Analysis
-
max time kernel
150s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
21-05-2024 19:17
Static task
static1
Behavioral task
behavioral1
Sample
94b0daad5c1ec0220cdcd939c635b3576ac4d1736925fbae6363882a139a5079.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
94b0daad5c1ec0220cdcd939c635b3576ac4d1736925fbae6363882a139a5079.exe
Resource
win10v2004-20240426-en
General
-
Target
94b0daad5c1ec0220cdcd939c635b3576ac4d1736925fbae6363882a139a5079.exe
-
Size
25KB
-
MD5
dd3f2c3ee2a296547f6c7411bb562299
-
SHA1
404e2857fcd2b7e105c39f725298e35e3c8425f3
-
SHA256
94b0daad5c1ec0220cdcd939c635b3576ac4d1736925fbae6363882a139a5079
-
SHA512
f3518c6be30bfa0c2f3fcb91e4292335b3bc585f4e7bad8b32006b6115767bc92e9529c695a494d685187bf7732b1ec7618071568eeb4457082955f0d8be38cd
-
SSDEEP
384:ZQ6J1mIUcCgKY2mPNIrJwIhn7ytQtJUMTNOt894boE9K/mKHboIlY:ZQym55gKGPNSHftJDhEvKHbo9
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
spoolsv.exepid process 2820 spoolsv.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
94b0daad5c1ec0220cdcd939c635b3576ac4d1736925fbae6363882a139a5079.exespoolsv.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\spoolsv.exe" 94b0daad5c1ec0220cdcd939c635b3576ac4d1736925fbae6363882a139a5079.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\spoolsv.exe" spoolsv.exe -
Drops file in Windows directory 2 IoCs
Processes:
94b0daad5c1ec0220cdcd939c635b3576ac4d1736925fbae6363882a139a5079.exespoolsv.exedescription ioc process File created C:\Windows\spoolsv.exe 94b0daad5c1ec0220cdcd939c635b3576ac4d1736925fbae6363882a139a5079.exe File created C:\Windows\spoolsv.exe spoolsv.exe -
NTFS ADS 2 IoCs
Processes:
94b0daad5c1ec0220cdcd939c635b3576ac4d1736925fbae6363882a139a5079.exespoolsv.exedescription ioc process File opened for modification C:\Users\Admin\AppData\Local\Temp\https:\www.google.com 94b0daad5c1ec0220cdcd939c635b3576ac4d1736925fbae6363882a139a5079.exe File opened for modification C:\Users\Admin\AppData\Local\Temp\https:\www.google.com spoolsv.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
94b0daad5c1ec0220cdcd939c635b3576ac4d1736925fbae6363882a139a5079.exespoolsv.exedescription pid process Token: SeDebugPrivilege 936 94b0daad5c1ec0220cdcd939c635b3576ac4d1736925fbae6363882a139a5079.exe Token: SeDebugPrivilege 2820 spoolsv.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
94b0daad5c1ec0220cdcd939c635b3576ac4d1736925fbae6363882a139a5079.exedescription pid process target process PID 936 wrote to memory of 2820 936 94b0daad5c1ec0220cdcd939c635b3576ac4d1736925fbae6363882a139a5079.exe spoolsv.exe PID 936 wrote to memory of 2820 936 94b0daad5c1ec0220cdcd939c635b3576ac4d1736925fbae6363882a139a5079.exe spoolsv.exe PID 936 wrote to memory of 2820 936 94b0daad5c1ec0220cdcd939c635b3576ac4d1736925fbae6363882a139a5079.exe spoolsv.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\94b0daad5c1ec0220cdcd939c635b3576ac4d1736925fbae6363882a139a5079.exe"C:\Users\Admin\AppData\Local\Temp\94b0daad5c1ec0220cdcd939c635b3576ac4d1736925fbae6363882a139a5079.exe"1⤵
- Adds Run key to start application
- Drops file in Windows directory
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\spoolsv.exe"C:\Windows\spoolsv.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xmlFilesize
348KB
MD5c9c5d23bd34e287dbc61bc2410ecb5b8
SHA158fa56a94314116b308e7634999a09eca5668eda
SHA2566f5d19a0d2749344ad67da922ae17cc9e2a3fbb9bf4f402d9929625ff2cf810e
SHA512fe7d5a83d34ebcf202ca25723c4f0f231d5038831e5a6b70da1439e9042dae320330e7af49bb62240835f1f79bd2fb29f3ed45e67723a31a65bdc1b7b89fac98
-
C:\Users\Admin\AppData\Local\Temp\OlQfWp0LoZreQOR.exeFilesize
25KB
MD5aee80d51d927119157c97ed1a830ddcb
SHA1c06a34beeaf63f119d7561d5a29e20e0861e66f1
SHA256e8f22d262fc961a0b8206763e52da57d0a938716f6fb6c6dbcc5a35f8b21e7a2
SHA5127b4aaf88e9719f5f32682c0e83ba5d85e0db3b2bf5a9251f7a4b87063d05c6374ca3857445911351e09974dd696b3019ff5e8515bfcca2b3acb0e3d1ce7368f3
-
C:\Windows\spoolsv.exeFilesize
25KB
MD57a2c35cdb6fff964eee17f0057475e2f
SHA14252e05e7295f8335a1a21de1255727de12c3cfa
SHA256bdefea247921a91269fbfd1db990172c296db6e29fab4ed6e6378e85f3f49369
SHA512fc1442df06bb9c691bd14cfb057ed838afe2a1b7f1c00e01a60c6b0122d3f7451c80d6d8dee3fabd0594f9538f4c8a754886f7e3d7e9c0fbee991927c51d8b1a