Overview

overview

10

Static

static

3

10092d3106...98.exe

windows7-x64

10

10092d3106...98.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    139s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
  • submitted
    06-07-2024 10:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    10092d3106ee645c3b2d9d18b6198298.exe

  • Size

    3.4MB

  • MD5

    10092d3106ee645c3b2d9d18b6198298

  • SHA1

    5c8a5432e12df1ecdb33499e0c142a6ba37165f0

  • SHA256

    b1ab7ae36965a9b7bfe0f46123cabeee9260f0816b118cf102deb4480b63b86a

  • SHA512

    82e71b255671e08199986101747092359a2be592344058e4ddc264b6f65d2033fa41051e7a7b853df78cc27aaaba4da6080b1f3bac67cb563fb550d7f0aacb98

  • SSDEEP

    49152:IBJTrDS1bJ+05CiD5LIYUcfjEGJT8TpIfYttDqrWEn5PjfHyejpdQ8y7uBxbPEKF:y9rGrXZTjupIf2ODxzSeFP64EKIjFZE/

Score
10/10
persistencespywarestealer

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 6 IoCs
    persistence
  • Process spawned unexpected child process 18 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 12 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Runs ping.exe 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\10092d3106ee645c3b2d9d18b6198298.exe
    "C:\Users\Admin\AppData\Local\Temp\10092d3106ee645c3b2d9d18b6198298.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2704
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\WinRAR\zAABOcyJ2bBgkpH6Xhk3lnmdvCX3caSCc9GQdkeF.vbe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:568
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Roaming\WinRAR\Teg6emHMlLt57vxkHLDGu6vtBrgy1f5AzyvH4iCxDeNGgB7UyEG1SG.bat" "
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2728
        • C:\Users\Admin\AppData\Roaming\WinRAR\HyperServerFont.exe
          "C:\Users\Admin\AppData\Roaming\WinRAR/HyperServerFont.exe"
          4⤵
          • Modifies WinLogon for persistence
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Program Files directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2820
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
            "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xepi0xql\xepi0xql.cmdline"
            5⤵
            • Drops file in System32 directory
            • Suspicious use of WriteProcessMemory
            PID:2852
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
              C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE531.tmp" "c:\Windows\System32\CSC8B561873344249A4B84B6B73535D66C.TMP"
              6⤵
                PID:1248
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WNePB0Q2Xd.bat"
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:3036
              • C:\Windows\system32\chcp.com
                chcp 65001
                6⤵
                  PID:280
                • C:\Windows\system32\PING.EXE
                  ping -n 10 localhost
                  6⤵
                  • Runs ping.exe
                  PID:904
                • C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\HyperServerFont.exe
                  "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\HyperServerFont.exe"
                  6⤵
                  • Executes dropped EXE
                  • Suspicious behavior: GetForegroundWindowSpam
                  • Suspicious use of AdjustPrivilegeToken
                  PID:876
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "HyperServerFontH" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\HyperServerFont.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2956
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "HyperServerFont" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\HyperServerFont.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2964
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "HyperServerFontH" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\HyperServerFont.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2684
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Recovery\b2a802a2-3b12-11ef-8991-d2f1755c8afd\audiodg.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1220
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\b2a802a2-3b12-11ef-8991-d2f1755c8afd\audiodg.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1656
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Recovery\b2a802a2-3b12-11ef-8991-d2f1755c8afd\audiodg.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:288
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Downloads\conhost.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2984
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Public\Downloads\conhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2856
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Downloads\conhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2080
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Program Files\Internet Explorer\fr-FR\Idle.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2156
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\fr-FR\Idle.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2720
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Program Files\Internet Explorer\fr-FR\Idle.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1776
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\cmd.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2460
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\Default User\cmd.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2952
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\cmd.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:796
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "HyperServerFontH" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\AppData\Roaming\WinRAR\HyperServerFont.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:988
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "HyperServerFont" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Roaming\WinRAR\HyperServerFont.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1796
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "HyperServerFontH" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\AppData\Roaming\WinRAR\HyperServerFont.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1084

