20bbaf13e185eb137ea4c4b11c0a71d8734dcd10d72d0f28ee9cbf6ec13a7169

Analysis

max time kernel
182s
max time network
205s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
24/12/2023, 15:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

03242cdf256688f93b376e46118fd35f.exe
Size

580KB
MD5

03242cdf256688f93b376e46118fd35f
SHA1

4fe8f2610a1859ce905f4a74c237ec7b41c20d40
SHA256

20bbaf13e185eb137ea4c4b11c0a71d8734dcd10d72d0f28ee9cbf6ec13a7169
SHA512

521a176f55b189e58fd1214d53b987cf08973bc725c6e3db29b068e5e4dcde9ce7d450972e33dbed3ba0845efde297e08551e7926e7269b3d43e611812eebdf9
SSDEEP

12288:7nrF16z19Ty8VEbCyf4k0fnUl5zqKNPNW/z3USw+oxhiJ3vIpUTjnQP:PFcW8VEWyWKfOTzihihbA

Score

10^/10

evasion spyware stealer trojan

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\03242cdf256688f93b376e46118fd35f.exe	03242cdf256688f93b376e46118fd35f.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\03242cdf256688f93b376e46118fd35f.exe	03242cdf256688f93b376e46118fd35f.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2192	reg.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
4420	03242cdf256688f93b376e46118fd35f.exe
4420	03242cdf256688f93b376e46118fd35f.exe
4420	03242cdf256688f93b376e46118fd35f.exe
4420	03242cdf256688f93b376e46118fd35f.exe
4420	03242cdf256688f93b376e46118fd35f.exe
4420	03242cdf256688f93b376e46118fd35f.exe
4420	03242cdf256688f93b376e46118fd35f.exe
4420	03242cdf256688f93b376e46118fd35f.exe
4420	03242cdf256688f93b376e46118fd35f.exe
4420	03242cdf256688f93b376e46118fd35f.exe
4420	03242cdf256688f93b376e46118fd35f.exe
4420	03242cdf256688f93b376e46118fd35f.exe
4420	03242cdf256688f93b376e46118fd35f.exe
4420	03242cdf256688f93b376e46118fd35f.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4420	03242cdf256688f93b376e46118fd35f.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4420 wrote to memory of 984	4420	03242cdf256688f93b376e46118fd35f.exe	92
PID 4420 wrote to memory of 984	4420	03242cdf256688f93b376e46118fd35f.exe	92
PID 4420 wrote to memory of 984	4420	03242cdf256688f93b376e46118fd35f.exe	92
PID 984 wrote to memory of 3852	984	csc.exe	97
PID 984 wrote to memory of 3852	984	csc.exe	97
PID 984 wrote to memory of 3852	984	csc.exe	97
PID 4420 wrote to memory of 2948	4420	03242cdf256688f93b376e46118fd35f.exe	99
PID 4420 wrote to memory of 2948	4420	03242cdf256688f93b376e46118fd35f.exe	99
PID 4420 wrote to memory of 2948	4420	03242cdf256688f93b376e46118fd35f.exe	99
PID 2948 wrote to memory of 1252	2948	csc.exe	101
PID 2948 wrote to memory of 1252	2948	csc.exe	101
PID 2948 wrote to memory of 1252	2948	csc.exe	101
PID 4420 wrote to memory of 3644	4420	03242cdf256688f93b376e46118fd35f.exe	106
PID 4420 wrote to memory of 3644	4420	03242cdf256688f93b376e46118fd35f.exe	106
PID 4420 wrote to memory of 3644	4420	03242cdf256688f93b376e46118fd35f.exe	106
PID 3644 wrote to memory of 2192	3644	cmd.exe	108
PID 3644 wrote to memory of 2192	3644	cmd.exe	108
PID 3644 wrote to memory of 2192	3644	cmd.exe	108

C:\Users\Admin\AppData\Local\Temp\03242cdf256688f93b376e46118fd35f.exe
"C:\Users\Admin\AppData\Local\Temp\03242cdf256688f93b376e46118fd35f.exe"
1⤵
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4420
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gz6pbq2e.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:984
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1312.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC1311.tmp"
    3⤵
    PID:3852
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gz6pbq2e.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2948
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2179.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC2178.tmp"
    3⤵
    PID:1252
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\System32\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3644
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    - UAC bypass
    - Modifies registry key
    PID:2192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES1312.tmp

Filesize
1KB

MD5
fe157616a4e443c938ec55d80cbc0252

SHA1
fa8d4707f98ea7ad47eafba9359305f4ce66d760

SHA256
a22364b93cc6a71b37931f0e0b4fdd72d9040e8a84afb9eb2788d60484a94402

SHA512
a7803e61fc73662550ae785b00c45facbb562a66466dfa29fe4fbea078a5dd6809f2fb323f075f69cca27dc9e05d58fdadae58275e8b5752e25b6e73334aebe3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2179.tmp

Filesize
1KB

MD5
6661818788bab58401bf6ba1256b2fff

SHA1
b776cecc8b8373a15ea6964e1bda9cbb93a0fc82

SHA256
2ccc001f7b48a636c49043d5c1b0fb468ca58876ca8a3c3ea9c1edb63820a2a1

SHA512
f6e68be18775f721f92c1acb66a2ccbe1c4a796b27cf6c57734d007cbb7c7e9dc5a1e41df3464d73b70e44b000a20f2bf98a64c304f78dafce531e8573fc7218

