Overview

overview

10

Static

static

3

b1ab7ae369...6a.exe

windows7-x64

10

b1ab7ae369...6a.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    93s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240704-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07/07/2024, 01:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b1ab7ae36965a9b7bfe0f46123cabeee9260f0816b118cf102deb4480b63b86a.exe

  • Size

    3.4MB

  • MD5

    10092d3106ee645c3b2d9d18b6198298

  • SHA1

    5c8a5432e12df1ecdb33499e0c142a6ba37165f0

  • SHA256

    b1ab7ae36965a9b7bfe0f46123cabeee9260f0816b118cf102deb4480b63b86a

  • SHA512

    82e71b255671e08199986101747092359a2be592344058e4ddc264b6f65d2033fa41051e7a7b853df78cc27aaaba4da6080b1f3bac67cb563fb550d7f0aacb98

  • SSDEEP

    49152:IBJTrDS1bJ+05CiD5LIYUcfjEGJT8TpIfYttDqrWEn5PjfHyejpdQ8y7uBxbPEKF:y9rGrXZTjupIf2ODxzSeFP64EKIjFZE/

Score
10/10
persistencespywarestealer

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 6 IoCs
    persistence
  • Process spawned unexpected child process 18 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 12 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 2 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\b1ab7ae36965a9b7bfe0f46123cabeee9260f0816b118cf102deb4480b63b86a.exe
    "C:\Users\Admin\AppData\Local\Temp\b1ab7ae36965a9b7bfe0f46123cabeee9260f0816b118cf102deb4480b63b86a.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4656
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\WinRAR\zAABOcyJ2bBgkpH6Xhk3lnmdvCX3caSCc9GQdkeF.vbe"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:4920
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\WinRAR\Teg6emHMlLt57vxkHLDGu6vtBrgy1f5AzyvH4iCxDeNGgB7UyEG1SG.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4224
        • C:\Users\Admin\AppData\Roaming\WinRAR\HyperServerFont.exe
          "C:\Users\Admin\AppData\Roaming\WinRAR/HyperServerFont.exe"
          4⤵
          • Modifies WinLogon for persistence
          • Checks computer location settings
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:760
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
            "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\31ol30cv\31ol30cv.cmdline"
            5⤵
            • Drops file in System32 directory
            • Suspicious use of WriteProcessMemory
            PID:220
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
              C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2DE1.tmp" "c:\Windows\System32\CSC7D7B2E3F968745B68A64DE4AC1BC2723.TMP"
              6⤵
                PID:1476
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8q8wCj7Gzm.bat"
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:1952
              • C:\Windows\system32\chcp.com
                chcp 65001
                6⤵
                  PID:4028
                • C:\Windows\system32\PING.EXE
                  ping -n 10 localhost
                  6⤵
                  • Runs ping.exe
                  PID:4728
                • C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe
                  "C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe"
                  6⤵
                  • Executes dropped EXE
                  • Suspicious use of AdjustPrivilegeToken
                  PID:452
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Users\Default\dllhost.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3360
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default\dllhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3048
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Users\Default\dllhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4488
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Windows\security\winlogon.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:640
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\security\winlogon.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3608
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Windows\security\winlogon.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2396
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Favorites\SppExtComObj.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1512
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Users\Default\Favorites\SppExtComObj.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1660
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Favorites\SppExtComObj.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4860
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\csrss.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3632
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3276
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3932
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3036
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:5028
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2960
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "HyperServerFontH" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\AppData\Roaming\WinRAR\HyperServerFont.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3952
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "HyperServerFont" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Roaming\WinRAR\HyperServerFont.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4376
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "HyperServerFontH" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\AppData\Roaming\WinRAR\HyperServerFont.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3920