      Network

      MITRE ATT&CK Enterprise v15

      Reconnaissance

      Resource Development

      Initial Access

      Execution

      Scheduled Task/Job

      1
      T1053

      Scheduled Task

      1
      T1053.005

      Persistence

      Boot or Logon Autostart Execution

      2
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Winlogon Helper DLL

      1
      T1547.004

      Scheduled Task/Job

      1
      T1053

      Scheduled Task

      1
      T1053.005

      Privilege Escalation

      Boot or Logon Autostart Execution

      2
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Winlogon Helper DLL

      1
      T1547.004

      Scheduled Task/Job

      1
      T1053

      Scheduled Task

      1
      T1053.005

      Defense Evasion

      Modify Registry

      2
      T1112

      Credential Access

      Unsecured Credentials

      1
      T1552

      Credentials In Files

      1
      T1552.001

      Discovery

      Query Registry

      1
      T1012

      Remote System Discovery

      1
      T1018

      System Information Discovery

      1
      T1082

      Lateral Movement

      Collection

      Data from Local System

      1
      T1005

      Command and Control

      Exfiltration

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\RESE531.tmp
        Filesize

        1KB

        MD5

        626231ddd72aa8319779bb4762c7f973

        SHA1

        17f44e294d65b257dffafcd9c0eb88516c1b680d

        SHA256

        4011e85ff6e35b6829abcc62a50cd828f0e0e910a7d5715d612cbed17e6e4f7e

        SHA512

        02c1aab5e3c0cc2d2a2be650bda2afec1457719e0eed77775d2fb43b41984af76395295ea92e8f8f7a3c30a3d738b75a3faabc84b11f874574224b405672de9d

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\WNePB0Q2Xd.bat
        Filesize

        210B

        MD5

        42e0f54cf2fe33d272efcf6034ba6662

        SHA1

        f7ec141223c026aa7ba4e752994fe7db35334b3e

        SHA256

        08134e85ed9bb5ce652c571bd1622e55cd2e915f5643cfa6ff63d7a9ac52f1f7

        SHA512

        fdcaf47883fae14dac37dc962dae12de957fc32318ab072ef895caec0e201a18097e2514d97955b247c38feb7c04ae3a857b01080f4c8c92891b72f10fac6700

        Download Submit

      • C:\Users\Admin\AppData\Roaming\WinRAR\Teg6emHMlLt57vxkHLDGu6vtBrgy1f5AzyvH4iCxDeNGgB7UyEG1SG.bat
        Filesize

        85B

        MD5

        6fb0cede604bc60a8b56d06517fc275b

        SHA1

        2ff60f4528e919d7c8856a96d8ab2ecf8adec2d1

        SHA256

        6e320f0bbc930d2f1106e791a79547b0b14507ccefd9154571a4a4d4c2105c80

        SHA512

        d54e559522844b79e7c396d2eaffcdb093c71779c248fc2637fa067ce21149b0f3d4a2d1ad2295d6c685f9e280be86b931c95efe0cf9b84a942c33f126885d25

        Download Submit

      • C:\Users\Admin\AppData\Roaming\WinRAR\zAABOcyJ2bBgkpH6Xhk3lnmdvCX3caSCc9GQdkeF.vbe
        Filesize

        245B

        MD5

        11d88d852b26c866aa883701afb373ec

        SHA1

        a88acf9a42805f23575bf4bfc518d8ae6db11a36

        SHA256

        c2d4bc12a60d049699f9693568a1a14d3849257966470b28978d9922ff17b12a

        SHA512

        2851d70cb66c93b87fa35ee9684d66ec884acaa12ddde5b38cad802e623b02b6cf49fc9ab18876c4885615a9915f47fbce64de6ab75d0f7be3b7dea8ca217283

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\xepi0xql\xepi0xql.0.cs
        Filesize

        414B

        MD5

        9c9cff07bb23de14bfbbaac7e575b3ee

        SHA1

        4befbaf8970c0a754620c96d603e6a31a34fb720

        SHA256

        d4beb8e42dfc25a357124aeb8ddbbd63db8d8e529f0f909a9863dbaa9f416c5c

        SHA512

        1ceef265452bafe748c1213122e18b4fe013fe3f614b8bf51f69c679ca6c3218508b004dc430e9ae73a4b26ae57bf1b50bc2e3403f3d0f49d69fcdce5fc0c88d

