6a7aa76cd4b680c0900ffd6c6f0885246e7311bfc18885e9d638b06aa945825f

Analysis

max time kernel
117s
max time network
120s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
05/08/2023, 10:42

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

6a7aa76cd4b680c0900ffd6c6f0885246e7311bfc18885e9d638b06aa945825fexe_JC.exe
Size

2.0MB
MD5

a4b8e4817125fd04e27b2040d53d57f1
SHA1

a2cafe7c133271b10a543c21beda9502357edd0f
SHA256

6a7aa76cd4b680c0900ffd6c6f0885246e7311bfc18885e9d638b06aa945825f
SHA512

d368ddf4696568245b76c4477c06350092fbf9b8cca65425d9d9c1c3a823d79ada659d7cd82416019faadef40dc1a53b9a86c70eb9451736c3d320ed83a50907
SSDEEP

24576:slGtfCrr7tAZQl2IuiCfPtNJ+NFDJMnWSCc7cHJ8q2+iVK3kPzmGC72KB860vWy0:s84TCQ3CCGCaKB8X7S7HCovHDwba

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Windows\CurrentVersion\Run\Uawhkr = "C:\\Users\\Admin\\AppData\\Roaming\\Uawhkr.exe"	6a7aa76cd4b680c0900ffd6c6f0885246e7311bfc18885e9d638b06aa945825fexe_JC.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	api.ipify.org
3	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2656 set thread context of 944	2656	6a7aa76cd4b680c0900ffd6c6f0885246e7311bfc18885e9d638b06aa945825fexe_JC.exe	28

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
944	6a7aa76cd4b680c0900ffd6c6f0885246e7311bfc18885e9d638b06aa945825fexe_JC.exe
944	6a7aa76cd4b680c0900ffd6c6f0885246e7311bfc18885e9d638b06aa945825fexe_JC.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2656	6a7aa76cd4b680c0900ffd6c6f0885246e7311bfc18885e9d638b06aa945825fexe_JC.exe
Token: SeDebugPrivilege	944	6a7aa76cd4b680c0900ffd6c6f0885246e7311bfc18885e9d638b06aa945825fexe_JC.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2656 wrote to memory of 944	2656	6a7aa76cd4b680c0900ffd6c6f0885246e7311bfc18885e9d638b06aa945825fexe_JC.exe	28
PID 2656 wrote to memory of 944	2656	6a7aa76cd4b680c0900ffd6c6f0885246e7311bfc18885e9d638b06aa945825fexe_JC.exe	28
PID 2656 wrote to memory of 944	2656	6a7aa76cd4b680c0900ffd6c6f0885246e7311bfc18885e9d638b06aa945825fexe_JC.exe	28
PID 2656 wrote to memory of 944	2656	6a7aa76cd4b680c0900ffd6c6f0885246e7311bfc18885e9d638b06aa945825fexe_JC.exe	28
PID 2656 wrote to memory of 944	2656	6a7aa76cd4b680c0900ffd6c6f0885246e7311bfc18885e9d638b06aa945825fexe_JC.exe	28
PID 2656 wrote to memory of 944	2656	6a7aa76cd4b680c0900ffd6c6f0885246e7311bfc18885e9d638b06aa945825fexe_JC.exe	28
PID 2656 wrote to memory of 944	2656	6a7aa76cd4b680c0900ffd6c6f0885246e7311bfc18885e9d638b06aa945825fexe_JC.exe	28
PID 2656 wrote to memory of 944	2656	6a7aa76cd4b680c0900ffd6c6f0885246e7311bfc18885e9d638b06aa945825fexe_JC.exe	28
PID 2656 wrote to memory of 944	2656	6a7aa76cd4b680c0900ffd6c6f0885246e7311bfc18885e9d638b06aa945825fexe_JC.exe	28

C:\Users\Admin\AppData\Local\Temp\6a7aa76cd4b680c0900ffd6c6f0885246e7311bfc18885e9d638b06aa945825fexe_JC.exe
"C:\Users\Admin\AppData\Local\Temp\6a7aa76cd4b680c0900ffd6c6f0885246e7311bfc18885e9d638b06aa945825fexe_JC.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2656
- C:\Users\Admin\AppData\Local\Temp\6a7aa76cd4b680c0900ffd6c6f0885246e7311bfc18885e9d638b06aa945825fexe_JC.exe
  C:\Users\Admin\AppData\Local\Temp\6a7aa76cd4b680c0900ffd6c6f0885246e7311bfc18885e9d638b06aa945825fexe_JC.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/944-1154-0x00000000747E0000-0x0000000074ECE000-memory.dmp

Filesize
6.9MB

Download
memory/944-1158-0x0000000004EB0000-0x0000000004EF0000-memory.dmp

Filesize
256KB

Download
memory/944-1157-0x00000000747E0000-0x0000000074ECE000-memory.dmp

Filesize
6.9MB

Download
memory/944-1156-0x0000000004EB0000-0x0000000004EF0000-memory.dmp

Filesize
256KB

Download
memory/944-1155-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2656-92-0x0000000004EC0000-0x0000000004F84000-memory.dmp

