Overview

overview

10

Static

static

3

78fee239cf...cc.exe

windows7-x64

10

78fee239cf...cc.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    121s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    02-10-2024 01:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    78fee239cf44c2ab923669b8ccf016ef117a9682e339d96de87fa2f0a45200cc.exe

  • Size

    7.7MB

  • MD5

    58509394a423edb98b0b1be7f18551ab

  • SHA1

    4b7a8ff6ec8bd5908e306cb23d2b84ce3ff03ec3

  • SHA256

    78fee239cf44c2ab923669b8ccf016ef117a9682e339d96de87fa2f0a45200cc

  • SHA512

    41ec27bb184d55d84b3e7150df35d2229cf93ae389fc4f8b9f8bded29fb730661ddc3a21d6d926f6d98cc169e851e44928fb2058bd898d96924f69e301350b9a

  • SSDEEP

    196608:GPtx5dUAuaAxSTZLvD6/x1R92cJUMo7xS6:ctx5dUARAh5n9/GMolS6

Score
10/10
discoverypersistencespywarestealer

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 6 IoCs
    persistence
  • Process spawned unexpected child process 18 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 12 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Drops file in Program Files directory 7 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 41 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\78fee239cf44c2ab923669b8ccf016ef117a9682e339d96de87fa2f0a45200cc.exe
    "C:\Users\Admin\AppData\Local\Temp\78fee239cf44c2ab923669b8ccf016ef117a9682e339d96de87fa2f0a45200cc.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2408
    • C:\Users\Admin\AppData\Local\Temp\svchost.exe
      "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1708
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\blockhostnet\dbHnJe8FTGPofdGpjq0jOMhg.vbe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3056
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c ""C:\blockhostnet\iXSXm.bat" "
          4⤵
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2828
          • C:\blockhostnet\msinto.exe
            "C:\blockhostnet/msinto.exe"
            5⤵
            • Modifies WinLogon for persistence
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2660
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
              "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3yeaw0c0\3yeaw0c0.cmdline"
              6⤵
              • Drops file in System32 directory
              • Suspicious use of WriteProcessMemory
              PID:1444
              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE62A.tmp" "c:\Windows\System32\CSCEBE187E8DBD34BEEABDA99296C627E70.TMP"
                7⤵
                  PID:2024
              • C:\Windows\System32\cmd.exe
                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\brZKstCVzA.bat"
                6⤵
                • Suspicious use of WriteProcessMemory
                PID:3012
                • C:\Windows\system32\chcp.com
                  chcp 65001
                  7⤵
                    PID:920
                  • C:\Windows\system32\w32tm.exe
                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                    7⤵
                      PID:792
                    • C:\MSOCache\All Users\cmd.exe
                      "C:\MSOCache\All Users\cmd.exe"
                      7⤵
                      • Executes dropped EXE
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:320
          • C:\Users\Admin\AppData\Local\Temp\explorer.exe
            "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
            2⤵
            • Executes dropped EXE
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:2576
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c cls
              3⤵
                PID:3040
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "msintom" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Journal\Templates\msinto.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2324
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "msinto" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\Templates\msinto.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1276
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "msintom" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Journal\Templates\msinto.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1748
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\cmd.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1952
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\MSOCache\All Users\cmd.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1984
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\cmd.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2548
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Windows\inf\PERFLIB\040C\System.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2484
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\inf\PERFLIB\040C\System.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2824
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Windows\inf\PERFLIB\040C\System.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2860
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\cmd.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2196
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\cmd.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2884
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\cmd.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2596
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Internet Explorer\ja-JP\spoolsv.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1128
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\ja-JP\spoolsv.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:580
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Internet Explorer\ja-JP\spoolsv.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:868
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "msintom" /sc MINUTE /mo 5 /tr "'C:\blockhostnet\msinto.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:688
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "msinto" /sc ONLOGON /tr "'C:\blockhostnet\msinto.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1148
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "msintom" /sc MINUTE /mo 12 /tr "'C:\blockhostnet\msinto.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1808

