Resubmissions

30/07/2024, 06:44

240730-hhpnyayhrd 10

27/05/2024, 14:12

240527-rh1wmsgc52 10

Analysis

  • max time kernel
    145s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240508-en locale:en-us os:windows7-x64 system
  • submitted
    27/05/2024, 14:12

General

  • Target

    7e052903db8c20022280f156834b9af172c7877b7253104562f77d61f8c3de6a.exe

  • Size

    2.0MB

  • MD5

    20d1a291ba22e0d37ba1c9ef7c4f2a8e

  • SHA1

    977deb9b18a8599aac68cfd86fd95219a54fc8c4

  • SHA256

    7e052903db8c20022280f156834b9af172c7877b7253104562f77d61f8c3de6a

  • SHA512

    662369dcf70c1abe0142a139f950df672d62b3dbda910a804b6ef6a76280fa543aba4d1a9e52bea1584cdc0c674110b7a11fb0948be82e27c77e92b465f16d42

  • SSDEEP

    24576:2y2KxiKAGfq78Qh7zCIU1D6hynUlAqFzATZAguEkVm2nc6DKcPGsiSbBydwBFrUm:2K1WlU1D6hk8RFzAZ5+m21Kc+sPbVT

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 5 IoCs
  • Process spawned unexpected child process 15 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 10 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 15 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\7e052903db8c20022280f156834b9af172c7877b7253104562f77d61f8c3de6a.exe
    "C:\Users\Admin\AppData\Local\Temp\7e052903db8c20022280f156834b9af172c7877b7253104562f77d61f8c3de6a.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Adds Run key to start application
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1244
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bxgxxmbu\bxgxxmbu.cmdline"
      2⤵
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:2620
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES251D.tmp" "c:\Windows\System32\CSCC5A5918A6661467091E1B034B188881D.TMP"
        3⤵
        PID:2592
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\S2jOVRNz9g.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2348
      • C:\Windows\system32\chcp.com
        chcp 65001
        3⤵
        PID:2764
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
        PID:2756
      • C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe
        "C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:808
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Windows\AppPatch\fr-FR\csrss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2792
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\AppPatch\fr-FR\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2948
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Windows\AppPatch\fr-FR\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2512
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\spoolsv.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1584
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2496
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2568
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2672
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2808
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2000
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\csrss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1528
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2784
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2820
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Office\Office14\1033\explorer.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1684
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\explorer.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1620
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Office\Office14\1033\explorer.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1520
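
The scheduled-task activity above is the most actionable part of this report: every task re-launches a binary named after a Windows system process (csrss.exe, spoolsv.exe, explorer.exe, Idle.exe) from a directory where no such binary belongs, either at logon with /rl HIGHEST or every few minutes. The following is an added triage helper written for this page, not code from the report or from the sample: it parses the schtasks.exe /create command lines, flags the masquerading, the high-frequency triggers and the elevated run level, and cross-references each target against the dropped-file hashes from the Downloads section to show that the Office14\1033\explorer.exe drop is a byte-identical copy of the submitted sample. The ALLOWED_DIRS allow-list and the 15-minute threshold are assumptions; the command lines and hash values are copied from this report.

```python
# Added example: triage scheduled-task persistence from a sandbox process tree.
# Editor-written illustration code; not part of the report or the sample.
import re
from dataclasses import dataclass, field

# Assumption: where each impersonated binary legitimately lives on Windows 7 x64.
# Idle.exe has no legitimate on-disk counterpart ("System Idle Process" is not a file).
ALLOWED_DIRS = {
    "csrss.exe": {r"c:\windows\system32"},
    "spoolsv.exe": {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows"},
    "idle.exe": set(),
}
HIGH_FREQUENCY_MINUTES = 15  # assumption: benign software rarely re-launches this often

TN = re.compile(r'/tn\s+"([^"]+)"', re.I)
TR = re.compile(r"""/tr\s+["']+([^"']+)["']+""", re.I)  # schtasks nests '...' inside "..."
SC = re.compile(r"/sc\s+(\w+)", re.I)
MO = re.compile(r"/mo\s+(\d+)", re.I)
RL = re.compile(r"/rl\s+(\w+)", re.I)


@dataclass
class TaskFinding:
    name: str
    target: str
    schedule: str
    reasons: list = field(default_factory=list)


def analyze_task(cmdline, dropped_hashes=None, sample_sha256=None):
    """Parse one 'schtasks.exe /create ...' line and return a TaskFinding.

    dropped_hashes maps lower-cased paths the sandbox saw written to their SHA256,
    so a task target that is a renamed copy of the submitted sample can be flagged.
    """
    name = TN.search(cmdline).group(1)
    target = TR.search(cmdline).group(1)
    sc = SC.search(cmdline).group(1).upper()
    mo = MO.search(cmdline)
    rl = RL.search(cmdline)
    schedule = f"{sc}/{mo.group(1)}" if mo else sc
    finding = TaskFinding(name, target, schedule)

    directory, _, basename = target.lower().rpartition("\\")
    if basename in ALLOWED_DIRS and directory not in ALLOWED_DIRS[basename]:
        finding.reasons.append(f"masquerade: {basename} planted in {directory}")
    if sc == "MINUTE" and mo and int(mo.group(1)) <= HIGH_FREQUENCY_MINUTES:
        finding.reasons.append(f"high-frequency trigger: every {mo.group(1)} min")
    if rl and rl.group(1).upper() == "HIGHEST":
        finding.reasons.append("run level HIGHEST (elevated whenever the user is an admin)")
    if dropped_hashes and dropped_hashes.get(target.lower()) == sample_sha256:
        finding.reasons.append("target is a byte-identical copy of the submitted sample")
    return finding


def analyze_report(cmdlines, dropped_hashes=None, sample_sha256=None):
    """Analyze every schtasks /create line; findings are sorted by target path."""
    findings = [analyze_task(c, dropped_hashes, sample_sha256) for c in cmdlines]
    return sorted(findings, key=lambda f: (f.target.lower(), f.name))


def persistence_paths(findings):
    """Distinct on-disk locations the tasks would keep re-launching (clean-up list)."""
    return sorted({f.target for f in findings}, key=str.lower)


# Command lines copied from the process tree above (one per distinct target/trigger).
SCHTASKS_LINES = [
    r'''schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Windows\AppPatch\fr-FR\csrss.exe'" /f''',
    r'''schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\AppPatch\fr-FR\csrss.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\spoolsv.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe'" /f''',
    r'''schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\explorer.exe'" /rl HIGHEST /f''',
]
SAMPLE_SHA256 = "7e052903db8c20022280f156834b9af172c7877b7253104562f77d61f8c3de6a"
# From the Downloads section: the Office14\1033\explorer.exe drop hashes identically to the sample.
DROPPED_HASHES = {
    r"c:\program files\microsoft office\office14\1033\explorer.exe": SAMPLE_SHA256,
}

if __name__ == "__main__":
    for f in analyze_report(SCHTASKS_LINES, DROPPED_HASHES, SAMPLE_SHA256):
        print(f"{f.name:10} {f.schedule:10} {f.target}")
        for r in f.reasons:
            print("    -", r)
    print("persistence locations:", *persistence_paths(analyze_report(SCHTASKS_LINES)), sep="\n  ")
```

The allow-list check is deliberately keyed on the basename: the point is not that csrss.exe is suspicious, but that a file called csrss.exe under C:\Windows\AppPatch\fr-FR\ or C:\Users\Default User\ is. The hash cross-reference is what turns "dropped a file named explorer.exe" into "copied itself", which matters for scoping: the same detection signatures that fired on the submitted file will fire on every one of the five persistence locations.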

Network

MITRE ATT&CK Enterprise v15


Downloads

              • C:\Program Files\Microsoft Office\Office14\1033\explorer.exe

                Filesize

                2.0MB

                MD5

                20d1a291ba22e0d37ba1c9ef7c4f2a8e

                SHA1

                977deb9b18a8599aac68cfd86fd95219a54fc8c4

                SHA256

                7e052903db8c20022280f156834b9af172c7877b7253104562f77d61f8c3de6a

                SHA512

                662369dcf70c1abe0142a139f950df672d62b3dbda910a804b6ef6a76280fa543aba4d1a9e52bea1584cdc0c674110b7a11fb0948be82e27c77e92b465f16d42

              • C:\Users\Admin\AppData\Local\Temp\RES251D.tmp

                Filesize

                1KB

                MD5

                3a156091a0ffc2281285ccdc06bbcf34

                SHA1

                a209b338825a99ea460cb45837181081f7242351

                SHA256

                8d9db717316096aaa67a834ebcf54c69f3a271252e1b884dd4fb68ccdac2aa81

                SHA512

                9e340653996193ca0356bbec25200a16aede5660c2f49f5fa1ea76394772bf200c0004d46838393fa013d42e5e39db7af805480030f96f7182920f720ce1155a

              • C:\Users\Admin\AppData\Local\Temp\S2jOVRNz9g.bat

                Filesize

                233B

                MD5

                baf407747e823a53d559b9615e73593d

                SHA1

                c497fd07b8b613d7b94d9332dc8c4169b617a095

                SHA256

                c25bf4efe912930e004c0d0fa4bef9b81bb5627efdf23b30a6c33a066c9dec94

                SHA512

                9c1c4dd5967411e6f3b111d65bc889675c40c9b6c26f71eaea2570008988e8876a84fb1f78285d5baec3b881a2f15289a63cc8dd6e77c96ed0608764d0ff1750

              • \??\c:\Users\Admin\AppData\Local\Temp\bxgxxmbu\bxgxxmbu.0.cs

                Filesize

                367B

                MD5

                b9f4990c2e8d3609b2f2df9ff81d7b09

                SHA1

                d83a54fe9369e4057b15907bf0ca60d4079807b9

                SHA256

                2011d42e0eedfd93cbb929fc221231e63620df7de1c77367d1d751fa640daac2

                SHA512

                93915f49e17dc1f5f66c9ecb485846b61ab14cefc279d1540117c5dbe503a55923d78fcc003b5779bc79f5559b5138bf1fa5de9fe5f31b485660092257904cf8

              • \??\c:\Users\Admin\AppData\Local\Temp\bxgxxmbu\bxgxxmbu.cmdline

                Filesize

                235B

                MD5

                c6b800b26f107488b8d146acb065fb19

                SHA1

                d51c40e021dc035487da89306745f764c85d2839

                SHA256

                55283da17fde8558e5e45a4703a336e3b56b6a1b471cd1105f00fcfb204d849e

                SHA512

                f583dc41239f6a5aad2630cc9ab3295a343d2a977bf6f3c528d54a0baf990d8e4ee839de617b68268a265ac428f63e0b8b57843303d3dd9fcbe37e423afd14e6

              • \??\c:\Windows\System32\CSCC5A5918A6661467091E1B034B188881D.TMP

                Filesize

                1KB

                MD5

                707f3ae17d1443518c14e3d57f6b0fa5

                SHA1

                78ac15700b932222fa2ce60142966a1716c90838

                SHA256

                1fafc870513c7e90d1f2569dd473478821fb4798e8eb51e1f8a1620b3bf29aea

                SHA512

                ac3805f209da253c7eb6758d472a7c6a084392594a4dd7389dc926181933f9333fa0a74d7f749bc7ecb0b901afa5cad91d64d62989122acd3f4b583c3a4e2c9f

              • memory/808-57-0x00000000013C0000-0x00000000015CA000-memory.dmp

                Filesize

                2.0MB

              • memory/1244-19-0x000007FEF6090000-0x000007FEF6A7C000-memory.dmp

                Filesize

                9.9MB

              • memory/1244-13-0x0000000000320000-0x000000000032E000-memory.dmp

                Filesize

                56KB

              • memory/1244-22-0x000007FEF6090000-0x000007FEF6A7C000-memory.dmp

                Filesize

                9.9MB

              • memory/1244-21-0x000007FEF6090000-0x000007FEF6A7C000-memory.dmp

                Filesize

                9.9MB

              • memory/1244-20-0x000007FEF6090000-0x000007FEF6A7C000-memory.dmp

                Filesize

                9.9MB

              • memory/1244-0-0x000007FEF6093000-0x000007FEF6094000-memory.dmp

                Filesize

                4KB

              • memory/1244-18-0x00000000003A0000-0x00000000003B2000-memory.dmp

                Filesize

                72KB

              • memory/1244-16-0x000007FEF6090000-0x000007FEF6A7C000-memory.dmp

                Filesize

                9.9MB

              • memory/1244-15-0x0000000000330000-0x000000000033C000-memory.dmp

                Filesize

                48KB

              • memory/1244-10-0x0000000000360000-0x0000000000378000-memory.dmp

                Filesize

                96KB

              • memory/1244-24-0x0000000000380000-0x000000000038E000-memory.dmp

                Filesize

                56KB

              • memory/1244-26-0x0000000000390000-0x000000000039C000-memory.dmp

                Filesize

                48KB

              • memory/1244-11-0x000007FEF6090000-0x000007FEF6A7C000-memory.dmp

                Filesize

                9.9MB

              • memory/1244-8-0x0000000000340000-0x000000000035C000-memory.dmp

                Filesize

                112KB

              • memory/1244-6-0x0000000000310000-0x000000000031E000-memory.dmp

                Filesize

                56KB

              • memory/1244-4-0x000007FEF6090000-0x000007FEF6A7C000-memory.dmp

                Filesize

                9.9MB

              • memory/1244-3-0x000007FEF6090000-0x000007FEF6A7C000-memory.dmp

                Filesize

                9.9MB

              • memory/1244-53-0x000007FEF6090000-0x000007FEF6A7C000-memory.dmp

                Filesize

                9.9MB

              • memory/1244-2-0x000007FEF6090000-0x000007FEF6A7C000-memory.dmp

                Filesize

                9.9MB

              • memory/1244-1-0x0000000001110000-0x000000000131A000-memory.dmp

                Filesize

                2.0MB