20bbaf13e185eb137ea4c4b11c0a71d8734dcd10d72d0f28ee9cbf6ec13a7169

Analysis

max time kernel
122s
max time network
137s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
24-12-2023 15:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

03242cdf256688f93b376e46118fd35f.exe
Size

580KB
MD5

03242cdf256688f93b376e46118fd35f
SHA1

4fe8f2610a1859ce905f4a74c237ec7b41c20d40
SHA256

20bbaf13e185eb137ea4c4b11c0a71d8734dcd10d72d0f28ee9cbf6ec13a7169
SHA512

521a176f55b189e58fd1214d53b987cf08973bc725c6e3db29b068e5e4dcde9ce7d450972e33dbed3ba0845efde297e08551e7926e7269b3d43e611812eebdf9
SSDEEP

12288:7nrF16z19Ty8VEbCyf4k0fnUl5zqKNPNW/z3USw+oxhiJ3vIpUTjnQP:PFcW8VEWyWKfOTzihihbA

Score

10^/10

evasion spyware stealer trojan

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\03242cdf256688f93b376e46118fd35f.exe	03242cdf256688f93b376e46118fd35f.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\03242cdf256688f93b376e46118fd35f.exe	03242cdf256688f93b376e46118fd35f.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2084	reg.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2180	03242cdf256688f93b376e46118fd35f.exe
2180	03242cdf256688f93b376e46118fd35f.exe
2180	03242cdf256688f93b376e46118fd35f.exe
2180	03242cdf256688f93b376e46118fd35f.exe
2180	03242cdf256688f93b376e46118fd35f.exe
2180	03242cdf256688f93b376e46118fd35f.exe
2180	03242cdf256688f93b376e46118fd35f.exe
2180	03242cdf256688f93b376e46118fd35f.exe
2180	03242cdf256688f93b376e46118fd35f.exe
2180	03242cdf256688f93b376e46118fd35f.exe
2180	03242cdf256688f93b376e46118fd35f.exe
2180	03242cdf256688f93b376e46118fd35f.exe
2180	03242cdf256688f93b376e46118fd35f.exe
2180	03242cdf256688f93b376e46118fd35f.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2180	03242cdf256688f93b376e46118fd35f.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2180 wrote to memory of 2184	2180	03242cdf256688f93b376e46118fd35f.exe	28
PID 2180 wrote to memory of 2184	2180	03242cdf256688f93b376e46118fd35f.exe	28
PID 2180 wrote to memory of 2184	2180	03242cdf256688f93b376e46118fd35f.exe	28
PID 2180 wrote to memory of 2184	2180	03242cdf256688f93b376e46118fd35f.exe	28
PID 2184 wrote to memory of 2324	2184	csc.exe	30
PID 2184 wrote to memory of 2324	2184	csc.exe	30
PID 2184 wrote to memory of 2324	2184	csc.exe	30
PID 2184 wrote to memory of 2324	2184	csc.exe	30
PID 2180 wrote to memory of 2824	2180	03242cdf256688f93b376e46118fd35f.exe	32
PID 2180 wrote to memory of 2824	2180	03242cdf256688f93b376e46118fd35f.exe	32
PID 2180 wrote to memory of 2824	2180	03242cdf256688f93b376e46118fd35f.exe	32
PID 2180 wrote to memory of 2824	2180	03242cdf256688f93b376e46118fd35f.exe	32
PID 2824 wrote to memory of 2720	2824	csc.exe	33
PID 2824 wrote to memory of 2720	2824	csc.exe	33
PID 2824 wrote to memory of 2720	2824	csc.exe	33
PID 2824 wrote to memory of 2720	2824	csc.exe	33
PID 2180 wrote to memory of 2636	2180	03242cdf256688f93b376e46118fd35f.exe	34
PID 2180 wrote to memory of 2636	2180	03242cdf256688f93b376e46118fd35f.exe	34
PID 2180 wrote to memory of 2636	2180	03242cdf256688f93b376e46118fd35f.exe	34
PID 2180 wrote to memory of 2636	2180	03242cdf256688f93b376e46118fd35f.exe	34
PID 2636 wrote to memory of 2084	2636	cmd.exe	36
PID 2636 wrote to memory of 2084	2636	cmd.exe	36
PID 2636 wrote to memory of 2084	2636	cmd.exe	36
PID 2636 wrote to memory of 2084	2636	cmd.exe	36

C:\Users\Admin\AppData\Local\Temp\03242cdf256688f93b376e46118fd35f.exe
"C:\Users\Admin\AppData\Local\Temp\03242cdf256688f93b376e46118fd35f.exe"
1⤵
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2180
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hescynij.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2184
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7428.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC7427.tmp"
    3⤵
    PID:2324
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hescynij.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2824
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7502.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC7501.tmp"
    3⤵
    PID:2720
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\System32\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2636
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    - UAC bypass
    - Modifies registry key
    PID:2084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES7428.tmp

Filesize
1KB

MD5
9508c40a5ed3ef80f2d5ada9db70c3c5

SHA1
6213112000c6ee4f991fa8d2e205451a74f1eb36

SHA256
60217c63e868089da0578423fb0cd332336c6b146c5b58761110953f6c0ac74e

SHA512
2c754dc8c705c59f340b52f15ca1b767debaade575c5657a255f4f1c35517b518054af3cdacb47015c5b678284e6b024b77117797983b6a250189e8824b0a9af

