8644b5a1ecf282da0e8ad4ff465e7026c26f6d3266f56e71b53e7ea776b03e7f

Analysis

max time kernel
151s
max time network
131s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
31-12-2023 02:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

24fff70f83197065cfd011efcb18c471.exe
Size

3.3MB
MD5

24fff70f83197065cfd011efcb18c471
SHA1

aa7b959d9e71455c062c4d1c1d2069706c878e8a
SHA256

8644b5a1ecf282da0e8ad4ff465e7026c26f6d3266f56e71b53e7ea776b03e7f
SHA512

e39326653006966e3c5e274aa56d65cc3fc18ee6cd3f7e60083548f16b8ea9cea3809a925484d5615971f9c69f94e99b4c84176683446304c103a5ecc8a95109
SSDEEP

98304:7RS6nfSOQZOt+CW+7EELhF3gxpNOf2k2Y/l:7kj8NBFwxpNOuk2w

Score

8^/10

evasion spyware stealer

Malware Config

Signatures

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Deletes itself 1 IoCs

pid	Process
2716	pJJ3Hwa5a2416H.exe

Executes dropped EXE 2 IoCs

pid	Process
2716	pJJ3Hwa5a2416H.exe
1276	Process not Found

Loads dropped DLL 2 IoCs

pid	Process
1724	24fff70f83197065cfd011efcb18c471.exe
1276	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1876	sc.exe
2340	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1724	24fff70f83197065cfd011efcb18c471.exe
2716	pJJ3Hwa5a2416H.exe
2716	pJJ3Hwa5a2416H.exe
2716	pJJ3Hwa5a2416H.exe
2716	pJJ3Hwa5a2416H.exe
2716	pJJ3Hwa5a2416H.exe
2716	pJJ3Hwa5a2416H.exe
2716	pJJ3Hwa5a2416H.exe
2716	pJJ3Hwa5a2416H.exe
2716	pJJ3Hwa5a2416H.exe
2716	pJJ3Hwa5a2416H.exe
2716	pJJ3Hwa5a2416H.exe
2716	pJJ3Hwa5a2416H.exe
2716	pJJ3Hwa5a2416H.exe
2716	pJJ3Hwa5a2416H.exe
2716	pJJ3Hwa5a2416H.exe
2716	pJJ3Hwa5a2416H.exe
2716	pJJ3Hwa5a2416H.exe
2716	pJJ3Hwa5a2416H.exe
2716	pJJ3Hwa5a2416H.exe
2716	pJJ3Hwa5a2416H.exe
2716	pJJ3Hwa5a2416H.exe
2716	pJJ3Hwa5a2416H.exe
2716	pJJ3Hwa5a2416H.exe
2716	pJJ3Hwa5a2416H.exe
2716	pJJ3Hwa5a2416H.exe
2716	pJJ3Hwa5a2416H.exe
2716	pJJ3Hwa5a2416H.exe
2716	pJJ3Hwa5a2416H.exe
2716	pJJ3Hwa5a2416H.exe
2716	pJJ3Hwa5a2416H.exe
2716	pJJ3Hwa5a2416H.exe
2716	pJJ3Hwa5a2416H.exe
2716	pJJ3Hwa5a2416H.exe
2716	pJJ3Hwa5a2416H.exe
2716	pJJ3Hwa5a2416H.exe
2716	pJJ3Hwa5a2416H.exe
2716	pJJ3Hwa5a2416H.exe
2716	pJJ3Hwa5a2416H.exe
2716	pJJ3Hwa5a2416H.exe
2716	pJJ3Hwa5a2416H.exe
2716	pJJ3Hwa5a2416H.exe
2716	pJJ3Hwa5a2416H.exe
2716	pJJ3Hwa5a2416H.exe
2716	pJJ3Hwa5a2416H.exe
2716	pJJ3Hwa5a2416H.exe
2716	pJJ3Hwa5a2416H.exe
2716	pJJ3Hwa5a2416H.exe
2716	pJJ3Hwa5a2416H.exe
2716	pJJ3Hwa5a2416H.exe
2716	pJJ3Hwa5a2416H.exe
2716	pJJ3Hwa5a2416H.exe
2716	pJJ3Hwa5a2416H.exe
2716	pJJ3Hwa5a2416H.exe
2716	pJJ3Hwa5a2416H.exe
2716	pJJ3Hwa5a2416H.exe
2716	pJJ3Hwa5a2416H.exe
2716	pJJ3Hwa5a2416H.exe
2716	pJJ3Hwa5a2416H.exe
2716	pJJ3Hwa5a2416H.exe
2716	pJJ3Hwa5a2416H.exe
2716	pJJ3Hwa5a2416H.exe
2716	pJJ3Hwa5a2416H.exe
2716	pJJ3Hwa5a2416H.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1724	24fff70f83197065cfd011efcb18c471.exe
Token: SeDebugPrivilege	2716	pJJ3Hwa5a2416H.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1724 wrote to memory of 2716	1724	24fff70f83197065cfd011efcb18c471.exe	28
PID 1724 wrote to memory of 2716	1724	24fff70f83197065cfd011efcb18c471.exe	28
PID 1724 wrote to memory of 2716	1724	24fff70f83197065cfd011efcb18c471.exe	28
PID 2716 wrote to memory of 1396	2716	pJJ3Hwa5a2416H.exe	32
PID 2716 wrote to memory of 1396	2716	pJJ3Hwa5a2416H.exe	32
PID 2716 wrote to memory of 1396	2716	pJJ3Hwa5a2416H.exe	32
PID 1396 wrote to memory of 2340	1396	cmd.exe	31
PID 1396 wrote to memory of 2340	1396	cmd.exe	31
PID 1396 wrote to memory of 2340	1396	cmd.exe	31
PID 1396 wrote to memory of 1876	1396	cmd.exe	30
PID 1396 wrote to memory of 1876	1396	cmd.exe	30
PID 1396 wrote to memory of 1876	1396	cmd.exe	30

