a151dc5591395591d37f55a184a3b9f37e1ea1065ad7acdc2ad88b73654e8719

Analysis

max time kernel
142s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
10-10-2023 14:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

1.6MB
MD5

b96f6d54cc6c0fc6f70780565e946814
SHA1

c6fd19cc433ce18cfd5b0398ce352a1b22dd8c6e
SHA256

a151dc5591395591d37f55a184a3b9f37e1ea1065ad7acdc2ad88b73654e8719
SHA512

5002ed9e77976addb42ec7952d3b238c8859b24008508b370c073c5a4b07e08372f920e2343da3b914bd486cab02562c979c8ef87eae4a8269a99ae7e4be61db
SSDEEP

49152:WPTsqPj9RbRiltgiDMTxr0mAXPst17yNVmliif:W7/RbRizgiD4oukVmlii

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
212	towardlowestpro.exe
1308	towardlowest.exe
640	towardlowest.exe
4080	towardlowest.exe
1744	towardllowest.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	towardlowestpro.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	file.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1308 set thread context of 4080	1308	towardlowest.exe	100

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
632	timeout.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
1308	towardlowest.exe
1308	towardlowest.exe
4080	towardlowest.exe
4080	towardlowest.exe
4080	towardlowest.exe
4080	towardlowest.exe
4080	towardlowest.exe
4080	towardlowest.exe
4080	towardlowest.exe
4080	towardlowest.exe
4080	towardlowest.exe
4080	towardlowest.exe
4080	towardlowest.exe
4080	towardlowest.exe
4080	towardlowest.exe
4080	towardlowest.exe
4080	towardlowest.exe
4080	towardlowest.exe
4080	towardlowest.exe
4080	towardlowest.exe
4080	towardlowest.exe
4080	towardlowest.exe
4080	towardlowest.exe
4080	towardlowest.exe
4080	towardlowest.exe
4080	towardlowest.exe
4080	towardlowest.exe
4080	towardlowest.exe
4080	towardlowest.exe
4080	towardlowest.exe
4080	towardlowest.exe
4080	towardlowest.exe
4080	towardlowest.exe
4080	towardlowest.exe
4080	towardlowest.exe
4080	towardlowest.exe
4080	towardlowest.exe
4080	towardlowest.exe
4080	towardlowest.exe
4080	towardlowest.exe
4080	towardlowest.exe
4080	towardlowest.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1308	towardlowest.exe
Token: SeDebugPrivilege	1744	towardllowest.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 4140 wrote to memory of 212	4140	file.exe	85
PID 4140 wrote to memory of 212	4140	file.exe	85
PID 212 wrote to memory of 1308	212	towardlowestpro.exe	86
PID 212 wrote to memory of 1308	212	towardlowestpro.exe	86
PID 212 wrote to memory of 1308	212	towardlowestpro.exe	86
PID 1308 wrote to memory of 640	1308	towardlowest.exe	99
PID 1308 wrote to memory of 640	1308	towardlowest.exe	99
PID 1308 wrote to memory of 640	1308	towardlowest.exe	99
PID 1308 wrote to memory of 4080	1308	towardlowest.exe	100
PID 1308 wrote to memory of 4080	1308	towardlowest.exe	100
PID 1308 wrote to memory of 4080	1308	towardlowest.exe	100
PID 1308 wrote to memory of 4080	1308	towardlowest.exe	100
PID 1308 wrote to memory of 4080	1308	towardlowest.exe	100
PID 1308 wrote to memory of 4080	1308	towardlowest.exe	100
PID 1308 wrote to memory of 4080	1308	towardlowest.exe	100
PID 1308 wrote to memory of 4080	1308	towardlowest.exe	100
PID 1308 wrote to memory of 4080	1308	towardlowest.exe	100
PID 212 wrote to memory of 1744	212	towardlowestpro.exe	101
PID 212 wrote to memory of 1744	212	towardlowestpro.exe	101
PID 4080 wrote to memory of 4276	4080	towardlowest.exe	103
PID 4080 wrote to memory of 4276	4080	towardlowest.exe	103
PID 4080 wrote to memory of 4276	4080	towardlowest.exe	103
PID 4276 wrote to memory of 632	4276	cmd.exe	105
PID 4276 wrote to memory of 632	4276	cmd.exe	105
PID 4276 wrote to memory of 632	4276	cmd.exe	105
PID 4276 wrote to memory of 4884	4276	cmd.exe	106
PID 4276 wrote to memory of 4884	4276	cmd.exe	106
PID 4276 wrote to memory of 4884	4276	cmd.exe	106

