5a8a7b9d70bb4b35c5518dfd8c7a37d07979675ee30d68365b4a8ddab13ebf9d

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
12-08-2024 00:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

123.exe
Size

1.2MB
MD5

9699ece4aac1cd1af577cdc06f514d52
SHA1

9809b61a6474ea3336e8ce0156195c55b7e05288
SHA256

5a8a7b9d70bb4b35c5518dfd8c7a37d07979675ee30d68365b4a8ddab13ebf9d
SHA512

c7ad3555e9eb233b616146a2e1d324093e076d07cccbe2d0bb3b769109e25bd2b720f2d494890b0bcf14047b8d23b6d194491d8e158b228cc7f4b6a1dc1b90ea
SSDEEP

24576:GAHnh+eWsN3skA4RV1Hom2KXMmHanp9t8FwcqBy46Ne6CBbh5:hh+ZkldoPK8Yanp/ckByxNxC1

Score

9^/10

credential_access discovery stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs	name.exe

Executes dropped EXE 1 IoCs

pid	Process
4956	name.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x0007000000023436-16.dat	autoit_exe

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 4956 set thread context of 3512	4956	name.exe	88
PID 3512 set thread context of 3424	3512	svchost.exe	56
PID 3512 set thread context of 3524	3512	svchost.exe	100
PID 3524 set thread context of 3424	3524	schtasks.exe	56
PID 3524 set thread context of 4868	3524	schtasks.exe	101

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	123.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	name.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	schtasks.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 58 IoCs

pid	Process
3512	svchost.exe
3512	svchost.exe
3512	svchost.exe
3512	svchost.exe
3512	svchost.exe
3512	svchost.exe
3512	svchost.exe
3512	svchost.exe
3512	svchost.exe
3512	svchost.exe
3512	svchost.exe
3512	svchost.exe
3512	svchost.exe
3512	svchost.exe
3512	svchost.exe
3512	svchost.exe
3524	schtasks.exe
3524	schtasks.exe
3524	schtasks.exe
3524	schtasks.exe
3524	schtasks.exe
3524	schtasks.exe
3524	schtasks.exe
3524	schtasks.exe
3524	schtasks.exe
3524	schtasks.exe
3524	schtasks.exe
3524	schtasks.exe
3524	schtasks.exe
3524	schtasks.exe
3524	schtasks.exe
3524	schtasks.exe
3524	schtasks.exe
3524	schtasks.exe
3524	schtasks.exe
3524	schtasks.exe
3524	schtasks.exe
3524	schtasks.exe
3524	schtasks.exe
3524	schtasks.exe
3524	schtasks.exe
3524	schtasks.exe
3524	schtasks.exe
3524	schtasks.exe
3524	schtasks.exe
3524	schtasks.exe
3524	schtasks.exe
3524	schtasks.exe
3524	schtasks.exe
3524	schtasks.exe
3524	schtasks.exe
3524	schtasks.exe
3524	schtasks.exe
3524	schtasks.exe
3524	schtasks.exe
3524	schtasks.exe
3524	schtasks.exe
3524	schtasks.exe

Suspicious behavior: MapViewOfSection 8 IoCs

pid	Process
4956	name.exe
3512	svchost.exe
3424	Explorer.EXE
3424	Explorer.EXE
3524	schtasks.exe
3524	schtasks.exe
3524	schtasks.exe
3524	schtasks.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3424	Explorer.EXE
Token: SeCreatePagefilePrivilege	3424	Explorer.EXE
Token: SeShutdownPrivilege	3424	Explorer.EXE
Token: SeCreatePagefilePrivilege	3424	Explorer.EXE
Token: SeShutdownPrivilege	3424	Explorer.EXE
Token: SeCreatePagefilePrivilege	3424	Explorer.EXE
Token: SeShutdownPrivilege	3424	Explorer.EXE
Token: SeCreatePagefilePrivilege	3424	Explorer.EXE
Token: SeShutdownPrivilege	3424	Explorer.EXE
Token: SeCreatePagefilePrivilege	3424	Explorer.EXE
Token: SeShutdownPrivilege	3424	Explorer.EXE
Token: SeCreatePagefilePrivilege	3424	Explorer.EXE

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
2860	123.exe
2860	123.exe
4956	name.exe
4956	name.exe
3424	Explorer.EXE
3424	Explorer.EXE

