23350615b3fc362fc7c8adcda2e78507a0bd912e0b48f0988058972e95eba22e

Analysis

max time kernel
137s
max time network
151s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
24/11/2023, 05:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bf031bd09dab5037a32e95290bef27d0.exe
Size

1.1MB
MD5

bf031bd09dab5037a32e95290bef27d0
SHA1

2608e6d61087f9fbeb1149c57428eb00963cb37c
SHA256

23350615b3fc362fc7c8adcda2e78507a0bd912e0b48f0988058972e95eba22e
SHA512

0787396eecaaae4a9d08cba1745ad2492117de82a3007d31467a71ca86d1613d5b3cd960a69f20cada91da4da2907e6e7d63da57a513aff7ace2d0d0a40c310e
SSDEEP

24576:2TbBv5rUyXV/vTn+4EkEZxTJMA+o3iE0n7162:IBJnTn+4EkgmA+o3K73

Score

8^/10

evasion spyware stealer

Malware Config

Signatures

Disables Task Manager via registry modification
evasion

Executes dropped EXE 2 IoCs

pid	Process
2452	serverwebSavesmonitorDhcp.exe
1956	wininit.exe

Loads dropped DLL 2 IoCs

pid	Process
2760	cmd.exe
2760	cmd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Photo Viewer\en-US\audiodg.exe	serverwebSavesmonitorDhcp.exe
File created	C:\Program Files\Windows Photo Viewer\en-US\42af1c969fbb7b	serverwebSavesmonitorDhcp.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Media\Heritage\wininit.exe	serverwebSavesmonitorDhcp.exe
File created	C:\Windows\Media\Heritage\56085415360792	serverwebSavesmonitorDhcp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
1940	reg.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2608	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2452	serverwebSavesmonitorDhcp.exe
2452	serverwebSavesmonitorDhcp.exe
2452	serverwebSavesmonitorDhcp.exe
2452	serverwebSavesmonitorDhcp.exe
2452	serverwebSavesmonitorDhcp.exe
2452	serverwebSavesmonitorDhcp.exe
2452	serverwebSavesmonitorDhcp.exe
2452	serverwebSavesmonitorDhcp.exe
2452	serverwebSavesmonitorDhcp.exe
2452	serverwebSavesmonitorDhcp.exe
2452	serverwebSavesmonitorDhcp.exe
2452	serverwebSavesmonitorDhcp.exe
2452	serverwebSavesmonitorDhcp.exe
2452	serverwebSavesmonitorDhcp.exe
2452	serverwebSavesmonitorDhcp.exe
2452	serverwebSavesmonitorDhcp.exe
2452	serverwebSavesmonitorDhcp.exe
2452	serverwebSavesmonitorDhcp.exe
2452	serverwebSavesmonitorDhcp.exe
2452	serverwebSavesmonitorDhcp.exe
2452	serverwebSavesmonitorDhcp.exe
2452	serverwebSavesmonitorDhcp.exe
2452	serverwebSavesmonitorDhcp.exe
2452	serverwebSavesmonitorDhcp.exe
2452	serverwebSavesmonitorDhcp.exe
2452	serverwebSavesmonitorDhcp.exe
2452	serverwebSavesmonitorDhcp.exe
2452	serverwebSavesmonitorDhcp.exe
2452	serverwebSavesmonitorDhcp.exe
2452	serverwebSavesmonitorDhcp.exe
2452	serverwebSavesmonitorDhcp.exe
2452	serverwebSavesmonitorDhcp.exe
2452	serverwebSavesmonitorDhcp.exe
2452	serverwebSavesmonitorDhcp.exe
2452	serverwebSavesmonitorDhcp.exe
2452	serverwebSavesmonitorDhcp.exe
2452	serverwebSavesmonitorDhcp.exe
2452	serverwebSavesmonitorDhcp.exe
2452	serverwebSavesmonitorDhcp.exe
2452	serverwebSavesmonitorDhcp.exe
2452	serverwebSavesmonitorDhcp.exe
2452	serverwebSavesmonitorDhcp.exe
2452	serverwebSavesmonitorDhcp.exe
2452	serverwebSavesmonitorDhcp.exe
2452	serverwebSavesmonitorDhcp.exe
2452	serverwebSavesmonitorDhcp.exe
2452	serverwebSavesmonitorDhcp.exe
2452	serverwebSavesmonitorDhcp.exe
2452	serverwebSavesmonitorDhcp.exe
2452	serverwebSavesmonitorDhcp.exe
2452	serverwebSavesmonitorDhcp.exe
2452	serverwebSavesmonitorDhcp.exe
2452	serverwebSavesmonitorDhcp.exe
2452	serverwebSavesmonitorDhcp.exe
2452	serverwebSavesmonitorDhcp.exe
2452	serverwebSavesmonitorDhcp.exe
2452	serverwebSavesmonitorDhcp.exe
2452	serverwebSavesmonitorDhcp.exe
2452	serverwebSavesmonitorDhcp.exe
2452	serverwebSavesmonitorDhcp.exe
2452	serverwebSavesmonitorDhcp.exe
2452	serverwebSavesmonitorDhcp.exe
2452	serverwebSavesmonitorDhcp.exe
2452	serverwebSavesmonitorDhcp.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1956	wininit.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2452	serverwebSavesmonitorDhcp.exe
Token: SeDebugPrivilege	1956	wininit.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2496 wrote to memory of 1100	2496	bf031bd09dab5037a32e95290bef27d0.exe	28
PID 2496 wrote to memory of 1100	2496	bf031bd09dab5037a32e95290bef27d0.exe	28
PID 2496 wrote to memory of 1100	2496	bf031bd09dab5037a32e95290bef27d0.exe	28
PID 2496 wrote to memory of 1100	2496	bf031bd09dab5037a32e95290bef27d0.exe	28
PID 1100 wrote to memory of 2760	1100	WScript.exe	29
PID 1100 wrote to memory of 2760	1100	WScript.exe	29
PID 1100 wrote to memory of 2760	1100	WScript.exe	29
PID 1100 wrote to memory of 2760	1100	WScript.exe	29
PID 2760 wrote to memory of 1940	2760	cmd.exe	31
PID 2760 wrote to memory of 1940	2760	cmd.exe	31
PID 2760 wrote to memory of 1940	2760	cmd.exe	31
PID 2760 wrote to memory of 1940	2760	cmd.exe	31
PID 2760 wrote to memory of 2452	2760	cmd.exe	32
PID 2760 wrote to memory of 2452	2760	cmd.exe	32
PID 2760 wrote to memory of 2452	2760	cmd.exe	32
PID 2760 wrote to memory of 2452	2760	cmd.exe	32
PID 2452 wrote to memory of 2744	2452	serverwebSavesmonitorDhcp.exe	33
PID 2452 wrote to memory of 2744	2452	serverwebSavesmonitorDhcp.exe	33
PID 2452 wrote to memory of 2744	2452	serverwebSavesmonitorDhcp.exe	33
PID 2744 wrote to memory of 2592	2744	cmd.exe	35
PID 2744 wrote to memory of 2592	2744	cmd.exe	35
PID 2744 wrote to memory of 2592	2744	cmd.exe	35
PID 2744 wrote to memory of 2608	2744	cmd.exe	36
PID 2744 wrote to memory of 2608	2744	cmd.exe	36
PID 2744 wrote to memory of 2608	2744	cmd.exe	36
PID 2744 wrote to memory of 1956	2744	cmd.exe	38
PID 2744 wrote to memory of 1956	2744	cmd.exe	38
PID 2744 wrote to memory of 1956	2744	cmd.exe	38

