97194ccb29fbdc6824505481bb5efa241d5618102740b8bfc128d1d6ec320f27

Analysis

max time kernel
180s
max time network
188s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
12-10-2023 01:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

97194ccb29fbdc6824505481bb5efa241d5618102740b8bfc128d1d6ec320f27.exe
Size

1.3MB
MD5

f46a0735735f929ef0d77cd143ff2230
SHA1

9753296b7d5629acbfcfbf661fe17d6255e28089
SHA256

97194ccb29fbdc6824505481bb5efa241d5618102740b8bfc128d1d6ec320f27
SHA512

3ea706de6b1506ff1c9362691eeb40e8ee0f0ec10460148a1e99abcef3a8a98679e8e1b7f6235db2b4d1670e93ed429b74e7f61bd6cbef78e09bc0ff0259659d
SSDEEP

24576:JAdHsPcRJ/z/C1tSUB5sqjnhMgeiCl7G0nehbGZpbD:2dsPIbK1tT9Dmg27RnWGj

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2276	alg.exe
1808	elevation_service.exe
4704	elevation_service.exe
4152	maintenanceservice.exe
3712	OSE.EXE
1732	DiagnosticsHub.StandardCollector.Service.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	97194ccb29fbdc6824505481bb5efa241d5618102740b8bfc128d1d6ec320f27.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\934763e7eac8ca73.bin	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{797162D4-34A9-4A3B-9737-A8420260BB6C}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jvisualvm.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\orbd.exe	alg.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4516	97194ccb29fbdc6824505481bb5efa241d5618102740b8bfc128d1d6ec320f27.exe
Token: SeShutdownPrivilege	4516	97194ccb29fbdc6824505481bb5efa241d5618102740b8bfc128d1d6ec320f27.exe
Token: SeCreatePagefilePrivilege	4516	97194ccb29fbdc6824505481bb5efa241d5618102740b8bfc128d1d6ec320f27.exe
Token: SeDebugPrivilege	2276	alg.exe
Token: SeDebugPrivilege	2276	alg.exe
Token: SeDebugPrivilege	2276	alg.exe
Token: SeTakeOwnershipPrivilege	1808	elevation_service.exe

C:\Users\Admin\AppData\Local\Temp\97194ccb29fbdc6824505481bb5efa241d5618102740b8bfc128d1d6ec320f27.exe
"C:\Users\Admin\AppData\Local\Temp\97194ccb29fbdc6824505481bb5efa241d5618102740b8bfc128d1d6ec320f27.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4516

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2276

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1808

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4704

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4152

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3712

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
501d789ae651b65917e8fa86933fe387

SHA1
744b3afd93de3af9edf77c0f54afa819451ef802

SHA256
8f4d7f589d9817d12329876d0f05a19df515aeb55514af4a3bd35430f401040a

SHA512
f7d237aa29e90e77316e990935fd0340fde6f5b304f20f569546ff4c6146d305330b51a759288cd105999df800bd9a18d866ee8fe1cd0c906b7c8b887d8ffd76

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
924d74b587c6d24e1530ddf2f34d22bf

SHA1
0e29d246c31c7f27128312daed1412c05a56f51a

SHA256
4e214638f6bb6376d23f51a974a36e0e29205ba7a26e1956f020dd2ebfa9f505

SHA512
7287a24e9a8da421c4a1670a0ee0689e1f954f4887d9e085a30984e0094a64701fdb865fa337957dffbf42369a58f0a48607573f6a35528484e6f318ae5a426f

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
fa65c216b9948662291bd7986aa4c049

SHA1
b5807310e6d51375b183f856e765c1762e5307d1

SHA256
3f21e471621527f746e888b4fcdd6162cb7c68500266f19075c01ceed1a1bd3f

SHA512
72d9ab1bb90bd1e7c451fbc1d923c52443e92feaf163bf619ecba1a8f5eb2fc0a5825f8d74755a487d9a8053d8834ef90c1caecd274314f042c96ce6f951e733

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
affc637ed04b98c55f076891b955d636

SHA1
83f01a6b38f19171ebcde479be588945a8a4c141

SHA256
0add6a9f136d73e4ae7522676d0fa1b74b2d73c5ecd360d4db67c700e3c25bf9

SHA512
b3e0914a759d3e7c20c5e87c9c29b202074af7298553d5bdb9989887691283d707ce4da3caf38884e5075328f2b0b38f459626a9084c622bdebe5d4e09a13e75

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
46e9c17e88a8efb78d0b3894935e7a6c

SHA1
1ebabd64be4b5105b44cd94d574e42956ade2225

SHA256
a45ad96534f79d12d3a1e9353898b2a3e97a802ec29de97b3fa43cce22358be0

SHA512
ba6aaabba5f975099a2ac0b2af414054fb631990224d5c33f32721a6ba82ac5d69e104fc8a6dc391505b1ae9a450e429d02d5ee9ba8ca2b560efb8abb29d21f6

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
e9f382b763874f64efee36a94c644dc5

SHA1
852352cfe2345919ac8c600a08d43e1b473522d7

SHA256
30dfeae32c1dab7b1cbd15853691f5a4c9c42ca5b2a9481978b4f6fa83ea237f

SHA512
61ddac39423e420028b65a59a177306da1fcedc0f7d3f80e4ed207e73a7acc04e0f08e7e48e8f17bea13b36c45ab3b6d9bee2edac40b3470087303a543c95f2f

