00ad93f82013b54f470279f04b06705e99abf53b4de0a6d763d6063406bb8d64

Analysis

max time kernel
142s
max time network
126s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
31/12/2023, 13:17

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

37a69c99ac0916b33292b1cce15bf8c9.exe
Size

677KB
MD5

37a69c99ac0916b33292b1cce15bf8c9
SHA1

1a9733ff27409f1068690dda6dc558912b4723d8
SHA256

00ad93f82013b54f470279f04b06705e99abf53b4de0a6d763d6063406bb8d64
SHA512

dad516d40ed656f786f29e4e145750e59e7643858130195365b4c4a47c0010ca56174349e3fad083d60477aa93c3b6c7dfa7cfa54bbbbfc6bb52402e5d43e896
SSDEEP

12288:vT2bUQuLSiZbbSoCU5qJSr1eWPUntBB0sP0MugCAjHUzTshJ:vT2bUjSi1SoCU5qJSr1eWPSCsP0MugC0

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1300	37a69c99ac0916b33292b1cce15bf8c9.usa
1224	Process not Found

Loads dropped DLL 2 IoCs

pid	Process
2456	37a69c99ac0916b33292b1cce15bf8c9.exe
2456	37a69c99ac0916b33292b1cce15bf8c9.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\UsaShohdi.asu	37a69c99ac0916b33292b1cce15bf8c9.exe
File opened for modification	C:\Windows\SysWOW64\UsaShohdi.asu	37a69c99ac0916b33292b1cce15bf8c9.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	\??\c:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe	37a69c99ac0916b33292b1cce15bf8c9.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\CLVIEW.EXE	37a69c99ac0916b33292b1cce15bf8c9.exe
File created	\??\c:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe	37a69c99ac0916b33292b1cce15bf8c9.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\misc.exe	37a69c99ac0916b33292b1cce15bf8c9.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\MSTORDB.EXE	37a69c99ac0916b33292b1cce15bf8c9.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\MSTORDB.usa	37a69c99ac0916b33292b1cce15bf8c9.exe
File created	\??\c:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	37a69c99ac0916b33292b1cce15bf8c9.exe
File created	\??\c:\Program Files\Microsoft Games\Multiplayer\Spades\shvlzm.exe	37a69c99ac0916b33292b1cce15bf8c9.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.usa	37a69c99ac0916b33292b1cce15bf8c9.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\PPTICO.usa	37a69c99ac0916b33292b1cce15bf8c9.exe
File created	\??\c:\Program Files\Microsoft Games\FreeCell\FreeCell.exe	37a69c99ac0916b33292b1cce15bf8c9.exe
File created	\??\c:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe	37a69c99ac0916b33292b1cce15bf8c9.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.usa	37a69c99ac0916b33292b1cce15bf8c9.exe
File created	\??\c:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	37a69c99ac0916b33292b1cce15bf8c9.exe
File created	\??\c:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	37a69c99ac0916b33292b1cce15bf8c9.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\MSTORE.usa	37a69c99ac0916b33292b1cce15bf8c9.exe
File created	\??\c:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	37a69c99ac0916b33292b1cce15bf8c9.exe
File created	\??\c:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe	37a69c99ac0916b33292b1cce15bf8c9.exe
File opened for modification	\??\c:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaire.usa	37a69c99ac0916b33292b1cce15bf8c9.exe
File created	\??\c:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE	37a69c99ac0916b33292b1cce15bf8c9.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE	37a69c99ac0916b33292b1cce15bf8c9.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\VPREVIEW.usa	37a69c99ac0916b33292b1cce15bf8c9.exe
File created	\??\c:\Program Files\Google\Chrome\Application\chrome.exe	37a69c99ac0916b33292b1cce15bf8c9.exe
File created	\??\c:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaire.exe	37a69c99ac0916b33292b1cce15bf8c9.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.usa	37a69c99ac0916b33292b1cce15bf8c9.exe
File opened for modification	\??\c:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.usa	37a69c99ac0916b33292b1cce15bf8c9.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE	37a69c99ac0916b33292b1cce15bf8c9.exe
File created	\??\c:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	37a69c99ac0916b33292b1cce15bf8c9.exe
File created	\??\c:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	37a69c99ac0916b33292b1cce15bf8c9.exe
File created	\??\c:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE	37a69c99ac0916b33292b1cce15bf8c9.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\CNFNOT32.EXE	37a69c99ac0916b33292b1cce15bf8c9.exe
File opened for modification	\??\c:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.usa	37a69c99ac0916b33292b1cce15bf8c9.exe
File created	\??\c:\Program Files\Java\jre7\bin\jp2launcher.exe	37a69c99ac0916b33292b1cce15bf8c9.exe
File created	\??\c:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe	37a69c99ac0916b33292b1cce15bf8c9.exe
File opened for modification	\??\c:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.usa	37a69c99ac0916b33292b1cce15bf8c9.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\SETLANG.usa	37a69c99ac0916b33292b1cce15bf8c9.exe
File created	\??\c:\Program Files\Java\jre7\bin\javaw.exe	37a69c99ac0916b33292b1cce15bf8c9.exe
File created	\??\c:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	37a69c99ac0916b33292b1cce15bf8c9.exe
File opened for modification	\??\c:\Program Files\Java\jre7\bin\javaw.usa	37a69c99ac0916b33292b1cce15bf8c9.exe
File created	\??\c:\Program Files\Mozilla Firefox\crashreporter.exe	37a69c99ac0916b33292b1cce15bf8c9.exe
File opened for modification	\??\c:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.usa	37a69c99ac0916b33292b1cce15bf8c9.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\MSQRY32.EXE	37a69c99ac0916b33292b1cce15bf8c9.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\SETLANG.EXE	37a69c99ac0916b33292b1cce15bf8c9.exe
File opened for modification	\??\c:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.usa	37a69c99ac0916b33292b1cce15bf8c9.exe
File created	\??\c:\Program Files\Microsoft Games\Hearts\Hearts.exe	37a69c99ac0916b33292b1cce15bf8c9.exe
File opened for modification	\??\c:\Program Files\Microsoft Games\Solitaire\Solitaire.usa	37a69c99ac0916b33292b1cce15bf8c9.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.usa	37a69c99ac0916b33292b1cce15bf8c9.exe
File created	\??\c:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE	37a69c99ac0916b33292b1cce15bf8c9.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\SCANPST.EXE	37a69c99ac0916b33292b1cce15bf8c9.exe
File opened for modification	\??\c:\Program Files\Java\jre7\bin\javaws.usa	37a69c99ac0916b33292b1cce15bf8c9.exe
File created	\??\c:\Program Files\Microsoft Games\Multiplayer\Checkers\chkrzm.exe	37a69c99ac0916b33292b1cce15bf8c9.exe
File opened for modification	\??\c:\Program Files\Google\Chrome\Application\chrome_proxy.usa	37a69c99ac0916b33292b1cce15bf8c9.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\bin\javaws.usa	37a69c99ac0916b33292b1cce15bf8c9.exe
File opened for modification	\??\c:\Program Files\Microsoft Games\Minesweeper\MineSweeper.usa	37a69c99ac0916b33292b1cce15bf8c9.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\uninstall\helper.usa	37a69c99ac0916b33292b1cce15bf8c9.exe
File created	\??\c:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE	37a69c99ac0916b33292b1cce15bf8c9.exe
File created	\??\c:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe	37a69c99ac0916b33292b1cce15bf8c9.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\INFOPATH.EXE	37a69c99ac0916b33292b1cce15bf8c9.exe
File created	\??\c:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE	37a69c99ac0916b33292b1cce15bf8c9.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.usa	37a69c99ac0916b33292b1cce15bf8c9.exe
File created	\??\c:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe	37a69c99ac0916b33292b1cce15bf8c9.exe
File opened for modification	\??\c:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.usa	37a69c99ac0916b33292b1cce15bf8c9.exe
File created	\??\c:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	37a69c99ac0916b33292b1cce15bf8c9.exe
File opened for modification	\??\c:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.usa	37a69c99ac0916b33292b1cce15bf8c9.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2456 wrote to memory of 1300	2456	37a69c99ac0916b33292b1cce15bf8c9.exe	28
PID 2456 wrote to memory of 1300	2456	37a69c99ac0916b33292b1cce15bf8c9.exe	28
PID 2456 wrote to memory of 1300	2456	37a69c99ac0916b33292b1cce15bf8c9.exe	28
PID 2456 wrote to memory of 1300	2456	37a69c99ac0916b33292b1cce15bf8c9.exe	28

