Overview

overview

8

Static

static

3

vTHGfiwMDeoOH5a.exe

windows7-x64

8

Resubmissions

07-10-2024 05:31

241007-f76bwasdpf 8

07-10-2024 03:45

241007-ebh12axgna 8

07-10-2024 03:41

241007-d88ghsxflg 8

07-10-2024 03:38

241007-d7bfdstbkm 8

Analysis

  • max time kernel
    149s
  • max time network
    71s
  • platform
    windows7_x64
  • resource
    win7-20240729-ja
  • resource tags

    arch:x64arch:x86image:win7-20240729-jalocale:ja-jpos:windows7-x64systemwindows
  • submitted
    07-10-2024 03:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    vTHGfiwMDeoOH5a.exe

  • Size

    785KB

  • MD5

    3aa5992e9a518e4d1a7042a16b10e31d

  • SHA1

    5bce77192abbf2a71a2b19d6b00f08685f569b64

  • SHA256

    cfad352d8c9e907269c76b22b73f7a9fa47c3782c99ec48598a310a35d3bdaac

  • SHA512

    518b38137a320e3853e28496485c04c933b68ef34f4ef9b4da363711555ea70c11325d4e05d761d5a4aaa199e684e0da084e0226f319cfe3a29dc00d120fed95

  • SSDEEP

    24576:A0ixK9bqAGf89ojqUk6fT6xuBgptr6svn6v:9ixKp5NX6BBStr6svnu

Score
8/10
discoveryexecutionspywarestealer

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 6 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 30 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 20 IoCs
  • Suspicious use of WriteProcessMemory 45 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1232
    • C:\Users\Admin\AppData\Local\Temp\vTHGfiwMDeoOH5a.exe
      "C:\Users\Admin\AppData\Local\Temp\vTHGfiwMDeoOH5a.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2056
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\vTHGfiwMDeoOH5a.exe"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2964
      • C:\Users\Admin\AppData\Local\Temp\vTHGfiwMDeoOH5a.exe
        "C:\Users\Admin\AppData\Local\Temp\vTHGfiwMDeoOH5a.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        PID:2992
    • C:\Windows\system32\mmc.exe
      "C:\Windows\system32\mmc.exe" C:\Windows\system32\taskschd.msc
      2⤵
      • Drops file in System32 directory
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2748
      • C:\Windows\SysWOW64\mshta.exe
        "C:\Windows\SysWOW64\mshta.exe"
        3⤵
        • Blocklisted process makes network request
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        PID:2116
    • C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      2⤵
        PID:1644
      • C:\Users\Admin\AppData\Local\Temp\vTHGfiwMDeoOH5a.exe
        "C:\Users\Admin\AppData\Local\Temp\vTHGfiwMDeoOH5a.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1568
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\vTHGfiwMDeoOH5a.exe"
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          PID:2216
        • C:\Users\Admin\AppData\Local\Temp\vTHGfiwMDeoOH5a.exe
          "C:\Users\Admin\AppData\Local\Temp\vTHGfiwMDeoOH5a.exe"
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:1776
      • C:\Users\Admin\AppData\Local\Temp\vTHGfiwMDeoOH5a.exe
        "C:\Users\Admin\AppData\Local\Temp\vTHGfiwMDeoOH5a.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2020
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\vTHGfiwMDeoOH5a.exe"
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          PID:1552
        • C:\Users\Admin\AppData\Local\Temp\vTHGfiwMDeoOH5a.exe
          "C:\Users\Admin\AppData\Local\Temp\vTHGfiwMDeoOH5a.exe"
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:2528
    • C:\Windows\system32\AUDIODG.EXE
      C:\Windows\system32\AUDIODG.EXE 0x4fc
      1⤵
        PID:2536

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\0dbd1hu.zip
        Filesize

        438KB

        MD5

        9ec4d0fe38cb4de94d578bfd72c8eebd

        SHA1

        e316282a617c5f0c40c488de79c73cf13c8baaf2

        SHA256

        2402c65692d0a822d7931489d1bbf29fa9bfbf210819c1614dd8d2350e747f2f

        SHA512

        a3d1ff3c516cf2c6548e03d68eeaff530acc794e1f76253d46b092183bd762c1126160dd611e0d3ceec5d0664d946e5d154b8dc88b1bccf606b57cfd59a31201

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\1863I7301
        Filesize

        46KB

        MD5

        02d2c46697e3714e49f46b680b9a6b83

        SHA1

        84f98b56d49f01e9b6b76a4e21accf64fd319140

        SHA256

        522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

        SHA512

        60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\sqlite3.def
        Filesize