C:\Users\Admin\AppData\Local\Temp\24fff70f83197065cfd011efcb18c471.exe
"C:\Users\Admin\AppData\Local\Temp\24fff70f83197065cfd011efcb18c471.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1724
- C:\Users\Admin\AppData\Local\Temp\pJJ3Hwa5a2416H.exe
  "C:\Users\Admin\AppData\Local\Temp\pJJ3Hwa5a2416H.exe" QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxUZW1wXDI0ZmZmNzBmODMxOTcwNjVjZmQwMTFlZmNiMThjNDcxLmV4ZQ==
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2716
- - C:\Windows\system32\cmd.exe
    "cmd.exe" /C sc stop "SysMain" & sc config "SysMain" start=disabled
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1396

C:\Windows\system32\sc.exe
sc config "SysMain" start=disabled
1⤵
- Launches sc.exe
PID:1876

C:\Windows\system32\sc.exe
sc stop "SysMain"
1⤵
- Launches sc.exe
PID:2340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1724-6-0x0000000000780000-0x0000000000784000-memory.dmp

Filesize
16KB

Download
memory/1724-1-0x000007FEF6060000-0x000007FEF6A4C000-memory.dmp

Filesize
9.9MB

Download
memory/1724-2-0x000000001BFF0000-0x000000001C2E0000-memory.dmp

Filesize
2.9MB

Download
memory/1724-3-0x000000001AE90000-0x000000001AF10000-memory.dmp

Filesize
512KB

Download
memory/1724-4-0x00000000006D0000-0x0000000000700000-memory.dmp

Filesize
192KB

Download
memory/1724-5-0x000000001CE10000-0x000000001D248000-memory.dmp

Filesize
4.2MB

Download
memory/1724-22-0x000007FEF6060000-0x000007FEF6A4C000-memory.dmp

Filesize
9.9MB

Download
memory/1724-7-0x00000000021D0000-0x00000000021D6000-memory.dmp

Filesize
24KB

Download
memory/1724-8-0x000000001AD90000-0x000000001AE2C000-memory.dmp

Filesize
624KB

Download
memory/1724-9-0x00000000021E0000-0x00000000021E6000-memory.dmp

Filesize
24KB

Download
memory/1724-10-0x00000000022A0000-0x00000000022D2000-memory.dmp

Filesize
200KB

Download
memory/1724-11-0x00000000022D0000-0x00000000022D4000-memory.dmp

Filesize
16KB

Download
memory/1724-0-0x000000013F890000-0x000000013FBB4000-memory.dmp

Filesize
3.1MB

Download
memory/2716-20-0x000000013FA50000-0x000000013FD74000-memory.dmp

Filesize
3.1MB

Download
memory/2716-21-0x000007FEF6060000-0x000007FEF6A4C000-memory.dmp

Filesize
9.9MB

Download
memory/2716-23-0x000000001BD10000-0x000000001BD90000-memory.dmp

Filesize
512KB

Download
memory/2716-24-0x000000001AE00000-0x000000001AE72000-memory.dmp

Filesize
456KB

Download
memory/2716-25-0x00000000008C0000-0x00000000008C6000-memory.dmp

Filesize
24KB

Download
memory/2716-27-0x00000000008E0000-0x00000000008EA000-memory.dmp

Filesize
40KB

Download
memory/2716-26-0x00000000008E0000-0x00000000008EA000-memory.dmp

Filesize
40KB

Download
memory/2716-30-0x000000001BD10000-0x000000001BD90000-memory.dmp

Filesize
512KB

Download
memory/2716-31-0x000007FEF6060000-0x000007FEF6A4C000-memory.dmp

Filesize
9.9MB

Download
memory/2716-33-0x00000000008E0000-0x00000000008EA000-memory.dmp

Filesize
40KB

Download
memory/2716-32-0x00000000008E0000-0x00000000008EA000-memory.dmp

Filesize
40KB

Download
memory/2716-34-0x000000001BD10000-0x000000001BD90000-memory.dmp

Filesize
512KB

Download