644ba316e402faf534a3feb88d6da4ab3299dd337d961fe961f0e89c608e0362

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
02/02/2024, 02:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

885186e0a72510f6888e8ca1780f3c5d.exe
Size

114KB
MD5

885186e0a72510f6888e8ca1780f3c5d
SHA1

57dc5452bd6fdc67e8177a92c8cf6b39722d32a6
SHA256

644ba316e402faf534a3feb88d6da4ab3299dd337d961fe961f0e89c608e0362
SHA512

d2da6a6f8a09367e9b08f186ca8546c19a676938951df9ef79663d135cc425b6d2d8295cdd38a7603e426958320836258a6fc28cdad5868756b8d4ed02f60cd4
SSDEEP

1536:TeqejnOkp/2d3C24gJdJp+c2vOUHkrxbBgJiKLDVOpJrnzqYoEZnx3kWGM3SnC6D:TnejnOk/OPpeOUHygBUvZ6WPkVB

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2204	kuod.exe

Loads dropped DLL 2 IoCs

pid	Process
2324	885186e0a72510f6888e8ca1780f3c5d.exe
2324	885186e0a72510f6888e8ca1780f3c5d.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Privacy	885186e0a72510f6888e8ca1780f3c5d.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	885186e0a72510f6888e8ca1780f3c5d.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2204	kuod.exe
2324	885186e0a72510f6888e8ca1780f3c5d.exe
2204	kuod.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2324	885186e0a72510f6888e8ca1780f3c5d.exe
Token: SeSecurityPrivilege	2324	885186e0a72510f6888e8ca1780f3c5d.exe
Token: SeSecurityPrivilege	2324	885186e0a72510f6888e8ca1780f3c5d.exe
Token: SeSecurityPrivilege	2324	885186e0a72510f6888e8ca1780f3c5d.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 2324 wrote to memory of 2204	2324	885186e0a72510f6888e8ca1780f3c5d.exe	28
PID 2324 wrote to memory of 2204	2324	885186e0a72510f6888e8ca1780f3c5d.exe	28
PID 2324 wrote to memory of 2204	2324	885186e0a72510f6888e8ca1780f3c5d.exe	28
PID 2324 wrote to memory of 2204	2324	885186e0a72510f6888e8ca1780f3c5d.exe	28
PID 2204 wrote to memory of 1044	2204	kuod.exe	13
PID 2204 wrote to memory of 1044	2204	kuod.exe	13
PID 2204 wrote to memory of 1044	2204	kuod.exe	13
PID 2204 wrote to memory of 1044	2204	kuod.exe	13
PID 2204 wrote to memory of 1044	2204	kuod.exe	13
PID 2204 wrote to memory of 1072	2204	kuod.exe	12
PID 2204 wrote to memory of 1072	2204	kuod.exe	12
PID 2204 wrote to memory of 1072	2204	kuod.exe	12
PID 2204 wrote to memory of 1072	2204	kuod.exe	12
PID 2204 wrote to memory of 1072	2204	kuod.exe	12
PID 2204 wrote to memory of 1112	2204	kuod.exe	4
PID 2204 wrote to memory of 1112	2204	kuod.exe	4
PID 2204 wrote to memory of 1112	2204	kuod.exe	4
PID 2204 wrote to memory of 1112	2204	kuod.exe	4
PID 2204 wrote to memory of 1112	2204	kuod.exe	4
PID 2204 wrote to memory of 1876	2204	kuod.exe	8
PID 2204 wrote to memory of 1876	2204	kuod.exe	8
PID 2204 wrote to memory of 1876	2204	kuod.exe	8
PID 2204 wrote to memory of 1876	2204	kuod.exe	8
PID 2204 wrote to memory of 1876	2204	kuod.exe	8
PID 2204 wrote to memory of 2324	2204	kuod.exe	16
PID 2204 wrote to memory of 2324	2204	kuod.exe	16
PID 2204 wrote to memory of 2324	2204	kuod.exe	16
PID 2204 wrote to memory of 2324	2204	kuod.exe	16
PID 2204 wrote to memory of 2324	2204	kuod.exe	16

