Analysis

max time kernel: 154s
max time network: 161s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64 arch:x86 image:win10v2004-20231215-en locale:en-us os:windows10-2004-x64 system
submitted: 29/12/2023, 04:09

Static task: static1
Behavioral task: behavioral1
Sample: c7f577cefa301fea0c4819768680b4750bdc67a55e04a766a6d94a190bb9e9e1.exe
Resource: win7-20231215-en
General

Target: c7f577cefa301fea0c4819768680b4750bdc67a55e04a766a6d94a190bb9e9e1.exe
Size: 1.4MB
MD5: 6b388b92a6129fde94255cfd203da7a3
SHA1: e59b69bfceff5ce28cc6f434f89c735f34c10d82
SHA256: c7f577cefa301fea0c4819768680b4750bdc67a55e04a766a6d94a190bb9e9e1
SHA512: fb5434593ce021dbb800c0fa380297b0da6ceff690590721eb47d5021b08334b20e2ddad244a5e522d9007b1ba6371e6e085719c8046c6ac507b8aa8b8bf305a
SSDEEP: 12288:OO9B+VY8quMPLjg4YqLgvB6dMSJ3oecwJE97O8k4QrsdJW3kFk9huIFYPSbwL:OO9BeqtL+SgvqFE1d3ddJW3CAqPSbwL
Malware Config
Signatures

Executes dropped EXE (7 IoCs)
PID | Process
2424 | alg.exe
4396 | elevation_service.exe
1240 | elevation_service.exe
4828 | maintenanceservice.exe
8 | OSE.EXE
2948 | DiagnosticsHub.StandardCollector.Service.exe
1280 | fxssvc.exe
Note: none of these is a newly created file. They are existing Windows and third-party service binaries. The file IoCs below show C:\Windows\System32\alg.exe opened for modification by the sample, and the Edge elevation_service.exe, DiagnosticsHub.StandardCollector.Service.exe and fxssvc.exe binaries opened for modification by alg.exe or elevation_service.exe, before their PIDs appear in the process list. The behaviour is consistent with service binaries being rewritten in place and then started by the service control manager rather than launched by the sample itself, which is why each appears at the top level of the process tree.
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Note: this signature is reported as TTPs only; the report lists no file or registry IoC for it, so treat it as an indicator to verify against the full event log rather than a confirmed read of a browser profile.
Drops file in System32 directory (6 IoCs)
Description | IoC | Process
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\9d4dfeece04146c8.bin | alg.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\dllhost.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\alg.exe | c7f577cefa301fea0c4819768680b4750bdc67a55e04a766a6d94a190bb9e9e1.exe
Drops file in Program Files directory (64 IoCs)
Description | IoC | Process
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\javacpl.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\extcheck.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmid.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\schemagen.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\servertool.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe | alg.exe
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | alg.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ieinstal.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\orbd.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\idlj.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jhat.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstat.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\ktab.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\tnameserv.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstack.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\keytool.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\serialver.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\java-rmi.exe | alg.exe
File created | C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log | maintenanceservice.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jconsole.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\plugin-container.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\javaw.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\pack200.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\ssvagent.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javadoc.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jjs.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\java.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_108421\java.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe | alg.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\Install\{BB3A5AB2-72E6-4A67-A376-A20E324C372C}\chrome_installer.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe | alg.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\klist.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\unpack200.exe | alg.exe
Suspicious behavior: LoadsDriver (2 IoCs)
PID | Process
664 | Process not Found
664 | Process not Found
Note: both driver loads are attributed to the same PID, which the sandbox could not map to a process image, so the loading process cannot be tied to the sample from this report alone.
Suspicious use of AdjustPrivilegeToken (5 IoCs)
Token | PID | Process
SeTakeOwnershipPrivilege | 1436 | c7f577cefa301fea0c4819768680b4750bdc67a55e04a766a6d94a190bb9e9e1.exe
SeDebugPrivilege | 2424 | alg.exe
SeDebugPrivilege | 2424 | alg.exe
SeDebugPrivilege | 2424 | alg.exe
SeTakeOwnershipPrivilege | 4396 | elevation_service.exe
Note: SeTakeOwnershipPrivilege is the privilege a process needs to take ownership of TrustedInstaller-owned binaries under C:\Windows\System32 before it can grant itself write access to them. The sample (PID 1436) enables it and is the process that opens C:\Windows\System32\alg.exe for modification; elevation_service.exe (PID 4396) enables it and the System32 entries above are attributed to elevation_service.exe. This is consistent with the in-place rewriting of protected system binaries seen in the file IoCs.
Processes

All entries are listed at depth 1 of the sandbox's process tree (no parent/child relationship is recorded), in the order the report gives them.

Path: C:\Users\Admin\AppData\Local\Temp\c7f577cefa301fea0c4819768680b4750bdc67a55e04a766a6d94a190bb9e9e1.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\c7f577cefa301fea0c4819768680b4750bdc67a55e04a766a6d94a190bb9e9e1.exe"
PID: 1436
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken

Path: C:\Windows\System32\alg.exe
Command line: C:\Windows\System32\alg.exe
PID: 2424
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken

Path: C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
PID: 4396
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken

Path: C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
PID: 1240
- Executes dropped EXE

Path: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
PID: 4828
- Executes dropped EXE
- Drops file in Program Files directory

Path: \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
PID: 8
- Executes dropped EXE

Path: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
PID: 2948
- Executes dropped EXE

Path: C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID: 3472

Path: C:\Windows\system32\fxssvc.exe
Command line: C:\Windows\system32\fxssvc.exe
PID: 1280
- Executes dropped EXE
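The two checks an analyst wants to run over the tables above are (1) which process rewrote many executables under protected directories, and (2) which of the rewritten binaries then show up as running processes. The following script is an added example written for this page, not part of the sandbox report or of any sandbox product. Its event lists are a constructed subset copied from the report's IoC and process tables; PROTECTED_ROOTS, EXE_SUFFIXES and the MIN_TARGETS threshold are assumptions chosen for the example.

```python
"""Correlate a sandbox report's file-modification IoCs with its process list.

Added example for this page; not part of the original report or of any
sandbox tooling. FILE_EVENTS and PROC_EVENTS are a constructed subset of
the report's entries. PROTECTED_ROOTS, EXE_SUFFIXES and MIN_TARGETS are
assumptions, not values taken from the report.
"""
from collections import defaultdict

SAMPLE = "c7f577cefa301fea0c4819768680b4750bdc67a55e04a766a6d94a190bb9e9e1.exe"

# Directories where a non-installer process rewriting executables is suspicious
# (assumption). "c:\program files" also matches the "(x86)" tree.
PROTECTED_ROOTS = (r"c:\windows\system32", r"c:\program files")
EXE_SUFFIXES = (".exe", ".dll", ".sys")
MIN_TARGETS = 3  # assumed threshold; raise it in environments with noisy updaters

# (description, path, process) rows copied from the "Drops file in ..." tables.
FILE_EVENTS = [
    ("File opened for modification", r"C:\Windows\System32\alg.exe", SAMPLE),
    ("File opened for modification", r"C:\Windows\system32\config\systemprofile\AppData\Roaming\9d4dfeece04146c8.bin", "alg.exe"),
    ("File opened for modification", r"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe", "alg.exe"),
    ("File opened for modification", r"C:\Program Files\7-Zip\7zFM.exe", "alg.exe"),
    ("File opened for modification", r"C:\Program Files\Java\jdk-1.8\bin\keytool.exe", "alg.exe"),
    ("File opened for modification", r"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe", "alg.exe"),
    ("File opened for modification", r"C:\Windows\system32\AppVClient.exe", "elevation_service.exe"),
    ("File opened for modification", r"C:\Windows\system32\dllhost.exe", "elevation_service.exe"),
    ("File opened for modification", r"C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe", "elevation_service.exe"),
    ("File opened for modification", r"C:\Windows\system32\fxssvc.exe", "elevation_service.exe"),
    ("File created", r"C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log", "maintenanceservice.exe"),
]

# (pid, image path) rows copied from the Processes section.
PROC_EVENTS = [
    (1436, r"C:\Users\Admin\AppData\Local\Temp" + "\\" + SAMPLE),
    (2424, r"C:\Windows\System32\alg.exe"),
    (4396, r"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"),
    (1240, r"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"),
    (4828, r"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"),
    (8, r"\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"),
    (2948, r"C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe"),
    (3472, r"C:\Windows\System32\svchost.exe"),
    (1280, r"C:\Windows\system32\fxssvc.exe"),
]


def normalize(path: str) -> str:
    """Lower-case a path and strip the NT object-manager prefix the report shows on OSE.EXE."""
    p = path.strip().lower()
    return p[4:] if p.startswith("\\??\\") else p


def is_protected_executable(path: str) -> bool:
    """True for an executable-type file under one of the protected roots."""
    p = normalize(path)
    return p.startswith(PROTECTED_ROOTS) and p.endswith(EXE_SUFFIXES)


def modified_executables_by_process(file_events):
    """Map each writing process to the set of protected executables it opened for modification."""
    targets = defaultdict(set)
    for description, path, process in file_events:
        if description == "File opened for modification" and is_protected_executable(path):
            targets[process].add(normalize(path))
    return dict(targets)


def flag_mass_modifiers(file_events, threshold=MIN_TARGETS):
    """Processes that rewrote at least `threshold` protected executables.

    A vendor updater touches its own product tree; a process that rewrites
    Java, 7-Zip, Chrome and Edge binaries alike is not behaving like an updater.
    """
    return {process: sorted(paths)
            for process, paths in modified_executables_by_process(file_events).items()
            if len(paths) >= threshold}


def executed_after_modification(file_events, proc_events):
    """Binaries that were opened for modification and then appear as a running process."""
    modified = {normalize(path) for description, path, _ in file_events
                if description == "File opened for modification"}
    return sorted({normalize(path) for _, path in proc_events if normalize(path) in modified})


if __name__ == "__main__":
    for process, paths in flag_mass_modifiers(FILE_EVENTS).items():
        print(f"{process}: rewrote {len(paths)} protected executables")
    for path in executed_after_modification(FILE_EVENTS, PROC_EVENTS):
        print(f"modified, then executed: {path}")
```

On this subset the first check flags alg.exe and elevation_service.exe but not the sample (it rewrote only alg.exe) and not maintenanceservice.exe (its only event is a log file creation); the second check returns alg.exe, the Edge elevation_service.exe, DiagnosticsHub.StandardCollector.Service.exe and fxssvc.exe. Chrome's elevation_service.exe, OSE.EXE and maintenanceservice.exe are executed but absent from the report's visible modification list, which is capped at 64 entries, so the correlation can only be as complete as the IoC table it is fed.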
Network
MITRE ATT&CK Enterprise v15
Downloads (7 files)

Filesize: 246KB
MD5: 3405c37b355a0ba15449c7791dfc784f
SHA1: d2aaae1544064ee9424b07e208a8dda21af52d2e
SHA256: 66c289893da854e8f4bb8483b9ace80123afa049040b49b3df320af50410f807
SHA512: bb3d7fcb083e5b6318b9310cc8a45fae5cbf5aaf6aafb5f93e96a002171f69f9efd38ce5b1206fd00f3d58c2bdc0fd77a62997c1ffb27a9cbe3b95057ac6ec8c

Filesize: 349KB
MD5: 41596657267252ef7898697a126d7259
SHA1: 1d98007620a0203537f2b3e401d9d86905e8f7a2
SHA256: 584ea35bf1cb9172eb3272ec165be3a98fdd8ab967b856d3eba357f68829d3e5
SHA512: 45711917653061a98427ff0a4e3e7576e53be7551c70121b1750c4a51d728a72fe51ca41dd1604b6575dacd79bad6c4299fa314a03d55add47e215c70e829c90

Filesize: 227KB
MD5: 06edc091a85d1f0bc8a933da7478346c
SHA1: 85229bf3cf54a64d1b8d7a14f0ae3cc8d0c0edd8
SHA256: d363f2f252c20ff9ead1951523e1edd7a0a2c9ab1cb342d6e88ceb1bb5c55980
SHA512: 01295e5c9932b40e6f7d6af1de2aaa6fb27ee03891a5fd474ca7e5c8dc06fee5262d102417271fb508c56087ff4d020df776fdab2e4c35ae2bdea0a8f823b121

Filesize: 483KB
MD5: f2c9ea06b69b0e617af5d27badaa478a
SHA1: 14a5b5760756cc87fb56b393dbd7308bc7adc95c
SHA256: 9490032011849625adf99bdb5eb57ff1ce247d5e851738ea8b13f0d7041770d7
SHA512: 44e3a6f1807114f0af10d4d91f3d62d230ce4100b978a558c4b3408dd2722f42923a001c306e1c00dc81f9488e509024fc2ca946de0c3ed53cc1e667b2529a18

Filesize: 1.2MB
MD5: 8740a21fe36950e3b64219fcdf9b5be1
SHA1: aaf639a13824a20e2c00aea438c99957e8cf0f16
SHA256: 9f895ce4557ad2431c4ee150d603c7f5be3af92289b4d36f4e606e25e2999f6e
SHA512: f928177aff1afe741b37ceb72d7af69b72b19e9c8d408a7a54ddcf93b42692da72d6e879afb4201f925d08d26ae65ccca5d857376aa0a690fb8085a6a864b7bb

Filesize: 1.2MB
MD5: 0d166ac796500824ea7ccd245487fd8b
SHA1: 15eaefcb400c4bed68e8b4b1d4aa6bd2f8b48b41
SHA256: 410d977aa7a1d8f444f6b37abb56919084ab63fba84b8ab2816b64af9a274006
SHA512: 1d79cbac0de8c270cd7f4c51bcf27bd00880bdbefebe63add95e809627790d8998cb5f0d1cbf5808c023279afb35a21610d1d8ec7e66d72dcffff5ffba9a755f

Filesize: 926KB
MD5: 2637876ca415edfdf1d4d834b91b47b2
SHA1: 3d88f2e9df22e938b7891af61a074f9571da1d9a
SHA256: e732b12bfe6063e779990b390d25d9dfc7ce7ce82d3d16e10e1a3fd3500bd090
SHA512: b9368e949043d22668cd3245c8404f672217de48ee4b84c734d45cbdbd56105fa7dbd8aae804ab1a948cecaeb1365cbe270e2228f10cc24b1264b946a79b0baa