          Network

          MITRE ATT&CK Enterprise v15

          Reconnaissance

          Resource Development

          Initial Access

          Execution

          Scheduled Task/Job

          1
          T1053

          Scheduled Task

          1
          T1053.005

          Persistence

          Boot or Logon Autostart Execution

          2
          T1547

          Registry Run Keys / Startup Folder

          1
          T1547.001

          Winlogon Helper DLL

          1
          T1547.004

          Scheduled Task/Job

          1
          T1053

          Scheduled Task

          1
          T1053.005

          Privilege Escalation

          Boot or Logon Autostart Execution

          2
          T1547

          Registry Run Keys / Startup Folder

          1
          T1547.001

          Winlogon Helper DLL

          1
          T1547.004

          Scheduled Task/Job

          1
          T1053

          Scheduled Task

          1
          T1053.005

          Defense Evasion

          Modify Registry

          2
          T1112

          Credential Access

          Credentials from Password Stores

          1
          T1555

          Credentials from Web Browsers

          1
          T1555.003

          Unsecured Credentials

          1
          T1552

          Credentials In Files

          1
          T1552.001

          Discovery

          Query Registry

          1
          T1012

          System Information Discovery

          1
          T1082

          System Location Discovery

          1
          T1614

          System Language Discovery

          1
          T1614.001

          Lateral Movement

          Collection

          Data from Local System

          1
          T1005

          Command and Control

          Exfiltration

          Impact

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\RESE62A.tmp
            Filesize

            1KB

            MD5

            485a465631aa2eccb48a971c41adeb9e

            SHA1

            86aa01b9b6c57d209aba4d3029918543da2c84ea

            SHA256

            b56662dcc002feb4b40f6530d289504908e6c0f2d307463acdf89388ff8ca268

            SHA512

            0a8f2404f0cef5c345aa98aabdfc33f5cad8038a202e43effd0f48d12248fe9ba77665befc87db5f27995c4e4e52174194a6d80e239ab641fe52f3cbde0fda13

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\brZKstCVzA.bat
            Filesize

            205B

            MD5

            4607a7853f42b0620c29cb1cabe1a3de

            SHA1

            1ab914a36b2e54c8d5dde8f0c9a41d7eb2811582

            SHA256

            875d45a04ed3a795f575c0070f47f6423acd83bf8b4bb9900a7fd8172be33c78

            SHA512

            18584be31f8e5d5c8ccbcde75f395f1c05873875253bc18fd431f4a6b88c1165a249d5cb00e25cd137a95f42f7b91a341fa00ecb4ea8fe340248b61779a32147

            Download Submit

          • C:\blockhostnet\dbHnJe8FTGPofdGpjq0jOMhg.vbe
            Filesize

            196B

            MD5

            8f9afb736d7dcaf92555a19215fa5c7b

            SHA1

            f735f020e772ac67b5ed87c15d110973980e271b

            SHA256

            d78691f9757ea266450f639553638bdb3f7383341298578a2f4096a7096b2fb4

            SHA512

            69d27657031b6b8c8c9d266f8498a824a13434d62d80144cb5966e26b4e2b2e2e43247af31dc5d845b1a771e267e71ba59dcbcb04f532bce8892a462c035d10b

            Download Submit

          • C:\blockhostnet\iXSXm.bat
            Filesize

            71B

            MD5

            5b64fe1545fbf11ec2bf13e3cf7579db

            SHA1

            bc17a73a181ca2e2dd489173e12861416e6db274

            SHA256

            579e774b18b84f5d6cba055a2ed46893b438ee98317efafa9837c6e796f6496f

            SHA512

            8e44c179350d5554299c303d54b30c934eff8ed69f807bb810d93087085909d8306eb0f3a7476fc6707c4565c0958e720b8086e5c038e2f337b79f310203c153

            Download Submit

          • C:\blockhostnet\msinto.exe
            Filesize

            1.8MB

            MD5

            83152560524b250c6c27561117df37fe

            SHA1

            f17613b0d3ec3d46a51daf0ca011ff7dc8a8d53a

            SHA256

            72bcbcb256f87968ad40aef6b4dac464921ce8f66cdc242b65eb6e9f23b3ca80

            SHA512

            7793eb5dcc26a00a0c72a07dd084a99d2b41e87e995a25040dd183bd84e94fce652eb896f0eafaa717bd97a67b8d1bb8e7a28b4c7ea4f39c15532881304a218c

            Download Submit

          • \??\c:\Users\Admin\AppData\Local\Temp\3yeaw0c0\3yeaw0c0.0.cs
            Filesize

            385B

            MD5

            6bf7429035a7ac340773e48d47cf646a

            SHA1

            515df3140c6e2c9c8c7ad6e2f8b6d3e22baf9743

            SHA256

            cb4e5bd3695ba7f1d4316039314109c92adf39cd2a2e1a027937cd0791f60466

            SHA512

            2de40e0a32cbd98eb3bfc1170ac5a142f8b1a2662bfb5c91a140d23f476f328011311145053b8d21d935a7fb54b343dbf9b9186b8f4af9c54db0ae88671d7868