Filesize
784KB

Download
memory/2656-100-0x0000000004EC0000-0x0000000004F84000-memory.dmp

Filesize
784KB

Download
memory/2656-62-0x0000000004EC0000-0x0000000004F84000-memory.dmp

Filesize
784KB

Download
memory/2656-64-0x0000000004EC0000-0x0000000004F84000-memory.dmp

Filesize
784KB

Download
memory/2656-66-0x0000000004EC0000-0x0000000004F84000-memory.dmp

Filesize
784KB

Download
memory/2656-68-0x0000000004EC0000-0x0000000004F84000-memory.dmp

Filesize
784KB

Download
memory/2656-70-0x0000000004EC0000-0x0000000004F84000-memory.dmp

Filesize
784KB

Download
memory/2656-72-0x0000000004EC0000-0x0000000004F84000-memory.dmp

Filesize
784KB

Download
memory/2656-74-0x0000000004EC0000-0x0000000004F84000-memory.dmp

Filesize
784KB

Download
memory/2656-76-0x0000000004EC0000-0x0000000004F84000-memory.dmp

Filesize
784KB

Download
memory/2656-78-0x0000000004EC0000-0x0000000004F84000-memory.dmp

Filesize
784KB

Download
memory/2656-80-0x0000000004EC0000-0x0000000004F84000-memory.dmp

Filesize
784KB

Download
memory/2656-82-0x0000000004EC0000-0x0000000004F84000-memory.dmp

Filesize
784KB

Download
memory/2656-84-0x0000000004EC0000-0x0000000004F84000-memory.dmp

Filesize
784KB

Download
memory/2656-86-0x0000000004EC0000-0x0000000004F84000-memory.dmp

Filesize
784KB

Download
memory/2656-88-0x0000000004EC0000-0x0000000004F84000-memory.dmp

Filesize
784KB

Download
memory/2656-90-0x0000000004EC0000-0x0000000004F84000-memory.dmp

Filesize
784KB

Download
memory/2656-53-0x0000000000EE0000-0x00000000010DC000-memory.dmp

Filesize
2.0MB

Download
memory/2656-94-0x0000000004EC0000-0x0000000004F84000-memory.dmp

Filesize
784KB

Download
memory/2656-96-0x0000000004EC0000-0x0000000004F84000-memory.dmp

Filesize
784KB

Download
memory/2656-98-0x0000000004EC0000-0x0000000004F84000-memory.dmp

Filesize
784KB

Download
memory/2656-60-0x0000000004EC0000-0x0000000004F84000-memory.dmp

Filesize
784KB

Download
memory/2656-102-0x0000000004EC0000-0x0000000004F84000-memory.dmp

Filesize
784KB

Download
memory/2656-104-0x0000000004EC0000-0x0000000004F84000-memory.dmp

Filesize
784KB

Download
memory/2656-106-0x0000000004EC0000-0x0000000004F84000-memory.dmp

Filesize
784KB

Download
memory/2656-108-0x0000000004EC0000-0x0000000004F84000-memory.dmp

Filesize
784KB

Download
memory/2656-110-0x0000000004EC0000-0x0000000004F84000-memory.dmp

Filesize
784KB

Download
memory/2656-112-0x0000000004EC0000-0x0000000004F84000-memory.dmp

Filesize
784KB

Download
memory/2656-114-0x0000000004EC0000-0x0000000004F84000-memory.dmp

Filesize
784KB

Download
memory/2656-116-0x0000000004EC0000-0x0000000004F84000-memory.dmp

Filesize
784KB

Download
memory/2656-118-0x0000000004EC0000-0x0000000004F84000-memory.dmp

Filesize
784KB

Download
memory/2656-120-0x0000000004EC0000-0x0000000004F84000-memory.dmp

Filesize
784KB

Download
memory/2656-1051-0x00000000747E0000-0x0000000074ECE000-memory.dmp

Filesize
6.9MB

Download
memory/2656-1134-0x0000000000590000-0x0000000000591000-memory.dmp

Filesize
4KB

Download
memory/2656-1135-0x00000000009F0000-0x0000000000A34000-memory.dmp

Filesize
272KB

Download
memory/2656-1136-0x0000000004FA0000-0x0000000004FEC000-memory.dmp

Filesize
304KB

Download
memory/2656-58-0x0000000004EC0000-0x0000000004F84000-memory.dmp

Filesize
784KB

Download
memory/2656-1153-0x00000000747E0000-0x0000000074ECE000-memory.dmp

Filesize
6.9MB

Download
memory/2656-57-0x0000000004EC0000-0x0000000004F84000-memory.dmp

Filesize
784KB

Download
memory/2656-56-0x0000000004EC0000-0x0000000004F8A000-memory.dmp

Filesize
808KB

Download
memory/2656-55-0x0000000004D80000-0x0000000004DC0000-memory.dmp

Filesize
256KB

Download
memory/2656-54-0x00000000747E0000-0x0000000074ECE000-memory.dmp

Filesize
6.9MB

Download