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\xepi0xql\xepi0xql.cmdline
        Filesize

        235B

        MD5

        8b737e5d579837e016d2b6fe3459eea7

        SHA1

        3a361b5d0313faec64fc33748f8924d3c46b241c

        SHA256

        9eb72032318db9cd09714d17bbdab5ef7f74f64a5d2277fb4985bb1c892dd2d4

        SHA512

        6641148097a86296a0ba4ecd376de74d2b1467b08e0cf90d1af47c63b30dd3ef2043a1ec1c6358b0bb6d262156dbfb3342b085cadf2fa450043d9ba82f99137c

        Download Submit

      • \??\c:\Windows\System32\CSC8B561873344249A4B84B6B73535D66C.TMP
        Filesize

        1KB

        MD5

        9f32e217907de2ff7b3c3ad4297589df

        SHA1

        67955dc01ed3a57d836a2b53f6c9314261c1ed0f

        SHA256

        397d3fe0bc8496bf85a8b939cc1690197583469b69db5ce21ab4c0f600b983ff

        SHA512

        144599e25851b4a6dd07b1019266a0259ef63a554a1c77c926075209811dd5df7cd0e3a79cb2c902ae7e8af5e061f28256dd6f026b09d9ce6d08b15c1e9cd73c

        Download Submit

      • \Users\Admin\AppData\Roaming\WinRAR\HyperServerFont.exe
        Filesize

        3.5MB

        MD5

        e6096483a8f2600535d5c540898501ee

        SHA1

        988f6c02d6d8fc54ef7c74e2982b606229f084c9

        SHA256

        4abfb6c4719bf650b60ce4e9088ab59a24a33f06627a8a5cbddd4ed5ab59c14d

        SHA512

        9e682b3bd8984b8f72f129c1f79f6c53b38ee2291ebfaa892a40f282f0bba5e17bdf144fdbc10953f9e0c14b657febe3daa860ba871070f8d61e5282ddb3a90e

        Download Submit

      • memory/876-89-0x0000000000C80000-0x000000000100E000-memory.dmp

        Filesize

        3.6MB

        Download

      • memory/2820-39-0x0000000000B90000-0x0000000000B9E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/2820-47-0x0000000000ED0000-0x0000000000EDE000-memory.dmp

        Filesize

        56KB

        Download

      • memory/2820-29-0x0000000000B50000-0x0000000000B5E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/2820-31-0x0000000000BA0000-0x0000000000BB2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2820-33-0x0000000000B80000-0x0000000000B90000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2820-35-0x000000001A9F0000-0x000000001AA06000-memory.dmp

        Filesize

        88KB

        Download

      • memory/2820-37-0x000000001AA10000-0x000000001AA22000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2820-25-0x0000000000630000-0x0000000000640000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2820-41-0x0000000000BC0000-0x0000000000BD0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2820-43-0x0000000000BD0000-0x0000000000BE0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2820-45-0x000000001ABD0000-0x000000001AC2A000-memory.dmp

        Filesize

        360KB

        Download

      • memory/2820-27-0x0000000000B40000-0x0000000000B50000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2820-49-0x000000001AA30000-0x000000001AA40000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2820-51-0x000000001AA40000-0x000000001AA4E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/2820-53-0x000000001AB70000-0x000000001AB88000-memory.dmp

        Filesize

        96KB

        Download

      • memory/2820-55-0x000000001AA50000-0x000000001AA5C000-memory.dmp

        Filesize

        48KB

        Download

      • memory/2820-57-0x000000001B400000-0x000000001B44E000-memory.dmp

        Filesize

        312KB

        Download

      • memory/2820-23-0x0000000000B60000-0x0000000000B78000-memory.dmp

        Filesize

        96KB

        Download

      • memory/2820-21-0x0000000000620000-0x0000000000630000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2820-19-0x0000000000B20000-0x0000000000B3C000-memory.dmp

        Filesize

        112KB

        Download

      • memory/2820-17-0x0000000000610000-0x000000000061E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/2820-15-0x00000000006C0000-0x00000000006E6000-memory.dmp

        Filesize

        152KB

        Download

      • memory/2820-13-0x0000000000EE0000-0x000000000126E000-memory.dmp

        Filesize

        3.6MB

        Download