ededca3858ac217d88fae09e522be2ff721d86f146a37a01d0de98f7022ceaf6

Analysis

max time kernel
145s
max time network
147s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
08-08-2024 14:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

587c60135a92453e154c2b43cb769627.exe
Size

3.6MB
MD5

587c60135a92453e154c2b43cb769627
SHA1

a72589522dad1f2e775bf0357be752b497887044
SHA256

ededca3858ac217d88fae09e522be2ff721d86f146a37a01d0de98f7022ceaf6
SHA512

db98a58d3ed52bb7cfc16ad763126bf2d91fc714b896e22f95026cb39f557e29e0eab87bd025ba6f17bb858e4ca94062516dd39e74b9fc4f6cb9a4d783443187
SSDEEP

98304:xrdjMcy3IJfDBKmMiqn97P/M63hbP92xhDiy9:xr1OCfDdqn97Eobkx39

Score

10^/10

credential_access discovery spyware stealer

Malware Config

Signatures

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2792	2724	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2776	2724	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2852	2724	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	2724	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	296	2724	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2512	2724	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2572	2724	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2116	2724	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1340	2724	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1744	2724	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2940	2724	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2456	2724	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2200	2724	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2800	2724	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2928	2724	schtasks.exe	29

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Executes dropped EXE 1 IoCs

pid	Process
752	WmiPrvSE.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Uninstall Information\csrss.exe	587c60135a92453e154c2b43cb769627.exe
File created	C:\Program Files (x86)\Uninstall Information\886983d96e3d3e	587c60135a92453e154c2b43cb769627.exe
File created	C:\Program Files (x86)\Uninstall Information\csrss.exe	587c60135a92453e154c2b43cb769627.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Web\Wallpaper\Characters\System.exe	587c60135a92453e154c2b43cb769627.exe
File created	C:\Windows\Web\Wallpaper\Characters\27d1bcfc3c54e0	587c60135a92453e154c2b43cb769627.exe
File created	C:\Windows\Migration\WTR\winlogon.exe	587c60135a92453e154c2b43cb769627.exe
File created	C:\Windows\Migration\WTR\cc11b995f2a76d	587c60135a92453e154c2b43cb769627.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2792	schtasks.exe
2616	schtasks.exe
2116	schtasks.exe
1744	schtasks.exe
2456	schtasks.exe
2200	schtasks.exe
1340	schtasks.exe
2800	schtasks.exe
2572	schtasks.exe
2940	schtasks.exe
2928	schtasks.exe
2776	schtasks.exe
2852	schtasks.exe
296	schtasks.exe
2512	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2244	587c60135a92453e154c2b43cb769627.exe
2244	587c60135a92453e154c2b43cb769627.exe
2244	587c60135a92453e154c2b43cb769627.exe
2244	587c60135a92453e154c2b43cb769627.exe
2244	587c60135a92453e154c2b43cb769627.exe
2244	587c60135a92453e154c2b43cb769627.exe
2244	587c60135a92453e154c2b43cb769627.exe
2244	587c60135a92453e154c2b43cb769627.exe
2244	587c60135a92453e154c2b43cb769627.exe
2244	587c60135a92453e154c2b43cb769627.exe
2244	587c60135a92453e154c2b43cb769627.exe
2244	587c60135a92453e154c2b43cb769627.exe
2244	587c60135a92453e154c2b43cb769627.exe
2244	587c60135a92453e154c2b43cb769627.exe
2244	587c60135a92453e154c2b43cb769627.exe
2244	587c60135a92453e154c2b43cb769627.exe
2244	587c60135a92453e154c2b43cb769627.exe
2244	587c60135a92453e154c2b43cb769627.exe
2244	587c60135a92453e154c2b43cb769627.exe
2244	587c60135a92453e154c2b43cb769627.exe
2244	587c60135a92453e154c2b43cb769627.exe
2244	587c60135a92453e154c2b43cb769627.exe
2244	587c60135a92453e154c2b43cb769627.exe
2244	587c60135a92453e154c2b43cb769627.exe
2244	587c60135a92453e154c2b43cb769627.exe
2244	587c60135a92453e154c2b43cb769627.exe
2244	587c60135a92453e154c2b43cb769627.exe
2244	587c60135a92453e154c2b43cb769627.exe
2244	587c60135a92453e154c2b43cb769627.exe
2244	587c60135a92453e154c2b43cb769627.exe
2244	587c60135a92453e154c2b43cb769627.exe
2244	587c60135a92453e154c2b43cb769627.exe
2244	587c60135a92453e154c2b43cb769627.exe
2244	587c60135a92453e154c2b43cb769627.exe
2244	587c60135a92453e154c2b43cb769627.exe
2244	587c60135a92453e154c2b43cb769627.exe
2244	587c60135a92453e154c2b43cb769627.exe
2244	587c60135a92453e154c2b43cb769627.exe
2244	587c60135a92453e154c2b43cb769627.exe
2244	587c60135a92453e154c2b43cb769627.exe
2244	587c60135a92453e154c2b43cb769627.exe
2244	587c60135a92453e154c2b43cb769627.exe
2244	587c60135a92453e154c2b43cb769627.exe
2244	587c60135a92453e154c2b43cb769627.exe
2244	587c60135a92453e154c2b43cb769627.exe
2244	587c60135a92453e154c2b43cb769627.exe
2244	587c60135a92453e154c2b43cb769627.exe
2244	587c60135a92453e154c2b43cb769627.exe
2244	587c60135a92453e154c2b43cb769627.exe
2244	587c60135a92453e154c2b43cb769627.exe
2244	587c60135a92453e154c2b43cb769627.exe
2244	587c60135a92453e154c2b43cb769627.exe
2244	587c60135a92453e154c2b43cb769627.exe
2244	587c60135a92453e154c2b43cb769627.exe
2244	587c60135a92453e154c2b43cb769627.exe
2244	587c60135a92453e154c2b43cb769627.exe
2244	587c60135a92453e154c2b43cb769627.exe
2244	587c60135a92453e154c2b43cb769627.exe
2244	587c60135a92453e154c2b43cb769627.exe
2244	587c60135a92453e154c2b43cb769627.exe
2244	587c60135a92453e154c2b43cb769627.exe
2244	587c60135a92453e154c2b43cb769627.exe
2244	587c60135a92453e154c2b43cb769627.exe
2244	587c60135a92453e154c2b43cb769627.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
752	WmiPrvSE.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2244	587c60135a92453e154c2b43cb769627.exe
Token: SeDebugPrivilege	752	WmiPrvSE.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
752	WmiPrvSE.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2244 wrote to memory of 2900	2244	587c60135a92453e154c2b43cb769627.exe	45
PID 2244 wrote to memory of 2900	2244	587c60135a92453e154c2b43cb769627.exe	45
PID 2244 wrote to memory of 2900	2244	587c60135a92453e154c2b43cb769627.exe	45
PID 2900 wrote to memory of 2952	2900	cmd.exe	47
PID 2900 wrote to memory of 2952	2900	cmd.exe	47
PID 2900 wrote to memory of 2952	2900	cmd.exe	47
PID 2900 wrote to memory of 2712	2900	cmd.exe	48
PID 2900 wrote to memory of 2712	2900	cmd.exe	48
PID 2900 wrote to memory of 2712	2900	cmd.exe	48
PID 2900 wrote to memory of 752	2900	cmd.exe	50
PID 2900 wrote to memory of 752	2900	cmd.exe	50
PID 2900 wrote to memory of 752	2900	cmd.exe	50

