Analysis

  • max time kernel
    143s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-03-2024 15:36

General

  • Target

    80ac8da6cd68d70640b3344da6e7884b25fc3c588162ae589d194599030f481a.exe

  • Size

    893KB

  • MD5

    1e79d9bf5b01707fd8b3081e69f5f7f8

  • SHA1

    58bcef993a3c58808afc4affb1c2fa6948f7a5c7

  • SHA256

    80ac8da6cd68d70640b3344da6e7884b25fc3c588162ae589d194599030f481a

  • SHA512

    1799d68dc22e29790f49d4ea848fb5708716fe4dd8532994bc72805e2c85271762f7a92cc23cd04b394ce79e9d569231bc4ef8f7536d8b5c05370e82a3ce11bc

  • SSDEEP

    24576:UX0hD34ShYVRyg0l6h4Zo7EEasEiDA4ONxjQTDpGTlbcm5:UEcShYV90l6J7DasEdrjQXpGpbD

Malware Config

Signatures

  • Possible privilege escalation attempt 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Modifies file permissions 1 TTPs 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • AutoIT Executable 2 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Kills process with taskkill 1 IoCs
  • Modifies File Icons 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 47 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 11 IoCs
  • Suspicious use of SendNotifyMessage 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\80ac8da6cd68d70640b3344da6e7884b25fc3c588162ae589d194599030f481a.exe
    "C:\Users\Admin\AppData\Local\Temp\80ac8da6cd68d70640b3344da6e7884b25fc3c588162ae589d194599030f481a.exe"
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Modifies File Icons
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2568
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c takeown /f "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup" && icacls "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup" /grant administrators:F /t
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3552
      • C:\Windows\SysWOW64\takeown.exe
        takeown /f "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:3080
      • C:\Windows\SysWOW64\icacls.exe
        icacls "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup" /grant administrators:F /t
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:4732
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c takeown /f "C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup" && icacls "C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup" /grant administrators:F /t
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3924
      • C:\Windows\SysWOW64\takeown.exe
        takeown /f "C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:3668
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c @echo off
      2⤵
        PID:3404
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c if exist regset.ini @del /q /f regset.ini
        2⤵
          PID:1100
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c echo HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{5CE25775-92B7-477d-9603-852F0B34D8B0} [2 8 19] >regset.ini
          2⤵
            PID:4664
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c regini regset.ini
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:3592
            • C:\Windows\SysWOW64\regini.exe
              regini regset.ini
              3⤵
              • Modifies Internet Explorer settings
              PID:1008
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c @del /q /f regset.ini
            2⤵
              PID:100
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c @echo off
              2⤵
                PID:3604
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c if exist regset.ini @del /q /f regset.ini
                2⤵
                  PID:2064
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c echo HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{A481937F-4D99-4B11-86E6-5B0F1007C557} [2 8 19] >regset.ini
                  2⤵
                    PID:756
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c regini regset.ini
                    2⤵
                    • Suspicious use of WriteProcessMemory
                    PID:1796
                    • C:\Windows\SysWOW64\regini.exe
                      regini regset.ini
                      3⤵
                      • Modifies Internet Explorer settings
                      PID:1800
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c @del /q /f regset.ini
                    2⤵
                      PID:1520
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c @echo off
                      2⤵
                        PID:2144
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c if exist regset.ini @del /q /f regset.ini
                        2⤵
                          PID:4832
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c echo HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes [2 8 19] >regset.ini
                          2⤵
                            PID:3396
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c regini regset.ini
                            2⤵
                            • Suspicious use of WriteProcessMemory
                            PID:4400
                            • C:\Windows\SysWOW64\regini.exe
                              regini regset.ini
                              3⤵
                              • Modifies Internet Explorer settings
                              PID:5100
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c @del /q /f regset.ini
                            2⤵
                              PID:4104
                            • C:\Windows\web\sms.exe
                              C:\Windows\web\sms.exe
                              2⤵
                              • Executes dropped EXE
                              PID:4560
                              • C:\Windows\SysWOW64\cmd.exe
                                cmd /C taskkill /f /im msedge.exe
                                3⤵
                                  PID:5088
                                  • C:\Windows\SysWOW64\taskkill.exe
                                    taskkill /f /im msedge.exe
                                    4⤵
                                    • Kills process with taskkill
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:956
                              • C:\Windows\SysWOW64\cmd.exe
                                C:\Windows\system32\cmd.exe /c ping 127.0.0.1 -n 2&del /q "C:\Users\Admin\AppData\Local\Temp\80ac8da6cd68d70640b3344da6e7884b25fc3c588162ae589d194599030f481a.exe"
                                2⤵
                                  PID:4580
                                  • C:\Windows\SysWOW64\PING.EXE
                                    ping 127.0.0.1 -n 2
                                    3⤵
                                    • Runs ping.exe
                                    PID:4980