C:\Users\Admin\AppData\Local\Temp\bf031bd09dab5037a32e95290bef27d0.exe
"C:\Users\Admin\AppData\Local\Temp\bf031bd09dab5037a32e95290bef27d0.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2496
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\BridgecomponentInto\VISX24Ttz4fn76YDhLu.vbe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1100
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\BridgecomponentInto\1XBUud7wOwJEnPKdv7OLqMh9OwPwPqe6NavUixtdvXSB.bat" "
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2760
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      4⤵
      Modifies registry key
      PID:1940
  - - C:\BridgecomponentInto\serverwebSavesmonitorDhcp.exe
      "C:\BridgecomponentInto/serverwebSavesmonitorDhcp.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2452
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\n99KKqqAe1.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2744
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:2592
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        Runs ping.exe
        
        PID:2608
      - C:\Windows\Media\Heritage\wininit.exe
        
        "C:\Windows\Media\Heritage\wininit.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:1956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\BridgecomponentInto\1XBUud7wOwJEnPKdv7OLqMh9OwPwPqe6NavUixtdvXSB.bat

Filesize
208B

MD5
d86f6b4ad59eef157c798372c96a09a1

SHA1
3cdff66bc162011a28b07da5e85d3afd0338121a

SHA256
882ac2f4d6d08743a7c5b40b1ba75070542fe4c3fa6c3c7c2cb688b8d4bc937f

SHA512
7912afaafad508e37f1a1ef34c193a4c2a30e7fe3e73d9c91cf2a5068f7a01339afa4bdf262c01338e12719105f96bb9f16a96a8015ec55126196c3cde1aa9e4

