e7d39e44de74e8274fa212e6682eed4ba1a581f2a1e6a38c092b5679c1e4adc9

Analysis

max time kernel
152s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
17-05-2024 01:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2cf94826c03183114d1f85a4feccd441.exe
Size

1.3MB
MD5

2cf94826c03183114d1f85a4feccd441
SHA1

39b6a2693ee422b54b834e990f48d98860e3d8b1
SHA256

e7d39e44de74e8274fa212e6682eed4ba1a581f2a1e6a38c092b5679c1e4adc9
SHA512

5cf8eded1ca335621c4d818bc82904e24fae04da4ba430282660776615c718f9254e014441655f41855afbf97a5de44077a6807b7a8ed7a7eedb3e8c6679cde2
SSDEEP

24576:y2zEYytjjqNSlhvpfQiIhKPtehfQ7r9qySkbged+t/sBlDqgZQd6XKtiMJYiPUR:yPtjtQiIhUyQd1SkFdU/snji6attJM

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 7 IoCs

pid	Process
3656	alg.exe
2800	DiagnosticsHub.StandardCollector.Service.exe
1948	fxssvc.exe
1704	elevation_service.exe
4832	elevation_service.exe
3332	maintenanceservice.exe
4640	OSE.EXE

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\fxssvc.exe	2cf94826c03183114d1f85a4feccd441.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2cf94826c03183114d1f85a4feccd441.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2cf94826c03183114d1f85a4feccd441.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2cf94826c03183114d1f85a4feccd441.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2cf94826c03183114d1f85a4feccd441.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\3c87feecb3e2edcd.bin	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1972	2cf94826c03183114d1f85a4feccd441.exe
Token: SeAuditPrivilege	1948	fxssvc.exe
Token: SeDebugPrivilege	3656	alg.exe
Token: SeDebugPrivilege	3656	alg.exe
Token: SeDebugPrivilege	3656	alg.exe

C:\Users\Admin\AppData\Local\Temp\2cf94826c03183114d1f85a4feccd441.exe
"C:\Users\Admin\AppData\Local\Temp\2cf94826c03183114d1f85a4feccd441.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1972

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:3656

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2800

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3640

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1948

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1704

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4832

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3332

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4640

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4244 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:8
1⤵
PID:3944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe

Filesize
2.2MB

MD5
25182d688958109155470697ecd23bf8

SHA1
183a7eaea062aa9e9669cde6a97fae486f38c39e

SHA256
6aa8658ea24adc2462fcb6d3c999e00c93d4f240553670387eeb38789ca81e47

SHA512
49edca818d20081cf15f5a71cc5e669d694524d0f5f73c151239132def2a54725474ab60c1d1abd65a6e9b5be03980187826ff22a37c7fda3b85711a7224b358

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.6MB

MD5
0dc3b0367de469c477e19588ebef0e23

SHA1
45588bc4e954cdc3e43f7e45c10a4eccc070c6bf

SHA256
d630d2f8343d43607c0803c7c0d0179df6f679810f74f64b9dda5305aea318d4

SHA512
7f81a8bec5105121f42cadd4eea2d51a2777cfd2d100779a2899120a465ed983de07d47a8f000437161a3780d9341f3e3d2fd66cc2df75f45e0a10948304bd9e

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
cff47c9a10dc15ccd37b01df303c6779

SHA1
40ebfbfa217d8569497215c69cd6ff02a00ad35f

SHA256
5185e0513e89cb76d68213afe3d691b614f9263115b17b8849e140a04b86d867

SHA512
4d1f6bab4201314aed67ca123f895b6bb7b08c3ee052151511f74f2bc04663d6b5e6ca400c752aa03115b607b65394aa819a51a01d67f716e50962c7b1440bf2

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
f94b53de3b2998ea4c16bbdc95721b91