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7502.tmp

Filesize
1KB

MD5
7f106d65a7b1aa9dd68a7c675eb8a189

SHA1
e3b701aa0ff647f6cc4c2b9154eb9e1b38a59935

SHA256
9d24fc0261d7adc99d365403be35b56d243dbeb9740ee8efeafda1ee1f3d9e7f

SHA512
85ca53a5d88fe16da6b3659f9659d6d149f94d52a50d1cbe4645c19ca4bdb06265e27220b236b727c41d5b32b321a08c26c66ac84d1f02be3d92988850ee5bbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\hescynij.dll

Filesize
3KB

MD5
88754d401e03ccaaed83e9329c70979b

SHA1
63e7d6f436f8721fd0f751444b473c4e896b0c69

SHA256
7091aebe81b545c445b5454d824aa4632a3cbea61150f0f5240666de77bca61f

SHA512
fa9bd4aabdfe283e5586c2804ad1362788c9afc255e3d3c46e9522478124f09e5670b43d6e098143b9f88406a0e3c1855b2a34e7dc0744c6e3ae21923125dc8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\hescynij.dll

Filesize
4KB

MD5
5e1a5c4455f12ee005785aaeae3847b4

SHA1
5062102fcd4e80c6502b65546cccea0f71f5e8bd

SHA256
b0d7f755ef02671b18fd6a831d57a7e32ba55af117f0b57cc573059a889db552

SHA512
42b40cbe027d33888a2b7a1062289d02250de4883068e6fc7da671ddcd6fb67c87c724fb10e5b2be8edb0a03fc6730ded2d1bcf92657396161f8b07e2491ec27

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC7427.tmp

Filesize
652B

MD5
c37eb28df030f73aa34f8767c22c2fde

SHA1
354bb0777a31876ad862fd8f25a16013c55bb02e

SHA256
089d1b6fabaa606ed4a3659567d292a4fdb49c1f58eab2a023ea6cea1fb51616

SHA512
b2394ec7c7023ea71c3713f2375e2977ef4c38d3f98c8d1508a3d81329ec268348600af7f27ce8ac7a1af373af129aa529ed0cebe676970c063e04efff27995f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hescynij.0.cs

Filesize
571B

MD5
ffbf968e7e7ddb392daa00f9ff61f4eb

SHA1
569a6f2b38fb6971c766b39d21f74aee2e3d2765

SHA256
e6085f3cf5b1b4b91c4cb1efd863a115920283a566d9484e9288829b40119d69

SHA512
9438c30d52a01b4923daee6733547db95bc933338358959c40658abf5a5dcd394e890eb2ad5ff07d1c5f4d33596c6d5bf1e0b6f76a274c50cd5a5bdf920b2340

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hescynij.0.cs

Filesize
1KB

MD5
81c0498ec0a96008032bcb96f833e7e4

SHA1
1e1719df9dd6762c7804bab56e07b9b4aaf7ca7e

SHA256
4ac2a565d0f022a1160141bc4796568e02d47a3edca6e024538bd33ddd444354

SHA512
65de99007368a07243d0b4a353ec91525b1866f84852ea676a592e61da1c479f18888692da4dd0348b1437f240a97d23139408f2e6e5197456d20668ba4117b9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hescynij.cmdline

Filesize
187B

MD5
c7f782db1576f945be68628d7edcb519

SHA1
3cad34c9e87264d479df9b7c17e3c07626cb9e22

SHA256
c11c6271a4f5bbc9a09d4b0dbf235a125dc75389b5bdca56cffe4f40c996f5a6

SHA512
08d20894b2c6b538b5763c7752460cb1981044d2df2234a63ab69fa3837b04ae2e0ddf8f98011bbd1c1c547a752a4569f54f5a7db65315ee8ca468459f858349

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hescynij.cmdline

Filesize
203B

MD5
541916c3937780ab831d973f8f3b5c06

SHA1
efccfd87066d522d439b32615559c344b68bd957

SHA256
04e46d15e68e43c59d849da71857991b1bf966d82b5e2c19baa0c431efa1fd79

SHA512
07603581ecdfa6b18dcbbf6fe05c36536341f262d9b6515a07691218ef0f4fedc4f00cb3510b2ef6d6ae4c883968b56c25953845d69ac33d8c0b7ea33fbf4017

Download Submit
memory/2180-38-0x0000000000200000-0x0000000000240000-memory.dmp

Filesize
256KB

Download
memory/2180-37-0x0000000000200000-0x0000000000240000-memory.dmp

Filesize
256KB

Download
memory/2180-0-0x0000000074A10000-0x0000000074FBB000-memory.dmp

Filesize
5.7MB

Download
memory/2180-2-0x0000000000200000-0x0000000000240000-memory.dmp

Filesize
256KB

Download
memory/2180-1-0x0000000074A10000-0x0000000074FBB000-memory.dmp

Filesize
5.7MB

Download
memory/2180-32-0x0000000074A10000-0x0000000074FBB000-memory.dmp

Filesize
5.7MB

Download
memory/2180-33-0x0000000074A10000-0x0000000074FBB000-memory.dmp

Filesize
5.7MB

Download
memory/2180-35-0x0000000000200000-0x0000000000240000-memory.dmp

Filesize
256KB

Download
memory/2180-34-0x0000000000200000-0x0000000000240000-memory.dmp

Filesize
256KB

Download
memory/2180-36-0x0000000000200000-0x0000000000240000-memory.dmp

Filesize
256KB

Download
memory/2184-8-0x0000000000290000-0x00000000002D0000-memory.dmp

Filesize
256KB

Download
memory/2824-22-0x0000000000470000-0x00000000004B0000-memory.dmp

Filesize
256KB

Download