ededca3858ac217d88fae09e522be2ff721d86f146a37a01d0de98f7022ceaf6

Analysis

max time kernel
146s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
08-08-2024 14:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

587c60135a92453e154c2b43cb769627.exe
Size

3.6MB
MD5

587c60135a92453e154c2b43cb769627
SHA1

a72589522dad1f2e775bf0357be752b497887044
SHA256

ededca3858ac217d88fae09e522be2ff721d86f146a37a01d0de98f7022ceaf6
SHA512

db98a58d3ed52bb7cfc16ad763126bf2d91fc714b896e22f95026cb39f557e29e0eab87bd025ba6f17bb858e4ca94062516dd39e74b9fc4f6cb9a4d783443187
SSDEEP

98304:xrdjMcy3IJfDBKmMiqn97P/M63hbP92xhDiy9:xr1OCfDdqn97Eobkx39

Score

10^/10

credential_access discovery spyware stealer

Malware Config

Signatures

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2872	2424	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2328	2424	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4704	2424	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4740	2424	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2440	2424	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4412	2424	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1292	2424	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4592	2424	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	436	2424	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4764	2424	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2936	2424	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3148	2424	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5048	2424	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1052	2424	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4876	2424	schtasks.exe	88

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	587c60135a92453e154c2b43cb769627.exe

Executes dropped EXE 1 IoCs

pid	Process
2188	lsass.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\56085415360792	587c60135a92453e154c2b43cb769627.exe
File created	C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\fontdrvhost.exe	587c60135a92453e154c2b43cb769627.exe
File created	C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\5b884080fd4f94	587c60135a92453e154c2b43cb769627.exe
File created	C:\Program Files\Windows Defender\de-DE\taskhostw.exe	587c60135a92453e154c2b43cb769627.exe
File created	C:\Program Files\Windows Defender\de-DE\ea9f0e6c9e2dcd	587c60135a92453e154c2b43cb769627.exe
File created	C:\Program Files\WindowsApps\587c60135a92453e154c2b43cb769627.exe	587c60135a92453e154c2b43cb769627.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\wininit.exe	587c60135a92453e154c2b43cb769627.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3668	PING.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings	587c60135a92453e154c2b43cb769627.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3668	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
436	schtasks.exe
2872	schtasks.exe
2328	schtasks.exe
4704	schtasks.exe
4876	schtasks.exe
4740	schtasks.exe
4592	schtasks.exe
1052	schtasks.exe
3148	schtasks.exe
5048	schtasks.exe
2440	schtasks.exe
4412	schtasks.exe
1292	schtasks.exe
4764	schtasks.exe
2936	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1660	587c60135a92453e154c2b43cb769627.exe
1660	587c60135a92453e154c2b43cb769627.exe
1660	587c60135a92453e154c2b43cb769627.exe
1660	587c60135a92453e154c2b43cb769627.exe
1660	587c60135a92453e154c2b43cb769627.exe
1660	587c60135a92453e154c2b43cb769627.exe
1660	587c60135a92453e154c2b43cb769627.exe
1660	587c60135a92453e154c2b43cb769627.exe
1660	587c60135a92453e154c2b43cb769627.exe
1660	587c60135a92453e154c2b43cb769627.exe
1660	587c60135a92453e154c2b43cb769627.exe
1660	587c60135a92453e154c2b43cb769627.exe
1660	587c60135a92453e154c2b43cb769627.exe
1660	587c60135a92453e154c2b43cb769627.exe
1660	587c60135a92453e154c2b43cb769627.exe
1660	587c60135a92453e154c2b43cb769627.exe
1660	587c60135a92453e154c2b43cb769627.exe
1660	587c60135a92453e154c2b43cb769627.exe
1660	587c60135a92453e154c2b43cb769627.exe
1660	587c60135a92453e154c2b43cb769627.exe
1660	587c60135a92453e154c2b43cb769627.exe
1660	587c60135a92453e154c2b43cb769627.exe
1660	587c60135a92453e154c2b43cb769627.exe
1660	587c60135a92453e154c2b43cb769627.exe
1660	587c60135a92453e154c2b43cb769627.exe
1660	587c60135a92453e154c2b43cb769627.exe
1660	587c60135a92453e154c2b43cb769627.exe
1660	587c60135a92453e154c2b43cb769627.exe
1660	587c60135a92453e154c2b43cb769627.exe
1660	587c60135a92453e154c2b43cb769627.exe
1660	587c60135a92453e154c2b43cb769627.exe
1660	587c60135a92453e154c2b43cb769627.exe
1660	587c60135a92453e154c2b43cb769627.exe
1660	587c60135a92453e154c2b43cb769627.exe
1660	587c60135a92453e154c2b43cb769627.exe
1660	587c60135a92453e154c2b43cb769627.exe
1660	587c60135a92453e154c2b43cb769627.exe
1660	587c60135a92453e154c2b43cb769627.exe
1660	587c60135a92453e154c2b43cb769627.exe
1660	587c60135a92453e154c2b43cb769627.exe
1660	587c60135a92453e154c2b43cb769627.exe
1660	587c60135a92453e154c2b43cb769627.exe
1660	587c60135a92453e154c2b43cb769627.exe
1660	587c60135a92453e154c2b43cb769627.exe
1660	587c60135a92453e154c2b43cb769627.exe
1660	587c60135a92453e154c2b43cb769627.exe
1660	587c60135a92453e154c2b43cb769627.exe
1660	587c60135a92453e154c2b43cb769627.exe
1660	587c60135a92453e154c2b43cb769627.exe
1660	587c60135a92453e154c2b43cb769627.exe
1660	587c60135a92453e154c2b43cb769627.exe
1660	587c60135a92453e154c2b43cb769627.exe
1660	587c60135a92453e154c2b43cb769627.exe
1660	587c60135a92453e154c2b43cb769627.exe
1660	587c60135a92453e154c2b43cb769627.exe
1660	587c60135a92453e154c2b43cb769627.exe
1660	587c60135a92453e154c2b43cb769627.exe
1660	587c60135a92453e154c2b43cb769627.exe
1660	587c60135a92453e154c2b43cb769627.exe
1660	587c60135a92453e154c2b43cb769627.exe
1660	587c60135a92453e154c2b43cb769627.exe
1660	587c60135a92453e154c2b43cb769627.exe
1660	587c60135a92453e154c2b43cb769627.exe
1660	587c60135a92453e154c2b43cb769627.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2188	lsass.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1660	587c60135a92453e154c2b43cb769627.exe
Token: SeDebugPrivilege	2188	lsass.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2188	lsass.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1660 wrote to memory of 908	1660	587c60135a92453e154c2b43cb769627.exe	104
PID 1660 wrote to memory of 908	1660	587c60135a92453e154c2b43cb769627.exe	104
PID 908 wrote to memory of 2360	908	cmd.exe	106
PID 908 wrote to memory of 2360	908	cmd.exe	106
PID 908 wrote to memory of 3668	908	cmd.exe	107
PID 908 wrote to memory of 3668	908	cmd.exe	107
PID 908 wrote to memory of 2188	908	cmd.exe	109
PID 908 wrote to memory of 2188	908	cmd.exe	109