SHA1
4cfc324dc4a35f95757e69541bbcd74c529b2887

SHA256
7e42266a759602e6df4bad4cd56c40a0654c6e93eb93098d6a30e43269388066

SHA512
e6be9ec7b86628a6cdf4765cdeabf47d0fa71743339e34f2f1e155c2b7cb0717c2e6b5ce9a8ed58d402d16f0ab37b3a81cb62fa478bc794bdf91ca4b2d6b0252

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
39f2ca6441b2bfb79e796b036712ff10

SHA1
0772b084d80d790cfe9c7bb431034b2f1e6182e9

SHA256
6f397cf65e0dcfc0a97d0d1108648f45497d1e0d0360474344e5688cab14e1d1

SHA512
867e60a2d4dde9c0660307bf823db1fb0c859d740188c9d32f0ca773afa31325470f80481d659196022f5d41de6abe533e6ebd58428fc00898d6f4e93970e39d

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
cd7693d849561cc5e37076c1dea825c9

SHA1
ec1102ac181e11fb593a4892e0db751925adfd6b

SHA256
ee30a0349923b54489c4aa91a8ac44839a48fd8742c674d7a7229a5402f81e59

SHA512
78bb9cd3ba26f293305567bf9631747c5bfd5bff4a66d23ac0b23363b2f927993bc4984730d4940f2d0929ba935bbb816b63bbde40d75e7a091fafeb1bbd5f28

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
955f24dd12ae94bdee119adf82831568

SHA1
afb0a48b4c6347f605821ecd1ec5e9242809ed32

SHA256
d8409db6334fabd75f85e801f08bc2b9b0e320decd021998779c0b0b9c826910

SHA512
ee1c2af29ec129e8401c4fda8f909de3cde67174ddf2c5f09c1856a0055313ac8295d738acee593f572b66b362e53d2032ebfa762221ba2e6a29cc8d96077703

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
ae4e62e35e2ae9a1182161316b1f422b

SHA1
9a429b2f1f481023e9c65dff6a1a18b27adfe87b

SHA256
84cb1a667327c8e4f5cb5456ffd942b738d8ecd1d994892e7fbb6bc6498ded02

SHA512
4c1e181ea78481d51c405c1ff80c6ba2cccd35f278a6e834c82851e534298b9b164df2614649644f5f62ac1b61e062264e03518534c5709b6f3ce58110594f23

Download Submit
memory/1704-225-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1704-49-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/1704-55-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1704-56-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/1948-48-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1948-58-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/1948-69-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1948-66-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/1948-64-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/1972-0-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1972-44-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1972-7-0x0000000000C00000-0x0000000000C67000-memory.dmp

Filesize
412KB

Download
memory/1972-6-0x0000000000C00000-0x0000000000C67000-memory.dmp

Filesize
412KB

Download
memory/1972-1-0x0000000000C00000-0x0000000000C67000-memory.dmp

Filesize
412KB

Download
memory/2800-26-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/2800-33-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/2800-195-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/2800-27-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/3332-87-0x0000000140000000-0x00000001401AB000-memory.dmp

Filesize
1.7MB

Download
memory/3332-92-0x0000000001690000-0x00000000016F0000-memory.dmp

Filesize
384KB

Download
memory/3332-94-0x0000000140000000-0x00000001401AB000-memory.dmp

Filesize
1.7MB

Download
memory/3332-82-0x0000000001690000-0x00000000016F0000-memory.dmp

Filesize
384KB

Download
memory/3332-89-0x0000000001690000-0x00000000016F0000-memory.dmp

Filesize
384KB

Download
memory/3656-169-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/3656-19-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/3656-13-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/3656-20-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/3656-12-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/4640-97-0x0000000140000000-0x00000001401B0000-memory.dmp

Filesize
1.7MB

Download
memory/4640-98-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/4640-230-0x0000000140000000-0x00000001401B0000-memory.dmp

Filesize
1.7MB

Download
memory/4832-77-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/4832-79-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/4832-71-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/4832-227-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download