Overview

overview

10

Static

static

3

a87755c0f9...0d.exe

windows7-x64

10

a87755c0f9...0d.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    143s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    04/01/2024, 13:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a87755c0f943036da660fcb4d94ef20d.exe

  • Size

    6.2MB

  • MD5

    a87755c0f943036da660fcb4d94ef20d

  • SHA1

    cf65049b306a732b4c6c931aa0a348ac55247ffb

  • SHA256

    b74b718bc7d748634e8522ee94e83bf48ca66942c9f8bf88252d908910982fdd

  • SHA512

    0978c37f36ae8d0c9b5efa87f3eeb865d4f31e6bd941a3d147532d5d141aaf60f86d8dbadbed019e8660d2501defb7a667d1ccbf97d9545e225542cb8055d45a

  • SSDEEP

    98304:Rdsae+qCYEe8Nu5/e+Nb9VE7yfmfoQXIC5cfkP93FvTARvXKnqN8ygsAHf:RmGs5/eIBO7yuoY5cEbTQCna8y6Hf

Score
10/10
googlecollectiondiscoveryevasionpersistencephishingspywarestealertrojan

Malware Config

Signatures

  • Detected google phishing page
    phishinggoogle
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 7 IoCs
    evasiontrojan
  • Drops startup file 1 IoCs
  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 20 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Adds Run key to start application 2 TTPs 6 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
    adwarespyware
  • Modifies system certificate store 2 TTPs 6 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 6 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 15 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a87755c0f943036da660fcb4d94ef20d.exe
    "C:\Users\Admin\AppData\Local\Temp\a87755c0f943036da660fcb4d94ef20d.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1620
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qY1DD17.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qY1DD17.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2112
  • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2600 CREDAT:275457 /prefetch:2
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of SetWindowsHookEx
    PID:2632
  • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2608 CREDAT:275457 /prefetch:2
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of SetWindowsHookEx
    PID:2540
  • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2808 CREDAT:275457 /prefetch:2
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of SetWindowsHookEx
    PID:2684
  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" Get-MpPreference -verbose
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:1900
  • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2pT6449.exe
    C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2pT6449.exe
    1⤵
    • Modifies Windows Defender Real-time Protection settings
    • Drops startup file
    • Executes dropped EXE
    • Loads dropped DLL
    • Windows security modification
    • Accesses Microsoft Outlook profiles
    • Adds Run key to start application
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • outlook_office_path
    • outlook_win_path
    PID:2308
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
      2⤵
        PID:2488
      • C:\Windows\SysWOW64\cmd.exe
        "cmd.exe" /c schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
        2⤵
          PID:2836
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2308 -s 2456
          2⤵
          • Loads dropped DLL
          • Program crash
          PID:1508
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" https://www.youtube.com/
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        PID:2608
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
        1⤵
        • Creates scheduled task(s)
        PID:868
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
        1⤵
        • Creates scheduled task(s)
        PID:2504
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" https://facebook.com/login
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2808
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" https://accounts.google.com/
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        PID:2600
      • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Ca24oY6.exe
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Ca24oY6.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:992
      • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Bj0im78.exe
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Bj0im78.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:940
      • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qV0gt70.exe
        C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qV0gt70.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:592
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\UU4ap64.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\UU4ap64.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:2068

      Network

      MITRE ATT&CK Enterprise v15

      Reconnaissance

      Resource Development

      Initial Access

      Execution

      Scheduled Task/Job

      1
      T1053

      Persistence

      Boot or Logon Autostart Execution

      1
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Create or Modify System Process

      1
      T1543

      Windows Service

      1
      T1543.003

      Scheduled Task/Job

      1
      T1053

      Privilege Escalation

      Boot or Logon Autostart Execution

      1
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Create or Modify System Process

      1
      T1543

      Windows Service

      1
      T1543.003

      Scheduled Task/Job

      1
      T1053

      Defense Evasion

      Impair Defenses

      2
      T1562

      Disable or Modify Tools

      2
      T1562.001

      Modify Registry

      5
      T1112

      Subvert Trust Controls

      1
      T1553

      Install Root Certificate

      1
      T1553.004

      Credential Access

      Unsecured Credentials

      1
      T1552

      Credentials In Files

      1
      T1552.001

      Discovery

      Query Registry

      1
      T1012

      System Information Discovery

      1
      T1082

      Lateral Movement

      Collection

      Data from Local System

      1
      T1005

      Email Collection

      1
      T1114

      Command and Control

      Exfiltration

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
        Filesize

        344B

        MD5

        d7f4c0842691f08ab874b710814a90af

        SHA1

        4514813fe64aba947d48d491376d98d9723f14cb

        SHA256

        c4f8a3f7855fe14bb2c791c4f255d31fa9de43c0b3fb8184e64f6ccf700bb724

        SHA512

        eec59d131fd91782bb017812a97108e99c818b210fc34da39a657fcb0bef373d8945525e11a1abc20aad456bf85f146f9ff62767d025cb40730b2c8a69eb06c2