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\587c60135a92453e154c2b43cb769627.exe
"C:\Users\Admin\AppData\Local\Temp\587c60135a92453e154c2b43cb769627.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2244
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rQtgPrFlRu.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2900
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2952
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2712
- - C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe
    "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Uninstall Information\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Uninstall Information\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Desktop\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Public\Desktop\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Desktop\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Windows\Web\Wallpaper\Characters\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\Web\Wallpaper\Characters\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Windows\Web\Wallpaper\Characters\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Windows\Migration\WTR\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\Migration\WTR\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Windows\Migration\WTR\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe

Filesize
3.6MB

MD5
587c60135a92453e154c2b43cb769627

SHA1
a72589522dad1f2e775bf0357be752b497887044

SHA256
ededca3858ac217d88fae09e522be2ff721d86f146a37a01d0de98f7022ceaf6

SHA512
db98a58d3ed52bb7cfc16ad763126bf2d91fc714b896e22f95026cb39f557e29e0eab87bd025ba6f17bb858e4ca94062516dd39e74b9fc4f6cb9a4d783443187

Download Submit
C:\Users\Admin\AppData\Local\Temp\rQtgPrFlRu.bat

Filesize
251B

MD5
81f5a3134f5dfcd4293fd66d7135888e

SHA1
25d5bf22550dfff157b80875aade92f69172a9b7

SHA256
7c28d5d6e74de3ff0a04698de093614ffbb40ff98984ced5be279146ab800d67

SHA512
024d24d2780b0eed8540d12651b95ef4c22f1c0438499eaf76cf8002e1150b18efe017b2505fab9bedff475546324c65a8b89eb5e42528c010c87b46f7177635

