Overview

overview

10

Static

static

3

5b3b205391...98.exe

windows7-x64

5b3b205391...98.exe

windows10-2004-x64

Analysis

  • max time kernel
    74s
  • max time network
    65s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    14/01/2024, 12:25

Sharing

Copy URL Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    5b3b205391d33ff3e85780985bd44398.exe

  • Size

    2.6MB

  • MD5

    5b3b205391d33ff3e85780985bd44398

  • SHA1

    408bda11e611b5b5b4a7d4ab952722c5c5ca395f

  • SHA256

    6ea34f6a117de5a499a46a7713523817b222ae7ff483861fb41212edb59878cf

  • SHA512

    cac77c9cf536e02ec12b624336739382322e85b9427eec7ccae89a905d873b172d4c6b8fdb1128ecec61e45e2a4b3fb0303fbca25b0001ef952a6ef3042c5b74

  • SSDEEP

    3072:aSsvihLlTQz9z71iURo2SJJmY6uFNcgifDbmeTXwVdBR:rsqhJMxzJiU5SeLmNSbmebW1

Score
10/10
persistencespywarestealer

Malware Config

Signatures

  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Adds policy Run key to start application 2 TTPs 7 IoCs
    persistence
  • Sets file execution options in registry 2 TTPs 8 IoCs
    persistence
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 12 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    1⤵
      PID:592
      • C:\ProgramData\Microsoft\Windows NT\MSFax\VirtualInbox\en-US\VEe497jG.cmd
        "C:\ProgramData\Microsoft\Windows NT\MSFax\VirtualInbox\en-US\VEe497jG.cmd" 2
        2⤵
        • Sets file execution options in registry
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:112
    • C:\Users\Admin\AppData\Local\Temp\5b3b205391d33ff3e85780985bd44398.exe
      "C:\Users\Admin\AppData\Local\Temp\5b3b205391d33ff3e85780985bd44398.exe"
      1⤵
      • Adds policy Run key to start application
      • Modifies data under HKEY_USERS
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      PID:2264
    • C:\Windows\system32\LogonUI.exe
      "LogonUI.exe" /flags:0x0
      1⤵
        PID:2800
      • C:\Windows\system32\LogonUI.exe
        "LogonUI.exe" /flags:0x1
        1⤵
          PID:1652
        • C:\Windows\system32\gpscript.exe
          gpscript.exe /Shutdown
          1⤵
          • Loads dropped DLL
          • Modifies data under HKEY_USERS
          • Suspicious use of WriteProcessMemory
          PID:2928
          • C:\ProgramData\Microsoft\Windows NT\MSFax\VirtualInbox\en-US\VEe497jG.cmd
            "C:\ProgramData\Microsoft\Windows NT\MSFax\VirtualInbox\en-US\VEe497jG.cmd" 1
            2⤵
            • Suspicious use of NtCreateUserProcessOtherParentProcess
            • Adds policy Run key to start application
            • Sets file execution options in registry
            • Executes dropped EXE
            • Loads dropped DLL
            • Modifies data under HKEY_USERS
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2792

        Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\ja-JP\Mv0RlxAJkeas01F589YatgX7WxCfwNZJF3v55NqlTEVbXX8lXX8WTXxEipkh0.exe
                Filesize

                950KB

                MD5

                cc38c0b73de0427fa595a62bc0b212db

                SHA1

                1d6657eba0023819097415ddb592c93e438664d3

                SHA256

                5e13c6adf50df564e3a74f859fa2fe4dd60e6b0b6693db685d3c1d7769a4430b

                SHA512

                51ef90e4ce4d7811dff74976e66b9d66d59f5d251a03b3f91e48fb483fb0df48561222279cd10b4b288484aa593038626cfbdab1bf7293fa02b703824f18672a

                Download Submit

              • C:\ProgramData\Microsoft\Windows NT\MSFax\Common Coverpages\en-US\nVa7PV9ALvgghCjGXjQRubD0NHYL7YYNE2HmS1cADO4KACpYQgYdNNNbJptFu7uw4cedYs.exe
                Filesize

