Resubmissions
10-10-2024 02:19
241010-crx4sazhnm 10Analysis
-
max time kernel
119s -
max time network
147s -
platform
windows11-21h2_x64 -
resource
win11-20241007-en -
resource tags
-
submitted
10-10-2024 02:19
General
-
Target
Samples - 10-09-2024/4ac2ddb4fa2d1917ae491b5ac623e7ebf23e5e34667c63e5acd433cc6696c23d.exe
-
Size
3.3MB
-
MD5
3c9cf0b38226e2a7f0191a0130536859
-
SHA1
87d531257a15e18b50fa341bce9ac3c5a71ba80d
-
SHA256
4ac2ddb4fa2d1917ae491b5ac623e7ebf23e5e34667c63e5acd433cc6696c23d
-
SHA512
ad6bc0c26b6adbb7ead5db17fb4fd4285bcfd623531f41ad6ae31e97a1e760a59f36de05eab0e298e0892fea03d4a4c2ae389d90036c784edb44e61d7a8161d2
-
SSDEEP
49152:uGmcpg5vS+c8OorsMzNRK6v1hFXefh0iMB+0b+N/uyVbVihyXYuIS:t0vfxoEe6vHFXgh5cb+NhqlS
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 5 IoCs
-
Process spawned unexpected child process 15 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Executes dropped EXE 1 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 10 IoCs
-
Drops file in System32 directory 2 IoCs
-
Drops file in Program Files directory 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 7 IoCs
-
Suspicious use of WriteProcessMemory 22 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Samples - 10-09-2024\4ac2ddb4fa2d1917ae491b5ac623e7ebf23e5e34667c63e5acd433cc6696c23d.exe"C:\Users\Admin\AppData\Local\Temp\Samples - 10-09-2024\4ac2ddb4fa2d1917ae491b5ac623e7ebf23e5e34667c63e5acd433cc6696c23d.exe"1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fws2z52w\fws2z52w.cmdline"2⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5946.tmp" "c:\Windows\System32\CSCFED99657FBEE4E9683585A3179A05437.TMP"3⤵
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\spoolsv.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\csrss.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\smss.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\wininit.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\fontdrvhost.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kDSUZmuH6d.bat"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650013⤵
-
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:23⤵
-
-
C:\Users\Default User\wininit.exe"C:\Users\Default User\wininit.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Default User\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\fontdrvhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.3MB
MD53c9cf0b38226e2a7f0191a0130536859
SHA187d531257a15e18b50fa341bce9ac3c5a71ba80d
SHA2564ac2ddb4fa2d1917ae491b5ac623e7ebf23e5e34667c63e5acd433cc6696c23d
SHA512ad6bc0c26b6adbb7ead5db17fb4fd4285bcfd623531f41ad6ae31e97a1e760a59f36de05eab0e298e0892fea03d4a4c2ae389d90036c784edb44e61d7a8161d2
-
Filesize
2KB
MD5627073ee3ca9676911bee35548eff2b8
SHA14c4b68c65e2cab9864b51167d710aa29ebdcff2e
SHA25685b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c
SHA5123c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb
-
Filesize
944B
MD51a9fa92a4f2e2ec9e244d43a6a4f8fb9
SHA19910190edfaccece1dfcc1d92e357772f5dae8f7
SHA2560ee052d5333fd5fd86bc84856fec98e045f077a7ac8051651bf7c521b9706888
SHA5125d2361476fa22200e6f83883efe7dcb8c3fe7dae8d56e04e28a36e9ae1270c327b6aa161d92b239593da7661289d002c574446ecfd6bd19928209aae25e3ef64
-
Filesize
944B
MD545f53352160cf0903c729c35c8edfdce
SHA1b35a4d4fbaf2a3cc61e540fc03516dd70f3c34ab
SHA2569cf18d157a858fc143a6de5c2dd3f618516a527b34478ac478d8c94ff027b0d2