                              Network

                              MITRE ATT&CK Enterprise v15

                              Replay Monitor

                              Loading Replay Monitor...

                              Downloads

                              • C:\Users\Admin\AppData\Local\Temp\regset.ini

                                Filesize

                                118B

                                MD5

                                06697bf2f4f5395a9af659f50df00e3b

                                SHA1

                                01925ffbeed3e54e134e1fafaef8ff640dda9107

                                SHA256

                                8868e97e8dfbc08e681ab68b6b5b1a756cd352354d8ed6c5ce1cb6dee07e55f1

                                SHA512

                                9c32faff9e7d4b0c82b92ea87c03cff3bd1548ea07728bb7c1fda828db6be857f4101c94e6cffd70f16e2d4fef93c641f4a7edb8cc62c1edda23b54218affd73

                              • C:\Users\Admin\AppData\Local\Temp\regset.ini

                                Filesize

                                118B

                                MD5

                                b141c6974c48fadca812a060e03f8200

                                SHA1

                                bfc010eeda61bd2bd6d3b7963570cbc7d7539037

                                SHA256

                                68a17dd52a94c7807e46ec191f4481f330eba25303daba341316ac389c17282e

                                SHA512

                                353288737aca756f1e78b7143711a87917509a3290bf62c789e4de03275b4684eff9027d5d668996b7bc47e3ae7d4f2fc85c523a16795b90a94a9f5d6ed8f138

                              • C:\Users\Admin\AppData\Local\Temp\regset.ini

                                Filesize

                                79B

                                MD5

                                2c545704057f619fa7fb3f994862f181

                                SHA1

                                b820cf6d3e8cbc30ef87632370ed60ef4a5f0bbd

                                SHA256

                                0a31ed19b74d461d0819477eb328af5f8ef3508974df347cf4304fa62977d1a0

                                SHA512

                                5875c2626b6172d6059faa391efb4bfcd9c6c35ec15aa002becff0cef7f05b928f9690ed8edd19f790e056d8d19a3f5c7a5402213ae649577202a7f025388a84

                              • C:\Windows\web\sms.exe

                                Filesize

                                775KB

                                MD5

                                628ca25523c98eb00cee7503787f78ee

                                SHA1

                                7b1c2393002e35ea36f4e20c5d6dd87d14542408

                                SHA256

                                6f01b51d56b152362ad864e5c4e3f8979aa60c565021e0eff2b34fba422d4870

                                SHA512

                                07eca622f5d10b2d5892417dc872ecce2d1b0b8e6a1c6916186770c685038e8cdf4ebc01c50fd6ad47e981f8b7a7c9bdc05e1e71fbba54cab1d5b34cb8edc639

                              • memory/2568-0-0x0000000000B40000-0x0000000000C99000-memory.dmp

                                Filesize

                                1.3MB

                              • memory/2568-1-0x0000000000B40000-0x0000000000C99000-memory.dmp

                                Filesize

                                1.3MB

                              • memory/2568-31-0x0000000000B40000-0x0000000000C99000-memory.dmp

                                Filesize

                                1.3MB