Download Submit
memory/752-80-0x00000000002C0000-0x000000000066A000-memory.dmp

Filesize
3.7MB

Download
memory/2244-23-0x000007FEF6170000-0x000007FEF6B5C000-memory.dmp

Filesize
9.9MB

Download
memory/2244-77-0x000007FEF6170000-0x000007FEF6B5C000-memory.dmp

Filesize
9.9MB

Download
memory/2244-6-0x0000000000270000-0x0000000000296000-memory.dmp

Filesize
152KB

Download
memory/2244-7-0x000007FEF6170000-0x000007FEF6B5C000-memory.dmp

Filesize
9.9MB

Download
memory/2244-8-0x000007FEF6170000-0x000007FEF6B5C000-memory.dmp

Filesize
9.9MB

Download
memory/2244-10-0x00000000002A0000-0x00000000002AE000-memory.dmp

Filesize
56KB

Download
memory/2244-12-0x00000000002B0000-0x00000000002CC000-memory.dmp

Filesize
112KB

Download
memory/2244-14-0x00000000002D0000-0x00000000002E0000-memory.dmp

Filesize
64KB

Download
memory/2244-22-0x0000000000310000-0x0000000000320000-memory.dmp

Filesize
64KB

Download
memory/2244-20-0x000007FEF6170000-0x000007FEF6B5C000-memory.dmp

Filesize
9.9MB

Download
memory/2244-19-0x0000000000300000-0x0000000000310000-memory.dmp

Filesize
64KB

Download
memory/2244-17-0x00000000002E0000-0x00000000002F8000-memory.dmp

Filesize
96KB

Download
memory/2244-31-0x00000000003C0000-0x00000000003D2000-memory.dmp

Filesize
72KB

Download
memory/2244-29-0x000007FEF6170000-0x000007FEF6B5C000-memory.dmp

Filesize
9.9MB

Download
memory/2244-28-0x00000000003B0000-0x00000000003BC000-memory.dmp

Filesize
48KB

Download
memory/2244-26-0x000007FEF6170000-0x000007FEF6B5C000-memory.dmp

Filesize
9.9MB

Download
memory/2244-25-0x0000000000320000-0x000000000032E000-memory.dmp

Filesize
56KB

Download
memory/2244-0-0x000007FEF6173000-0x000007FEF6174000-memory.dmp

Filesize
4KB

Download
memory/2244-15-0x000007FEF6170000-0x000007FEF6B5C000-memory.dmp

Filesize
9.9MB

Download
memory/2244-4-0x000007FEF6170000-0x000007FEF6B5C000-memory.dmp

Filesize
9.9MB

Download
memory/2244-45-0x0000000000470000-0x0000000000480000-memory.dmp

Filesize
64KB

Download
memory/2244-37-0x0000000000420000-0x0000000000436000-memory.dmp

Filesize
88KB

Download
memory/2244-39-0x0000000000440000-0x0000000000452000-memory.dmp

Filesize
72KB

Download
memory/2244-41-0x0000000000410000-0x000000000041E000-memory.dmp

Filesize
56KB

Download
memory/2244-43-0x0000000000460000-0x000000000046C000-memory.dmp

Filesize
48KB

Download
memory/2244-35-0x00000000003F0000-0x0000000000400000-memory.dmp

Filesize
64KB

Download
memory/2244-47-0x0000000000480000-0x0000000000490000-memory.dmp

Filesize
64KB

Download
memory/2244-49-0x000000001AF60000-0x000000001AFBA000-memory.dmp

Filesize
360KB

Download
memory/2244-51-0x0000000000B50000-0x0000000000B5E000-memory.dmp

Filesize
56KB

Download
memory/2244-53-0x0000000000B60000-0x0000000000B70000-memory.dmp

Filesize
64KB

Download
memory/2244-55-0x0000000000B70000-0x0000000000B7E000-memory.dmp

Filesize
56KB

Download
memory/2244-57-0x0000000000BA0000-0x0000000000BB8000-memory.dmp

Filesize
96KB

Download
memory/2244-59-0x0000000000B80000-0x0000000000B8C000-memory.dmp

Filesize
48KB

Download
memory/2244-61-0x000000001B430000-0x000000001B47E000-memory.dmp

Filesize
312KB

Download
memory/2244-3-0x000007FEF6170000-0x000007FEF6B5C000-memory.dmp

Filesize
9.9MB

Download
memory/2244-2-0x000007FEF6170000-0x000007FEF6B5C000-memory.dmp

Filesize
9.9MB

Download
memory/2244-33-0x00000000003E0000-0x00000000003EC000-memory.dmp

Filesize
48KB

Download
memory/2244-1-0x0000000000DB0000-0x000000000115A000-memory.dmp

Filesize
3.7MB

Download