        5KB

        MD5

        cd9b704b328573406d319f6e22e043be

        SHA1

        fb88536357cf2a7db522684887affd85ab5747da

        SHA256

        8274a340b59d469c27eb238a7984d250287c7820556a9e2693e8f1ecd907936a

        SHA512

        869ac4a65380ec36254de7309d84d5c98d4b280e71bdcc389f4689bc140ef86ea0eb3e736cb7e906417e40eba79c33dd712cf67099ae26ffeecff78130e2ca29

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
        Filesize

        7KB

        MD5

        9e2111efd6b1b933bf1b9c1211bf8545

        SHA1

        6590f4e3ab461838f99ea2438809d07a7641e6da

        SHA256

        7bc33a190d4f6a6a1560afaf5130422399eda0fa6b6ca086012a6e6e81a37720

        SHA512

        6c23e2bca284854ab50f8a07dccf29cb84f46438765c45e501bd659c5ab22d3d0e0649d83ee41e760e35032fa8cf381f815a908424b2371d5f259cdd3bfe74bb

        Download Submit

      • \Users\Admin\AppData\Local\Temp\sqlite3.dll
        Filesize

        837KB

        MD5

        e1b58e0aa1b377a1d0e940660ad1ace1

        SHA1

        5afc7291b26855b1252b26381ebc85ed3cca218f

        SHA256

        1b98c006231d38524e2278a474c49274fe42e0bb1a31bcfda02e6e32f559b777

        SHA512

        9ce778bcb586638662b090910c4ceab3b64e16dfaf905a7581c1d349fecdf186995b3cc0dc8c6fc6e9761ea2831d7b14ac1619c2bd5ebc6d18015842e5d94aa2

        Download Submit

      • memory/1232-31-0x0000000000240000-0x0000000000340000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1232-32-0x000000000D310000-0x000000000D3E2000-memory.dmp

        Filesize

        840KB

        Download

      • memory/1568-77-0x0000000000B00000-0x0000000000BCA000-memory.dmp

        Filesize

        808KB

        Download

      • memory/1776-82-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2056-5-0x0000000074830000-0x0000000074F1E000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/2056-3-0x00000000008D0000-0x00000000008E8000-memory.dmp

        Filesize

        96KB

        Download

      • memory/2056-6-0x0000000005100000-0x000000000518E000-memory.dmp

        Filesize

        568KB

        Download

      • memory/2056-16-0x0000000074830000-0x0000000074F1E000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/2056-1-0x0000000000DB0000-0x0000000000E7A000-memory.dmp

        Filesize

        808KB

        Download

      • memory/2056-2-0x0000000074830000-0x0000000074F1E000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/2056-7-0x0000000074830000-0x0000000074F1E000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/2056-4-0x000000007483E000-0x000000007483F000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2056-0-0x000000007483E000-0x000000007483F000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2116-67-0x0000000006A90000-0x0000000006B4E000-memory.dmp

        Filesize

        760KB

        Download

      • memory/2116-71-0x0000000000080000-0x00000000000C4000-memory.dmp

        Filesize

        272KB

        Download

      • memory/2116-72-0x0000000006A90000-0x0000000006B4E000-memory.dmp

        Filesize

        760KB

        Download

      • memory/2116-27-0x0000000000080000-0x00000000000C4000-memory.dmp

        Filesize

        272KB

        Download

      • memory/2116-30-0x0000000000080000-0x00000000000C4000-memory.dmp

        Filesize

        272KB

        Download

      • memory/2748-24-0x000000001D640000-0x000000001D7E8000-memory.dmp

        Filesize

        1.7MB

        Download

      • memory/2748-25-0x0000000002E90000-0x0000000002E98000-memory.dmp

        Filesize

        32KB

        Download

      • memory/2748-23-0x000000001D2F0000-0x000000001D636000-memory.dmp

        Filesize

        3.3MB

        Download

      • memory/2748-22-0x0000000002820000-0x000000000282E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/2748-21-0x0000000002F20000-0x0000000002F78000-memory.dmp

        Filesize

        352KB

        Download

      • memory/2748-20-0x00000000024F0000-0x000000000250E000-memory.dmp

        Filesize

        120KB

        Download

      • memory/2992-29-0x0000000000400000-0x0000000000447000-memory.dmp

        Filesize

        284KB

        Download

      • memory/2992-26-0x0000000000400000-0x0000000000447000-memory.dmp

        Filesize

        284KB

        Download

      • memory/2992-19-0x0000000000400000-0x0000000000447000-memory.dmp

        Filesize

        284KB

        Download

      • memory/2992-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2992-8-0x0000000000400000-0x0000000000447000-memory.dmp

        Filesize

        284KB

        Download

      • memory/2992-10-0x0000000000400000-0x0000000000447000-memory.dmp

        Filesize

        284KB

        Download

      • memory/2992-15-0x0000000000400000-0x0000000000447000-memory.dmp

        Filesize

        284KB

        Download