Analysis
Max time kernel: 117s
Max time network: 124s
Platform: windows7_x64
Resource: win7-20240221-en
Resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
Submitted: 05-06-2024 02:19
Behavioral task: behavioral1
Sample: d82aa76842e45325dd2b665ae410f91dfeb8fd2f9bc6449630090f3bac0c95b0.exe
Resource: win7-20240221-en
General
Target: d82aa76842e45325dd2b665ae410f91dfeb8fd2f9bc6449630090f3bac0c95b0.exe
Size: 146KB
MD5: 0f9efaba9a13338ad97e0e6ef2aabd6d
SHA1: 97db912c8f0055152837e424cd8764f905a29930
SHA256: d82aa76842e45325dd2b665ae410f91dfeb8fd2f9bc6449630090f3bac0c95b0
SHA512: c8ab75ae0046c1c33f1141d1d85aeae9eaf4952f8cc9bb6993c0d29bd8f67c7a1430339020b4652ee399899f1c993c34feeeef54bfd0c37fa56825437f85149a
SSDEEP: 3072:g6glyuxE4GsUPnliByocWepRdJxGkpV4wTwAY:g6gDBGpvEByocWedG
Malware Config
Signatures
- Deletes itself (1 IoC)
  Processes: PID 2872, CD9B.tmp
- Executes dropped EXE (1 IoC)
  Processes: PID 2872, CD9B.tmp
- Loads dropped DLL (1 IoC)
  Processes: PID 3048, d82aa76842e45325dd2b665ae410f91dfeb8fd2f9bc6449630090f3bac0c95b0.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Drops desktop.ini file(s) (2 IoCs)
  Processes: d82aa76842e45325dd2b665ae410f91dfeb8fd2f9bc6449630090f3bac0c95b0.exe
  - File opened for modification: C:\$Recycle.Bin\S-1-5-21-330940541-141609230-1670313778-1000\desktop.ini
  - File opened for modification: F:\$RECYCLE.BIN\S-1-5-21-330940541-141609230-1670313778-1000\desktop.ini
- Suspicious use of NtSetInformationThreadHideFromDebugger (5 IoCs)
  Processes: PID 3048, d82aa76842e45325dd2b665ae410f91dfeb8fd2f9bc6449630090f3bac0c95b0.exe (4 occurrences); PID 2872, CD9B.tmp (1 occurrence)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry class (5 IoCs)
  Processes: d82aa76842e45325dd2b665ae410f91dfeb8fd2f9bc6449630090f3bac0c95b0.exe
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.hokwnrPwS
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.hokwnrPwS\ = "hokwnrPwS"
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\hokwnrPwS\DefaultIcon
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\hokwnrPwS
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\hokwnrPwS\DefaultIcon\ = "C:\\ProgramData\\hokwnrPwS.ico"
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  Processes: PID 3048, d82aa76842e45325dd2b665ae410f91dfeb8fd2f9bc6449630090f3bac0c95b0.exe (14 occurrences)
- Suspicious behavior: RenamesItself (26 IoCs)
  Processes: PID 2872, CD9B.tmp (26 occurrences)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: PID 3048, d82aa76842e45325dd2b665ae410f91dfeb8fd2f9bc6449630090f3bac0c95b0.exe
  Tokens adjusted, in order of first appearance: SeAssignPrimaryTokenPrivilege, SeBackupPrivilege, SeDebugPrivilege, 36, SeImpersonatePrivilege, SeIncBasePriorityPrivilege, SeIncreaseQuotaPrivilege, 33, SeManageVolumePrivilege, SeProfSingleProcessPrivilege, SeRestorePrivilege, SeSecurityPrivilege, SeSystemProfilePrivilege, SeTakeOwnershipPrivilege, SeShutdownPrivilege, SeDebugPrivilege
  The remaining entries are repeated SeBackupPrivilege and SeSecurityPrivilege adjustments by the same process (PID 3048), alternating in pairs.
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: d82aa76842e45325dd2b665ae410f91dfeb8fd2f9bc6449630090f3bac0c95b0.exe, CD9B.tmp
  - PID 3048 (d82aa76842e45325dd2b665ae410f91dfeb8fd2f9bc6449630090f3bac0c95b0.exe) wrote to memory of PID 2872, procid_target 30 (5 occurrences)
  - PID 2872 (CD9B.tmp) wrote to memory of PID 992, procid_target 31 (4 occurrences)
Processes
- C:\Users\Admin\AppData\Local\Temp\d82aa76842e45325dd2b665ae410f91dfeb8fd2f9bc6449630090f3bac0c95b0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d82aa76842e45325dd2b665ae410f91dfeb8fd2f9bc6449630090f3bac0c95b0.exe"
  Depth: 1, PID: 3048
  - Loads dropped DLL
  - Drops desktop.ini file(s)
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\ProgramData\CD9B.tmp
    Command line: "C:\ProgramData\CD9B.tmp"
    Depth: 2, PID: 2872
    - Deletes itself
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: RenamesItself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\CD9B.tmp >> NUL
      Depth: 3, PID: 992
- C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x154
  Depth: 1, PID: 2832
Network
MITRE ATT&CK Enterprise v15
Downloads