933d31dcbd32a9a571efdd4e2138c717e79938438dc0a7e2ce1f4a6a09ccd034

Analysis

max time kernel
168s
max time network
180s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
11/03/2024, 01:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

933d31dcbd32a9a571efdd4e2138c717e79938438dc0a7e2ce1f4a6a09ccd034.exe
Size

705KB
MD5

3a7e07aa1a6e8a80891e1f755b5b3373
SHA1

bef2045ff96fe059e39f1c9015d074a294f9b7af
SHA256

933d31dcbd32a9a571efdd4e2138c717e79938438dc0a7e2ce1f4a6a09ccd034
SHA512

0110fb9a0c1b9558fca50d3e583858654ea9de59a060883550281cbe445fea13af7fee7934563e815a7dc7487eb530eafe5385a74f8e86988c103cde124e63ad
SSDEEP

12288:fW9B+VWMTmkJR4Do07Y86gw5CtCjX+NLuFhNpBeZT3X:fW9BUSkQ/7Gb8NLEbeZ

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
5064	alg.exe
3768	DiagnosticsHub.StandardCollector.Service.exe
4620	elevation_service.exe
2868	elevation_service.exe
4244	maintenanceservice.exe
4884	OSE.EXE

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	933d31dcbd32a9a571efdd4e2138c717e79938438dc0a7e2ce1f4a6a09ccd034.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\32c7a841b3e2edcd.bin	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	933d31dcbd32a9a571efdd4e2138c717e79938438dc0a7e2ce1f4a6a09ccd034.exe
File opened for modification	C:\Windows\system32\dllhost.exe	933d31dcbd32a9a571efdd4e2138c717e79938438dc0a7e2ce1f4a6a09ccd034.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	933d31dcbd32a9a571efdd4e2138c717e79938438dc0a7e2ce1f4a6a09ccd034.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	alg.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_156609\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{1342F81A-D5C5-42B4-A5E8-933F7759DA30}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files\ConfirmTrace.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_156609\java.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	alg.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
672	Process not Found
672	Process not Found

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	368	933d31dcbd32a9a571efdd4e2138c717e79938438dc0a7e2ce1f4a6a09ccd034.exe
Token: SeDebugPrivilege	5064	alg.exe
Token: SeDebugPrivilege	5064	alg.exe
Token: SeDebugPrivilege	5064	alg.exe

C:\Users\Admin\AppData\Local\Temp\933d31dcbd32a9a571efdd4e2138c717e79938438dc0a7e2ce1f4a6a09ccd034.exe
"C:\Users\Admin\AppData\Local\Temp\933d31dcbd32a9a571efdd4e2138c717e79938438dc0a7e2ce1f4a6a09ccd034.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:368

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:5064

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3768

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4620

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2868

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4244

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4884

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4180 --field-trial-handle=2276,i,5697607538120380977,9987005253899555344,262144 --variations-seed-version /prefetch:8
1⤵
PID:3540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe

Filesize
1.1MB

MD5
7726a810c0029c3ecdb81ee745d03e00

SHA1
006566841fb1b3dd221d995e65b02c683ceb7844

SHA256
0782fcdaeb641f9fcb195814cd2a78ac2db997518b10678d6f916cffbb6b6841

SHA512
0e9c17c4fe55cbee86ca112568bb14552b31f3cfdd3477a2088408f59dd4372ff34edee8d046bf8f6c05a1c109024cd425691ba759cca7d68eb02637026ec99c

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
521KB

MD5
65cdf15c89c77a936aec6591972e3779

SHA1
6480a062d99da75544f1c8db8db3f046fddb2b4f

SHA256
98065b186bc91e899574041915046962a7876db374e423e9daffcb5264ca267b

SHA512
9a23dd3532dc4b8547d5fa144b62c94334d0b84838e40551b9288fad002b2a86bfc0b40f8d2cb65caecacec00fd5aa30004704fbe1b22b50487a8f2acac05f25

