Analysis
- max time kernel: 119s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 05-06-2024 15:34
Behavioral task: behavioral1
- Sample: d82aa76842e45325dd2b665ae410f91dfeb8fd2f9bc6449630090f3bac0c95b0.exe
- Resource: win7-20240221-en
General
- Target: d82aa76842e45325dd2b665ae410f91dfeb8fd2f9bc6449630090f3bac0c95b0.exe
- Size: 146KB
- MD5: 0f9efaba9a13338ad97e0e6ef2aabd6d
- SHA1: 97db912c8f0055152837e424cd8764f905a29930
- SHA256: d82aa76842e45325dd2b665ae410f91dfeb8fd2f9bc6449630090f3bac0c95b0
- SHA512: c8ab75ae0046c1c33f1141d1d85aeae9eaf4952f8cc9bb6993c0d29bd8f67c7a1430339020b4652ee399899f1c993c34feeeef54bfd0c37fa56825437f85149a
- SSDEEP: 3072:g6glyuxE4GsUPnliByocWepRdJxGkpV4wTwAY:g6gDBGpvEByocWedG
Malware Config
Signatures
- Deletes itself (1 IoC)
  Process: PID 2084 2C9C.tmp
- Executes dropped EXE (1 IoC)
  Process: PID 2084 2C9C.tmp
- Loads dropped DLL (1 IoC)
  Process: PID 1796 d82aa76842e45325dd2b665ae410f91dfeb8fd2f9bc6449630090f3bac0c95b0.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
- Drops desktop.ini file(s) (2 IoCs)
  Process: PID 1796 d82aa76842e45325dd2b665ae410f91dfeb8fd2f9bc6449630090f3bac0c95b0.exe
  File opened for modification: C:\$Recycle.Bin\S-1-5-21-2297530677-1229052932-2803917579-1000\desktop.ini
  File opened for modification: F:\$RECYCLE.BIN\S-1-5-21-2297530677-1229052932-2803917579-1000\desktop.ini
  (Both the C: and F: volumes are touched.)
- Suspicious use of NtSetInformationThreadHideFromDebugger (5 IoCs)
  PID 1796 d82aa76842e45325dd2b665ae410f91dfeb8fd2f9bc6449630090f3bac0c95b0.exe: 4 events
  PID 2084 2C9C.tmp: 1 event
- Modifies registry class (5 IoCs)
  Process: PID 1796 d82aa76842e45325dd2b665ae410f91dfeb8fd2f9bc6449630090f3bac0c95b0.exe
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\hokwnrPwS
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\hokwnrPwS\DefaultIcon\ = "C:\\ProgramData\\hokwnrPwS.ico"
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.hokwnrPwS
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.hokwnrPwS\ = "hokwnrPwS"
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\hokwnrPwS\DefaultIcon
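Taken together, the five registry events above register a new file extension (.hokwnrPwS), map it to a ProgID of the same name and give that ProgID a DefaultIcon that lives under C:\ProgramData, a directory any standard user can write to. The script below is an added example, not part of the sandbox report, showing how to flag that pattern from registry-event records: a newly mapped extension whose icon is served from a user-writable location. The event tuples are reconstructed from the page; the benign .myapp control entries, the event-tuple shape and the list of user-writable directories are assumptions.

```python
import re

CLASSES = "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\"

# Constructed registry events in the shape of the report's "Modifies registry
# class" signature: (operation, key path, value). Modelled on the page rather
# than copied from the sandbox's raw log; the .myapp entries are a benign control.
SAMPLE_EVENTS = [
    ("Key created",     CLASSES + "hokwnrPwS", None),
    ("Set value (str)", CLASSES + "hokwnrPwS\\DefaultIcon\\", "C:\\ProgramData\\hokwnrPwS.ico"),
    ("Key created",     CLASSES + ".hokwnrPwS", None),
    ("Set value (str)", CLASSES + ".hokwnrPwS\\", "hokwnrPwS"),
    ("Key created",     CLASSES + "hokwnrPwS\\DefaultIcon", None),
    ("Set value (str)", CLASSES + ".myapp\\", "MyApp.Document"),
    ("Set value (str)", CLASSES + "MyApp.Document\\DefaultIcon\\", "C:\\Program Files\\MyApp\\app.exe,0"),
]

# HKLM\SOFTWARE\Classes and HKU\<SID>\SOFTWARE\Classes; <name> is the extension
# or ProgID directly under Classes, <sub> whatever follows it.
CLASSES_KEY = re.compile(
    r"^\\REGISTRY\\(?:MACHINE|USER\\[^\\]+)\\SOFTWARE\\Classes\\(?P<name>[^\\]+)\\?(?P<sub>.*)$",
    re.IGNORECASE,
)

# Directories any standard user can write to (assumed list; extend for your estate).
USER_WRITABLE = ("c:\\programdata\\", "c:\\users\\", "c:\\windows\\temp\\")


def user_writable(path: str) -> bool:
    """True when the path sits under a directory a standard user can write to."""
    p = path.strip('"').lower()
    return any(p.startswith(d) for d in USER_WRITABLE)


def find_extension_hijacks(events):
    """Return (extension, progid, icon) for each extension mapped in this event
    stream whose ProgID also received a DefaultIcon in a user-writable directory."""
    ext_to_progid = {}   # ".hokwnrPwS" -> "hokwnrPwS"
    progid_icon = {}     # "hokwnrPwS" -> "C:\ProgramData\hokwnrPwS.ico"
    for op, key, value in events:
        m = CLASSES_KEY.match(key)
        if not m or not op.startswith("Set value"):
            continue
        name, sub = m.group("name"), m.group("sub").rstrip("\\")
        if name.startswith(".") and sub == "":
            ext_to_progid[name] = value          # (Default) value of the extension key
        elif sub.lower() == "defaulticon":
            progid_icon[name] = value            # (Default) value of ProgID\DefaultIcon
    return [
        (ext, progid, progid_icon[progid])
        for ext, progid in ext_to_progid.items()
        if progid in progid_icon and user_writable(progid_icon[progid])
    ]


if __name__ == "__main__":
    for ext, progid, icon in find_extension_hijacks(SAMPLE_EVENTS):
        print(f"new extension {ext} -> {progid}, icon from user-writable path {icon}")
```

The check keys on the pairing rather than on either event alone: installers legitimately register extensions and icons, but a fresh extension whose icon is dropped into ProgramData by the same process is worth an alert. The .myapp control entry, with its icon under Program Files, is deliberately not reported.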
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  PID 1796 d82aa76842e45325dd2b665ae410f91dfeb8fd2f9bc6449630090f3bac0c95b0.exe: 14 events
- Suspicious behavior: RenamesItself (26 IoCs)
  PID 2084 2C9C.tmp: 26 events
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Process: PID 1796 d82aa76842e45325dd2b665ae410f91dfeb8fd2f9bc6449630090f3bac0c95b0.exe
  First batch of 15 tokens, in order: SeAssignPrimaryTokenPrivilege, SeBackupPrivilege, SeDebugPrivilege, 36, SeImpersonatePrivilege, SeIncBasePriorityPrivilege, SeIncreaseQuotaPrivilege, 33, SeManageVolumePrivilege, SeProfSingleProcessPrivilege, SeRestorePrivilege, SeSecurityPrivilege, SeSystemProfilePrivilege, SeTakeOwnershipPrivilege, SeShutdownPrivilege
  Then SeDebugPrivilege once, followed by 48 entries that repeat the sequence SeBackupPrivilege, SeBackupPrivilege, SeSecurityPrivilege, SeSecurityPrivilege (12 repetitions; the list stops at the sandbox's cap of 64 IoCs).
  The entries shown as bare numbers are privilege LUID values the sandbox did not resolve to a name: in winnt.h 36 is SE_DELEGATE_SESSION_USER_IMPERSONATE_PRIVILEGE and 33 is SE_INC_WORKING_SET_PRIVILEGE, which also matches the alphabetical position of each in the first batch.
- Suspicious use of WriteProcessMemory (9 IoCs)
  PID 1796 (d82aa76842e45325dd2b665ae410f91dfeb8fd2f9bc6449630090f3bac0c95b0.exe) wrote to memory of PID 2084 (2C9C.tmp): 5 events, procid_target 30
  PID 2084 (2C9C.tmp) wrote to memory of PID 2428 (cmd.exe): 4 events, procid_target 31
Processes
- C:\Users\Admin\AppData\Local\Temp\d82aa76842e45325dd2b665ae410f91dfeb8fd2f9bc6449630090f3bac0c95b0.exe (PID 1796)
  Command line: "C:\Users\Admin\AppData\Local\Temp\d82aa76842e45325dd2b665ae410f91dfeb8fd2f9bc6449630090f3bac0c95b0.exe"
  - Loads dropped DLL
  - Drops desktop.ini file(s)
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\ProgramData\2C9C.tmp (PID 2084)
    Command line: "C:\ProgramData\2C9C.tmp"
    - Deletes itself
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: RenamesItself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 2428)
      Command line: "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\2C9C.tmp >> NUL
- C:\Windows\system32\AUDIODG.EXE (PID 2208)
  Command line: C:\Windows\system32\AUDIODG.EXE 0x148
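Two details of the tree are worth pulling out. The dropped C:\ProgramData\2C9C.tmp spawns cmd.exe to delete its own image, referring to it through the 8.3 alias C:\PROGRA~3 rather than the long path, so a detection that compares full paths misses it. And cmd.exe's image ran from SysWOW64 although the command line names System32, which is what WoW64 file-system redirection does to a 32-bit parent process (consistent with the arch:x86 resource tag). The script below is an added example, not part of the sandbox report: it rebuilds the tree from process-creation records and flags the dropper, dropped executable and cleanup cmd.exe as one chain. The records are reconstructed from the page; the record shape, the list of user-writable directories and the AUDIODG.EXE control (which is on the page but unrelated to the chain) are assumptions.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import Optional

SAMPLE_EXE = "d82aa76842e45325dd2b665ae410f91dfeb8fd2f9bc6449630090f3bac0c95b0.exe"


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: Optional[int]   # None when the sandbox recorded no parent (depth-1 rows)
    image: str            # image path as it actually ran (after any WoW64 redirection)
    cmdline: str


# Constructed process-creation records modelled on the report's process tree.
# Not the sandbox's raw log; AUDIODG.EXE is present as an unrelated control.
SAMPLE_PROCS = [
    Proc(1796, None, "C:\\Users\\Admin\\AppData\\Local\\Temp\\" + SAMPLE_EXE,
         '"C:\\Users\\Admin\\AppData\\Local\\Temp\\' + SAMPLE_EXE + '"'),
    Proc(2084, 1796, "C:\\ProgramData\\2C9C.tmp", '"C:\\ProgramData\\2C9C.tmp"'),
    Proc(2428, 2084, "C:\\Windows\\SysWOW64\\cmd.exe",
         '"C:\\Windows\\System32\\cmd.exe" /C DEL /F /Q C:\\PROGRA~3\\2C9C.tmp >> NUL'),
    Proc(2208, None, "C:\\Windows\\system32\\AUDIODG.EXE", "C:\\Windows\\system32\\AUDIODG.EXE 0x148"),
]

# Directories a standard user can write to (assumed list; extend for your estate).
USER_WRITABLE = ("c:\\programdata\\", "c:\\users\\", "c:\\windows\\temp\\")

# cmd.exe delete verb, any switches such as /F /Q, then the first target path.
DEL_RE = re.compile(r"\b(?:del|erase)\b(?:\s+/\w+)*\s+(?P<target>\"[^\"]+\"|\S+)", re.IGNORECASE)


def del_target(cmdline: str) -> Optional[str]:
    """First path handed to cmd's DEL/ERASE in a command line, or None."""
    m = DEL_RE.search(cmdline)
    return m.group("target").strip('"') if m else None


def dropped_tmp_executable(p: Proc) -> bool:
    """Image with a .tmp extension executing from a user-writable directory."""
    img = p.image.lower()
    return img.endswith(".tmp") and any(img.startswith(d) for d in USER_WRITABLE)


def wow64_redirected(p: Proc) -> bool:
    """Command line asked for System32 but the image ran from SysWOW64: the
    parent is a 32-bit process subject to WoW64 file-system redirection."""
    return "\\syswow64\\" in p.image.lower() and "\\system32\\" in p.cmdline.lower()


def find_self_delete_chains(procs):
    """Find dropper -> dropped executable -> cmd.exe chains in which cmd.exe
    deletes the dropped executable's own image."""
    by_pid = {p.pid: p for p in procs}
    chains = []
    for p in procs:
        if ntpath.basename(p.image).lower() != "cmd.exe":
            continue
        parent = by_pid.get(p.ppid)
        target = del_target(p.cmdline)
        if parent is None or target is None:
            continue
        # 8.3 aliases such as C:\PROGRA~3 defeat a full-path comparison, so match on
        # the file name; on a live host resolve the alias with GetLongPathName instead.
        if ntpath.basename(target).lower() != ntpath.basename(parent.image).lower():
            continue
        grandparent = by_pid.get(parent.ppid)
        chains.append({
            "dropper_pid": grandparent.pid if grandparent else None,
            "dropped_pid": parent.pid,
            "dropped_image": parent.image,
            "cleanup_pid": p.pid,
            "dropped_in_user_writable_dir": dropped_tmp_executable(parent),
            "dropped_is_32bit": wow64_redirected(p),
        })
    return chains


if __name__ == "__main__":
    for chain in find_self_delete_chains(SAMPLE_PROCS):
        print(chain)
```

Fed with Sysmon event ID 1 records (ProcessId, ParentProcessId, Image, CommandLine) the same function works unchanged; the basename comparison is the part that survives the 8.3 alias, and the SysWOW64-versus-System32 mismatch is a cheap way to learn the bitness of the dropped executable without touching the file.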
Network
MITRE ATT&CK Enterprise v15
Downloads
- Dropped file (no path recorded), 129B
  MD5: 2c543c31c49a9729eab855f563d00d3e
  SHA1: c9dff9133153570b2a34854d85a1e7354a72aea0
  SHA256: f54e8239f2b1c33c066d33231ad5d3bad062ee09e04b416a0c956f3b41c2a9df
  SHA512: 0b2c5e7f78c0de4076caec0d2ae5cb358d62a0c0d69b3d81afd05d2b6aeca379528a820d975a83babe3364dddfe472ad37210d8385b596239f85f415e5861a11
- C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD, 146KB (same size as the submitted sample, but different hashes)
  MD5: e8e83bfdc34011670c58d2ae57bacdd4
  SHA1: 9b3a44491f50d30d771b55e1fbb26c2b729713ae
  SHA256: 1a47aa6cc69455881422612f19df987cbcea16e1fd11b4988aa866c4518a3adf
  SHA512: b4209de9b1a0a7d0adfbed1357882a511160336c5e14f848ff17cce2e9406d48d5fd30d81d229182d7c1bf4574039da93c1fdce38992897459367c252ecbf406
- Dropped file (no path recorded), 865B
  MD5: 80ce254bf1170938cb7d41f5a98bf0ad
  SHA1: f8eb2e6395f16c206d32d5fefccd4f7419324bc9
  SHA256: 36b49a373e27694fa1be03e9557ef503c0e436289de49ff59718f19c4131f4ea
  SHA512: d1f065109ef0aaa0a57a58bc2018e5042bda9883e584520943c4a8ef0b3d424d88eba0f69b6d29fb92a52837d388f0ec31136d3c79f07469eaaa811976db86f7
- Dropped file (no path recorded), 129B
  MD5: 5ac7801eb594d92f826149ffc55b0f7a
  SHA1: c5808d72935df458636229fbd2e688633e00eeb1
  SHA256: a24effc0214f4c16b04e9229a66cf4ec3ddca3b6bb86967b33c15b09a14502e7
  SHA512: e2897f4eb5d3a0e83fd0fc3ed6890a12ac8f8ecddf91bb52fd35708620a9b82e6847b9dc23a2fc552253596df7bec3a61b17bddb7a1c68ccf01e84eb1f9a0093
- Dropped file (no path recorded), 14KB
  MD5: 294e9f64cb1642dd89229fff0592856b
  SHA1: 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
  SHA256: 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
  SHA512: b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf