Overview

overview

10

Static

static

3

Expensive 3.1.exe

windows10-1703-x64

10

Expensive 3.1.exe

windows10-2004-x64

10

Expensive 3.1.exe

windows11-21h2-x64

10

Expensive 3.1.exe

android-10-x64

Expensive 3.1.exe

android-11-x64

Expensive 3.1.exe

android-13-x64

Expensive 3.1.exe

android-9-x86

Expensive 3.1.exe

macos-10.15-amd64

1

Expensive 3.1.exe

debian-12-armhf

Expensive 3.1.exe

debian-12-mipsel

Expensive 3.1.exe

debian-9-armhf

Expensive 3.1.exe

debian-9-mips

Expensive 3.1.exe

debian-9-mipsel

Expensive 3.1.exe

ubuntu-18.04-amd64

Expensive 3.1.exe

ubuntu-20.04-amd64

Expensive 3.1.exe

ubuntu-22.04-amd64

Expensive 3.1.exe

ubuntu-24.04-amd64

Analysis

  • max time kernel
    147s
  • max time network
    110s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240709-en
  • resource tags

    arch:x64arch:x86image:win11-20240709-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    25/07/2024, 14:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Expensive 3.1.exe

  • Size

    343KB

  • MD5

    349469d67bda79cbde42c69d22500043

  • SHA1

    39d538c92e482ceddde34b111b8ee66acc2f0384

  • SHA256

    76567d6429bea0f062e44f8fad032a4f73816a91d1c7420b1d252547ee98046a

  • SHA512

    8492d61db9d0828e20102dfa71ae4235baa213f808139053918b5a324858a2291d9d4eacf263273c44067fff2133f9248ed8eeaf9dbbb60d733e521d0a01a9bc

  • SSDEEP

    6144:+XqQgll2xU4Lt0gCie6VlWT8b93nwZWrkqKQXnYbTY2At:IourPVle8Y3At

Score
10/10
credential_accessdiscoverypersistenceprivilege_escalationspywarestealer

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Event Triggered Execution: AppInit DLLs 1 TTPs

    Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.

    persistenceprivilege_escalation
  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

    credential_accessstealer
  • Loads dropped DLL 11 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 2 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 58 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 2 IoCs
    evasion
  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Kills process with taskkill 2 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Modifies registry class 43 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 10 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 50 IoCs
  • Suspicious use of FindShellTrayWindow 37 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 62 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\Expensive 3.1.exe
    "C:\Users\Admin\AppData\Local\Temp\Expensive 3.1.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1752
    • C:\Windows\SYSTEM32\CMD.exe
      "CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Discord" /tr "C:\Users\Admin\AppData\Roaming\xdwdMicrosoft SQL Server Management Studio.exe" & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1184
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Discord" /tr "C:\Users\Admin\AppData\Roaming\xdwdMicrosoft SQL Server Management Studio.exe"
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:1764
    • C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk AutoCAD" /tr "C:\Users\Admin\AppData\Roaming\xdwdMicrosoft SQL Server Management Studio.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:896
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk AutoCAD" /tr "C:\Users\Admin\AppData\Roaming\xdwdMicrosoft SQL Server Management Studio.exe" /RL HIGHEST
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2076
    • C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Oracle VirtualBox" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdMicrosoft Project.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:492
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo 5 /tn "Oracle VirtualBox" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdMicrosoft Project.exe" /RL HIGHEST
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:3744
    • C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk AutoCAD" /tr "C:\Users\Admin\AppData\Roaming\xdwdMicrosoft SQL Server Management Studio.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4696
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk AutoCAD" /tr "C:\Users\Admin\AppData\Roaming\xdwdMicrosoft SQL Server Management Studio.exe" /RL HIGHEST
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:972
    • C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk AutoCAD" /tr "C:\Users\Admin\AppData\Roaming\xdwdMicrosoft SQL Server Management Studio.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:980
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk AutoCAD" /tr "C:\Users\Admin\AppData\Roaming\xdwdMicrosoft SQL Server Management Studio.exe" /RL HIGHEST
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:1988
    • C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk AutoCAD" /tr "C:\Users\Admin\AppData\Roaming\xdwdMicrosoft SQL Server Management Studio.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2636
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk AutoCAD" /tr "C:\Users\Admin\AppData\Roaming\xdwdMicrosoft SQL Server Management Studio.exe" /RL HIGHEST
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:5080
    • C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk AutoCAD" /tr "C:\Users\Admin\AppData\Roaming\xdwdMicrosoft SQL Server Management Studio.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1500
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk AutoCAD" /tr "C:\Users\Admin\AppData\Roaming\xdwdMicrosoft SQL Server Management Studio.exe" /RL HIGHEST
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:3536
    • C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk AutoCAD" /tr "C:\Users\Admin\AppData\Roaming\xdwdMicrosoft SQL Server Management Studio.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:580
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk AutoCAD" /tr "C:\Users\Admin\AppData\Roaming\xdwdMicrosoft SQL Server Management Studio.exe" /RL HIGHEST
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:3952
    • C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk AutoCAD" /tr "C:\Users\Admin\AppData\Roaming\xdwdMicrosoft SQL Server Management Studio.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2440
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk AutoCAD" /tr "C:\Users\Admin\AppData\Roaming\xdwdMicrosoft SQL Server Management Studio.exe" /RL HIGHEST
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:3496
    • C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk AutoCAD" /tr "C:\Users\Admin\AppData\Roaming\xdwdMicrosoft SQL Server Management Studio.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3860
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk AutoCAD" /tr "C:\Users\Admin\AppData\Roaming\xdwdMicrosoft SQL Server Management Studio.exe" /RL HIGHEST
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:1012
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtASks /deLeTe /F /Tn "Discord" & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:5016
      • C:\Windows\system32\schtasks.exe
        schtASks /deLeTe /F /Tn "Discord"
        3⤵
          PID:3304
      • C:\Windows\SYSTEM32\CMD.exe
        "CMD" /C taskkill /im explorer.exe /f
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:5060
        • C:\Windows\system32\taskkill.exe
          taskkill /im explorer.exe /f
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1512
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c schtASks /deLeTe /F /Tn "Oracle VirtualBox" & exit
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:3052
        • C:\Windows\system32\schtasks.exe
          schtASks /deLeTe /F /Tn "Oracle VirtualBox"
          3⤵
            PID:2092
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp6A00.tmp.bat""
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:1672
          • C:\Windows\system32\timeout.exe
            timeout 5
            3⤵
            • Delays execution with timeout.exe
            PID:2992
          • C:\Windows\explorer.exe
            explorer.exe
            3⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Enumerates connected drives
            • Checks SCSI registry key(s)
            • Modifies registry class
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of SetWindowsHookEx
            PID:2760
          • C:\Windows\system32\taskkill.exe
            taskkill /im xdwdMicrosoft SQL Server Management Studio.exe /f
            3⤵
            • Kills process with taskkill
            PID:1760
          • C:\Windows\system32\timeout.exe
            timeout 3
            3⤵
            • Delays execution with timeout.exe
            PID:2076
      • C:\Windows\system32\wbem\WmiApSrv.exe
        C:\Windows\system32\wbem\WmiApSrv.exe
        1⤵
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        PID:2712
      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
        1⤵
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        PID:2056
      • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
        "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
        1⤵
        • Enumerates system info in registry
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        PID:5088

      Network

      MITRE ATT&CK Enterprise v15

      Reconnaissance

      Resource Development

      Initial Access

      Execution

      Scheduled Task/Job

      1
      T1053

      Scheduled Task

      1
      T1053.005

      Persistence

      Boot or Logon Autostart Execution

      3
      T1547

      Active Setup

      1
      T1547.014

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Winlogon Helper DLL

      1
      T1547.004

      Event Triggered Execution

      1
      T1546

      AppInit DLLs

      1
      T1546.010

      Scheduled Task/Job

      1
      T1053

      Scheduled Task

      1
      T1053.005

      Privilege Escalation

      Boot or Logon Autostart Execution

      3
      T1547

      Active Setup

      1
      T1547.014

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Winlogon Helper DLL

      1
      T1547.004

      Event Triggered Execution

      1
      T1546

      AppInit DLLs

      1
      T1546.010

      Scheduled Task/Job

      1
      T1053

      Scheduled Task

      1
      T1053.005

      Defense Evasion

      Modify Registry

      4
      T1112

      Credential Access

      Credentials from Password Stores

      2
      T1555

      Credentials from Web Browsers

      1
      T1555.003

      Windows Credential Manager

      1
      T1555.004

      Unsecured Credentials

      1
      T1552

      Credentials In Files

      1
      T1552.001

      Discovery

      Browser Information Discovery

      1
      T1217

      Peripheral Device Discovery

      2
      T1120

      Query Registry

      4
      T1012

      System Information Discovery

      4
      T1082

      Lateral Movement

      Collection

      Data from Local System

      1
      T1005

      Command and Control

      Exfiltration

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\tmp6A00.tmp.bat
        Filesize

        292B

        MD5

        4b52877901556624a558a066cbdbf5b4

        SHA1

        a63a09814c40a1bf705b7183e6da0b67e75128a5

        SHA256

        fc43c8b9d3b8ec9d5ec7a82671af5fb9a5a4d0200bf7190077b559c159adfd3e

        SHA512

        b1fed679c118450b85aecaf0455c0807532adb96bc0ff78b52189ef489c561614c9d1ae157f584ccdd863daf114ddddfc1f10fbaba405ce98b17dad7d7736239

        Download Submit

      • C:\Windows\xdwd.dll
        Filesize

        136KB

        MD5

        16e5a492c9c6ae34c59683be9c51fa31

        SHA1

        97031b41f5c56f371c28ae0d62a2df7d585adaba

        SHA256

        35c8d022e1d917f1aabdceae98097ccc072161b302f84c768ca63e4b32ac2b66

        SHA512

        20fd369172ef5e3e2fde388666b42e8fe5f0c2bfa338c0345f45e98af6561a249ba3ecc48c3f16efcc73f02ecb67b3ddb1e2e8f0e77d18fa00ac34e6379e50b6

        Download Submit

      • memory/1752-266-0x00007FF846A10000-0x00007FF8474D2000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1752-0-0x00007FF846A13000-0x00007FF846A15000-memory.dmp

        Filesize

        8KB

        Download

      • memory/1752-107-0x000000001C260000-0x000000001C2D6000-memory.dmp

        Filesize

        472KB

        Download

      • memory/1752-108-0x0000000002820000-0x000000000282C000-memory.dmp

        Filesize

        48KB

        Download

      • memory/1752-109-0x000000001B980000-0x000000001B99E000-memory.dmp

        Filesize

        120KB

        Download

      • memory/1752-141-0x00007FF846A13000-0x00007FF846A15000-memory.dmp

        Filesize

        8KB

        Download

      • memory/1752-1-0x0000000000670000-0x00000000006CC000-memory.dmp

        Filesize

        368KB

        Download

      • memory/1752-53-0x00007FF846A10000-0x00007FF8474D2000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1752-290-0x00007FF846A10000-0x00007FF8474D2000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/5088-300-0x00000256CBA60000-0x00000256CBB60000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/5088-317-0x00000256EDC60000-0x00000256EDD60000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/5088-320-0x00000256EE660000-0x00000256EE680000-memory.dmp

        Filesize

        128KB

        Download

      • memory/5088-345-0x00000256EEA30000-0x00000256EEB30000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/5088-363-0x00000256EDE20000-0x00000256EDE40000-memory.dmp

        Filesize

        128KB

        Download

      • memory/5088-365-0x00000256EEA10000-0x00000256EEA30000-memory.dmp

        Filesize

        128KB

        Download