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
        Filesize

        344B

        MD5

        e0b619de7a8472b98eb354aeaf2ac786

        SHA1

        b4c701784ac50e70f59c75f2c65d041ba2b581ec

        SHA256

        249ddfe65656d8f7b91b0cb8bb2e59ccf4de348b74063c6de021a9913301b025

        SHA512

        5279e4f1dce01eb89f4c8cb06ccc533c7a05ea46b0972787d2bf362a4cd728d787f29114a5d1c27a275b0e283720b91061af13d5604ab7f22cf1c92c3915cee2

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
        Filesize

        344B

        MD5

        5c0f9434968989ad0ccdacdd2e8f1237

        SHA1

        21a9bb5a772e93890fceeaf479a939357e243f5d

        SHA256

        662e8f4c98aad98968c1682887735567617b4bd95e318c0003c7414f23c0ae29

        SHA512

        db24fe7b51134579317f90f33dbdbc73f41083b47457bdaacf073a0cc2d2b020bb36141cfc6553e48d84090eca0071447db18e90ad8547c88a3e6a0676541218

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
        Filesize

        344B

        MD5

        21b2d463ada6fa924e2d8f9e93f77042

        SHA1

        30dfdb804824a4c6d99d037bbcf875949dbc088d

        SHA256

        b6f8159033e9102ac66a341fff5ca9985bdf54fc7a57925b1032a68bc131ae74

        SHA512

        58e91c007f5d50cf5339f25e2600e99989ebbaa498ced452c8688fa045d28c1bfec19020bcd50e24fed2dc113411404f728c9ed53af1c7fec05220bc80e25a68

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
        Filesize

        344B

        MD5

        3b07ba2fa6c6ef7da310421efb3284a4

        SHA1

        7015953565a02c2aed2eec0f980dfec43c185331

        SHA256

        356678142eac1fdb78b9cf560ddf9a600a10a5c03213ce8a3eae5f96931bd5dc

        SHA512

        ecf73ade394d215532694135cba1937216c96be1b2e2513b3dbb2a1588fba3d3afaac9485b49f2a9ac161c21f38f6cf0c66303f43978648acac5d769cc094ad5

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qY1DD17.exe
        Filesize

        893KB

        MD5

        294a07bae296e86b3f21c3e506fe54ef

        SHA1

        8c6c9a292497ced291ea6d06c40c244bc5e25ebe

        SHA256

        283f6b2e5e21237516030df8eee135175339605860fb34104eb29b66590345ff

        SHA512

        d6c0346b34765a7e3dbc3d517bd0619f59f3ab39773dbae320e2eb4e5f26182321dea74ee7458dbfd9147b63ebcb4eb35788840b43e4a20e1702bc14695cca03

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qY1DD17.exe
        Filesize

        381KB

        MD5

        b9904008113c46fd9419856c227baae4

        SHA1

        e00267126db8ef2dba23e2399352d7a523b7e15a

        SHA256

        91edd30673b2e9b224a6bf7c858702c09f5bd78f304c78336df8610fd7374b19

        SHA512

        c39e220ecd09a891662eaeaed2ba3a74af405972c33e58555971797906465c4a7dc2e3f09401642415ad5f13c4bafcacab2bc59c12ca7bf8e15bab53c91c2a2f

        Download Submit

      • \Users\Admin\AppData\Local\Temp\IXP000.TMP\qY1DD17.exe
        Filesize

        1.4MB

        MD5

        47a2cadc206100868eb3406c6d92209b

        SHA1

        4e38e03b90ae06849dc6ad7ff7ce66add83d1842

        SHA256

        e1c72d1e89602a99937cd02d1ec9220678b73ac81c110ec9b0653b82e11e081d

        SHA512

        915753bc8ef8e5d3fc1a68a482d5d8b4855016e6fdfc21388263a2d16e1cedb93225d3a05bad3934bcb48e9cf8927a950e5dc9c1be77bfd0ff0a6dc2f4c5b22e

        Download Submit

      • memory/940-59-0x0000000002870000-0x0000000002CCE000-memory.dmp

        Filesize

        4.4MB

        Download

      • memory/1900-70-0x0000000002B10000-0x0000000002B50000-memory.dmp

        Filesize

        256KB

        Download

      • memory/1900-71-0x000000006D8E0000-0x000000006DE8B000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/1900-69-0x000000006D8E0000-0x000000006DE8B000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/2308-79-0x00000000010F0000-0x0000000001100000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2308-398-0x0000000001220000-0x000000000167E000-memory.dmp

        Filesize

        4.4MB

        Download

      • memory/2308-473-0x0000000001220000-0x000000000167E000-memory.dmp

        Filesize

        4.4MB

        Download

      • memory/2308-532-0x0000000001680000-0x0000000001ADE000-memory.dmp

        Filesize

        4.4MB

        Download

      • memory/2308-960-0x0000000001220000-0x000000000167E000-memory.dmp

        Filesize

        4.4MB

        Download

      • memory/2308-61-0x0000000001680000-0x0000000001ADE000-memory.dmp

        Filesize

        4.4MB

        Download

      • memory/2308-64-0x0000000001220000-0x000000000167E000-memory.dmp

        Filesize

        4.4MB

        Download

      • memory/2308-66-0x0000000001220000-0x000000000167E000-memory.dmp

        Filesize

        4.4MB

        Download

      • memory/2308-60-0x0000000001220000-0x000000000167E000-memory.dmp

        Filesize

        4.4MB

        Download