b1369bd254d96f7966047ad4be06103830136629590182d49e5cb8680529ebd4

Analysis

max time kernel
150s
max time network
144s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
23/04/2024, 16:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

[email protected]
Size

2.0MB
MD5

c7e9746b1b039b8bd1106bca3038c38f
SHA1

cb93ac887876bafe39c5f9aa64970d5e747fb191
SHA256

b1369bd254d96f7966047ad4be06103830136629590182d49e5cb8680529ebd4
SHA512

cf5d688f1aec8ec65c1cb91d367da9a96911640c695d5c2d023836ef11e374ff158c152b4b6207e8fcdb5ccf0eed79741e080f1cbc915fe0af3dacd624525724
SSDEEP

49152:FH/1Fdq0wneDrEoYxWFjmYMcKabLVp3diY7kp:FH/1Fdq0nIo2YAcl/NisA

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Antivirus = "\"C:\\Program Files (x86)\\AnVi\\avt.exe\" -noscan"	[email protected]

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	[email protected]
File opened (read-only)	\??\O:	[email protected]
File opened (read-only)	\??\P:	[email protected]
File opened (read-only)	\??\R:	[email protected]
File opened (read-only)	\??\U:	[email protected]
File opened (read-only)	\??\W:	[email protected]
File opened (read-only)	\??\Z:	[email protected]
File opened (read-only)	\??\A:	[email protected]
File opened (read-only)	\??\B:	[email protected]
File opened (read-only)	\??\G:	[email protected]
File opened (read-only)	\??\J:	[email protected]
File opened (read-only)	\??\K:	[email protected]
File opened (read-only)	\??\L:	[email protected]
File opened (read-only)	\??\Q:	[email protected]
File opened (read-only)	\??\S:	[email protected]
File opened (read-only)	\??\V:	[email protected]
File opened (read-only)	\??\I:	[email protected]
File opened (read-only)	\??\M:	[email protected]
File opened (read-only)	\??\N:	[email protected]
File opened (read-only)	\??\Y:	[email protected]
File opened (read-only)	\??\E:	[email protected]
File opened (read-only)	\??\T:	[email protected]
File opened (read-only)	\??\X:	[email protected]

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\AnVi\splash.mp3	[email protected]
File created	C:\Program Files (x86)\AnVi\virus.mp3	[email protected]

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	[email protected]
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	[email protected]
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main	[email protected]
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Use FormSuggest = "Yes"	[email protected]

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2236	[email protected]
2236	[email protected]
2236	[email protected]
2236	[email protected]
2236	[email protected]
2236	[email protected]
2236	[email protected]
2236	[email protected]
2236	[email protected]
2236	[email protected]
2236	[email protected]
2236	[email protected]
2236	[email protected]
2236	[email protected]
2236	[email protected]
2236	[email protected]
2236	[email protected]
2236	[email protected]
2236	[email protected]
2236	[email protected]
2236	[email protected]
2236	[email protected]
2236	[email protected]
2236	[email protected]
2236	[email protected]
2236	[email protected]
2236	[email protected]
2236	[email protected]
2236	[email protected]
2236	[email protected]
2236	[email protected]
2236	[email protected]
2236	[email protected]
2236	[email protected]
2236	[email protected]
2236	[email protected]
2236	[email protected]
2236	[email protected]
2236	[email protected]
2236	[email protected]
2236	[email protected]
2236	[email protected]
2236	[email protected]
2236	[email protected]
2236	[email protected]
2236	[email protected]
2236	[email protected]
2236	[email protected]
2236	[email protected]
2236	[email protected]
2236	[email protected]
2236	[email protected]
2236	[email protected]
2236	[email protected]
2236	[email protected]
2236	[email protected]
2236	[email protected]
2236	[email protected]
2236	[email protected]
2236	[email protected]
2236	[email protected]
2236	[email protected]
2236	[email protected]
2236	[email protected]

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2236	[email protected]

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeSecurityPrivilege	1236	mofcomp.exe
Token: 33	2600	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2600	AUDIODG.EXE
Token: 33	2600	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2600	AUDIODG.EXE
Token: 33	2236	[email protected]
Token: SeIncBasePriorityPrivilege	2236	[email protected]

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2236	[email protected]
2236	[email protected]
2236	[email protected]
2236	[email protected]

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
2236	[email protected]
2236	[email protected]
2236	[email protected]
2236	[email protected]

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
2236	[email protected]
2236	[email protected]
2236	[email protected]
2236	[email protected]
2236	[email protected]
2236	[email protected]
2236	[email protected]
2236	[email protected]
2236	[email protected]
2236	[email protected]
2236	[email protected]
2236	[email protected]
2236	[email protected]
2236	[email protected]

