Analysis

  • max time kernel: 12s
  • max time network: 32s
  • platform: windows10-2004_x64
  • resource: win10v2004-20231215-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 14-01-2024 12:25

Errors

Reason: Machine shutdown

General

  • Target: 5b3b205391d33ff3e85780985bd44398.exe
  • Size: 2.6MB
  • MD5: 5b3b205391d33ff3e85780985bd44398
  • SHA1: 408bda11e611b5b5b4a7d4ab952722c5c5ca395f
  • SHA256: 6ea34f6a117de5a499a46a7713523817b222ae7ff483861fb41212edb59878cf
  • SHA512: cac77c9cf536e02ec12b624336739382322e85b9427eec7ccae89a905d873b172d4c6b8fdb1128ecec61e45e2a4b3fb0303fbca25b0001ef952a6ef3042c5b74
  • SSDEEP: 3072:aSsvihLlTQz9z71iURo2SJJmY6uFNcgifDbmeTXwVdBR:rsqhJMxzJiU5SeLmNSbmebW1

Malware Config

Signatures

  • Adds policy Run key to start application (2 TTPs, 7 IoCs)
  • Sets file execution options in registry (2 TTPs, 4 IoCs)
  • Executes dropped EXE (1 IoC)
  • Reads user/profile data of web browsers (2 TTPs)
    Infostealers often target stored browser data, which can include saved credentials etc.
  • Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).
  • Modifies data under HKEY_USERS (64 IoCs)
  • Modifies registry class (10 IoCs)
  • Suspicious use of AdjustPrivilegeToken (5 IoCs)
  • Suspicious use of SetWindowsHookEx (1 IoC)
  • Suspicious use of WriteProcessMemory (2 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\5b3b205391d33ff3e85780985bd44398.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\5b3b205391d33ff3e85780985bd44398.exe"
    PID: 1520
    • Adds policy Run key to start application
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
  • C:\Windows\system32\LogonUI.exe
    Command line: "LogonUI.exe" /flags:0x4 /state0:0xa3982855 /state1:0x41c64e6d
    PID: 4580
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
  • C:\Windows\system32\gpscript.exe
    Command line: gpscript.exe /Shutdown
    PID: 3700
    • Modifies data under HKEY_USERS
    • Suspicious use of WriteProcessMemory
    • C:\Users\Admin\AppData\Local\Microsoft\input\ar-TN\w5pIr8OkXHy3hnow9getMtQyB.exe
      Command line: "C:\Users\Admin\AppData\Local\Microsoft\input\ar-TN\w5pIr8OkXHy3hnow9getMtQyB.exe" 1
      PID: 3836
      • Adds policy Run key to start application
      • Sets file execution options in registry
      • Executes dropped EXE
      • Modifies data under HKEY_USERS
      • Suspicious use of AdjustPrivilegeToken
  • C:\Users\Admin\AppData\Local\Microsoft\input\ar-TN\w5pIr8OkXHy3hnow9getMtQyB.exe
    Command line: "C:\Users\Admin\AppData\Local\Microsoft\input\ar-TN\w5pIr8OkXHy3hnow9getMtQyB.exe" 2
    PID: 4072

