6a2f9d4bccf9e91d8cbe39b28de6ea1b2a6283fb4fb640d17c66ce53e851dd8c

Analysis

max time kernel
150s
max time network
137s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03/09/2024, 14:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Attached_Payroll_List.exe
Size

637KB
MD5

0ffe2530b9fe03e3cc710467d04453ea
SHA1

d437359b8290692b59de3aef6db6e40fec57241b
SHA256

6a2f9d4bccf9e91d8cbe39b28de6ea1b2a6283fb4fb640d17c66ce53e851dd8c
SHA512

d514537524c446b2a6f1973f1a85079ce9bfeee4193adcc3bb5f493ded209f46df753c473399b8e715226b352c09158c49943201a129a8df70839fc488562384
SSDEEP

12288:vVmF8Bil3GVQJ8yWXTU4ymUNrRfXQ9LPkZw7TuscS:vVmLl3GuTWXTFCNrR6PewVcS

Score

9^/10

credential_access discovery persistence stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-1846800975-3917212583-2893086201-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wecutil.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\UJ-0G = "C:\\Program Files (x86)\\Windows Mail\\wab.exe"	wecutil.exe

Loads dropped DLL 1 IoCs

pid	Process
2792	wecutil.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 3012 set thread context of 2932	3012	Attached_Payroll_List.exe	33
PID 2932 set thread context of 1200	2932	wab.exe	21
PID 2932 set thread context of 2792	2932	wab.exe	36
PID 2792 set thread context of 1200	2792	wecutil.exe	21

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wecutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wab.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	Explorer.EXE
Key created	\Registry\User\S-1-5-21-1846800975-3917212583-2893086201-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	wecutil.exe

Modifies registry class 17 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 200000001a00eebbfe230000100054487856cbc62b46816988e350acb88200000000	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{DE2B70EC-9BF7-4A93-BD3D-243F7881D492}"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Contacts"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
3012	Attached_Payroll_List.exe
2932	wab.exe
2932	wab.exe
2932	wab.exe
2932	wab.exe
2932	wab.exe
2932	wab.exe
2932	wab.exe
2932	wab.exe
2792	wecutil.exe
2792	wecutil.exe
2792	wecutil.exe
2792	wecutil.exe
2792	wecutil.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1200	Explorer.EXE

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
2932	wab.exe
1200	Explorer.EXE
1200	Explorer.EXE
2792	wecutil.exe
2792	wecutil.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	3012	Attached_Payroll_List.exe
Token: SeShutdownPrivilege	1200	Explorer.EXE
Token: SeShutdownPrivilege	1200	Explorer.EXE
Token: SeShutdownPrivilege	1200	Explorer.EXE
Token: SeShutdownPrivilege	1200	Explorer.EXE

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 3012 wrote to memory of 2488	3012	Attached_Payroll_List.exe	31
PID 3012 wrote to memory of 2488	3012	Attached_Payroll_List.exe	31
PID 3012 wrote to memory of 2488	3012	Attached_Payroll_List.exe	31
PID 3012 wrote to memory of 2488	3012	Attached_Payroll_List.exe	31
PID 3012 wrote to memory of 2488	3012	Attached_Payroll_List.exe	31
PID 3012 wrote to memory of 2488	3012	Attached_Payroll_List.exe	31
PID 3012 wrote to memory of 2076	3012	Attached_Payroll_List.exe	32
PID 3012 wrote to memory of 2076	3012	Attached_Payroll_List.exe	32
PID 3012 wrote to memory of 2076	3012	Attached_Payroll_List.exe	32
PID 3012 wrote to memory of 2076	3012	Attached_Payroll_List.exe	32
PID 3012 wrote to memory of 2076	3012	Attached_Payroll_List.exe	32
PID 3012 wrote to memory of 2932	3012	Attached_Payroll_List.exe	33
PID 3012 wrote to memory of 2932	3012	Attached_Payroll_List.exe	33
PID 3012 wrote to memory of 2932	3012	Attached_Payroll_List.exe	33
PID 3012 wrote to memory of 2932	3012	Attached_Payroll_List.exe	33
PID 3012 wrote to memory of 2932	3012	Attached_Payroll_List.exe	33
PID 3012 wrote to memory of 2932	3012	Attached_Payroll_List.exe	33
PID 3012 wrote to memory of 2932	3012	Attached_Payroll_List.exe	33
PID 3012 wrote to memory of 2760	3012	Attached_Payroll_List.exe	34
PID 3012 wrote to memory of 2760	3012	Attached_Payroll_List.exe	34
PID 3012 wrote to memory of 2760	3012	Attached_Payroll_List.exe	34
PID 3012 wrote to memory of 2760	3012	Attached_Payroll_List.exe	34
PID 1200 wrote to memory of 2792	1200	Explorer.EXE	36
PID 1200 wrote to memory of 2792	1200	Explorer.EXE	36
PID 1200 wrote to memory of 2792	1200	Explorer.EXE	36
PID 1200 wrote to memory of 2792	1200	Explorer.EXE	36
PID 1200 wrote to memory of 2028	1200	Explorer.EXE	38
PID 1200 wrote to memory of 2028	1200	Explorer.EXE	38
PID 1200 wrote to memory of 2028	1200	Explorer.EXE	38
PID 1200 wrote to memory of 2028	1200	Explorer.EXE	38
PID 1200 wrote to memory of 2148	1200	Explorer.EXE	41
PID 1200 wrote to memory of 2148	1200	Explorer.EXE	41
PID 1200 wrote to memory of 2148	1200	Explorer.EXE	41