Download Submit
C:\BridgecomponentInto\VISX24Ttz4fn76YDhLu.vbe

Filesize
241B

MD5
495e1bcdad7192ab54c4d8f64fe732b8

SHA1
e053e2ccd31dfa9a5261eb9d8e7c9580050d79ec

SHA256
e65c9860d5c6a0ce6fca76c34fb69ac56f827c767014b4b0471c161bbce61973

SHA512
8a17bb083c17f8bb92800a45e1d8fbdccd1d3191914970a8db60227c71e07e6bc493d9f2da945467422093e3750fa2f99f210cfbd8b7a2e0dba86feb967791ea

Download Submit
C:\BridgecomponentInto\serverwebSavesmonitorDhcp.exe

Filesize
844KB

MD5
8b79282b5a8985ceacdea8366c55370b

SHA1
a5bf983187f8f39c9f3c3f23a0ab2bcc27d6f675

SHA256
97d6d1fada376991381c2dc559e066dab7f1eeef4a0ab57d1178d8e8d735197a

SHA512
67e2a9043eebc2905cb3ee3038cb630526d75fd9e1758637c45d06f43bb07e0f61bed934754691153b83ce93a153279b682d2780eb71153477e3e50277628c2c

Download Submit
C:\BridgecomponentInto\serverwebSavesmonitorDhcp.exe

Filesize
844KB

MD5
8b79282b5a8985ceacdea8366c55370b

SHA1
a5bf983187f8f39c9f3c3f23a0ab2bcc27d6f675

SHA256
97d6d1fada376991381c2dc559e066dab7f1eeef4a0ab57d1178d8e8d735197a

SHA512
67e2a9043eebc2905cb3ee3038cb630526d75fd9e1758637c45d06f43bb07e0f61bed934754691153b83ce93a153279b682d2780eb71153477e3e50277628c2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\n99KKqqAe1.bat

Filesize
165B

MD5
126286ac3e33c2e4e2fa220537fbb793

SHA1
066057bd2e1f3b5e87420c5b7d6a64cea958548f

SHA256
7741184a10618b3c229375fdb49896521e6e21d6bce45c758b6d52c7cce59fd6

SHA512
6b1883b6be30513d257bbf7a255a68d8d3c0556c1c1a7a860df90022cab5ec4ec61a1b2ef26fd2e0fcd2f1a905739ad3d1b1cae88ad591eb441f2629fcb7184f

Download Submit
C:\Windows\Media\Heritage\wininit.exe

Filesize
844KB

MD5
8b79282b5a8985ceacdea8366c55370b

SHA1
a5bf983187f8f39c9f3c3f23a0ab2bcc27d6f675

SHA256
97d6d1fada376991381c2dc559e066dab7f1eeef4a0ab57d1178d8e8d735197a

SHA512
67e2a9043eebc2905cb3ee3038cb630526d75fd9e1758637c45d06f43bb07e0f61bed934754691153b83ce93a153279b682d2780eb71153477e3e50277628c2c

Download Submit
C:\Windows\Media\Heritage\wininit.exe

Filesize
844KB

MD5
8b79282b5a8985ceacdea8366c55370b

SHA1
a5bf983187f8f39c9f3c3f23a0ab2bcc27d6f675

SHA256
97d6d1fada376991381c2dc559e066dab7f1eeef4a0ab57d1178d8e8d735197a

SHA512
67e2a9043eebc2905cb3ee3038cb630526d75fd9e1758637c45d06f43bb07e0f61bed934754691153b83ce93a153279b682d2780eb71153477e3e50277628c2c

Download Submit
C:\Windows\Media\Heritage\wininit.exe

Filesize
844KB

MD5
8b79282b5a8985ceacdea8366c55370b

SHA1
a5bf983187f8f39c9f3c3f23a0ab2bcc27d6f675

SHA256
97d6d1fada376991381c2dc559e066dab7f1eeef4a0ab57d1178d8e8d735197a

SHA512
67e2a9043eebc2905cb3ee3038cb630526d75fd9e1758637c45d06f43bb07e0f61bed934754691153b83ce93a153279b682d2780eb71153477e3e50277628c2c

Download Submit
\BridgecomponentInto\serverwebSavesmonitorDhcp.exe

Filesize
844KB

MD5
8b79282b5a8985ceacdea8366c55370b

SHA1
a5bf983187f8f39c9f3c3f23a0ab2bcc27d6f675

SHA256
97d6d1fada376991381c2dc559e066dab7f1eeef4a0ab57d1178d8e8d735197a

SHA512
67e2a9043eebc2905cb3ee3038cb630526d75fd9e1758637c45d06f43bb07e0f61bed934754691153b83ce93a153279b682d2780eb71153477e3e50277628c2c

