddd24f7e81c95e0.exe	38
PID 916 wrote to memory of 1824	916	5593569a8cccb31bf93eaeee499c0af142d9c8ccf3b9169e6ddd24f7e81c95e0.exe	38
PID 916 wrote to memory of 1824	916	5593569a8cccb31bf93eaeee499c0af142d9c8ccf3b9169e6ddd24f7e81c95e0.exe	38
PID 916 wrote to memory of 1824	916	5593569a8cccb31bf93eaeee499c0af142d9c8ccf3b9169e6ddd24f7e81c95e0.exe	38
PID 1824 wrote to memory of 1668	1824	SetupUtility.exe	39
PID 1824 wrote to memory of 1668	1824	SetupUtility.exe	39
PID 1824 wrote to memory of 1668	1824	SetupUtility.exe	39
PID 1824 wrote to memory of 1668	1824	SetupUtility.exe	39

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	5593569a8cccb31bf93eaeee499c0af142d9c8ccf3b9169e6ddd24f7e81c95e0.exe

C:\Users\Admin\AppData\Local\Temp\5593569a8cccb31bf93eaeee499c0af142d9c8ccf3b9169e6ddd24f7e81c95e0.exe
"C:\Users\Admin\AppData\Local\Temp\5593569a8cccb31bf93eaeee499c0af142d9c8ccf3b9169e6ddd24f7e81c95e0.exe"
1⤵
- UAC bypass
- Sets service image path in registry
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:916
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\5593569a8cccb31bf93eaeee499c0af142d9c8ccf3b9169e6ddd24f7e81c95e0.exe" -Force
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1880
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe"
  2⤵
  PID:624
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
  2⤵
  PID:1076
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe"
  2⤵
  PID:328
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe"
  2⤵
  PID:1400
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe"
  2⤵
  PID:1224
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe"
  2⤵
  PID:832
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"
  2⤵
  PID:1092
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regtlibv12.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regtlibv12.exe"
  2⤵
  PID:1416
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe"
  2⤵
  PID:968
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\SetupUtility.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\SetupUtility.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1824
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1824 -s 168
    3⤵
    - Program crash
    PID:1668

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/916-54-0x0000000000EB0000-0x0000000000F5C000-memory.dmp

Filesize
688KB

Download
memory/916-56-0x000000001ACA0000-0x000000001AD20000-memory.dmp

Filesize
512KB

Download
memory/1824-66-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1880-61-0x000000001B310000-0x000000001B5F2000-memory.dmp

Filesize
2.9MB

Download
memory/1880-62-0x0000000001F90000-0x0000000001F98000-memory.dmp

Filesize
32KB

Download
memory/1880-63-0x0000000002640000-0x00000000026C0000-memory.dmp

Filesize
512KB

Download
memory/1880-64-0x0000000002640000-0x00000000026C0000-memory.dmp

Filesize
512KB

Download
memory/1880-65-0x0000000002640000-0x00000000026C0000-memory.dmp

Filesize
512KB

Download