SHA512e3fa27a80a1df58acb49106c306dab22e5ed582f6b0cd7d9c3ef0a85e9f5919333257e88aa44f42a0e095fd577c9e12a02957a7845c0d109f821f32d8d3343f3
-
Filesize
944B
MD5aa4f31835d07347297d35862c9045f4a
SHA183e728008935d30f98e5480fba4fbccf10cefb05
SHA25699c83bc5c531e49d4240700142f3425aba74e18ebcc23556be32238ffde9cce0
SHA512ec3a4bee8335007b8753ae8ac42287f2b3bcbb258f7fc3fb15c9f8d3e611cb9bf6ae2d3034953286a34f753e9ec33f7495e064bab0e8c7fcedd75d6e5eb66629
-
Filesize
1KB
MD55f516b4ae1bd0892f59a6554955cb549
SHA136759ce6f6f6a366731edb75354eef0b10b9e510
SHA256cb974aeb2ed4ae5bc12fb76bf8917fd57621f4d3fccdf5c575dc1c9ff1166a0a
SHA512c07e3dd27c86207ad775c2de98c471a10c0b78946671aa40b27140587c50cf8ce4603affdc84cf10812e3d9936528b45d712dc314d1a39da6e7e38077c652e89
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
209B
MD5449fc50a59530775ddcd421cfd6fcd77
SHA1146e2c8976cf28fcdd5e27d1b95ddc8f049ae948
SHA256206aef375bb408a1790795479b96b3abdc162496f87c51a976a21284345b6e50
SHA5127afd0067b1d1f53ec9bed761fc650a43ac34ca1af740ab1e8daa0c51834dbe05d64c97e9b6846f3a8817ca2797d18d9a355e0634adf79db157ea7d08c30b7a4a
-
Filesize
365B
MD52ca0f046cc378e8ccaa2ea77ecb5f4b2
SHA14e2e1b1c3675568cdf435c2fa99c78c21e46c57f
SHA25656a3e5a8dc21ba87657762c79e5a6850897912e47eac5011307acff0d8318473
SHA5127596478da1b4ca0d0b0eb5f973db4d314644abaaa500fc6b5eef2e2b945a60c3aaeeb1b75e54dfd2947903b9a97608109d808034aafef3b08f7905e721556229
-
Filesize
235B
MD5abd7055e334f8cda89e16fe080bac37d
SHA18eb953d8b8ec9e5d51938c8f11d2561734e237fb
SHA256cca976d27cb9ff92dfa0b92d30a791f935e6d630e64682c707070a70e5943282
SHA512fa9185f749afbc8db4c7c74ebaef6fe8cb95dc78847d1f021626930df60a02a11dcc7aa47f433447f71169663d280a681f79d129d50ae766c2a0f063a9a0df5d
-
Filesize
1KB
MD5d89c8eda5ccd9b9600f2962d9a95e453
SHA1e5d9f7603b9bc8339c9bc451e8ad7c67b1916d95
SHA2569b274ee8615f4208df254a0fc6abb2b0d8be71defecba04292fcc69cef64387b
SHA5129c4f365e362069a6256c8d7691f217e1ae01a3af2218cdc400f77d7dc9af9d3634b234338b9cc562fd146ebcc8034dfd313cd9d3aa2df2e20876e6641c6d9055
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
3.7MB
-
Filesize
3.7MB
-
Filesize
3.7MB
-
Filesize
3.7MB
-
Filesize
3.7MB
-
Filesize
3.7MB
-
Filesize
3.7MB
-
Filesize
3.7MB
-
Filesize
3.7MB
-
Filesize
3.7MB
-
Filesize
3.7MB
-
Filesize
3.7MB
-
Filesize
3.7MB
-
Filesize
3.7MB
-
Filesize
3.7MB
-
Filesize
3.7MB
-
Filesize
3.7MB
-
Filesize
3.7MB
-
Filesize
3.7MB
-
Filesize
3.7MB
-
Filesize
3.7MB
-
Filesize
3.7MB
-
Filesize
10.8MB
-
Filesize
3.7MB
-
Filesize
3.7MB
-
Filesize
3.7MB
-
Filesize
3.7MB
-
Filesize
3.7MB
-
Filesize
3.7MB
-
Filesize
8KB
-
Filesize
10.8MB
-
Filesize
3.7MB
-
Filesize
10.8MB
-
Filesize
152KB
-
Filesize
10.8MB
-
Filesize
56KB
-
Filesize
112KB
-
Filesize
3.7MB
-
Filesize
320KB
-
Filesize
96KB
-
Filesize
64KB
-
Filesize
56KB
-
Filesize
72KB
-
Filesize
56KB
-
Filesize
64KB
-
Filesize
48KB
-
Filesize
88KB
-
Filesize
10.8MB
-
Filesize
72KB
-
Filesize
56KB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
5.2MB
-
Filesize
56KB
-
Filesize
48KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
360KB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
3.7MB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
96KB
-
Filesize
48KB
-
Filesize
312KB
-
Filesize
8KB
-
Filesize
10.8MB
-
Filesize
3.7MB
-
Filesize
3.7MB
-
Filesize
3.7MB
-
Filesize
32KB
-
Filesize
136KB