Analysis
-
max time kernel
156s -
max time network
165s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
04/01/2024, 01:20
General
-
Target
ea7c5e1d9a28483eb6c085eb936f2f2adad6b0448abedc7266e249fed0d9c179.exe
-
Size
1.3MB
-
MD5
01ad99f08fdb4dd42784eff14471dc97
-
SHA1
523cfcf75dc1f60847fc0a05b4de69257fe864de
-
SHA256
ea7c5e1d9a28483eb6c085eb936f2f2adad6b0448abedc7266e249fed0d9c179
-
SHA512
a52f11602425bc03882c60f680b7f20a1286a8b99642a0f2fbc206559f422cc7404a2bfe78c82634881d558c84ae3028753bb6940786cf8b648dd7fb35d308b7
-
SSDEEP
12288:KE9B+VnGt/sB1KcYmqgZvAMlUoUjG+YKtMfnkOeZb5JYiNAgAPhs:KE9B7t/sBlDqgZQd6XKtiMJYiPUs
Malware Config
Signatures
-
Executes dropped EXE 22 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in System32 directory 24 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 2 IoCs
-
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies data under HKEY_USERS 5 IoCs
-
Suspicious behavior: LoadsDriver 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 15 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\ea7c5e1d9a28483eb6c085eb936f2f2adad6b0448abedc7266e249fed0d9c179.exe"C:\Users\Admin\AppData\Local\Temp\ea7c5e1d9a28483eb6c085eb936f2f2adad6b0448abedc7266e249fed0d9c179.exe"1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\alg.exeC:\Windows\System32\alg.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"1⤵
- Executes dropped EXE
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"1⤵
- Executes dropped EXE
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"1⤵
- Executes dropped EXE
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exeC:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe1⤵
- Executes dropped EXE
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv1⤵
-
C:\Windows\system32\fxssvc.exeC:\Windows\system32\fxssvc.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\msdtc.exeC:\Windows\System32\msdtc.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exeC:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWow64\perfhost.exeC:\Windows\SysWow64\perfhost.exe1⤵
- Executes dropped EXE
-
C:\Windows\system32\locator.exeC:\Windows\system32\locator.exe1⤵
- Executes dropped EXE
-
C:\Windows\System32\SensorDataService.exeC:\Windows\System32\SensorDataService.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
-
C:\Windows\System32\snmptrap.exeC:\Windows\System32\snmptrap.exe1⤵
- Executes dropped EXE
-
C:\Windows\system32\spectrum.exeC:\Windows\system32\spectrum.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
-
C:\Windows\System32\OpenSSH\ssh-agent.exeC:\Windows\System32\OpenSSH\ssh-agent.exe1⤵
- Executes dropped EXE
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc1⤵
-
C:\Windows\system32\TieringEngineService.exeC:\Windows\system32\TieringEngineService.exe1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\AgentService.exeC:\Windows\system32\AgentService.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Executes dropped EXE
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
- Executes dropped EXE
-
C:\Windows\system32\SearchIndexer.exeC:\Windows\system32\SearchIndexer.exe /Embedding1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.1MB
MD510270e9d458407e83a4afa2f620860ac
SHA1c3cab2d713cb54d620427636abcfdab34be1651a
SHA25646b3401a06b52cd3fdf87b3c78e5d9c955ea859b48a7a828e94a1e29a1def692
SHA51292d8798db3de408ee6c4dbf92c8046213d1d6f0f802cc3f918c556dcc8e60418f541bde010916e9823a5da705d1d357d5c35d37e29d0f1b7a1f35e3bc0a63c9a
-
Filesize
1.4MB
MD57ed144125bbaa6410085f895200347c1
SHA1f54df28379fb87c1bb770bd9ff043b28ae3f116d
SHA256baf9ab7192dfe21255cfcfe904f171b8eeea6a4af53ed318eadd0e2748e18ba1