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4140
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\towardlowestpro.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\towardlowestpro.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:212
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\towardlowest.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\towardlowest.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1308
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\towardlowest.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\towardlowest.exe
      4⤵
      Executes dropped EXE
      PID:640
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\towardlowest.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\towardlowest.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:4080
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c timeout /nobreak /t 3 & fsutil file setZeroData offset=0 length=1516543 "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\towardlowest.exe" & erase "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\towardlowest.exe" & exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4276
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout /nobreak /t 3
        6⤵
        Delays execution with timeout.exe
        
        PID:632
      - C:\Windows\SysWOW64\fsutil.exe
        
        fsutil file setZeroData offset=0 length=1516543 "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\towardlowest.exe"
        6⤵
        
        PID:4884
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\towardllowest.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\towardllowest.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\towardlowestpro.exe

Filesize
1.1MB

MD5
6aa63c3dc744651713d43fd6ddb23844

SHA1
2cd7783caab23497fa09b2d506b45eca541d01f9

SHA256
dacc8488793b931ef6f4f71e5b90601b7957e5e6d5983f798a24f4fa0bee4891

SHA512
950dec063537810d47c254951c151d8c58d9139d08240d521b46ab27e1039ec066acaee79b59ed07d88d5852b5b181b7760dd94fb0b271caaa005ed745b1f558

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\towardllowest.exe

Filesize
1.4MB

MD5
27d1dfbd6cf71a13d6f864f443a274e1

SHA1
1d39b29938b248715725ceabbdf968821cfa27b4

SHA256
95d725e3e85908eb0c77d2c1b6c349dea2b37e6d7f23436b288155aab4131ff3

SHA512
5bfb4370f67fbceb4e61b6794c0db0a3a9ba7f154fa4d3cc6d9fd378c2a6142d225aa7626b0c73173262e87df9c6744a41d184fea4077040b4f942a4d90665fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\towardllowest.exe

Filesize
1.4MB

MD5
27d1dfbd6cf71a13d6f864f443a274e1

SHA1
1d39b29938b248715725ceabbdf968821cfa27b4

SHA256
95d725e3e85908eb0c77d2c1b6c349dea2b37e6d7f23436b288155aab4131ff3

SHA512
5bfb4370f67fbceb4e61b6794c0db0a3a9ba7f154fa4d3cc6d9fd378c2a6142d225aa7626b0c73173262e87df9c6744a41d184fea4077040b4f942a4d90665fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\towardlowest.exe

Filesize
1.4MB

MD5
5fa200d9138c209425068a30b3110293

SHA1
9d03602c20c7af02fd4f4675d5d4a6cb6af0a64b

SHA256
b8c161d15088720da62261b1f5e0f75a87c3509f2350425a1d6baf366e63557a

SHA512
33d2eadc475f375370d55f6cdcbff4799e7eb45b2d793bfeac2f3a45fd48a3b7e3834b50b52ac9bbb74acc2054b1f16293b825e262b37199c7fbd4d7a14dd4be

