66d07a69540b7a0640d6958b83310c0abb4a600fd809363df564755ce85b89b4

Analysis

max time kernel
120s
max time network
128s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 06:23

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

10f5aedeb419ff0d609774c51ea2cb50.exe
Size

301KB
MD5

10f5aedeb419ff0d609774c51ea2cb50
SHA1

e1652f34ac5f10614a626fc3ddbeb3e85d3b1575
SHA256

66d07a69540b7a0640d6958b83310c0abb4a600fd809363df564755ce85b89b4
SHA512

9b064f6b100c000a759e907918937349d27594556e31d7ed534742e535f66d4555b1d9ea4407348bcc0fedc150f037a8743beed4c3d35ba8f405e21f3f5505d2
SSDEEP

3072:mzW+DiC9iLo+GnH65GWp1icKAArDZz4N9GhbkrNEk1ShsL251ItjUI6yXDgiJ5Yd:hKwLo7cp0yN90QEPRQUI6yEiJIEx5t

Score

8^/10

evasion persistence spyware stealer

Malware Config

Signatures

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Executes dropped EXE 1 IoCs

pid	Process
1056	feegg.exe

Loads dropped DLL 3 IoCs

pid	Process
1768	10f5aedeb419ff0d609774c51ea2cb50.exe
1768	10f5aedeb419ff0d609774c51ea2cb50.exe
1056	feegg.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	10f5aedeb419ff0d609774c51ea2cb50.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\SearchFilterHost = "cmd /c \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\feegg.exe\" --zxcv"	feegg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2332	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
2912	taskkill.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
1056	feegg.exe
1056	feegg.exe
1056	feegg.exe
1056	feegg.exe
1056	feegg.exe
1056	feegg.exe
1056	feegg.exe
1056	feegg.exe
1056	feegg.exe
1056	feegg.exe
1056	feegg.exe
1056	feegg.exe
1056	feegg.exe
1056	feegg.exe
1056	feegg.exe
1056	feegg.exe
1056	feegg.exe
1056	feegg.exe
1056	feegg.exe
1056	feegg.exe
1056	feegg.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1056	feegg.exe
Token: SeDebugPrivilege	2912	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1768 wrote to memory of 1056	1768	10f5aedeb419ff0d609774c51ea2cb50.exe	28
PID 1768 wrote to memory of 1056	1768	10f5aedeb419ff0d609774c51ea2cb50.exe	28
PID 1768 wrote to memory of 1056	1768	10f5aedeb419ff0d609774c51ea2cb50.exe	28
PID 1768 wrote to memory of 1056	1768	10f5aedeb419ff0d609774c51ea2cb50.exe	28
PID 1768 wrote to memory of 1056	1768	10f5aedeb419ff0d609774c51ea2cb50.exe	28
PID 1768 wrote to memory of 1056	1768	10f5aedeb419ff0d609774c51ea2cb50.exe	28
PID 1768 wrote to memory of 1056	1768	10f5aedeb419ff0d609774c51ea2cb50.exe	28
PID 1056 wrote to memory of 2712	1056	feegg.exe	29
PID 1056 wrote to memory of 2712	1056	feegg.exe	29
PID 1056 wrote to memory of 2712	1056	feegg.exe	29
PID 1056 wrote to memory of 2712	1056	feegg.exe	29
PID 1056 wrote to memory of 2712	1056	feegg.exe	29
PID 1056 wrote to memory of 2712	1056	feegg.exe	29
PID 1056 wrote to memory of 2712	1056	feegg.exe	29
PID 1056 wrote to memory of 2596	1056	feegg.exe	33
PID 1056 wrote to memory of 2596	1056	feegg.exe	33
PID 1056 wrote to memory of 2596	1056	feegg.exe	33
PID 1056 wrote to memory of 2596	1056	feegg.exe	33
PID 1056 wrote to memory of 2596	1056	feegg.exe	33
PID 1056 wrote to memory of 2596	1056	feegg.exe	33
PID 1056 wrote to memory of 2596	1056	feegg.exe	33
PID 1056 wrote to memory of 2604	1056	feegg.exe	50
PID 1056 wrote to memory of 2604	1056	feegg.exe	50
PID 1056 wrote to memory of 2604	1056	feegg.exe	50
PID 1056 wrote to memory of 2604	1056	feegg.exe	50
PID 1056 wrote to memory of 2604	1056	feegg.exe	50