SHA512daeee562bf824f3adb6abb24e4a743e3d3793b531da1a8507cc25b5d7915a7dacd9739c90dac5f05fbe8918779b82db812462f2a622bf2c6a15b78ada1ff22a6
-
Filesize
1.4MB
MD525a2c1b768e41d93f7ec3f257ef8862f
SHA199ec5a4986297539d54183da7cf190eac5ca980b
SHA2568be177e619c71fb0d89928fe1aa067bb2da5307bf2a778eb79ae79cfe5e2e2d9
SHA51226424ea99e93112fb4352a7f3819bd35beeb1e97c86b739023ee7e4f51a9328889354c175548c1e878db775e60861483f1f601c1095251c755ad90d5f868b99e
-
Filesize
2.1MB
MD5dd91ef68df139134b7b856719b11bcc5
SHA1e770ebd2f00e0946e753d7f682f14c1f8e4b76ea
SHA256afed6dc5fbcf3e217ea1e09c9a2224d3c019b55c00e05702591f623c19477a86
SHA5124ff72a27f7f3d382b8396c6877861d7bcd791ebdad5fed8fdd6eaee214969086a4a87d28554ef86ce8322c076b82573f628153c99ae4a417c5abd0bea1aba9fc
-
Filesize
1.2MB
MD5318bd2e62ab654528925993e3c515f76
SHA1c013025e1ba57d90fd4dfe01f4dc56e02fb278de
SHA256fa044d5f84766c3136ef19fee9babfb47cc348a6fe7beadd4cf3e23bbad5b73a
SHA51270166451098e564baf64209bbb7c79fde2674757cad5cf2e10c25844fbd6b133b6fdc76e49aeb22c161723bd859a941ff21c25a0a7a801690459f719969e018f
-
Filesize
1.7MB
MD5c68fe945d7cc0d41bd5ad532b9210a77
SHA1fc61a1469475a59b2e0c9aa3bfd048a0f230e373
SHA2566eaaae692ba3c67cc30166421546b87b9b33fbe43d0e5b340f575c8a2e146123
SHA512c664f1705d117c10f0bf5e2cf874c8f1b7121b0bbb7f1409f79d9ab4a10a7bd100909db8eb43ff45de9ed92a32825838ff30c4bc66f7f1bb65972319db48119c
-
Filesize
1.3MB
MD56326bc66488f90c992daa9c34b436d92
SHA1ef4719f8911a8fbecabdd3ed51826850b2d1df21
SHA256954fce28ed76aec14acf6f0281a3c7aba9d7f48eb5e09cc7fbc68a8e6f00ee0a
SHA512874b5d2ae6dbf989b5a9797569a02c35426d56393245024ff3d73ad49f8f9d0d6e1b4b58d10adb4c2029ccbcbff7476d4f8ae43c4a193514a0c61d6cdc7469f3
-
Filesize
1.2MB
MD5141297cb0272c16f0531addda64de114
SHA102ea6c10f01db6465f0cde310f9dfeebd9299ecd
SHA256f3d7be77960e02d71cf429690b381b382555cb1fba4fb1e1e2b536defc43e6af
SHA512f3c4183cd478154fd6478f56df0879e2da2224acff784934e000f6e96e586d26189c68da81df36e1684b3304ec8975540bc3235dc6ac22e0bcf0c054baab0d47
-
Filesize
1.2MB
MD54103b96ef4aec18af12908e2b701e6b3
SHA1dee40365b3a4d92dfb5fa909120183746464892a
SHA25625573028b7b8dffb5462912829587ff98840022094c1b6d81dfc520eecc3dfe8
SHA51240c7ed1b7491a11bbd25b9b603bbe5a47800dd405456ca585a816038594de8b9179159613ed11003e6d432b5245346b8b8eab30bf004643bbecad8bffe99b7ed
-
Filesize
1.5MB
MD5cd47f7639b3c23bd8eb830352e374ba1
SHA1dfc5bdf69e6a8c3142d1a82274fb6087419ac654
SHA256ac82b9d80ad69758b992c741312aeea0c55c02e48ce4006434c14d1f54e06e57
SHA512a853f34cf43cb6a48163eb408c28e455782d1c746f69a4a5fc2b7e2f00a2c1d71e364de4521ede278f95fdefa6dd69aaf626edc09ea5ea1522ff77b12149d138
-
Filesize
1.3MB
MD5b349d90bce94574a4185434cab578ac2
SHA1b50935205b15c5bff11483cb371e27aebd7e99c4
SHA256e35b9f10adaba35048b172676759fd23e5c1a75e8488508edb41e0c1d46bd263
SHA5121b9a30d0679b0c8f90108de34d28c923c1112129b9e4ba5b56cb52a040a88e92739a0c58d47ad950cbc71661ca7b3d72b370001bf6612f5afa79a1db23b8bbd7
-
Filesize
1.4MB
MD56fce236ad789ad8ac94247847c7d4746
SHA1aedd39767518b4b566a7ece544c107c528be63fb
SHA256890d83b40e4d70e0df5e94fb8274dbc22bc757b149e181ca4ffa466d53d45831
SHA5125f677bafef8f1b0347693c87fb7589b8a207e4fd4478f9faecf2ab157efb2249e6ad1ba6cbcdef53cabee6a0f81dd94ec55eca9e402136b41c201012728462e9
-
Filesize
1.8MB
MD5ec754f329a467a951b991179c12048ff
SHA133e509890fb1e6779d24a8f0ded23495e5a0e0b5
SHA256cb8fdab99e77f2796d17569d4bf2663974867e4fc98d8fe7668393bc4719ef31
SHA512b6ca592dd95fc10a7f2434c377d1ae09e6d13e3069395c7313cf084ec6aac0844af5c76bb66a16040d63b1ff07474a13fa9013cb702eaf84f02249e03b3ac566
-
Filesize
1.4MB
MD5004fd9dd2139405b0802a521ac32a86f
SHA14df5be028216fd70d92722653c04c770d0ef187d
SHA256ef2bf12da1e6a651f73483faa4497c5d24658b3524f730d7a88eb9cb211b11a5