                1.3MB

                MD5

                687a1d9f4e827e695b59517c9e3eae31

                SHA1

                21ad7122f3e4628a60a90e1a0e6222036f21763b

                SHA256

                d80f12ef95580e7dee25b056c71bc6b7e1493e2ec3a2b038d0184d1a3489ca9a

                SHA512

                00cd7e44c87f593d654385364fb0533cfe6805f8f553b0d89f2ca96ae0250b7d9f8df46fec670d6ca860a7953f668b79674472534e5d567dca1c8ab72cbed07b

                Download Submit

              • C:\ProgramData\Microsoft\Windows NT\MSFax\Inbox\13zJKPQszOpoOgmaF2I0JvOz0nnEBQUQKY1.exe
                Filesize

                954KB

                MD5

                fe33de3381cce3092a770d02e9cbd38a

                SHA1

                2a24cd1a0912ecfadfc662a682e8d55a3f4bf914

                SHA256

                645ca4b8b1578ce645a2e9499203a1655532a6a87d0c8cca2ad9c3bc995bd036

                SHA512

                7594127c2c6a96e45e9721ec10029380d562f5389f94e9442c7c64bae9a6c72b391e3e2b1fca72d5938ea5f2e60e7c601e66f5f3cc98f34a6a49de7f27c7881a

                Download Submit

              • C:\ProgramData\Microsoft\Windows NT\MSFax\VirtualInbox\en-US\VEe497jG.cmd
                Filesize

                2.2MB

                MD5

                3c2404e3159a087e6b185882dee34ff9

                SHA1

                44ca366aba202a9dc6271a37aa671f7c67286790

                SHA256

                8a310a9dc07408a6861f35abda8e58c6117ffaa04bb776241021086b2cd309b7

                SHA512

                46c447b384cf4a21e0c37cf8969984a7a3ae96712b338e51a72d596f663469346555e32ee1b1d3837008a3cf97467d60ef05d6af9f1874634036cd7b013e62e6

                Download Submit

              • C:\ProgramData\Microsoft\Windows NT\MSFax\VirtualInbox\en-US\VEe497jG.cmd
                Filesize

                2.0MB

                MD5

                7dd90326a3c4d8e5d679b63171d5e11f

                SHA1

                f1bc29a5a2766d23f8b2016496805d56aa9d93c6

                SHA256

                ac9d6602b480633fe004315aec4391413471c793ac3c477ae7a416162a3fea38

                SHA512

                f63c2b56b3b59ec1085449dde1e8552b6158d3fa26de5f6a80a20b1c2f6d3d80af655f602fa043ad5bb8adcfb510d199705461b0e7a517edbc8b720d561a8ba1

                Download Submit

              • C:\ProgramData\Microsoft\Windows NT\MSFax\VirtualInbox\en-US\VEe497jG.cmd
                Filesize

                1.7MB

                MD5

                682c141730b20e65f193520ffb71c069

                SHA1

                41974303b074dc0548c35b06fdc77402acc7daea

                SHA256

                11de93461cd065c5553b7b36e754f952370560dc390314a79e03e9e3e3215eb7

                SHA512

                cbd0da461821cb460baec16db4f12f6fcd034ce1a27295e1be2f67b8c2bacdfc8a8ecd49e14a74a55ded21cebd84324d45e47f769467812fbe3de9809eacc906

                Download Submit

              • C:\ProgramData\Microsoft\Windows\DRM\ytvRJhmiw9nhY1.exe
                Filesize

                3.0MB

                MD5

                d9f36dfc21deb65a04f6d8aeef2793ee

                SHA1

                c45897f1da5893f117456beb2f191ee6de2ad9c0

                SHA256

                aa29adba8e30b1d4905b735a91a0958cce7d80b6f53598b42f9c2092a37e62cc

                SHA512

                31adb1ab4276d4792e0139ef0e804b98a6845ba38c179afb3caf18e164b0cda9d2382de1ea3c1c6f3b04f9aa822d47c69903b1434efe6915f3d6acb659d5416d

                Download Submit

              • C:\ProgramData\Microsoft\Windows\DRM\ytvRJhmiw9nhY1.exe
                Filesize