PID 1056 wrote to memory of 2604	1056	feegg.exe	50
PID 1056 wrote to memory of 2604	1056	feegg.exe	50
PID 1056 wrote to memory of 2636	1056	feegg.exe	47
PID 1056 wrote to memory of 2636	1056	feegg.exe	47
PID 1056 wrote to memory of 2636	1056	feegg.exe	47
PID 1056 wrote to memory of 2636	1056	feegg.exe	47
PID 1056 wrote to memory of 2636	1056	feegg.exe	47
PID 1056 wrote to memory of 2636	1056	feegg.exe	47
PID 1056 wrote to memory of 2636	1056	feegg.exe	47
PID 1056 wrote to memory of 2752	1056	feegg.exe	46
PID 1056 wrote to memory of 2752	1056	feegg.exe	46
PID 1056 wrote to memory of 2752	1056	feegg.exe	46
PID 1056 wrote to memory of 2752	1056	feegg.exe	46
PID 1056 wrote to memory of 2752	1056	feegg.exe	46
PID 1056 wrote to memory of 2752	1056	feegg.exe	46
PID 1056 wrote to memory of 2752	1056	feegg.exe	46
PID 1056 wrote to memory of 2332	1056	feegg.exe	44
PID 1056 wrote to memory of 2332	1056	feegg.exe	44
PID 1056 wrote to memory of 2332	1056	feegg.exe	44
PID 1056 wrote to memory of 2332	1056	feegg.exe	44
PID 1056 wrote to memory of 2332	1056	feegg.exe	44
PID 1056 wrote to memory of 2332	1056	feegg.exe	44
PID 1056 wrote to memory of 2332	1056	feegg.exe	44
PID 1056 wrote to memory of 2912	1056	feegg.exe	36
PID 1056 wrote to memory of 2912	1056	feegg.exe	36
PID 1056 wrote to memory of 2912	1056	feegg.exe	36
PID 1056 wrote to memory of 2912	1056	feegg.exe	36
PID 1056 wrote to memory of 2912	1056	feegg.exe	36
PID 1056 wrote to memory of 2912	1056	feegg.exe	36
PID 1056 wrote to memory of 2912	1056	feegg.exe	36
PID 2752 wrote to memory of 2940	2752	CMD.exe	42
PID 2752 wrote to memory of 2940	2752	CMD.exe	42
PID 2752 wrote to memory of 2940	2752	CMD.exe	42
PID 2752 wrote to memory of 2940	2752	CMD.exe	42
PID 2752 wrote to memory of 2940	2752	CMD.exe	42
PID 2752 wrote to memory of 2940	2752	CMD.exe	42
PID 2752 wrote to memory of 2940	2752	CMD.exe	42
PID 1056 wrote to memory of 2624	1056	feegg.exe	41

C:\Users\Admin\AppData\Local\Temp\10f5aedeb419ff0d609774c51ea2cb50.exe
"C:\Users\Admin\AppData\Local\Temp\10f5aedeb419ff0d609774c51ea2cb50.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1768
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\feegg.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\feegg.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1056
- - C:\Windows\SysWOW64\CMD.exe
    CMD /C RD %TEMP% /S/Q & MKDIR %TEMP%
    3⤵
    PID:2712
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f
    3⤵
    - Adds Run key to start application
    PID:2596
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im msiexec.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2912
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" CMD /C DEL /F /S /Q "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\*.* "
    3⤵
    PID:2408
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" CMD /C DEL /F /S /Q "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.* "
    3⤵
    PID:2624
- - C:\Windows\SysWOW64\sc.exe
    sc delete syshost32
    3⤵
    - Launches sc.exe
    PID:2332
- - C:\Windows\SysWOW64\CMD.exe
    CMD /C %WINDIR%\sysnative\reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2752
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run" /f
    3⤵
    - Adds Run key to start application
    PID:2636
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /f
    3⤵
    PID:2604
- - C:\Windows\SysWOW64\notepad.exe
    "C:\Windows\System32\notepad.exe"
    3⤵
    PID:2056