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2236 wrote to memory of 1608	2236	[email protected]	31
PID 2236 wrote to memory of 1608	2236	[email protected]	31
PID 2236 wrote to memory of 1608	2236	[email protected]	31
PID 2236 wrote to memory of 1608	2236	[email protected]	31
PID 2236 wrote to memory of 1668	2236	[email protected]	32
PID 2236 wrote to memory of 1668	2236	[email protected]	32
PID 2236 wrote to memory of 1668	2236	[email protected]	32
PID 2236 wrote to memory of 1668	2236	[email protected]	32
PID 2236 wrote to memory of 1320	2236	[email protected]	34
PID 2236 wrote to memory of 1320	2236	[email protected]	34
PID 2236 wrote to memory of 1320	2236	[email protected]	34
PID 2236 wrote to memory of 1320	2236	[email protected]	34
PID 2236 wrote to memory of 1272	2236	[email protected]	36
PID 2236 wrote to memory of 1272	2236	[email protected]	36
PID 2236 wrote to memory of 1272	2236	[email protected]	36
PID 2236 wrote to memory of 1272	2236	[email protected]	36
PID 2236 wrote to memory of 1236	2236	[email protected]	39
PID 2236 wrote to memory of 1236	2236	[email protected]	39
PID 2236 wrote to memory of 1236	2236	[email protected]	39
PID 2236 wrote to memory of 1236	2236	[email protected]	39
PID 1272 wrote to memory of 2028	1272	net.exe	41
PID 1272 wrote to memory of 2028	1272	net.exe	41
PID 1272 wrote to memory of 2028	1272	net.exe	41
PID 1272 wrote to memory of 2028	1272	net.exe	41
PID 1668 wrote to memory of 2020	1668	net.exe	42
PID 1668 wrote to memory of 2020	1668	net.exe	42
PID 1668 wrote to memory of 2020	1668	net.exe	42
PID 1668 wrote to memory of 2020	1668	net.exe	42
PID 1320 wrote to memory of 2012	1320	net.exe	43
PID 1320 wrote to memory of 2012	1320	net.exe	43
PID 1320 wrote to memory of 2012	1320	net.exe	43
PID 1320 wrote to memory of 2012	1320	net.exe	43
PID 1608 wrote to memory of 2008	1608	net.exe	44
PID 1608 wrote to memory of 2008	1608	net.exe	44
PID 1608 wrote to memory of 2008	1608	net.exe	44
PID 1608 wrote to memory of 2008	1608	net.exe	44

C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2236
- C:\Windows\SysWOW64\net.exe
  net stop wscsvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1608
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop wscsvc
    3⤵
    PID:2008
- C:\Windows\SysWOW64\net.exe
  net stop winmgmt /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1668
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop winmgmt /y
    3⤵
    PID:2020
- C:\Windows\SysWOW64\net.exe
  net start winmgmt
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1320
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 start winmgmt
    3⤵
    PID:2012
- C:\Windows\SysWOW64\net.exe
  net start wscsvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1272
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 start wscsvc
    3⤵
    PID:2028
- C:\Windows\SysWOW64\Wbem\mofcomp.exe
  mofcomp C:\Users\Admin\AppData\Local\Temp\4otjesjty.mof
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1236

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x474
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\U8A9A2DI\buy[1].htm

Filesize
985B

MD5
69d2d338a7178b991a67134e1e72eaa6

SHA1
20dd78f63cbd873e15087a8d3d9048639f883dac

SHA256
921beaa969e6a74ef33305deaf7b5925acd1d2ff5091266f693bfbaa15cad5da

SHA512
1b7c0d6fba37ed5af0a604329b3f8d113a92c683662974f1940aa1fdf6b3f064673895b754730237c959dda884f6b7fa508b66ef97011ed97c0bce5b5fb99f40

Download Submit
C:\Users\Admin\AppData\Local\Temp\4otjesjty.mof

Filesize
443B

MD5
7fad92afda308dca8acfc6ff45c80c24

SHA1
a7fa35e7f90f772fc943c2e940737a48b654c295

SHA256
76e19416eb826a27bdcf626c3877cf7812bbe9b62cc2ccc5c2f65461d644246f

SHA512
49eed1e1197401cb856064bf7fdbd9f3bc57f3c864d47f509346d44eed3b54757d8c6cdb6254990d21291065f0762d2a1588d09e43c5728f77a420f6a8dcd6ea

Download Submit
memory/2236-16-0x00000000708A0000-0x0000000070BB2000-memory.dmp

Filesize
3.1MB

Download
memory/2236-17-0x0000000007A30000-0x0000000007A31000-memory.dmp

Filesize
4KB

Download
memory/2236-19-0x00000000708A0000-0x0000000070BB2000-memory.dmp

Filesize
3.1MB

Download