Download Submit
memory/1732-294-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/1732-286-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/1808-66-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1808-62-0x0000000000CA0000-0x0000000000D00000-memory.dmp

Filesize
384KB

Download
memory/1808-73-0x0000000000CA0000-0x0000000000D00000-memory.dmp

Filesize
384KB

Download
memory/1808-206-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2276-52-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/2276-131-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/2276-38-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/2276-37-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/3712-113-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/3712-106-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/3712-269-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/3712-272-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/4152-97-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/4152-90-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/4152-103-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/4152-104-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/4516-43-0x0000000002490000-0x00000000024A2000-memory.dmp

Filesize
72KB

Download
memory/4516-26-0x00000000017B0000-0x000000000185C000-memory.dmp

Filesize
688KB

Download
memory/4516-29-0x00000000001E0000-0x00000000001F4000-memory.dmp

Filesize
80KB

Download
memory/4516-28-0x00000000018C0000-0x0000000002050000-memory.dmp

Filesize
7.6MB

Download
memory/4516-32-0x00000000021F0000-0x000000000228E000-memory.dmp

Filesize
632KB

Download
memory/4516-33-0x0000000002290000-0x00000000022B2000-memory.dmp

Filesize
136KB

Download
memory/4516-34-0x00000000022C0000-0x00000000022EB000-memory.dmp

Filesize
172KB

Download
memory/4516-36-0x00000000022F0000-0x000000000231C000-memory.dmp

Filesize
176KB

Download
memory/4516-39-0x0000000002320000-0x000000000242B000-memory.dmp

Filesize
1.0MB

Download
memory/4516-41-0x0000000002470000-0x0000000002482000-memory.dmp

Filesize
72KB

Download
memory/4516-30-0x0000000002050000-0x0000000002150000-memory.dmp

Filesize
1024KB

Download
memory/4516-45-0x00000000026B0000-0x00000000026E0000-memory.dmp

Filesize
192KB

Download
memory/4516-47-0x0000000003DB0000-0x0000000003EB8000-memory.dmp

Filesize
1.0MB

Download
memory/4516-49-0x0000000003ED0000-0x0000000003EED000-memory.dmp

Filesize
116KB

Download
memory/4516-54-0x0000000003F00000-0x0000000003F31000-memory.dmp

Filesize
196KB

Download
memory/4516-55-0x0000000003F40000-0x000000000400C000-memory.dmp

Filesize
816KB

Download
memory/4516-58-0x0000000004010000-0x000000000404B000-memory.dmp

Filesize
236KB

Download
memory/4516-63-0x0000000000400000-0x000000000055D000-memory.dmp

Filesize
1.4MB

Download
memory/4516-67-0x0000000004870000-0x0000000004882000-memory.dmp

Filesize
72KB

Download
memory/4516-64-0x00000000047F0000-0x000000000480F000-memory.dmp

Filesize
124KB

Download
memory/4516-61-0x0000000004730000-0x00000000047DD000-memory.dmp

Filesize
692KB

Download
memory/4516-59-0x0000000003EF0000-0x0000000003EF8000-memory.dmp

Filesize
32KB

Download
memory/4516-27-0x0000000001860000-0x00000000018B5000-memory.dmp

Filesize
340KB

Download
memory/4516-31-0x0000000002150000-0x00000000021ED000-memory.dmp

Filesize
628KB

Download
memory/4516-22-0x00000000015C0000-0x0000000001761000-memory.dmp

Filesize
1.6MB

Download
memory/4516-25-0x0000000001770000-0x00000000017A3000-memory.dmp

Filesize
204KB

Download
memory/4516-51-0x0000000003EC0000-0x0000000003ECC000-memory.dmp

Filesize
48KB

Download
memory/4516-0-0x0000000000400000-0x000000000055D000-memory.dmp

Filesize
1.4MB

Download
memory/4516-1-0x0000000003D40000-0x0000000003DA0000-memory.dmp

Filesize
384KB

Download
memory/4516-8-0x0000000003D40000-0x0000000003DA0000-memory.dmp

Filesize
384KB

Download
memory/4516-24-0x0000000001130000-0x000000000117B000-memory.dmp

Filesize
300KB

Download
memory/4516-23-0x0000000000CC0000-0x0000000000CEE000-memory.dmp

Filesize
184KB

Download
memory/4516-21-0x0000000001090000-0x000000000112B000-memory.dmp

Filesize
620KB

Download
memory/4516-19-0x0000000001260000-0x00000000015B5000-memory.dmp

Filesize
3.3MB

Download
memory/4516-20-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/4516-18-0x0000000001190000-0x000000000125D000-memory.dmp

Filesize
820KB

Download
memory/4516-17-0x0000000000F30000-0x0000000001086000-memory.dmp

Filesize
1.3MB

Download
memory/4516-16-0x0000000000E00000-0x0000000000F2A000-memory.dmp

Filesize
1.2MB

Download
memory/4516-15-0x0000000000AD0000-0x0000000000B60000-memory.dmp

Filesize
576KB

Download
memory/4516-14-0x0000000000800000-0x0000000000AC9000-memory.dmp

Filesize
2.8MB

Download
memory/4516-11-0x0000000003D40000-0x0000000003DA0000-memory.dmp

Filesize
384KB

Download
memory/4516-13-0x0000000000560000-0x000000000061E000-memory.dmp

Filesize
760KB

Download
memory/4704-255-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4704-85-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4704-77-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4704-78-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download