Overview

overview

10

Static

static

3

07053ea86d...b9.exe

windows7-x64

10

07053ea86d...b9.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    160s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29/12/2023, 23:32

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    07053ea86dd370d8e7c1e935a96af3b9.exe

  • Size

    173KB

  • MD5

    07053ea86dd370d8e7c1e935a96af3b9

  • SHA1

    102ae2b6fe49621aaa4580921367dec4a9c446dd

  • SHA256

    6129c6cdfa86b869afbdad5062d6a6c0dd7c1b090c804e328b63b9eb9aea957b

  • SHA512

    1974cf3c9da338a24fcae5526d49f9267cebc54e0756eafdbd358c55374bca6fc0cc109909c7ef3af42807c624c5cba2f8d23f4f86f6a3e81bbd4a9fca9e5306

  • SSDEEP

    3072:7T62yBAnxZpjuXrwuDP0yuDaZiH95wtDsSlNfgZ6QdpsQJXvwJiRF9m:34CZpOk+P0haZYEZl2Z6QnJ/qiRF

Score
10/10
evasionpersistencespywarestealerupx

Malware Config

Signatures

  • Modifies security service 2 TTPs 1 IoCs
    evasion
  • Disables taskbar notifications via registry modification
    evasion
  • Modifies Installed Components in the registry 2 TTPs 4 IoCs
    persistence
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • UPX packed file 10 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 8 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 3 IoCs
  • Checks SCSI registry key(s) 3 TTPs 64 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 57 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • System policy modification 1 TTPs 2 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\07053ea86dd370d8e7c1e935a96af3b9.exe
    "C:\Users\Admin\AppData\Local\Temp\07053ea86dd370d8e7c1e935a96af3b9.exe"
    1⤵
    • Modifies security service
    • Adds Run key to start application
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2456
    • C:\Users\Admin\AppData\Local\Temp\07053ea86dd370d8e7c1e935a96af3b9.exe
      C:\Users\Admin\AppData\Local\Temp\07053ea86dd370d8e7c1e935a96af3b9.exe startC:\Users\Admin\AppData\Roaming\68270\130FB.exe%C:\Users\Admin\AppData\Roaming\68270
      2⤵
        PID:4844
      • C:\Users\Admin\AppData\Local\Temp\07053ea86dd370d8e7c1e935a96af3b9.exe
        C:\Users\Admin\AppData\Local\Temp\07053ea86dd370d8e7c1e935a96af3b9.exe startC:\Program Files (x86)\70F4B\lvvm.exe%C:\Program Files (x86)\70F4B
        2⤵
          PID:2308
      • C:\Windows\system32\msiexec.exe
        C:\Windows\system32\msiexec.exe /V
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1356
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
        • Modifies Installed Components in the registry
        • Enumerates connected drives
        • Checks SCSI registry key(s)
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:1884
      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
        1⤵
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        PID:1440
      • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
        "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
        1⤵
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        PID:4436
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
        • Modifies Installed Components in the registry
        • Enumerates connected drives
        • Checks SCSI registry key(s)
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:4804
      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
        1⤵
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        PID:2096
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
        • Modifies Installed Components in the registry
        • Enumerates connected drives
        • Checks SCSI registry key(s)
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:1636
      • C:\Windows\system32\werfault.exe
        werfault.exe /hc /shared Global\a3fc2615d22d44c7b17f2f3d135081e0 /t 1608 /p 3812
        1⤵
          PID:1352
        • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
          "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
          1⤵
          • Suspicious use of SetWindowsHookEx
          PID:4132
        • C:\Windows\explorer.exe
          explorer.exe
          1⤵
          • Modifies Installed Components in the registry
          • Enumerates connected drives
          • Checks SCSI registry key(s)
          • Modifies registry class
          • Suspicious use of SendNotifyMessage
          PID:4464
        • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
          "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
          1⤵
          • Modifies registry class
          • Suspicious use of SetWindowsHookEx
          PID:3340

        Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53
                Filesize

                471B

                MD5

                a760fb773b23d783f07e77de846bde96

                SHA1

                35f4a0c1ba33dee757f2b028fb313c3019b699fd

                SHA256

                e07532c862bf12834627535fe4304cbf9d977e22968dea7b99fa5bd9a733c290

                SHA512

                d8bf7846b453924fcaec8e153a7a3ea633e64c3aa695169ebfa944e48f4a8e0ddd8703d48ce988ba360d826e72006576cd822bc0b3ecf496d47649532ccc501e

                Download Submit

              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53
                Filesize

                412B

                MD5

                970931530f24111ed01af81a4d727a37

                SHA1

                8e29dfa9c7952070d81e71d3baccb0a6a8d9e962

                SHA256

                05c9c54f850170f63b0740361d5e982c0189e0071ae0c94791c1b46561eeaa0e

                SHA512

                a973a811b9501f12b9fb9b8b2c7ce1eb7987b72c677eb61c8021c59b208a5120980e85738fbb187086b01f6c91e97370d51c21eb43804f868b5e86767eba28df