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1200
- C:\Users\Admin\AppData\Local\Temp\Attached_Payroll_List.exe
  "C:\Users\Admin\AppData\Local\Temp\Attached_Payroll_List.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3012
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:2488
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe"
    3⤵
    PID:2076
- - C:\Program Files (x86)\Windows Mail\wab.exe
    "C:\Program Files (x86)\Windows Mail\wab.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    PID:2932
- - C:\Program Files (x86)\Windows Mail\wab.exe
    "C:\Program Files (x86)\Windows Mail\wab.exe"
    3⤵
    PID:2760
- C:\Windows\SysWOW64\wecutil.exe
  "C:\Windows\SysWOW64\wecutil.exe"
  2⤵
  - Adds policy Run key to start application
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:2792
- C:\Program Files (x86)\Windows Mail\wab.exe
  "C:\Program Files (x86)\Windows Mail\wab.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2028
- C:\Program Files\Windows Mail\wab.exe
  "C:\Program Files\Windows Mail\wab.exe" /contact "C:\Users\Admin\Contacts\Admin.contact"
  2⤵
  PID:2148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

T1064

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\fpx8z.zip

Filesize
431KB

MD5
fa9b7c190006303eecddffa019d0be06

SHA1
a97cebc176b3daa453189f2c0b7cf2a5a70f9c92

SHA256
dc7f8b3493543dc086cb43b66401893597f993408f18b437e5c8e8b5544db0bf

SHA512
4c293ef052a14f7527aa42d451ba5f4cfdf7fb7203f583eda34ef24f4a2fd13975553c432a9354a0f8c1de924b0c29a819bd34c7aaa03b642372496a75be0532

Download Submit
\Users\Admin\AppData\Local\Temp\sqlite3.dll

Filesize
825KB

MD5
00a91261929192a7facc32a9f330029a

SHA1
7df4ffdf48a6df0bac21a82d6db56aa11db470dc

SHA256
c1de8eca6419634c5f6e0e8c6ef14d9b3daa28fa28e8d1c4ce0175dbc310a77f

SHA512
18a178ca0e70fa6e8f04b4ae229cfd6ef0df252e3fd85d09cf79f89e69ada89e3479db83227095a8c16325b1dc27c9ec0c782af304f7ce0afa78c2e25b49b01e

Download Submit
memory/1200-19-0x0000000003BA0000-0x0000000003CA0000-memory.dmp

Filesize
1024KB

Download
memory/1200-34-0x0000000005050000-0x0000000005101000-memory.dmp

Filesize
708KB

Download
memory/1200-32-0x0000000005050000-0x0000000005101000-memory.dmp

Filesize
708KB

Download
memory/1200-31-0x0000000005050000-0x0000000005101000-memory.dmp

Filesize
708KB

Download
memory/1200-27-0x0000000009800000-0x000000000B409000-memory.dmp

Filesize
28.0MB

Download
memory/1200-20-0x0000000009800000-0x000000000B409000-memory.dmp

Filesize
28.0MB

Download
memory/2488-4-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2488-5-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2792-28-0x0000000000480000-0x000000000051D000-memory.dmp

Filesize
628KB

Download
memory/2792-30-0x0000000000080000-0x00000000000BF000-memory.dmp

Filesize
252KB

Download
memory/2792-73-0x0000000000080000-0x00000000000BF000-memory.dmp

Filesize
252KB

Download
memory/2792-72-0x0000000061E00000-0x0000000061EBC000-memory.dmp

Filesize
752KB

Download
memory/2792-33-0x0000000000480000-0x000000000051D000-memory.dmp

Filesize
628KB

Download
memory/2792-26-0x0000000000080000-0x00000000000BF000-memory.dmp

Filesize
252KB

Download
memory/2792-25-0x0000000000A20000-0x0000000000D23000-memory.dmp

Filesize
3.0MB

Download
memory/2792-21-0x0000000000080000-0x00000000000BF000-memory.dmp

Filesize
252KB

Download
memory/2792-22-0x0000000000080000-0x00000000000BF000-memory.dmp

Filesize
252KB

Download
memory/2932-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2932-15-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2932-13-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2932-14-0x0000000000C90000-0x0000000000F93000-memory.dmp

Filesize
3.0MB

Download
memory/2932-11-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2932-16-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2932-23-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2932-17-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2932-24-0x0000000000190000-0x00000000001AE000-memory.dmp

Filesize
120KB

Download
memory/2932-18-0x0000000000190000-0x00000000001AE000-memory.dmp

Filesize
120KB

Download
memory/3012-12-0x000007FEF5830000-0x000007FEF621C000-memory.dmp

Filesize
9.9MB

Download
memory/3012-2-0x000007FEF5830000-0x000007FEF621C000-memory.dmp

Filesize
9.9MB

Download
memory/3012-1-0x0000000000350000-0x000000000035A000-memory.dmp

Filesize
40KB

Download
memory/3012-3-0x0000000000520000-0x00000000005BC000-memory.dmp

Filesize
624KB

Download
memory/3012-0-0x000007FEF5833000-0x000007FEF5834000-memory.dmp

Filesize
4KB

Download