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\587c60135a92453e154c2b43cb769627.exe
"C:\Users\Admin\AppData\Local\Temp\587c60135a92453e154c2b43cb769627.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1660
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KvyrV9xtqu.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:908
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2360
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:3668
- - C:\Users\Default User\lsass.exe
    "C:\Users\Default User\lsass.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Desktop\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Users\All Users\Desktop\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Desktop\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Default User\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Defender\de-DE\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\de-DE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Defender\de-DE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows Defender\de-DE\taskhostw.exe

Filesize
3.6MB

MD5
587c60135a92453e154c2b43cb769627

SHA1
a72589522dad1f2e775bf0357be752b497887044

SHA256
ededca3858ac217d88fae09e522be2ff721d86f146a37a01d0de98f7022ceaf6

SHA512
db98a58d3ed52bb7cfc16ad763126bf2d91fc714b896e22f95026cb39f557e29e0eab87bd025ba6f17bb858e4ca94062516dd39e74b9fc4f6cb9a4d783443187

Download Submit
C:\Users\Admin\AppData\Local\Temp\KvyrV9xtqu.bat

Filesize
159B

MD5
9994aa55f5b801113dbe235d68f8136d

SHA1
222de2c5827f99c493d931f94aec705f7a27a044

SHA256
d6298f6c9d2a30992e72f7873ff358c68c9595b7e8e094882f47cc076bdcf2eb

SHA512
acbd64031ab6075e512ae58f701657cf50ce72798041e5bb41ce4515a9d1cb7528d2bd01e737a86c77da7112bcf2cb79d4e844c9273ea76d0709962e8264c62d