C:\Windows\system32\reg.exe
C:\Windows\sysnative\reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /f
1⤵
- Adds Run key to start application
PID:2940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\feegg.exe

Filesize
898KB

MD5
4e851b7301a77b1707d69c8f14f92472

SHA1
f46c330e0a5c09f2dbc0dcee09f3991c053d90c2

SHA256
7839d9610426e57732f3c8aaee2c410e56bba0a2035dd6dff6ba51ee45375d1c

SHA512
971a7334ae10db3b23fd31f17edec1a78f78d2cfc0306a49362a4fdce8ea95efd8faf9151d8c761f29f68243a61b2cc4040716fb14d29d9f0ea2094d17dbb7f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\feegg.exe

Filesize
856KB

MD5
1c220014c331fb8c88212c4e9305c0b3

SHA1
a827a6f9ad3469d1a40405544b684addffa0d87e

SHA256
a12c12830b6b39acb45b224d56de635894eb7c36b611bfffaaf97ffeda50ae76

SHA512
47eab4ef063e81208245979de3bbf01a1a78f202d9b482b095842e2cf2f748c55ec0536f315cf50994a633ade2d89376ffaf530298a3cf8c832df09e5c3a9192

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\feegg.exe

Filesize
903KB

MD5
3673e3b785a2277845b3ddf8223d2741

SHA1
58546a276f5ba620f41cc2edd4d3bb7e89c270bb

SHA256
998855d1faf0a37321f7825ecae2d4d7e459db320319c720b98829b40aafcf3b

SHA512
b6618d894113e6663c6e212cadbbe29079b7162d570339b53b71596f7a1a446d292091ab3580996aa6ad0da9a2a9d5c9b9c06094f61551d2451665182f36f1ec

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\feegg.exe

Filesize
741KB

MD5
ba3027ab6cda046fe8d9b76373303305

SHA1
25587ff21d5dcc3065a83f88c1aa204de151ce5b

SHA256
5430504ccce3e7836918e6cfed21b07232c3f335a67a6ad3e878dcb6a41014ac

SHA512
0cd2a73b09766a8c547bbf98612cc62d996b569240d5192c4884eceed8b6a80880209379c4ca7e3b9804e9ad1ae444c04afa343179ce68ba688a54e62937405a

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\feegg.exe

Filesize
2.0MB

MD5
608192937a544c025f7dfff08ab99b0f

SHA1
3049c2e217e8ce181dd11a0fcaf45c55673284fe

SHA256
913b46c1366ae2e5ad78782e9bf20481c0ae73c04a1076057aba4756d3843ad3

SHA512
c653adc963e211f5576ab0bbfa55b1d3687cc392d8164b5ed2b6c83f6af955cdb9a61cf213c6fc626c7c5bc83897870e2fdc823697ce2cea7e204053449b1db6

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\feegg.exe

Filesize
1.4MB

MD5
69ce461d630557ba7f822781171f6787

SHA1
6cf777a8120cce24effe848e977191e6525548f7

SHA256
ab9ab5554922c5bed545a2fd63a4d52995090476c97993f685a4cbd85f113fba

SHA512
08991f53f657eefdc56f7d155024c1dfc053c7f06c682309020a71d2d065878ffb347aa897f408c939cb8567fb6467ba3283d5561809d67aca58c3bc74cfa294

Download Submit