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
2860	123.exe
2860	123.exe
4956	name.exe
4956	name.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3424	Explorer.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2860 wrote to memory of 4956	2860	123.exe	87
PID 2860 wrote to memory of 4956	2860	123.exe	87
PID 2860 wrote to memory of 4956	2860	123.exe	87
PID 4956 wrote to memory of 3512	4956	name.exe	88
PID 4956 wrote to memory of 3512	4956	name.exe	88
PID 4956 wrote to memory of 3512	4956	name.exe	88
PID 4956 wrote to memory of 3512	4956	name.exe	88
PID 3424 wrote to memory of 3524	3424	Explorer.EXE	100
PID 3424 wrote to memory of 3524	3424	Explorer.EXE	100
PID 3424 wrote to memory of 3524	3424	Explorer.EXE	100
PID 3524 wrote to memory of 4868	3524	schtasks.exe	101
PID 3524 wrote to memory of 4868	3524	schtasks.exe	101

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3424
- C:\Users\Admin\AppData\Local\Temp\123.exe
  "C:\Users\Admin\AppData\Local\Temp\123.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2860
- - C:\Users\Admin\AppData\Local\directory\name.exe
    "C:\Users\Admin\AppData\Local\Temp\123.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:4956
  - - C:\Windows\SysWOW64\svchost.exe
      "C:\Users\Admin\AppData\Local\Temp\123.exe"
      4⤵
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      PID:3512
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\SysWOW64\schtasks.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:3524
- - C:\Program Files\Mozilla Firefox\Firefox.exe
    "C:\Program Files\Mozilla Firefox\Firefox.exe"
    3⤵
    PID:4868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\aut8184.tmp

Filesize
265KB

MD5
2bc90cf013e46a426eff53c3ff7832e5

SHA1
cd42a9d6338305c7bdf06db081a2e8f93ba4ffec

SHA256
33944926f3b414b6bf5f7f9516c669428fdcc51c2e2de560ce08107a48f4d7d4

SHA512
f66c3bc24f9f0efd4179d378c3b2cb8567cd164b646c6f749fdc05ffc0108f49176b73088ca163c55c65d8ebccb69074e2a8b89944d5b1dc31af635d8c6e5884

Download Submit
C:\Users\Admin\AppData\Local\Temp\dews

Filesize
28KB

MD5
f5f9c8e83f2adc59d185bf00ee5dbe50

SHA1
f41ba8155ec3e1052bd8d5d1dbdcdc44de4767bc

SHA256
4860f068f6d1d120d39085d035e48b4c17398b2474c3a37a8a3688c3199798c2

SHA512
a128b8af1cc8750c20b134521d386fcbf51185ea6ef25c1568b0d514a4f0dbfb17d6ed903461534cb220607df7930ade82708a53d462f74da3907a57572b8b37

Download Submit
C:\Users\Admin\AppData\Local\directory\name.exe

Filesize
1.2MB

MD5
9699ece4aac1cd1af577cdc06f514d52

SHA1
9809b61a6474ea3336e8ce0156195c55b7e05288

SHA256
5a8a7b9d70bb4b35c5518dfd8c7a37d07979675ee30d68365b4a8ddab13ebf9d

SHA512
c7ad3555e9eb233b616146a2e1d324093e076d07cccbe2d0bb3b769109e25bd2b720f2d494890b0bcf14047b8d23b6d194491d8e158b228cc7f4b6a1dc1b90ea

Download Submit
memory/2860-13-0x0000000003FC0000-0x0000000003FC4000-memory.dmp

Filesize
16KB

Download
memory/3424-48-0x000000000DF00000-0x0000000010468000-memory.dmp

Filesize
37.4MB

Download
memory/3424-47-0x00000000085A0000-0x00000000086AC000-memory.dmp

Filesize
1.0MB

Download
memory/3424-40-0x000000000DF00000-0x0000000010468000-memory.dmp

Filesize
37.4MB

Download
memory/3512-39-0x00000000044E0000-0x0000000004500000-memory.dmp

Filesize
128KB

Download
memory/3512-35-0x0000000001C00000-0x0000000001F4A000-memory.dmp

Filesize
3.3MB

Download
memory/3512-37-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3512-36-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3512-34-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3512-38-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3512-44-0x00000000044E0000-0x0000000004500000-memory.dmp

Filesize
128KB

Download
memory/3512-43-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3524-45-0x0000000001430000-0x000000000177A000-memory.dmp

Filesize
3.3MB

Download
memory/3524-46-0x0000000000CE0000-0x0000000000D1F000-memory.dmp

Filesize
252KB

Download
memory/3524-42-0x0000000000CE0000-0x0000000000D1F000-memory.dmp

Filesize
252KB

Download
memory/3524-41-0x0000000000CE0000-0x0000000000D1F000-memory.dmp

Filesize
252KB

Download
memory/3524-55-0x0000000000CE0000-0x0000000000D1F000-memory.dmp

Filesize
252KB

Download
memory/4868-56-0x000001617EFD0000-0x000001617F079000-memory.dmp

Filesize
676KB

Download