Download Submit
memory/1660-32-0x000000001D2A0000-0x000000001D7C8000-memory.dmp

Filesize
5.2MB

Download
memory/1660-8-0x0000000002F80000-0x0000000002F9C000-memory.dmp

Filesize
112KB

Download
memory/1660-6-0x0000000001600000-0x000000000160E000-memory.dmp

Filesize
56KB

Download
memory/1660-34-0x000000001CCB0000-0x000000001CCBE000-memory.dmp

Filesize
56KB

Download
memory/1660-9-0x000000001CCC0000-0x000000001CD10000-memory.dmp

Filesize
320KB

Download
memory/1660-36-0x000000001CD10000-0x000000001CD1C000-memory.dmp

Filesize
48KB

Download
memory/1660-13-0x000000001BA90000-0x000000001BAA8000-memory.dmp

Filesize
96KB

Download
memory/1660-15-0x00000000016A0000-0x00000000016B0000-memory.dmp

Filesize
64KB

Download
memory/1660-17-0x00000000016B0000-0x00000000016C0000-memory.dmp

Filesize
64KB

Download
memory/1660-19-0x00000000016C0000-0x00000000016CE000-memory.dmp

Filesize
56KB

Download
memory/1660-21-0x0000000002FA0000-0x0000000002FAC000-memory.dmp

Filesize
48KB

Download
memory/1660-23-0x000000001CC90000-0x000000001CCA2000-memory.dmp

Filesize
72KB

Download
memory/1660-25-0x000000001CC70000-0x000000001CC7C000-memory.dmp

Filesize
48KB

Download
memory/1660-27-0x000000001CC80000-0x000000001CC90000-memory.dmp

Filesize
64KB

Download
memory/1660-29-0x000000001CD30000-0x000000001CD46000-memory.dmp

Filesize
88KB

Download
memory/1660-31-0x000000001CD50000-0x000000001CD62000-memory.dmp

Filesize
72KB

Download
memory/1660-0-0x0000000000950000-0x0000000000CFA000-memory.dmp

Filesize
3.7MB

Download
memory/1660-4-0x0000000001670000-0x0000000001696000-memory.dmp

Filesize
152KB

Download
memory/1660-11-0x0000000001610000-0x0000000001620000-memory.dmp

Filesize
64KB

Download
memory/1660-38-0x000000001CD20000-0x000000001CD30000-memory.dmp

Filesize
64KB

Download
memory/1660-40-0x000000001CD70000-0x000000001CD80000-memory.dmp

Filesize
64KB

Download
memory/1660-42-0x000000001CDE0000-0x000000001CE3A000-memory.dmp

Filesize
360KB

Download
memory/1660-44-0x000000001CD80000-0x000000001CD8E000-memory.dmp

Filesize
56KB

Download
memory/1660-46-0x000000001CD90000-0x000000001CDA0000-memory.dmp

Filesize
64KB

Download
memory/1660-48-0x000000001CDA0000-0x000000001CDAE000-memory.dmp

Filesize
56KB

Download
memory/1660-50-0x000000001D040000-0x000000001D058000-memory.dmp

Filesize
96KB

Download
memory/1660-52-0x000000001CDB0000-0x000000001CDBC000-memory.dmp

Filesize
48KB

Download
memory/1660-54-0x000000001D0B0000-0x000000001D0FE000-memory.dmp

Filesize
312KB

Download
memory/1660-2-0x00007FF9B9FF0000-0x00007FF9BA0F0000-memory.dmp

Filesize
1024KB

Download
memory/1660-70-0x000000001DAD0000-0x000000001DB9D000-memory.dmp

Filesize
820KB

Download
memory/1660-72-0x00007FF9B9FF0000-0x00007FF9BA0F0000-memory.dmp

Filesize
1024KB

Download
memory/1660-71-0x000000001DBA0000-0x000000001DC49000-memory.dmp

Filesize
676KB

Download
memory/1660-1-0x00007FF9B9FF0000-0x00007FF9BA0F0000-memory.dmp

Filesize
1024KB

Download
memory/2188-102-0x000000001D200000-0x000000001D2CD000-memory.dmp

Filesize
820KB

Download
memory/2188-103-0x000000001D2D0000-0x000000001D379000-memory.dmp

Filesize
676KB

Download