      Network

      MITRE ATT&CK Enterprise v15

      Reconnaissance

      Resource Development

      Initial Access

      Execution

      Scheduled Task/Job

      1
      T1053

      Scheduled Task

      1
      T1053.005

      Persistence

      Boot or Logon Autostart Execution

      2
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Winlogon Helper DLL

      1
      T1547.004

      Scheduled Task/Job

      1
      T1053

      Scheduled Task

      1
      T1053.005

      Privilege Escalation

      Boot or Logon Autostart Execution

      2
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Winlogon Helper DLL

      1
      T1547.004

      Scheduled Task/Job

      1
      T1053

      Scheduled Task

      1
      T1053.005

      Defense Evasion

      Modify Registry

      2
      T1112

      Credential Access

      Unsecured Credentials

      1
      T1552

      Credentials In Files

      1
      T1552.001

      Discovery

      Query Registry

      2
      T1012

      Remote System Discovery

      1
      T1018

      System Information Discovery

      2
      T1082

      Lateral Movement

      Collection

      Data from Local System

      1
      T1005

      Command and Control

      Exfiltration

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\8q8wCj7Gzm.bat
        Filesize

        187B

        MD5

        696c74908e3c146178ae9ac9afd79640

        SHA1

        06db92bc13870196cb58a17fec919d5a64ec9c85

        SHA256

        dd58d0e30852b7feaf81a16c32324abf88488af01c0d875fbd85ec714583731e

        SHA512

        c0e1aead52b2906d57d4e41e9c1dbd521c658b99490b935fa5725c3b2fa6b8cc1217ec423d4cb4a6f257140d747a9f4d56ebc7cc248bc7387e9c38a1e1a866c3

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\RES2DE1.tmp
        Filesize

        1KB

        MD5

        8df631b9cc8d0103f0e63d144a0a83f8

        SHA1

        074aec0fd9ba2eff4a42c179d630c3625ebdce15

        SHA256

        1bb5dd8e063adaa2ef1d3b24f45a939a5df8d739f263410ed1ce17c269e573b0

        SHA512

        5dfe41f2225d608fb75673f39fd870b6373511dd7330a84fd9b9f37e60e080dd2f809581865b100699e6bf9b6c41a3dfd42827dea880f6a69115441055a43a8d

        Download Submit

      • C:\Users\Admin\AppData\Roaming\WinRAR\HyperServerFont.exe
        Filesize

        3.5MB

        MD5

        e6096483a8f2600535d5c540898501ee

        SHA1

        988f6c02d6d8fc54ef7c74e2982b606229f084c9

        SHA256

        4abfb6c4719bf650b60ce4e9088ab59a24a33f06627a8a5cbddd4ed5ab59c14d

        SHA512

        9e682b3bd8984b8f72f129c1f79f6c53b38ee2291ebfaa892a40f282f0bba5e17bdf144fdbc10953f9e0c14b657febe3daa860ba871070f8d61e5282ddb3a90e

        Download Submit

      • C:\Users\Admin\AppData\Roaming\WinRAR\Teg6emHMlLt57vxkHLDGu6vtBrgy1f5AzyvH4iCxDeNGgB7UyEG1SG.bat
        Filesize

        85B

        MD5

        6fb0cede604bc60a8b56d06517fc275b

        SHA1

        2ff60f4528e919d7c8856a96d8ab2ecf8adec2d1

        SHA256

        6e320f0bbc930d2f1106e791a79547b0b14507ccefd9154571a4a4d4c2105c80

        SHA512

        d54e559522844b79e7c396d2eaffcdb093c71779c248fc2637fa067ce21149b0f3d4a2d1ad2295d6c685f9e280be86b931c95efe0cf9b84a942c33f126885d25

        Download Submit

      • C:\Users\Admin\AppData\Roaming\WinRAR\zAABOcyJ2bBgkpH6Xhk3lnmdvCX3caSCc9GQdkeF.vbe
        Filesize

        245B

        MD5

        11d88d852b26c866aa883701afb373ec

        SHA1

        a88acf9a42805f23575bf4bfc518d8ae6db11a36

        SHA256

        c2d4bc12a60d049699f9693568a1a14d3849257966470b28978d9922ff17b12a

        SHA512

        2851d70cb66c93b87fa35ee9684d66ec884acaa12ddde5b38cad802e623b02b6cf49fc9ab18876c4885615a9915f47fbce64de6ab75d0f7be3b7dea8ca217283

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\31ol30cv\31ol30cv.0.cs
        Filesize

        360B

        MD5

        c6d8da19c08273efa93b56ae1c5da84e

        SHA1

        137fa6f03ba30863c8742db1d19bde608f8bbdaf

        SHA256

        1f8dffdf027e3001864cbe7941266a2e4e58b1b15008fac4fd740422084dc503

        SHA512

        2fc26046b1c2e2d03aafe98156f175055e895cbfc198a2a96d79e71caf2360332d1c89f874214d81a113072737ca437d52295ade48dba0635e445539bc0aa03a

