Overview

overview

10

Static

static

1

1234.exe

windows7-x64

10

1234.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    122s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    22-05-2024 20:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1234.exe

  • Size

    597KB

  • MD5

    972bda48546cecc13e31bfc3d445e9f7

  • SHA1

    ef6e53d3b99c942df9c4751d93564d84b42748fc

  • SHA256

    45833dc7730d4f37357a4149eeb5cf1389c0a87df7ac5a5e52ad5a3ee845357a

  • SHA512

    2370ea4bd99f75f25cbfdd45fddaec5e2865dfae484e7fa014cc6b1a9a5f08afdfc48e29895463607a449f03c0615838d360c5652f7dab6b03ee2ac450434826

  • SSDEEP

    12288:4IRx6tD2PVle8zpYAgzvbiKoW+dDwm5sY:3RktDLAgT2KoVd0ZY

Score
10/10
persistencespywarestealer

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies AppInit DLL entries 2 TTPs
    persistence
  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
    persistence
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 13 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Kills process with taskkill 2 IoCs
    evasion
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of FindShellTrayWindow 28 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\1234.exe
    "C:\Users\Admin\AppData\Local\Temp\1234.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2256
    • C:\Windows\system32\CMD.exe
      "CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "AssemblyBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2560
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "AssemblyBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe"
        3⤵
        • Creates scheduled task(s)
        PID:2572
    • C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2352
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST
        3⤵
        • Creates scheduled task(s)
        PID:2528
    • C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Svchost" /tr "C:\Users\Admin\AppData\Local\amd64_microsoft-windows-f..client-applications_31bf3856ad364e35_10.0.19041.3636_none_ed91412UI917\swapdrives.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1660
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo 5 /tn "Svchost" /tr "C:\Users\Admin\AppData\Local\amd64_microsoft-windows-f..client-applications_31bf3856ad364e35_10.0.19041.3636_none_ed91412UI917\swapdrives.exe" /RL HIGHEST
        3⤵
        • Creates scheduled task(s)
        • Suspicious behavior: EnumeratesProcesses
        PID:1708
    • C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2696
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST
        3⤵
        • Creates scheduled task(s)
        • Suspicious behavior: EnumeratesProcesses
        PID:2236
    • C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2980
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST
        3⤵
        • Creates scheduled task(s)
        • Suspicious behavior: EnumeratesProcesses
        PID:2200
    • C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:480
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST
        3⤵
        • Creates scheduled task(s)
        • Suspicious behavior: EnumeratesProcesses
        PID:1304
    • C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3056
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST
        3⤵
        • Creates scheduled task(s)
        PID:2928
    • C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1788
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST
        3⤵
        • Creates scheduled task(s)
        PID:1952
    • C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1664
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST
        3⤵
        • Creates scheduled task(s)
        PID:2092
    • C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3044
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST
        3⤵
        • Creates scheduled task(s)
        PID:2488
    • C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2468
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST
        3⤵
        • Creates scheduled task(s)
        PID:2408
    • C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST & exit
      2⤵
        PID:1504
        • C:\Windows\system32\schtasks.exe
          SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST
          3⤵
          • Creates scheduled task(s)
          PID:2648
      • C:\Windows\system32\CMD.exe
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST & exit
        2⤵
          PID:1452
          • C:\Windows\system32\schtasks.exe
            SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST
            3⤵
            • Creates scheduled task(s)
            PID:284
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c schtASks /deLeTe /F /Tn "AssemblyBroker" & exit
          2⤵
            PID:2452
            • C:\Windows\system32\schtasks.exe
              schtASks /deLeTe /F /Tn "AssemblyBroker"
              3⤵
                PID:2980
            • C:\Windows\system32\CMD.exe
              "CMD" /C taskkill /im explorer.exe /f
              2⤵
                PID:2832
                • C:\Windows\system32\taskkill.exe
                  taskkill /im explorer.exe /f
                  3⤵
                  • Kills process with taskkill
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2200
              • C:\Windows\System32\cmd.exe
                "C:\Windows\System32\cmd.exe" /c schtASks /deLeTe /F /Tn "Svchost" & exit
                2⤵
                  PID:1624
                  • C:\Windows\system32\schtasks.exe
                    schtASks /deLeTe /F /Tn "Svchost"
                    3⤵
                      PID:604
                  • C:\Windows\system32\cmd.exe
                    cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpD5A7.tmp.bat""
                    2⤵
                      PID:560
                      • C:\Windows\system32\timeout.exe
                        timeout 5
                        3⤵
                        • Delays execution with timeout.exe
                        PID:1648
                      • C:\Windows\explorer.exe
                        explorer.exe
                        3⤵
                        • Modifies Installed Components in the registry
                        • Modifies registry class
                        • Suspicious behavior: GetForegroundWindowSpam
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of FindShellTrayWindow
                        • Suspicious use of SendNotifyMessage
                        PID:480
                      • C:\Windows\system32\taskkill.exe
                        taskkill /im DogDAppxLogso.exe /f
                        3⤵
                        • Kills process with taskkill
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1432
                  • C:\Windows\system32\wbem\WmiApSrv.exe
                    C:\Windows\system32\wbem\WmiApSrv.exe
                    1⤵
                    • Suspicious behavior: EnumeratesProcesses
                    PID:1548

                  Network

                  MITRE ATT&CK Enterprise v15

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • C:\Users\Admin\AppData\Local\Temp\tmpD5A7.tmp.bat
                    Filesize