SHA51262cf1ce41681a8cc05b0612490659c5c746a35ac9ddb8250ccb89dd38e9a8e412e8b2c668ab288e00b134aeaebab44ea160b4dbca82bddc52348ed2440b00ea5
-
Filesize
1.5MB
MD59180cbdde03f6755669df48650d4caa1
SHA1e7aa8693481471f09f6a6cc3e47092f0f5a351a7
SHA256a750549ec0a430fbec6ab9a76365ba58989e9bac84162223b018413590cd02a7
SHA5124f53b5dd70965a741875a78383073cec12fba3a5c55391a747df89c0884243f651b8a74b859ac1dce1898952e7424ea6c8b9106677b1688cff33a5700f80e5d3
-
Filesize
2.0MB
MD5c3a01e7e8bbb9c224d0a3ff94e227ddd
SHA157915e98359b1a88dd8605ecba61314896b13e54
SHA256c04513b6833e8ca3ed171caa61ad3331f2397ffdeecc7eeb23721eb49c7b4ba5
SHA5120e930211daef1385c67a208a041dc027f401055b9240592579cdce96987f0293cbf7588f9282bd200422e4396abb0ece0abb50cefd055d5feb4bfc90a0768f89
-
Filesize
1.3MB
MD565034a086de4e9bd8576b3c8170c9004
SHA1e51241bca666cce02896fff28e89e0649d0b714c
SHA256cb055beb6eddb00a9a4cc24a541946c757e8e8d11f5389b1d6fa5fcb65e0cc49
SHA5123b21b917af07924008b5af5418c265600cf0f7cd99272462147fea94793b5a4cf82fc9390fa1056c14fb69c77a1b970a33b4e74c17467ada0ce76481435c84cb
-
Filesize
1.3MB
MD59792d4be711365325eeeb4788acc6bce
SHA1e5c7a77a9408355920bf72a90fbe804ae3ed3fa2
SHA256402f9f7c552a7e0135292bfcf080a6516c8507a4dce7bc36f0eac344139f972c
SHA512f5b208550d3b92f82eed40857deb5879f05e92e22beb105dca124894366655f5364a3a3309e3ca0eafb6e6dcd88218deb4460daa65c97b47ad985dde5870c858
-
Filesize
1.2MB
MD57e599fa7efcb6c04d8aa4fc7e6df383a
SHA132c4f72196b49f64191f48aee431e36bc4eb9ee2
SHA2566e7817c639b712376a8af5b694c1080f9fcafff7ed6364e6b7f16617d3866306
SHA5120125cb2a1d2102bf737f331a37f4e057f743ba083ad3fd9ba39fde7ef805e7808e9d3d814c6237a341d7080d95d50ba4e9dc1d3693d7215ba5792e8d219b7b34
-
Filesize
1.3MB
MD5cd85ab6a2adca358cc975df8d009d505
SHA140212b8d2495234e96d60ded576bfa978e2c8600
SHA256250497065f1129c646c6134a7406e2b040d491c23a306738cdcd0a18d05a61b2
SHA5125475d1d00bccbfb1767af7465bcf28a5554ba3ff4a989496abc2270548b0938dcf36f73783c5e485a1960dc3c5d1924ecc1c62d035eea1f8ddc3a2b2c9453019
-
Filesize
1.2MB
MD58ffc886e077ee64240d86ed4e075293c
SHA112e37ee96ee4c6d18c006a1ef26d5a06776508ee
SHA256f69ec1e8c232c9094cd70bd685da2e619f5184ed32c6fc22f655acbe4adedfb2
SHA5120186e646bf1acc3a130986d5bc965155cb11ced58b18560a6ab15b4cc9b941780e30049f321cdb2116063bf93ee6c4205fb0e5a0476379d579bcc613de9d4457
-
Filesize
2.1MB
MD5495704e7bb9d686f526bb215045db2d7
SHA107ad654f2b31a1eb4bcf2d111c7e5cc8580dff10
SHA256714f51bf3b38712b4469833aacb1312bef43414c1d1db9b975fb7f36933cbc68
SHA512515a942f40dc8b8c9a574bd7245b6e03f89d3664b6c3dcf0016b64dbdf1cf665a4fd50f4e5ac3ea40505a6a9e6293dc992fec6f26cf5f3c9c3d4c292e90c6124
-
Filesize
2.0MB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
1.3MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
1.8MB
-
Filesize
1.8MB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
2.2MB
-
Filesize
384KB
-
Filesize
2.2MB
-
Filesize
384KB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
384KB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
1.2MB
-
Filesize
384KB
-
Filesize
1.2MB
-
Filesize
1.3MB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
1.3MB
-
Filesize
1.5MB
-
Filesize
384KB
-
Filesize
1.5MB
-
Filesize
1.4MB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
1.4MB
-
Filesize
1.3MB
-
Filesize
412KB
-
Filesize
412KB
-
Filesize
412KB
-
Filesize
1.3MB
-
Filesize
1.4MB
-
Filesize
384KB
-
Filesize
1.4MB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
2.1MB
-
Filesize
384KB
-
Filesize
412KB
-
Filesize
412KB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
384KB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
384KB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.3MB
-
Filesize
384KB
-
Filesize
1.3MB
-
Filesize
1.8MB
-
Filesize
1.8MB
-
Filesize
384KB
-
Filesize
1.4MB
-
Filesize
384KB