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\31ol30cv\31ol30cv.cmdline
        Filesize

        235B

        MD5

        2fc1a9b1bb818e35ce4a5a086c8a7983

        SHA1

        3974841108e6cc93a8289f89cccfa386027b139a

        SHA256

        a40a50dc7aa7aa9824cea285b5686aafc91723a29ec45fe816d47db248138a26

        SHA512

        667154b5b9bb783ad6278b4ac720e9078132d76173945d36639e8f002f9f86ce9dfceb3f0fea7f23e2010be1b80702445a540944f56139ea1942c654c4cc1a2d

        Download Submit

      • \??\c:\Windows\System32\CSC7D7B2E3F968745B68A64DE4AC1BC2723.TMP
        Filesize

        1KB

        MD5

        0e3a860c4637ae1a42e589f2ba0d0851

        SHA1

        450889245cbb0c239fa7be7b7ecc29befee8b963

        SHA256

        08011eec6a7c02281e0011f4ca12358e145f80b7e0e20e73c4d24df979052eba

        SHA512

        5d848dc8b161bf731e7b51948ea9d4c856d7471ad1814e6e13bd7c867726367c4f741f1fe41d3d151b7784b0545821ae7b7db5d0dc043c8059232fd9703cf5a6

        Download Submit

      • memory/760-36-0x000000001B610000-0x000000001B626000-memory.dmp

        Filesize

        88KB

        Download

      • memory/760-45-0x000000001B650000-0x000000001B660000-memory.dmp

        Filesize

        64KB

        Download

      • memory/760-24-0x000000001B140000-0x000000001B158000-memory.dmp

        Filesize

        96KB

        Download

      • memory/760-26-0x00000000026C0000-0x00000000026D0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/760-28-0x0000000002700000-0x0000000002710000-memory.dmp

        Filesize

        64KB

        Download

      • memory/760-30-0x000000001B120000-0x000000001B12E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/760-32-0x000000001B1E0000-0x000000001B1F2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/760-34-0x000000001B130000-0x000000001B140000-memory.dmp

        Filesize

        64KB

        Download

      • memory/760-20-0x000000001B190000-0x000000001B1E0000-memory.dmp

        Filesize

        320KB

        Download

      • memory/760-38-0x000000001B630000-0x000000001B642000-memory.dmp

        Filesize

        72KB

        Download

      • memory/760-39-0x000000001BB80000-0x000000001C0A8000-memory.dmp

        Filesize

        5.2MB

        Download

      • memory/760-41-0x000000001B160000-0x000000001B16E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/760-43-0x000000001B170000-0x000000001B180000-memory.dmp

        Filesize

        64KB

        Download

      • memory/760-22-0x00000000026B0000-0x00000000026C0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/760-47-0x000000001B6C0000-0x000000001B71A000-memory.dmp

        Filesize

        360KB

        Download

      • memory/760-49-0x000000001B660000-0x000000001B66E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/760-51-0x000000001B670000-0x000000001B680000-memory.dmp

        Filesize

        64KB

        Download

      • memory/760-53-0x000000001B680000-0x000000001B68E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/760-55-0x000000001B920000-0x000000001B938000-memory.dmp

        Filesize

        96KB

        Download

      • memory/760-57-0x000000001B690000-0x000000001B69C000-memory.dmp

        Filesize

        48KB

        Download

      • memory/760-59-0x000000001B990000-0x000000001B9DE000-memory.dmp

        Filesize

        312KB

        Download

      • memory/760-19-0x00000000026E0000-0x00000000026FC000-memory.dmp

        Filesize

        112KB

        Download

      • memory/760-17-0x0000000000CF0000-0x0000000000CFE000-memory.dmp

        Filesize

        56KB

        Download

      • memory/760-15-0x0000000002710000-0x0000000002736000-memory.dmp

        Filesize

        152KB

        Download

      • memory/760-13-0x0000000000110000-0x000000000049E000-memory.dmp

        Filesize

        3.6MB

        Download

      • memory/760-12-0x00007FFD67D13000-0x00007FFD67D15000-memory.dmp

        Filesize

        8KB

        Download