            Download Submit

          • \??\c:\Users\Admin\AppData\Local\Temp\3yeaw0c0\3yeaw0c0.cmdline
            Filesize

            235B

            MD5

            1ddaa785385e0e6763e3967f29792cb2

            SHA1

            b2fd99eb40c0cff8cc59cf982b366e93f1689bce

            SHA256

            cb53582b52070db36ca5009a2a4fee83bab84ae1668efa6c7db7ffca0afba3ce

            SHA512

            1de48b6718c5d18f1c1139fb35e78b0ed3472c66dbe0ae9fb2dc0f26dad15b05ef509f477f70f60e62e6eb8caf956e1fa9522445fb5389221a520ed8a9b0e530

            Download Submit

          • \??\c:\Windows\System32\CSCEBE187E8DBD34BEEABDA99296C627E70.TMP
            Filesize

            1KB

            MD5

            dcd286f3a69cfd0292a8edbc946f8553

            SHA1

            4d347ac1e8c1d75fc139878f5646d3a0b083ef17

            SHA256

            29e03364271673f4b388131b7773d016df859bb0b1c5e6c3ad6914a632600596

            SHA512

            4b9546033bd4957263854fbb0a87aa1d57ce3afbce7bf03b12b05b78f97c5a27c52c1d73e34b6a5ba2c395e26ec9c474a32609441b99cf78ea707113fca96f77

            Download Submit

          • \Users\Admin\AppData\Local\Temp\explorer.exe
            Filesize

            5.5MB

            MD5

            52aaa8c3fd6b813b713ae05ab9e4829c

            SHA1

            d4ac8addbe5e15e867afe58f4bbb8319395ad38e

            SHA256

            0c30d4cb510304d4ce140952f8ce316056cc4bc552cef78a81fd5301aecc1fd2

            SHA512

            c39bba95a8554f1115d0362bad33901fd87e00d5de7671cd48d7b537c97889882b9009a83948087cf8516a32588e4ef831531977740b17a2791cec927934fdd8

            Download Submit

          • \Users\Admin\AppData\Local\Temp\svchost.exe
            Filesize

            2.1MB

            MD5

            a87cb2a1e23600c28c1a8e6a5c6a1c52

            SHA1

            8d8dabcca9b1265a12b4e5a00d517930305468b6

            SHA256

            1ba3c880a6c5d379e7257e3bb14f9aa6b2d836562e5ad0439f219fa76b3d9dca

            SHA512

            23a9132c0eaf6725e42a974c656a8cb5792a67f7eb7e32d33041fb72f45780f97ecfb6822c8099bd7f425fb142dfa6e0e3dbd46b1736d70551c32eb910dbd280

            Download Submit

          • memory/320-80-0x00000000003B0000-0x000000000058A000-memory.dmp

            Filesize

            1.9MB

            Download

          • memory/2408-0-0x0000000074ABE000-0x0000000074ABF000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2408-1-0x0000000000E50000-0x0000000001602000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/2576-31-0x0000000077A90000-0x0000000077A92000-memory.dmp

            Filesize

            8KB

            Download

          • memory/2576-24-0x0000000077A80000-0x0000000077A82000-memory.dmp

            Filesize

            8KB

            Download

          • memory/2576-26-0x0000000077A80000-0x0000000077A82000-memory.dmp

            Filesize

            8KB

            Download

          • memory/2576-28-0x0000000077A80000-0x0000000077A82000-memory.dmp

            Filesize

            8KB

            Download

          • memory/2576-29-0x0000000077A90000-0x0000000077A92000-memory.dmp

            Filesize

            8KB

            Download

          • memory/2576-34-0x0000000140000000-0x00000001408C1000-memory.dmp

            Filesize

            8.8MB

            Download

          • memory/2576-33-0x0000000077A90000-0x0000000077A92000-memory.dmp

            Filesize

            8KB

            Download

          • memory/2660-41-0x0000000000D00000-0x0000000000EDA000-memory.dmp

            Filesize

            1.9MB

            Download

          • memory/2660-43-0x0000000000300000-0x000000000030E000-memory.dmp

            Filesize

            56KB

            Download

          • memory/2660-45-0x00000000006A0000-0x00000000006BC000-memory.dmp

            Filesize

            112KB

            Download

          • memory/2660-47-0x00000000006C0000-0x00000000006D8000-memory.dmp

            Filesize

            96KB

            Download

          • memory/2660-49-0x0000000000310000-0x000000000031C000-memory.dmp

            Filesize

            48KB

            Download