                968KB

                MD5

                ff92c8c9d64cc81877c8bccc60983100

                SHA1

                9ead5f320e2db76d45d250d90175b9b4a528af36

                SHA256

                8d7e04ead03f2c1c7510e83532f2a8f9fce44e72e1d8b298184665c1d0cdea9c

                SHA512

                5feeee50a15ad0f91acb7b95b904c353a15e42f9f9d7c21523ff3f59870c9bdacbb92eafc26699b2335daede9964e99d666fb011b58fb12b29115e1e8c98768e

                Download Submit

              • C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\32\Qp7TxfihXk1h.exe
                Filesize

                875KB

                MD5

                bdba4571e3c199c313bc30bf161284ea

                SHA1

                937679271991faab9986ec0591cbe0dcf212d430

                SHA256

                7fc50dd71e5fda7bdc08737d814fbb002c3e5fdddc7475d752c9251e8954db29

                SHA512

                ba8a919d2deaa330a09f056ee6d7408e1944fc8c233f7c2428f57e870cd00f5fa58557da19a0c854341b9e9d70a4d2fb769610c4f39871f801d243d74e3c6dd3

                Download Submit

              • C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\6\y1nsnMKSBtiEXE7dTOjDqfVRUoHdUxPfXNzyIfK6oN.exe
                Filesize

                3.2MB

                MD5

                b2eb550085824353e2e13589122eeb2c

                SHA1

                59a92261d4e492c45140e47039ef9f2352ae419c

                SHA256

                2e72d98532ae0136d53798cbd053f27a3b53a80a67c8a4192a543d4f4b639fcc

                SHA512

                1d27c287ace6b6fa64503b407811f040f6f0c3eccb57b3f02f2c775ad7981a2bbdc481fc4da13fb661c20bb17078912012799d7e83be5225ad9528c0e609fb43

                Download Submit

              • C:\Users\Admin\AppData\Roaming\Adobe\Flash Player\AssetCache\diM10SsKOpEKljgiOwWnmGyWJnZ4IBGDNkjAC.exe
                Filesize

                1.1MB

                MD5

                6ed6595359f62203dc0de22380342d78

                SHA1

                b8413439d6b02e55f8d79083d563b094fe206238

                SHA256

                e194d8509feaa2edd3e8c46ab20977e51779609afb1fd4dfbea620eb5eb72430

                SHA512

                d551feae5de1da0b7c4b9601085f4749b3df9934fcfd83e1ec2fa13132c88f54acd6bb57d7a5e8e78f7cf17f5208d02a729836111d39174baf624e20ab885547

                Download Submit

              • C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\4IaJ6ylpksaL29MENX.exe
                Filesize

                934KB

                MD5

                fc89b6c217e53aea99f7507c59afde01

                SHA1

                3a290676a86344d44345b1eb7e3e36c3117ce685

                SHA256

                e1c73a5e7f56efcf198e9574c7b9f37760ec04fc01f7af3974c2325f6cd9205e

                SHA512

                49caa122697822fd53fc666ee75e1ee6816b80fe566d81c4490f5b0703fcbb2db36cfe00d19e3b70f21d3e8d8b091910d59d68e9fc74dcb4fc69ad4680c3ddf0

                Download Submit

              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\14t8eq6w.default-release\datareporting\glean\events\LktVNUyJGlnPMDpqOLv14vyzHzJG0LkE.bat
                Filesize

                1.8MB

                MD5

                0639edab3988f6ad0bc45b788e4a1458

                SHA1

                f38b8d886eea6db714ab4da7a8d430da5c7c57b7

                SHA256

                5d22e726209ef8a2b89a6f42d597c30933bde122000111850f9854a935e0d1e6

                SHA512

                46d963fa8412bed5a29e652b8e7bed1ed4dfdb39537b0d5e15f5d7719c037d6fcac8007cb4dbc50a82c3f2d46ee313b88a58aede783b1d9ebfbac8a04fc43faa

                Download Submit

              • C:\Users\Admin\Documents\2nmDAX63N32snS3asngmaziOMeDnZMx.exe
                Filesize

                1.1MB

                MD5

                2b25b111ea369404bb0a868978e8b3c3

                SHA1

                d398149ad4ef1576199da1a5e32fb811d37a93e7

                SHA256

                4ffb9d18a4117e84c584b5debf41b9d7e309dfb22cc9edea4df3aa2f877025c9

                SHA512

                755a121d9cd3d32534ab26323826a53714ed7d05f3fa4446a8c3e87ec025330b2d917faec6c8fa6f8e8ba63b6bebd93ba2306f9a22d1d99d790256f1c3596199