Download Submit
C:\Users\Admin\AppData\Local\Temp\gz6pbq2e.dll

Filesize
4KB

MD5
4e72a8ba5e53fe1fdd3cbfe8a6996de8

SHA1
35ff262c458fa57717b0a9968f4bfcfcdb0095f1

SHA256
112d99f89b7f1c771d7f613352101479338bc8ad5958f77a61163af275361468

SHA512
4015d34805a779f18f18cba2bd22fbdbc7c3e6a4eecf2496a6a0e1da736f4039ab6df5bdf2932abebedaaa4afb6a9e5fe87b731fb4d07d7e3979141bf032d7b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\gz6pbq2e.dll

Filesize
3KB

MD5
9e61d169495ed5a874c7edfe9bb3ae09

SHA1
7257e2435621a6b634e5e7db33abf5c04112e619

SHA256
d766c3d86999568fa6389753ec65d7bf5316675d0feb2edc7e6c2787da639ab9

SHA512
ea8ef1375196b5b326bbf9c0327c52ebd583d63891ab6041cf9a49add05f97cab98bdfb4464384dd82b42881fe753d7e489a7dd74eb6d5f8c2930866cc35498a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC1311.tmp

Filesize
652B

MD5
7ccc7769bb253575a0e482a1bcc34924

SHA1
ad71c7860ded07799897d9d1f30c9584dcdf8172

SHA256
052a3ceb01123dbf6f88dfa8ff41d119e48524b7e62ccb59e62cf1889be1c3e6

SHA512
c1bf49156d17cd5b06874f0310314ccf0eaf61c9db74e1743f511c8e1b6470a91a7586ecbe1da46b52f2bcc60ed815d9265eb10eb8bd2c13e675e5b9a2534c68

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gz6pbq2e.0.cs

Filesize
1KB

MD5
81c0498ec0a96008032bcb96f833e7e4

SHA1
1e1719df9dd6762c7804bab56e07b9b4aaf7ca7e

SHA256
4ac2a565d0f022a1160141bc4796568e02d47a3edca6e024538bd33ddd444354

SHA512
65de99007368a07243d0b4a353ec91525b1866f84852ea676a592e61da1c479f18888692da4dd0348b1437f240a97d23139408f2e6e5197456d20668ba4117b9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gz6pbq2e.0.cs

Filesize
571B

MD5
ffbf968e7e7ddb392daa00f9ff61f4eb

SHA1
569a6f2b38fb6971c766b39d21f74aee2e3d2765

SHA256
e6085f3cf5b1b4b91c4cb1efd863a115920283a566d9484e9288829b40119d69

SHA512
9438c30d52a01b4923daee6733547db95bc933338358959c40658abf5a5dcd394e890eb2ad5ff07d1c5f4d33596c6d5bf1e0b6f76a274c50cd5a5bdf920b2340

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gz6pbq2e.cmdline

Filesize
187B

MD5
1dca745822d7c814ca13e228bde61655

SHA1
44c7f2a6c77d8f4f89b5ad39d2086aaff5bce092

SHA256
ab01e6837a40a0db4c79961d450cfba5eec3d517a5076834192c8bc0cf4d2d23

SHA512
56a4b54f945f3cf4a02a9b12a6603ff40ba5bc84a4d3c7de1dc483469688e4bba10744ebe73d87e5c0990771744044fbefc4656998e591fca3c312b40822b88f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gz6pbq2e.cmdline

Filesize
203B

MD5
a960e45e4c452c4c3bdc193a5314581b

SHA1
60c673b426eed1fdc769cfe0194ec9af338bb1b3

SHA256
96ac71ee7681bb58d3044e4aeeecb6ba00cfe82559d3fcea9ef30f63f5c45fe9

SHA512
742dfb53f59db7d543890b17d5bfd38f3780b7ecdc0475e2dc4dedd6f65589e9df59a0011df2ffa4acbd528ff43885ebc5445542b81ccd50aaf412907b03063c

Download Submit
memory/984-8-0x0000000000930000-0x0000000000940000-memory.dmp

Filesize
64KB

Download
memory/2948-24-0x0000000002380000-0x0000000002390000-memory.dmp

Filesize
64KB

Download
memory/4420-21-0x0000000001880000-0x0000000001890000-memory.dmp

Filesize
64KB

Download
memory/4420-9-0x0000000074EF0000-0x00000000754A1000-memory.dmp

Filesize
5.7MB

Download
memory/4420-0-0x0000000074EF0000-0x00000000754A1000-memory.dmp

Filesize
5.7MB

Download
memory/4420-2-0x0000000001880000-0x0000000001890000-memory.dmp

Filesize
64KB

Download
memory/4420-1-0x0000000074EF0000-0x00000000754A1000-memory.dmp

Filesize
5.7MB

Download
memory/4420-34-0x0000000001880000-0x0000000001890000-memory.dmp

Filesize
64KB

Download
memory/4420-35-0x0000000001880000-0x0000000001890000-memory.dmp

Filesize
64KB

Download
memory/4420-36-0x0000000001880000-0x0000000001890000-memory.dmp

Filesize
64KB

Download
memory/4420-37-0x0000000001880000-0x0000000001890000-memory.dmp

Filesize
64KB

Download