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\towardlowest.exe

Filesize
1.4MB

MD5
5fa200d9138c209425068a30b3110293

SHA1
9d03602c20c7af02fd4f4675d5d4a6cb6af0a64b

SHA256
b8c161d15088720da62261b1f5e0f75a87c3509f2350425a1d6baf366e63557a

SHA512
33d2eadc475f375370d55f6cdcbff4799e7eb45b2d793bfeac2f3a45fd48a3b7e3834b50b52ac9bbb74acc2054b1f16293b825e262b37199c7fbd4d7a14dd4be

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\towardlowest.exe

Filesize
1.4MB

MD5
5fa200d9138c209425068a30b3110293

SHA1
9d03602c20c7af02fd4f4675d5d4a6cb6af0a64b

SHA256
b8c161d15088720da62261b1f5e0f75a87c3509f2350425a1d6baf366e63557a

SHA512
33d2eadc475f375370d55f6cdcbff4799e7eb45b2d793bfeac2f3a45fd48a3b7e3834b50b52ac9bbb74acc2054b1f16293b825e262b37199c7fbd4d7a14dd4be

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\towardlowest.exe

Filesize
1.4MB

MD5
5fa200d9138c209425068a30b3110293

SHA1
9d03602c20c7af02fd4f4675d5d4a6cb6af0a64b

SHA256
b8c161d15088720da62261b1f5e0f75a87c3509f2350425a1d6baf366e63557a

SHA512
33d2eadc475f375370d55f6cdcbff4799e7eb45b2d793bfeac2f3a45fd48a3b7e3834b50b52ac9bbb74acc2054b1f16293b825e262b37199c7fbd4d7a14dd4be

Download Submit
memory/1308-18-0x0000000006790000-0x0000000006802000-memory.dmp

Filesize
456KB

Download
memory/1308-17-0x00000000066C0000-0x0000000006744000-memory.dmp

Filesize
528KB

Download
memory/1308-19-0x0000000006870000-0x00000000068BC000-memory.dmp

Filesize
304KB

Download
memory/1308-20-0x0000000074A80000-0x0000000075230000-memory.dmp

Filesize
7.7MB

Download
memory/1308-21-0x0000000005670000-0x0000000005680000-memory.dmp

Filesize
64KB

Download
memory/1308-22-0x0000000006EE0000-0x0000000007484000-memory.dmp

Filesize
5.6MB

Download
memory/1308-16-0x00000000054C0000-0x00000000054CA000-memory.dmp

Filesize
40KB

Download
memory/1308-15-0x0000000005670000-0x0000000005680000-memory.dmp

Filesize
64KB

Download
memory/1308-14-0x0000000000A40000-0x0000000000BB8000-memory.dmp

Filesize
1.5MB

Download
memory/1308-13-0x0000000074A80000-0x0000000075230000-memory.dmp

Filesize
7.7MB

Download
memory/1308-28-0x0000000074A80000-0x0000000075230000-memory.dmp

Filesize
7.7MB

Download
memory/1744-36-0x00007FFA24B80000-0x00007FFA25641000-memory.dmp

Filesize
10.8MB

Download
memory/1744-37-0x00000200A6CF0000-0x00000200A6D00000-memory.dmp

Filesize
64KB

Download
memory/1744-42-0x00000200A6CF0000-0x00000200A6D00000-memory.dmp

Filesize
64KB

Download
memory/1744-41-0x00007FFA24B80000-0x00007FFA25641000-memory.dmp

Filesize
10.8MB

Download
memory/1744-34-0x000002008C620000-0x000002008C796000-memory.dmp

Filesize
1.5MB

Download
memory/1744-35-0x000002008CB40000-0x000002008CB4A000-memory.dmp

Filesize
40KB

Download
memory/1744-39-0x00000200A7150000-0x00000200A7246000-memory.dmp

Filesize
984KB

Download
memory/1744-38-0x00000200A6F40000-0x00000200A7046000-memory.dmp

Filesize
1.0MB

Download
memory/4080-29-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4080-24-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4080-40-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4080-33-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4080-27-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4080-43-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download