                Download Submit

              • \ProgramData\Microsoft\Windows NT\MSFax\VirtualInbox\en-US\VEe497jG.cmd
                Filesize

                2.5MB

                MD5

                a6a8aea91c42eec98e7be70162f22bd3

                SHA1

                af8b6e38b7778b9fe3b5b2df6fa5b5924c807e4b

                SHA256

                0c59e79f57d94ffde13a7785146370d51cfbf92802434856eae9f78cd64543a7

                SHA512

                e86b96d6624122b34b94f1d0413410f687458ecb8e46e9404de5ed6a901a8c43ee5024b0eac0e2d96339c610bd91f0c8a0b082b4522cbc77c8dd6083caf6b6ec

                Download Submit

              • \ProgramData\Microsoft\Windows NT\MSFax\VirtualInbox\en-US\VEe497jG.cmd
                Filesize

                2.1MB

                MD5

                04b2a8664a488b48bf335539352cd22f

                SHA1

                6bda6526691af7665c1d83e79498e65afbf2e275

                SHA256

                56f351521216e8cb234e913ec3893ad621cc4a1bc5539d4114a93f6bce1f781e

                SHA512

                66cf073f031a339f82625f691457d84cf65d0b0d637f158ebfd6b6e4cb778af8454f9c50dc762cd82718a6a54d18aa8c6741e75497f9a295a90a1ebf9244ff04

                Download Submit

              • \ProgramData\Microsoft\Windows NT\MSFax\VirtualInbox\en-US\VEe497jG.cmd
                Filesize

                3.2MB

                MD5

                3ded2b43d89188baea3290bd609e5645

                SHA1

                94d06ae735e60fd942e9cecce7563155651fddd1

                SHA256

                ca2337614e2c48ffff6c42876c7d46e8f0077c63a6ce2eca49a194cce93f724b

                SHA512

                58b54707b4941c1ee9b93f677325458e2ad102aa77fb86b5d01cfb095103e0d454e6bfe13a95730395acab0ae0c3e6471ba188b7b1a2a3dcc4da09a5fff60aa2

                Download Submit

              • memory/112-471-0x0000000000400000-0x000000000042D000-memory.dmp

                Filesize

                180KB

                Download

              • memory/112-474-0x0000000000400000-0x000000000042D000-memory.dmp

                Filesize

                180KB

                Download

              • memory/1652-36-0x00000000026E0000-0x00000000026E1000-memory.dmp

                Filesize

                4KB

                Download

              • memory/2264-0-0x0000000000400000-0x000000000042D000-memory.dmp

                Filesize

                180KB

                Download

              • memory/2264-34-0x0000000000400000-0x000000000042D000-memory.dmp

                Filesize

                180KB

                Download

              • memory/2792-336-0x0000000000400000-0x000000000042D000-memory.dmp

                Filesize

                180KB

                Download

              • memory/2792-418-0x0000000000400000-0x000000000042D000-memory.dmp

                Filesize

                180KB

                Download

              • memory/2792-460-0x0000000000400000-0x000000000042D000-memory.dmp

                Filesize

                180KB

                Download

              • memory/2792-470-0x0000000000510000-0x000000000053D000-memory.dmp

                Filesize

                180KB

                Download

              • memory/2792-469-0x0000000000400000-0x000000000042D000-memory.dmp

                Filesize

                180KB

                Download

              • memory/2792-170-0x0000000000400000-0x000000000042D000-memory.dmp

                Filesize

                180KB

                Download

              • memory/2800-35-0x00000000029C0000-0x00000000029C1000-memory.dmp

                Filesize

                4KB

                Download

              • memory/2928-245-0x0000000001030000-0x000000000105D000-memory.dmp

                Filesize

                180KB

                Download

              • memory/2928-41-0x0000000001030000-0x000000000105D000-memory.dmp

                Filesize

                180KB

                Download

              • memory/2928-38-0x0000000001030000-0x000000000105D000-memory.dmp

                Filesize

                180KB

                Download