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1112

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1876

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1072
- C:\Users\Admin\AppData\Local\Temp\885186e0a72510f6888e8ca1780f3c5d.exe
  "C:\Users\Admin\AppData\Local\Temp\885186e0a72510f6888e8ca1780f3c5d.exe"
  2⤵
  - Loads dropped DLL
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2324
- - C:\Users\Admin\Ebet\kuod.exe
    "C:\Users\Admin\Ebet\kuod.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2204

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Lopa\egir.ecu

Filesize
366B

MD5
c36a96fc87d298b54aeac0267b1dbca6

SHA1
6acb6ee0815378809b7d19e5814f7163ba76be62

SHA256
f9cf0afa7ce92dd8723cbca3df660d62f6c2b3a371b55d173c6c08e3e620e7a8

SHA512
0ea22b4524f3400af45724d0412c560047840f640e010224d771bf808d34e490bdea5d3b547e38a0c68a790a97046fc72dabdcf42354d0c101efd5041ebfb188

Download Submit
\Users\Admin\Ebet\kuod.exe

Filesize
114KB

MD5
b0b841b0c37eca5466834fe2ef650486

SHA1
b8734ce43a0fe873daca2d2b04038fa256922a9d

SHA256
086dbda7286541d05d260c1a70d3c11c9517c5a447a8b38ee8328b43f11d8180

SHA512
96b620194e081fc911cc3d697249408d201151db22d59924c922be4c13ce42ea520ecf079b53084354a84bd9d32f5a29f38f56f8af64079bdcaeaf3c71fed4ab

Download Submit
memory/1044-21-0x00000000002B0000-0x00000000002DC000-memory.dmp

Filesize
176KB

Download
memory/1044-19-0x00000000002B0000-0x00000000002DC000-memory.dmp

Filesize
176KB

Download
memory/1044-12-0x00000000002B0000-0x00000000002DC000-memory.dmp

Filesize
176KB

Download
memory/1044-14-0x00000000002B0000-0x00000000002DC000-memory.dmp

Filesize
176KB

Download
memory/1044-17-0x00000000002B0000-0x00000000002DC000-memory.dmp

Filesize
176KB

Download
memory/1072-25-0x0000000002DB0000-0x0000000002DDC000-memory.dmp

Filesize
176KB

Download
memory/1072-26-0x0000000002DB0000-0x0000000002DDC000-memory.dmp

Filesize
176KB

Download
memory/1072-24-0x0000000002DB0000-0x0000000002DDC000-memory.dmp

Filesize
176KB

Download
memory/1072-27-0x0000000002DB0000-0x0000000002DDC000-memory.dmp

Filesize
176KB

Download
memory/1112-36-0x00000000002B0000-0x00000000002DC000-memory.dmp

Filesize
176KB

Download
memory/1876-39-0x0000000001C60000-0x0000000001C8C000-memory.dmp

Filesize
176KB

Download
memory/1876-40-0x0000000001C60000-0x0000000001C8C000-memory.dmp

Filesize
176KB

Download
memory/1876-41-0x0000000001C60000-0x0000000001C8C000-memory.dmp

Filesize
176KB

Download
memory/1876-42-0x0000000001C60000-0x0000000001C8C000-memory.dmp

Filesize
176KB

Download
memory/2204-15-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2204-63-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2324-49-0x00000000002D0000-0x00000000002FC000-memory.dmp

Filesize
176KB

Download
memory/2324-60-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2324-58-0x00000000002D0000-0x00000000002FC000-memory.dmp

Filesize
176KB

Download
memory/2324-55-0x0000000002B50000-0x0000000002D14000-memory.dmp

Filesize
1.8MB

Download
memory/2324-54-0x0000000002810000-0x0000000002990000-memory.dmp

Filesize
1.5MB

Download
memory/2324-45-0x00000000002D0000-0x00000000002FC000-memory.dmp

Filesize
176KB

Download
memory/2324-56-0x00000000002D0000-0x00000000002FC000-memory.dmp

Filesize
176KB

Download
memory/2324-47-0x00000000002D0000-0x00000000002FC000-memory.dmp

Filesize
176KB

Download
memory/2324-0-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2324-51-0x00000000002D0000-0x00000000002FC000-memory.dmp

Filesize
176KB

Download
memory/2324-53-0x00000000002D0000-0x00000000002FC000-memory.dmp

Filesize
176KB

Download
memory/2324-1-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download