                Download Submit

              • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133484266618065687.txt
                Filesize

                74KB

                MD5

                c09e63e4b960a163934b3c29f3bd2cc9

                SHA1

                d3a43b35c14ae2e353a1a15c518ab2595f6a0399

                SHA256

                308deca5e1ef4d875fbe0aff3ce4b0b575b28e643dffda819d4390ec77faf157

                SHA512

                5ca3321034dff47e3afe0b0bdfaffc08782991660910a29375a8e0363794b78247282aba65dbd882ae225aa140ae63927dfd0946a441ee6fa64a1d8c146777b9

                Download Submit

              • C:\Users\Admin\AppData\Roaming\68270\0F4B.827
                Filesize

                1KB

                MD5

                dfa054f67f0e9c13b4d33e9d14566d40

                SHA1

                267f153816e5fa208d28357ca013f57ee40433eb

                SHA256

                dc7cbe698aab9dd813a94ed2195b80969b90af369467149fa31914d4eabddc14

                SHA512

                826e08cfad4212d0b94b544bab68ab52b30658f4ab701173a936cda3d340d298ae9ac6b742cfe68a7dcdeb94cb9ebddf24a4785260f9003c6deacfe971b939c3

                Download Submit

              • C:\Users\Admin\AppData\Roaming\68270\0F4B.827
                Filesize

                1KB

                MD5

                8aa13e191025bbe8c7e08339d96a0f49

                SHA1

                d9494e63e8b66dbed58484751a50827462329dd3

                SHA256

                d41a934783b7f81349332b5eec18fe3252bc4fdd1ee7c749024f1707b500b4cc

                SHA512

                4d6ab9b1de6e08e45b5c6741112cd7e63e949532e0aae4577bb81bbf858402d3d38811d302c7635b99485ec765eb704a8228dcdd544bdf74e279f5cdab96bf37

                Download Submit

              • C:\Users\Admin\AppData\Roaming\68270\0F4B.827
                Filesize

                300B

                MD5

                1a811b11827863444d1682133007b918

                SHA1

                b86aa4eea9b2826e9065e121ba4700651178f6c5

                SHA256

                a845229599785126b2a1514c21e280bb2ec80d9a1f4d59d8a3250bdd859bd34a

                SHA512

                147232bd58b9c485019157a5fef60c111073f61a3842ad8a1077feb9b5c884254243d183d3fee0b59a8a75b048bdeda244e5f08288a4ea1a6c3e6bedbb227e7a

                Download Submit

              • memory/1636-225-0x0000000004670000-0x0000000004671000-memory.dmp

                Filesize

                4KB

                Download

              • memory/2308-97-0x0000000000500000-0x0000000000600000-memory.dmp

                Filesize

                1024KB

                Download

              • memory/2308-96-0x0000000000400000-0x0000000000452000-memory.dmp

                Filesize

                328KB

                Download

              • memory/2308-98-0x0000000000400000-0x0000000000452000-memory.dmp

                Filesize

                328KB

                Download

              • memory/2456-11-0x0000000000400000-0x0000000000452000-memory.dmp

                Filesize

                328KB

                Download

              • memory/2456-223-0x0000000000400000-0x0000000000452000-memory.dmp

                Filesize

                328KB

                Download

              • memory/2456-1-0x0000000000400000-0x0000000000452000-memory.dmp

                Filesize

                328KB

                Download

              • memory/2456-2-0x0000000000530000-0x0000000000630000-memory.dmp

                Filesize

                1024KB

                Download

              • memory/2456-3-0x0000000000400000-0x0000000000452000-memory.dmp

                Filesize

                328KB

                Download

              • memory/2456-132-0x0000000000400000-0x0000000000452000-memory.dmp

                Filesize

                328KB

                Download

              • memory/2456-19-0x0000000000400000-0x0000000000452000-memory.dmp

                Filesize

                328KB

                Download

              • memory/2456-7-0x0000000000400000-0x0000000000452000-memory.dmp

                Filesize

                328KB

                Download

              • memory/2456-5-0x0000000000530000-0x0000000000630000-memory.dmp

                Filesize

                1024KB

                Download

              • memory/4436-231-0x0000024E07C10000-0x0000024E07C30000-memory.dmp

                Filesize

                128KB

                Download

              • memory/4436-232-0x0000024E07BD0000-0x0000024E07BF0000-memory.dmp

                Filesize

                128KB

                Download

              • memory/4436-235-0x0000024E07FF0000-0x0000024E08010000-memory.dmp

                Filesize

                128KB

                Download

              • memory/4844-17-0x0000000000400000-0x0000000000452000-memory.dmp

                Filesize

                328KB

                Download

              • memory/4844-18-0x00000000006D0000-0x00000000007D0000-memory.dmp

                Filesize

                1024KB

                Download

              • memory/4844-20-0x0000000000400000-0x0000000000452000-memory.dmp

                Filesize

                328KB

                Download