                    242B

                    MD5

                    5ada4d41bcda9649c8b917d3b512cb8e

                    SHA1

                    e4a5186e9970370683eb1892336a568ba35845b1

                    SHA256

                    ab796f3e206bc5996a16290b3d6d3c7387a88c72a2deef1a7baf515cfaa00049

                    SHA512

                    cba39bf2f52e3a294be7f481cfbb7e10b3562c597a8d7aa9221f495812fc170f903fcd88de6c3862f501ee26af231b862e396fae2f446ff1185aa01db2941cea

                    Download Submit

                  • C:\Windows\xdwd.dll
                    Filesize

                    136KB

                    MD5

                    16e5a492c9c6ae34c59683be9c51fa31

                    SHA1

                    97031b41f5c56f371c28ae0d62a2df7d585adaba

                    SHA256

                    35c8d022e1d917f1aabdceae98097ccc072161b302f84c768ca63e4b32ac2b66

                    SHA512

                    20fd369172ef5e3e2fde388666b42e8fe5f0c2bfa338c0345f45e98af6561a249ba3ecc48c3f16efcc73f02ecb67b3ddb1e2e8f0e77d18fa00ac34e6379e50b6

                    Download Submit

                  • memory/284-352-0x000007FEF02C0000-0x000007FEF02E2000-memory.dmp

                    Filesize

                    136KB

                    Download

                  • memory/480-128-0x000007FEF02C0000-0x000007FEF02E2000-memory.dmp

                    Filesize

                    136KB

                    Download

                  • memory/1304-127-0x000007FEF02C0000-0x000007FEF02E2000-memory.dmp

                    Filesize

                    136KB

                    Download

                  • memory/1452-353-0x000007FEF02C0000-0x000007FEF02E2000-memory.dmp

                    Filesize

                    136KB

                    Download

                  • memory/1504-321-0x000007FEF02C0000-0x000007FEF02E2000-memory.dmp

                    Filesize

                    136KB

                    Download

                  • memory/1548-74-0x000007FEF02C0000-0x000007FEF02E2000-memory.dmp

                    Filesize

                    136KB

                    Download

                  • memory/1664-224-0x000007FEF02C0000-0x000007FEF02E2000-memory.dmp

                    Filesize

                    136KB

                    Download

                  • memory/1708-53-0x000007FEF6580000-0x000007FEF65A2000-memory.dmp

                    Filesize

                    136KB

                    Download

                  • memory/1788-194-0x000007FEF02C0000-0x000007FEF02E2000-memory.dmp

                    Filesize

                    136KB

                    Download

                  • memory/1952-191-0x000007FEF02C0000-0x000007FEF02E2000-memory.dmp

                    Filesize

                    136KB

                    Download

                  • memory/2092-223-0x000007FEF02C0000-0x000007FEF02E2000-memory.dmp

                    Filesize

                    136KB

                    Download

                  • memory/2200-95-0x000007FEF02C0000-0x000007FEF02E2000-memory.dmp

                    Filesize

                    136KB

                    Download

                  • memory/2236-60-0x000007FEF6550000-0x000007FEF6572000-memory.dmp

                    Filesize

                    136KB

                    Download

                  • memory/2256-1-0x0000000000320000-0x00000000003BA000-memory.dmp

                    Filesize

                    616KB

                    Download

                  • memory/2256-393-0x000007FEF57D0000-0x000007FEF61BC000-memory.dmp

                    Filesize

                    9.9MB

                    Download

                  • memory/2256-76-0x0000000000870000-0x000000000087C000-memory.dmp

                    Filesize

                    48KB

                    Download

                  • memory/2256-75-0x000007FEF57D3000-0x000007FEF57D4000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/2256-237-0x000007FEF57D0000-0x000007FEF61BC000-memory.dmp

                    Filesize

                    9.9MB

                    Download

                  • memory/2256-0-0x000007FEF57D3000-0x000007FEF57D4000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/2256-54-0x000007FEF57D0000-0x000007FEF61BC000-memory.dmp

                    Filesize

                    9.9MB

                    Download

                  • memory/2408-288-0x000007FEF02C0000-0x000007FEF02E2000-memory.dmp

                    Filesize

                    136KB

                    Download

                  • memory/2468-289-0x000007FEF02C0000-0x000007FEF02E2000-memory.dmp

                    Filesize

                    136KB

                    Download

                  • memory/2488-256-0x000007FEF02C0000-0x000007FEF02E2000-memory.dmp

                    Filesize

                    136KB

                    Download

                  • memory/2648-320-0x000007FEF02C0000-0x000007FEF02E2000-memory.dmp

                    Filesize

                    136KB

                    Download

                  • memory/2696-61-0x000007FEF6550000-0x000007FEF6572000-memory.dmp

                    Filesize

                    136KB

                    Download

                  • memory/2928-159-0x000007FEF02C0000-0x000007FEF02E2000-memory.dmp

                    Filesize

                    136KB

                    Download

                  • memory/2980-96-0x000007FEF02C0000-0x000007FEF02E2000-memory.dmp

                    Filesize

                    136KB

                    Download

                  • memory/3044-257-0x000007FEF02C0000-0x000007FEF02E2000-memory.dmp

                    Filesize

                    136KB

                    Download

                  • memory/3056-160-0x000007FEF02C0000-0x000007FEF02E2000-memory.dmp

                    Filesize

                    136KB

                    Download