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\ProgramData\Microsoft\Windows\Parental Controls\settings\yCgxBKELIoRjT.exe
    Filesize: 94KB
    MD5: b42f0cc80349be918a559f7779754d2f
    SHA1: d212ed139ffd15e663aa2ebd9438c6dbc23b4613
    SHA256: d9d82b37a5eec8543cb649cfaa94d399277deb6acfae654b0cb85aac7b81842d
    SHA512: a10ee4921a57a9b17d326f22b6beca4cbd01f9d7da87c5bb9bcce1a31109a4a835ad45e801cf446d8a561f47edbfadabbb8cb23746888f05495209dbae857c21
  • C:\Users\Admin\AppData\LocalLow\Sun\Java\SBY9YcW3mLV9LC9In3qDu8sFQLCZH4Q0JHtKZzF.exe
    Filesize: 546KB
    MD5: 2d29be7d6e6b48e1e5584296bd796f71
    SHA1: a90f177f3e26a9272a313a04774efb5a7ea1ba76
    SHA256: 25975a708c9646a6cd36bb9d78a500afe18434bc358b0ff9165f044d2445a6ee
    SHA512: 55ffe66d8daae741abb8a4aef6c3344da0dcfc93f38d3ee4813abf8259a35815e60ed4fc291907d89281add171c33f7bc242439d749fed570fea43b8c21b819b
  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\MEIPreload\vlFO7tBJwRGKGxdk3IN.bat
    Filesize: 810KB
    MD5: c2e88ea6566c8adbeea031f6e3854312
    SHA1: 5a302ac50b579fb45b75f60aa5ef1123a28a912e
    SHA256: 7851b570564138910a9e0414af62296ec9c4d417f7e825d1bb5811ccab7ed8ac
    SHA512: 96d62e0d96cf7eca653ccd0a53bf64823d4dfe640d2ccb18c9c403c039edb82e23b01bcbe489fa3d4effd4dc45013b597eea882fbc2570c98d7c9e2b6eab1362
  • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\qml\QtQuick\Extras\rI5aImUhLpS9kE2iU0EXFOi44AmTrseLvPl98tXuKZ.exe
    Filesize: 576KB
    MD5: b6f95a35e9d79ed83cb0fb83b6fcef9d
    SHA1: 3bdf73d189de26570e0ec19eba4b42d7bdb28ca5
    SHA256: 67560fd424241a0e212c6ca454dbbdf6d3c8f21f31660d9beff6da48820ac76a
    SHA512: d71604dc3dcc37d2084ab099f811c8be5b183580997fbfde7d3a9fcf8a5c2b6d182c3dcd6e584c2699e032fe3b8ec9850705de16a9939d35646d185aeb4256b4
  • C:\Users\Admin\AppData\Local\Microsoft\input\ar-TN\w5pIr8OkXHy3hnow9getMtQyB.exe
    Filesize: 1.9MB
    MD5: ada7c110f9b9fb4c9299daeb634e02df
    SHA1: 3075bfbb8cc296b4583e627c9cea7a00bbc6104a
    SHA256: f25e58773ecb1b49f96d787f0e52e1669cb553a38c8caa7b1fa4df89970962c6
    SHA512: c5ef4f5a541f5aba20798343d7b2b0fcea68c3e5be7fb072f06991801e4d06f7decbf460705aafe51c3f7b6219a2143a56f38619a1092e0acc83cf2a221b7814
  • C:\Users\Admin\AppData\Local\Microsoft\input\ar-TN\w5pIr8OkXHy3hnow9getMtQyB.exe
    Filesize: 925KB
    MD5: 55fa9ed370c30363f0e9f03e0021f01c
    SHA1: 2542206e4cdb807c1b4bdffa1b6ad2e80ceb5d91
    SHA256: 28da68499e9b17d57788ff8098de17d1806b2ec8399b80e271710ce0b1bd99bd
    SHA512: d1a6c807261f07215b05d2641c563c470c8ae18fc685e9d8e65d26f4192da4cde7c4f67fd5c9b57ecb3027b69162de888171c55e10fccddb3b294e114f97f5ce
  • C:\Users\Admin\AppData\Local\Microsoft\input\ar-TN\w5pIr8OkXHy3hnow9getMtQyB.exe
    Filesize: 1.0MB
    MD5: 96999c59b791639e0d9a3c40555cd167
    SHA1: fd80ac95194e726e159e8b646b96af1e301644df
    SHA256: 203031e9b1e82526c441be7bb259b4cfa9b21374092c7a2acc4153478a374a2d
    SHA512: 672f2a7c55211105e71f3aa2ce6e7762f20e9c13c67922bfed0df5cd518bf2bff2f7bdd6ba3738b3ed351638dcb83cc6d03bbb73d59347b0e4e846bec54d16d6
  • C:\Users\Admin\AppData\Local\Microsoft\input\pl-PL\igkSd8ObWow.exe
    Filesize: 518KB
    MD5: eb83a58df37f10a0fec85eeb6c45913b
    SHA1: e0d7c58e3aab9d5a79d3121169a4a4e613301125
    SHA256: 848f591a01308a825303463f62daefc58ca7a1879ffe64b95c398da73b6c28a6