C:\Users\Admin\AppData\Local\Temp\37a69c99ac0916b33292b1cce15bf8c9.exe
"C:\Users\Admin\AppData\Local\Temp\37a69c99ac0916b33292b1cce15bf8c9.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2456
- C:\Users\Admin\AppData\Local\Temp\37a69c99ac0916b33292b1cce15bf8c9.usa
  C:\Users\Admin\AppData\Local\Temp\37a69c99ac0916b33292b1cce15bf8c9.usa
  2⤵
  - Executes dropped EXE
  PID:1300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
1.6MB

MD5
736d89252fd83d7eed341ed314e9e343

SHA1
9306d4e40e89ca8882794de19d77559f6fb07ddd

SHA256
eda5ee07b1cb34f9c4464aabd58e30706d1206a894a7707937190db15433cc43

SHA512
92a80c08c7013406e9b4302493522704c2a7e0580af8cd397ebef048c963b30736f80276f42f292bdc7393353e232af064534466c52a5c8f20f45c6672be4a84

Download Submit
C:\Windows\SysWOW64\UsaShohdi.asu

Filesize
677KB

MD5
37a69c99ac0916b33292b1cce15bf8c9

SHA1
1a9733ff27409f1068690dda6dc558912b4723d8

SHA256
00ad93f82013b54f470279f04b06705e99abf53b4de0a6d763d6063406bb8d64

SHA512
dad516d40ed656f786f29e4e145750e59e7643858130195365b4c4a47c0010ca56174349e3fad083d60477aa93c3b6c7dfa7cfa54bbbbfc6bb52402e5d43e896

Download Submit
\Users\Admin\AppData\Local\Temp\37a69c99ac0916b33292b1cce15bf8c9.usa

Filesize
574KB

MD5
6503efe0a01c2d50c97be27f3cb10a43

SHA1
a0cb3708603a18f02352d01ec672020e5bad5073

SHA256
0cf9864ae3a8679ed503f954a453452c93fa44f99ca6f39bbc5860abde7fd35e

SHA512
ebdbc553ba4348676fd3f2ca12e48af53a229b449a36e653dbfca90efb34d21033e41d1157dcca28c2b1e5f91368c0839298992247cf7d2e8feca5feab8ecea4

Download Submit