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
107KB

MD5
bc736a812d6553cb4d3d8bb74c66868c

SHA1
64dc291f652d333cbd35b1b097bf5cde2ab21558

SHA256
5d362286a007645f5560b53c24b2503901150a99f7efa2a12baeada638e05aae

SHA512
6cddd77f4231f411937a058dc46dcf121cb67f50e9c9db0cbf57ada6763e54b30f8124c381eee3d3e04191d4c3c17e6ed4ddffbe9d202a7353b03d5c9ca5c90a

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
1.2MB

MD5
be3e8140edf02c7961d9cac5876a1bba

SHA1
de30690a55576ee25c6af26b4ba388f840f1706f

SHA256
57457b83d887ab83b4663d6a389b7a68fc6c9d3a3a2a788ecb87c0ff86a056ba

SHA512
0b7f056a1f7a4f1a54f697225bb69ca74fce305df8fd2779fb80b0f2217c79a5ab7039af822cecf66eccb94aa2e797e9cd10de5dba6345e14a63f37d018dd9bc

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
252KB

MD5
e5305e7894c578096d46444c48a13180

SHA1
55162ac7e1c0ecf334a1b2c3be5d180ab12beafa

SHA256
6507a79d2c24a67593b052ae1eae9c3dd77c875d38a005744bdd55dd9040cd80

SHA512
bc48de8eb940a6625efd2d7d4d1b9445e30750b6644a29cace25bc0af79d832540419f94490ebf94033b1508bb7145f60113133a53054f7f88b995e9860b61a2

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
6bf8abeff9c61a5820b4c7222bf0834e

SHA1
489abb26e17a9db014ce2f042fb598ab7d6947b1

SHA256
4d1512bc26194854ac1fd6d38c812e5b3e543512f68807b5fdbe40c3dee7f7e8

SHA512
732dfe9bdfaf5efd97d8e63b7b310254a76c04cb0bae66d49dd3fb068514d8ed768085306d96051eb7d6b18bee964b8213a195c44a528b446ab8ebb1ed828ef0

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
180KB

MD5
3c8f1c2ae95187e888758467cfe50042

SHA1
07632b623232c7562a8d5c8150b67a4e961feb6f

SHA256
ba4255b7195f10cdc804d37e70aae2d47ff422cd605e56c48f34bc4f8b069c99

SHA512
fbdc38c1bb9cc7c44751adec87c53aaf2e6fbded0cd64321df9246879439ebf6af64a6a49e96af05af9fbfe35e8429198ea5790ae6295cb77cf3be2ba8bd67e6

Download Submit
memory/368-1-0x0000000002340000-0x00000000023A6000-memory.dmp

Filesize
408KB

Download
memory/368-6-0x0000000002340000-0x00000000023A6000-memory.dmp

Filesize
408KB

Download
memory/368-7-0x0000000002340000-0x00000000023A6000-memory.dmp

Filesize
408KB

Download
memory/368-0-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/368-40-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2868-130-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/2868-61-0x0000000000990000-0x00000000009F0000-memory.dmp

Filesize
384KB

Download
memory/2868-56-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/2868-54-0x0000000000990000-0x00000000009F0000-memory.dmp

Filesize
384KB

Download
memory/3768-37-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/3768-36-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/3768-30-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/3768-29-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3768-97-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4244-73-0x0000000002260000-0x00000000022C0000-memory.dmp

Filesize
384KB

Download
memory/4244-66-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/4244-65-0x0000000002260000-0x00000000022C0000-memory.dmp

Filesize
384KB

Download
memory/4244-78-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/4244-76-0x0000000002260000-0x00000000022C0000-memory.dmp

Filesize
384KB

Download
memory/4620-106-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4620-42-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4620-43-0x0000000000D50000-0x0000000000DB0000-memory.dmp

Filesize
384KB

Download
memory/4620-50-0x0000000000D50000-0x0000000000DB0000-memory.dmp

Filesize
384KB

Download
memory/4884-162-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4884-83-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4884-82-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/4884-90-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/5064-20-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/5064-13-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/5064-81-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/5064-12-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/5064-19-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download