    SHA512: f77a2229b0eedf1e62401d832337973f9c81b6ed9d3695814794ba2c50bfecf2d114f331ef86cece1c018c177a14278f18d2ea8ad8c5387a1196b233963c2be2
  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\Content\dirUFO5Ng15qM4Z0LDOl01djEV8iUG5fwlJk3XPJrTvlsrmcVEq9mvdfZPf2P9DCS0e7x1a.exe
    Filesize: 642KB
    MD5: ca90f894d1d3b5b39facd0acd8652a6c
    SHA1: 36e75d2ed962ad74aad6127d4c4d1c14696aa981
    SHA256: f48b45cab722ae4c1fc07c84992dbc33280d6e43f642ac2bbfbed63bd824dd54
    SHA512: d4f35397aff20c44da6eb706722a728435533da3992753c35279ca7ea514ee2bebf3c071593021531369a7e6ef82b25bcbeb19b772a31147de41b40f123b6e4d
  • C:\Users\Admin\AppData\Local\Packages\NcsiUwpApp_8wekyb3d8bbwe\AppData\uGTQfgaNF4bGF95xzH03ZKFiZzyje5cT2gmHAAk3GpM5AtOIntguq0E3WMyEYjPkhCBsz.exe
    Filesize: 64KB
    MD5: 003bce03f63eb63dec992faacd5150f8
    SHA1: ed64c9d32dc0d72ddcf47ae311b852a2b7082235
    SHA256: 08727a3c984361e1077326be2ec6f2f68fecc22b0e2a61347a80c9e8daa67506
    SHA512: 3ee190a92b9ca8aeae201e46d3fbda387cd13bae382db09565692ec3c423d586d83ccc547fc3d2a1f3f581952b33bd11e23ea801ee2666178b477e1d66f27468
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\9RhRb96VPIU8IpWDJbQ339HHnO6bfOTYUfn9hqjdM0wN4G6W7pFhn2TjhqSpRkNz.cmd
    Filesize: 615KB
    MD5: 351c1adbcbb380a1e61325f6b05e6bf5
    SHA1: c73ff6d4c4482fca09799d5096cc080a921791e4
    SHA256: 1e908394462e32450b2cb957e97b0f357a62798b21b233b3d8148625323d5a32
    SHA512: 744c7b1304f8ce601b1213d13e04dfe6371b6aa17d31ecf86bcf7bd2b7f95087a23237120b6e3b89b23ed633ca243c48432c0eb2fc7ab67cbe1f4fc44dd31d1f
  • C:\Users\Admin\AppData\Roaming\Mozilla\Extensions\7SEfGHzMJTPAQ1q2E5j2YjKT6NdRuJyHFKu9Xi8NSE0U9CDw0.exe
    Filesize: 689KB
    MD5: f77705eb87318010db719f1568849af5
    SHA1: 0c7d1913268c3d58482327be8ad676a3d31dd107
    SHA256: 6022f2d24d87b1c69346bb9d888b8b13313f3d30076236add3452d0cd4564a96
    SHA512: 8f6c35dab11b0ca4a6059cd1805ee70b2bfe79d6df803bbde6cb34cc479bd9981bdd1f24426ccc30f873aa219424c7f542c4398e45a80850ce5f5552d2358682
  • C:\Users\Default\AppData\Local\Microsoft\Windows Sidebar\QSF7tTNptQGgSFg0CYcuNEYFZJ6dMnqKx5M9t6rlvXMsNXXpzxTWoajWEsHg94j4L.exe
    Filesize: 952KB
    MD5: b7aea418d57a3514a81f7f4672859cf7
    SHA1: 697b96d0a81aa15c4421c24d4661fb18ee8a388e
    SHA256: dbee41641d46165ba2b9fca35fe3cebb8c882695e1406c2708be1476d7ce6aa4
    SHA512: 99bd32a8eca61979b40e67ef30465c9e36e1fae795d4d85e194a552f6f2ea8638383721284a1821d1a4176a7240ba56fef1602c8055084b3c27b8b66b05fd43f
  • C:\Users\Default\AppData\Local\Microsoft\Windows Sidebar\QSF7tTNptQGgSFg0CYcuNEYFZJ6dMnqKx5M9t6rlvXMsNXXpzxTWoajWEsHg94j4L.exe
    Filesize: 1.2MB
    MD5: 6d0b5598071cc432a3afd4d00ed1dbb9
    SHA1: d0d70b71fd122bd314f5b7d890058a1ac3a39dba
    SHA256: 6fcb1d03f0f384ecd3fc8e56a8e0d9020a92476a7ddf90635232ef46a0a9ae55
    SHA512: 912b012298e91e37ffa651965361047987287aa07f865d488dbdc4737dda0a4b911fdca32f39f3e10cfadbcb22659f8bc1a1adfb2f024046e861b40489b8cd59
  • memory/1520-0-0x0000000000400000-0x000000000042D000-memory.dmp
    Filesize: 180KB
  • memory/1520-34-0x0000000000400000-0x000000000042D000-memory.dmp
    Filesize: 180KB
  • memory/3836-552-0x0000000000400000-0x000000000042D000-memory.dmp
    Filesize: 180KB
  • memory/3836-530-0x0000000000400000-0x000000000042D000-memory.dmp
    Filesize: 180KB
  • memory/3836-37-0x0000000000400000-0x000000000042D000-memory.dmp
    Filesize: 180KB