Analysis

  • max time kernel
    118s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    02-03-2024 15:36

General

  • Target

    80ac8da6cd68d70640b3344da6e7884b25fc3c588162ae589d194599030f481a.exe

  • Size

    893KB

  • MD5

    1e79d9bf5b01707fd8b3081e69f5f7f8

  • SHA1

    58bcef993a3c58808afc4affb1c2fa6948f7a5c7

  • SHA256

    80ac8da6cd68d70640b3344da6e7884b25fc3c588162ae589d194599030f481a

  • SHA512

    1799d68dc22e29790f49d4ea848fb5708716fe4dd8532994bc72805e2c85271762f7a92cc23cd04b394ce79e9d569231bc4ef8f7536d8b5c05370e82a3ce11bc

  • SSDEEP

    24576:UX0hD34ShYVRyg0l6h4Zo7EEasEiDA4ONxjQTDpGTlbcm5:UEcShYV90l6J7DasEdrjQXpGpbD

Malware Config

Signatures

  • Possible privilege escalation attempt 3 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Modifies file permissions 1 TTPs 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies File Icons 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 47 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 6 IoCs
  • Suspicious use of SendNotifyMessage 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\80ac8da6cd68d70640b3344da6e7884b25fc3c588162ae589d194599030f481a.exe
    "C:\Users\Admin\AppData\Local\Temp\80ac8da6cd68d70640b3344da6e7884b25fc3c588162ae589d194599030f481a.exe"
    1⤵
    • Loads dropped DLL
    • Enumerates connected drives
    • Drops file in Windows directory
    • Modifies File Icons
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1284
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c takeown /f "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup" && icacls "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup" /grant administrators:F /t
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1748
      • C:\Windows\SysWOW64\takeown.exe
        takeown /f "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:112
      • C:\Windows\SysWOW64\icacls.exe
        icacls "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup" /grant administrators:F /t
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:2608
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c takeown /f "C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup" && icacls "C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup" /grant administrators:F /t
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2032
      • C:\Windows\SysWOW64\takeown.exe
        takeown /f "C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:2156
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c @echo off
      2⤵
        PID:2576
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c if exist regset.ini @del /q /f regset.ini
        2⤵
          PID:2720
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c echo HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{5CE25775-92B7-477d-9603-852F0B34D8B0} [2 8 19] >regset.ini
          2⤵
            PID:2932
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c regini regset.ini
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:2756
            • C:\Windows\SysWOW64\regini.exe
              regini regset.ini
              3⤵
              • Modifies Internet Explorer settings
              PID:2424
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c @del /q /f regset.ini
            2⤵
              PID:2436
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c @echo off
              2⤵
                PID:2488
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c if exist regset.ini @del /q /f regset.ini
                2⤵
                  PID:2852
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c echo HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{A481937F-4D99-4B11-86E6-5B0F1007C557} [2 8 19] >regset.ini
                  2⤵
                    PID:3044
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c regini regset.ini
                    2⤵
                    • Suspicious use of WriteProcessMemory
                    PID:860
                    • C:\Windows\SysWOW64\regini.exe
                      regini regset.ini
                      3⤵
                      • Modifies Internet Explorer settings
                      PID:572
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c @del /q /f regset.ini
                    2⤵
                      PID:552
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c @echo off
                      2⤵
                        PID:2408
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c if exist regset.ini @del /q /f regset.ini
                        2⤵
                          PID:532
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c echo HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes [2 8 19] >regset.ini
                          2⤵
                            PID:1388
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c regini regset.ini
                            2⤵
                              PID:920
                              • C:\Windows\SysWOW64\regini.exe
                                regini regset.ini
                                3⤵
                                • Modifies Internet Explorer settings
                                PID:1680
                            • C:\Windows\SysWOW64\cmd.exe
                              C:\Windows\system32\cmd.exe /c @del /q /f regset.ini
                              2⤵
                                PID:2492
                              • C:\Windows\web\sms.exe
                                C:\Windows\web\sms.exe
                                2⤵
                                • Executes dropped EXE
                                PID:1280
                              • C:\Windows\SysWOW64\cmd.exe
                                C:\Windows\system32\cmd.exe /c ping 127.0.0.1 -n 2&del /q "C:\Users\Admin\AppData\Local\Temp\80ac8da6cd68d70640b3344da6e7884b25fc3c588162ae589d194599030f481a.exe"
                                2⤵
                                • Deletes itself
                                PID:2636
                                • C:\Windows\SysWOW64\PING.EXE
                                  ping 127.0.0.1 -n 2
                                  3⤵
                                  • Runs ping.exe
                                  PID:2344

                            Network

                            MITRE ATT&CK Enterprise v15

                            Replay Monitor

                            Loading Replay Monitor...

                            Downloads

                            • C:\Users\Admin\AppData\Local\Temp\regset.ini

                              Filesize

                              118B

                              MD5

                              06697bf2f4f5395a9af659f50df00e3b

                              SHA1

                              01925ffbeed3e54e134e1fafaef8ff640dda9107

                              SHA256

                              8868e97e8dfbc08e681ab68b6b5b1a756cd352354d8ed6c5ce1cb6dee07e55f1

                              SHA512

                              9c32faff9e7d4b0c82b92ea87c03cff3bd1548ea07728bb7c1fda828db6be857f4101c94e6cffd70f16e2d4fef93c641f4a7edb8cc62c1edda23b54218affd73

                            • C:\Users\Admin\AppData\Local\Temp\regset.ini

                              Filesize

                              118B

                              MD5

                              b141c6974c48fadca812a060e03f8200

                              SHA1

                              bfc010eeda61bd2bd6d3b7963570cbc7d7539037

                              SHA256

                              68a17dd52a94c7807e46ec191f4481f330eba25303daba341316ac389c17282e

                              SHA512

                              353288737aca756f1e78b7143711a87917509a3290bf62c789e4de03275b4684eff9027d5d668996b7bc47e3ae7d4f2fc85c523a16795b90a94a9f5d6ed8f138

                            • C:\Users\Admin\AppData\Local\Temp\regset.ini

                              Filesize

                              79B

                              MD5

                              2c545704057f619fa7fb3f994862f181

                              SHA1

                              b820cf6d3e8cbc30ef87632370ed60ef4a5f0bbd

                              SHA256

                              0a31ed19b74d461d0819477eb328af5f8ef3508974df347cf4304fa62977d1a0

                              SHA512

                              5875c2626b6172d6059faa391efb4bfcd9c6c35ec15aa002becff0cef7f05b928f9690ed8edd19f790e056d8d19a3f5c7a5402213ae649577202a7f025388a84

                            • \Windows\Web\sms.exe

                              Filesize

                              775KB

                              MD5

                              628ca25523c98eb00cee7503787f78ee

                              SHA1

                              7b1c2393002e35ea36f4e20c5d6dd87d14542408

                              SHA256

                              6f01b51d56b152362ad864e5c4e3f8979aa60c565021e0eff2b34fba422d4870

                              SHA512

                              07eca622f5d10b2d5892417dc872ecce2d1b0b8e6a1c6916186770c685038e8cdf4ebc01c50fd6ad47e981f8b7a7c9bdc05e1e71fbba54cab1d5b34cb8edc639

                            • memory/1284-0-0x0000000000E00000-0x0000000000F59000-memory.dmp

                              Filesize

                              1.3MB

                            • memory/1284-18-0x0000000000E00000-0x0000000000F59000-memory.dmp

                              Filesize

                              1.3MB