Download Submit
\BridgecomponentInto\serverwebSavesmonitorDhcp.exe

Filesize
844KB

MD5
8b79282b5a8985ceacdea8366c55370b

SHA1
a5bf983187f8f39c9f3c3f23a0ab2bcc27d6f675

SHA256
97d6d1fada376991381c2dc559e066dab7f1eeef4a0ab57d1178d8e8d735197a

SHA512
67e2a9043eebc2905cb3ee3038cb630526d75fd9e1758637c45d06f43bb07e0f61bed934754691153b83ce93a153279b682d2780eb71153477e3e50277628c2c

Download Submit
memory/1956-68-0x0000000076E10000-0x0000000076E11000-memory.dmp

Filesize
4KB

Download
memory/1956-57-0x0000000076E60000-0x0000000076E61000-memory.dmp

Filesize
4KB

Download
memory/1956-70-0x0000000000450000-0x00000000004D0000-memory.dmp

Filesize
512KB

Download
memory/1956-64-0x0000000076E30000-0x0000000076E31000-memory.dmp

Filesize
4KB

Download
memory/1956-67-0x0000000000450000-0x00000000004D0000-memory.dmp

Filesize
512KB

Download
memory/1956-66-0x0000000076E20000-0x0000000076E21000-memory.dmp

Filesize
4KB

Download
memory/1956-60-0x0000000076E50000-0x0000000076E51000-memory.dmp

Filesize
4KB

Download
memory/1956-69-0x000007FEF4C70000-0x000007FEF565C000-memory.dmp

Filesize
9.9MB

Download
memory/1956-56-0x0000000000450000-0x00000000004D0000-memory.dmp

Filesize
512KB

Download
memory/1956-54-0x0000000000AD0000-0x0000000000BAA000-memory.dmp

Filesize
872KB

Download
memory/1956-55-0x000007FEF4C70000-0x000007FEF565C000-memory.dmp

Filesize
9.9MB

Download
memory/1956-71-0x0000000000450000-0x00000000004D0000-memory.dmp

Filesize
512KB

Download
memory/1956-93-0x0000000000450000-0x00000000004D0000-memory.dmp

Filesize
512KB

Download
memory/1956-94-0x0000000000450000-0x00000000004D0000-memory.dmp

Filesize
512KB

Download
memory/2452-18-0x0000000000350000-0x000000000035E000-memory.dmp

Filesize
56KB

Download
memory/2452-50-0x000007FEF5660000-0x000007FEF604C000-memory.dmp

Filesize
9.9MB

Download
memory/2452-32-0x0000000076E10000-0x0000000076E11000-memory.dmp

Filesize
4KB

Download
memory/2452-34-0x0000000000610000-0x000000000061C000-memory.dmp

Filesize
48KB

Download
memory/2452-31-0x000000001B030000-0x000000001B0B0000-memory.dmp

Filesize
512KB

Download
memory/2452-30-0x0000000076E20000-0x0000000076E21000-memory.dmp

Filesize
4KB

Download
memory/2452-29-0x00000000003F0000-0x00000000003FC000-memory.dmp

Filesize
48KB

Download
memory/2452-27-0x0000000076E30000-0x0000000076E31000-memory.dmp

Filesize
4KB

Download
memory/2452-26-0x0000000000360000-0x000000000036E000-memory.dmp

Filesize
56KB

Download
memory/2452-24-0x0000000000650000-0x0000000000668000-memory.dmp

Filesize
96KB

Download
memory/2452-22-0x0000000076E40000-0x0000000076E41000-memory.dmp

Filesize
4KB

Download
memory/2452-21-0x0000000076E50000-0x0000000076E51000-memory.dmp

Filesize
4KB

Download
memory/2452-20-0x0000000000630000-0x000000000064C000-memory.dmp

Filesize
112KB

Download
memory/2452-16-0x0000000076E60000-0x0000000076E61000-memory.dmp

Filesize
4KB

Download
memory/2452-15-0x000000001B030000-0x000000001B0B0000-memory.dmp

Filesize
512KB

Download
memory/2452-14-0x000007FEF5660000-0x000007FEF604C000-memory.dmp

Filesize
9.9MB

Download
memory/2452-13-0x0000000000960000-0x0000000000A3A000-memory.dmp

Filesize
872KB

Download