Analysis
-
max time kernel: 141s
-
max time network: 123s
-
platform: windows7_x64
-
resource: win7-20231129-en
-
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
-
submitted: 27-01-2024 05:12
Behavioral task: behavioral1
Sample: 795b658d0b24ee576ffcaecfca6e0e7d.exe
Resource: win7-20231129-en
Behavioral task: behavioral2
Sample: 795b658d0b24ee576ffcaecfca6e0e7d.exe
Resource: win10v2004-20231215-en
General
-
Target: 795b658d0b24ee576ffcaecfca6e0e7d.exe
-
Size: 170KB
-
MD5: 795b658d0b24ee576ffcaecfca6e0e7d
-
SHA1: b546d3c58eb6a3a9ca82ed18d3969706474934a1
-
SHA256: 7f5db97c477e0feb45031d61b6cb1a54da2e38afe6228db68ff0363445da8b55
-
SHA512: 4d4f8d95bd6a4fea71e761b8306d7fbd9f47f3c0d6f3a682ca52be047ecca62cf7910d41f2e29784575c5035ada0713261f4adbb935afb2029821271efe660e5
-
SSDEEP: 3072:DfLLXNjFCwEAHNcwNbBCcPcI3ZdlF1LS5aFZ0q4PMiXL8sUDIgqhloQt:bX9B1EAHawNlNp3/v1WMUtkiUW
Malware Config
Signatures
-
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\pw.exe | aspack_v212_v242
-
Deletes itself 1 IoCs
Processes:
pid | process
1600 | pw.exe
-
Executes dropped EXE 1 IoCs
Processes:
pid | process
1600 | pw.exe
-
Loads dropped DLL 2 IoCs
Processes:
pid | process
1720 | 795b658d0b24ee576ffcaecfca6e0e7d.exe
1720 | 795b658d0b24ee576ffcaecfca6e0e7d.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials, etc.
-
Modifies registry class 36 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.exe\DefaultIcon | pw.exe
Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.exe\shell\runas\command | pw.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*" | pw.exe
Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\pezfile\shell\open | pw.exe
Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.exe | pw.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.exe\Content Type = "application/x-msdownload" | pw.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.exe\ = "pezfile" | pw.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\pezfile\ = "Application" | pw.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\pezfile\shell\runas\command\ = "\"%1\" %*" | pw.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.exe\shell\open\command\IsolatedCommand = "\"%1\" %*" | pw.exe
Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\pezfile\DefaultIcon | pw.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\pezfile\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\pw.exe\" /START \"%1\" %*" | pw.exe
Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\pezfile\shell\start\command | pw.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.exe\DefaultIcon\ = "%1" | pw.exe
Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.exe\shell\open | pw.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\pezfile\shell\runas\command\IsolatedCommand = "\"%1\" %*" | pw.exe
Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.exe\shell | pw.exe
Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.exe\shell\runas | pw.exe
Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.exe\shell\start\command | pw.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.exe\shell\start\command\IsolatedCommand = "\"%1\" %*" | pw.exe
Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\pezfile | pw.exe
Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\pezfile\shell | pw.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\pezfile\shell\open\command\IsolatedCommand = "\"%1\" %*" | pw.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\pezfile\shell\start\command\ = "\"%1\" %*" | pw.exe
Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\pezfile\shell\start | pw.exe
Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.exe\shell\open\command | pw.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.exe\shell\runas\command\ = "\"%1\" %*" | pw.exe
Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.exe\shell\start | pw.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.exe\shell\start\command\ = "\"%1\" %*" | pw.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\pezfile\Content Type = "application/x-msdownload" | pw.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\pezfile\DefaultIcon\ = "%1" | pw.exe
Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\pezfile\shell\runas\command | pw.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\pw.exe\" /START \"%1\" %*" | pw.exe
Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\pezfile\shell\open\command | pw.exe
Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\pezfile\shell\runas | pw.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\pezfile\shell\start\command\IsolatedCommand = "\"%1\" %*" | pw.exe
-
Suspicious use of FindShellTrayWindow 3 IoCs
Processes:
pid | process
1600 | pw.exe
1600 | pw.exe
1600 | pw.exe
-
Suspicious use of SendNotifyMessage 3 IoCs
Processes:
pid | process
1600 | pw.exe
1600 | pw.exe
1600 | pw.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
description | pid | process | target process
PID 1720 wrote to memory of 1600 | 1720 | 795b658d0b24ee576ffcaecfca6e0e7d.exe | pw.exe
PID 1720 wrote to memory of 1600 | 1720 | 795b658d0b24ee576ffcaecfca6e0e7d.exe | pw.exe
PID 1720 wrote to memory of 1600 | 1720 | 795b658d0b24ee576ffcaecfca6e0e7d.exe | pw.exe
PID 1720 wrote to memory of 1600 | 1720 | 795b658d0b24ee576ffcaecfca6e0e7d.exe | pw.exe
Processes
-
Level 1: C:\Users\Admin\AppData\Local\Temp\795b658d0b24ee576ffcaecfca6e0e7d.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\795b658d0b24ee576ffcaecfca6e0e7d.exe"
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
  -
  Level 2: C:\Users\Admin\AppData\Local\pw.exe
  Command line: "C:\Users\Admin\AppData\Local\pw.exe" /GAV C:\Users\Admin\AppData\Local\Temp\795b658d0b24ee576ffcaecfca6e0e7d.exe
  - Deletes itself
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Users\Admin\AppData\Local\pw.exe
Filesize: 170KB
MD5: 795b658d0b24ee576ffcaecfca6e0e7d
SHA1: b546d3c58eb6a3a9ca82ed18d3969706474934a1
SHA256: 7f5db97c477e0feb45031d61b6cb1a54da2e38afe6228db68ff0363445da8b55
SHA512: 4d4f8d95bd6a4fea71e761b8306d7fbd9f47f3c0d6f3a682ca52be047ecca62cf7910d41f2e29784575c5035ada0713261f4adbb935afb2029821271efe660e5
-
memory/1600-20-0x0000000000400000-0x0000000000535000-memory.dmp
Filesize: 1.2MB
-
memory/1600-27-0x0000000000400000-0x0000000000535000-memory.dmp
Filesize: 1.2MB
-
memory/1600-21-0x0000000000400000-0x0000000000535000-memory.dmp
Filesize: 1.2MB
-
memory/1600-23-0x0000000000400000-0x0000000000535000-memory.dmp
Filesize: 1.2MB
-
memory/1600-22-0x0000000000400000-0x0000000000535000-memory.dmp
Filesize: 1.2MB
-
memory/1600-33-0x0000000000400000-0x0000000000535000-memory.dmp
Filesize: 1.2MB
-
memory/1600-16-0x0000000000400000-0x0000000000535000-memory.dmp
Filesize: 1.2MB
-
memory/1600-18-0x0000000000400000-0x0000000000535000-memory.dmp
Filesize: 1.2MB
-
memory/1600-19-0x0000000000400000-0x0000000000535000-memory.dmp
Filesize: 1.2MB
-
memory/1600-30-0x0000000000400000-0x0000000000535000-memory.dmp
Filesize: 1.2MB
-
memory/1600-29-0x0000000000400000-0x0000000000535000-memory.dmp
Filesize: 1.2MB
-
memory/1600-28-0x0000000000400000-0x0000000000535000-memory.dmp
Filesize: 1.2MB
-
memory/1600-26-0x0000000000400000-0x0000000000535000-memory.dmp
Filesize: 1.2MB
-
memory/1600-24-0x0000000000400000-0x0000000000535000-memory.dmp
Filesize: 1.2MB
-
memory/1600-25-0x0000000000400000-0x0000000000535000-memory.dmp
Filesize: 1.2MB
-
memory/1720-5-0x0000000000400000-0x0000000000535000-memory.dmp
Filesize: 1.2MB
-
memory/1720-3-0x0000000000250000-0x0000000000276000-memory.dmp
Filesize: 152KB
-
memory/1720-0-0x0000000000400000-0x0000000000535000-memory.dmp
Filesize: 1.2MB
-
memory/1720-2-0x0000000000400000-0x0000000000535000-memory.dmp
Filesize: 1.2MB
-
memory/1720-1-0x0000000000400000-0x0000000000535000-memory.dmp
Filesize: 1.2MB
-
memory/1720-15-0x0000000002610000-0x0000000002745000-memory.dmp
Filesize: 1.2MB