Overview

overview

10

Static

static

3

Client.exe

windows7-x64

Client.exe

windows10-2004-x64

Analysis

  • max time kernel
    26s
  • max time network
    28s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    29/11/2024, 13:26

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    Client.exe

  • Size

    608KB

  • MD5

    39727583da3ec4b5a2c90f3d098b79fc

  • SHA1

    a2ebefa269b3462f7a85b7af2188ede8ed4f0aac

  • SHA256

    e10cb7d36b757ce8925ae85fa3c2163df542b98866e06468b54abc9c4c9c05d0

  • SHA512

    12c0d9dbd63259cb19cf70b765faf0c6220a3ee8ef6ad7ec6e7638ac4a07c2b701a92e19b8af4a1e859f2b34df159c316653e89ff77b214c71beb5d71170c2a3

  • SSDEEP

    6144:KnR9gbQETjrVwuR7V5Ew1w6Ici19/e6VlWT8b9khzaiMuz3KVjbI4R6SqBUiTVVo:G8bQSVEw14fPVle8Sqvx6Sqx

Score
10/10
credential_accessdiscoverypersistenceprivilege_escalationspywarestealer

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Event Triggered Execution: AppInit DLLs 1 TTPs

    Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.

    persistenceprivilege_escalation
  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

    credential_accessstealer
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops file in Windows directory 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\Client.exe
    "C:\Users\Admin\AppData\Local\Temp\Client.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2180
    • C:\Windows\system32\CMD.exe
      "CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "SecurityHealthSystray.exe" /tr "C:\Users\Admin\xdwdMicrosoft Excel Host.exe" & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2712
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "SecurityHealthSystray.exe" /tr "C:\Users\Admin\xdwdMicrosoft Excel Host.exe"
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2544
    • C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "SecurityHealthSystray" /tr "C:\Users\Admin\xdwdMicrosoft Excel Host.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3056
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "SecurityHealthSystray" /tr "C:\Users\Admin\xdwdMicrosoft Excel Host.exe" /RL HIGHEST
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:1776
    • C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "SecurityHealthSystray" /tr "C:\Users\Admin\Documents\xdwdCitrix Receiver.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2640
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo 5 /tn "SecurityHealthSystray" /tr "C:\Users\Admin\Documents\xdwdCitrix Receiver.exe" /RL HIGHEST
        3⤵
        • Scheduled Task/Job: Scheduled Task
        • Suspicious behavior: EnumeratesProcesses
        PID:940
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c Shutdown /s /f /t 00
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1984
      • C:\Windows\system32\shutdown.exe
        Shutdown /s /f /t 00
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2164
  • C:\Windows\system32\wbem\WmiApSrv.exe
    C:\Windows\system32\wbem\WmiApSrv.exe
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:3048
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x0
    1⤵
      PID:2964
    • C:\Windows\system32\LogonUI.exe
      "LogonUI.exe" /flags:0x1
      1⤵
        PID:1216

      Network

      MITRE ATT&CK Enterprise v15

      Reconnaissance

      Resource Development

      Initial Access

      Execution

      Scheduled Task/Job

      1
      T1053

      Scheduled Task

      1
      T1053.005

      Persistence

      Boot or Logon Autostart Execution

      1
      T1547

      Winlogon Helper DLL

      1
      T1547.004

      Event Triggered Execution

      1
      T1546

      AppInit DLLs

      1
      T1546.010

      Scheduled Task/Job

      1
      T1053

      Scheduled Task

      1
      T1053.005

      Privilege Escalation

      Boot or Logon Autostart Execution

      1
      T1547

      Winlogon Helper DLL

      1
      T1547.004

      Event Triggered Execution

      1
      T1546

      AppInit DLLs

      1
      T1546.010

      Scheduled Task/Job

      1
      T1053

      Scheduled Task

      1
      T1053.005

      Defense Evasion

      Modify Registry

      1
      T1112

      Credential Access

      Credentials from Password Stores

      2
      T1555

      Credentials from Web Browsers

      1
      T1555.003

      Windows Credential Manager

      1
      T1555.004

      Unsecured Credentials

      1
      T1552

      Credentials In Files

      1
      T1552.001

      Discovery

      Browser Information Discovery

      1
      T1217

      Query Registry

      1
      T1012

      System Information Discovery

      1
      T1082

      Lateral Movement

      Collection

      Data from Local System

      1
      T1005

      Command and Control

      Exfiltration

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Windows\xdwd.dll
        Filesize

        136KB

        MD5

        16e5a492c9c6ae34c59683be9c51fa31

        SHA1

        97031b41f5c56f371c28ae0d62a2df7d585adaba

        SHA256

        35c8d022e1d917f1aabdceae98097ccc072161b302f84c768ca63e4b32ac2b66

        SHA512

        20fd369172ef5e3e2fde388666b42e8fe5f0c2bfa338c0345f45e98af6561a249ba3ecc48c3f16efcc73f02ecb67b3ddb1e2e8f0e77d18fa00ac34e6379e50b6

        Download Submit

      • memory/940-53-0x000007FEF7C60000-0x000007FEF7C82000-memory.dmp

        Filesize

        136KB

        Download

      • memory/1984-60-0x000007FEF3240000-0x000007FEF3262000-memory.dmp

        Filesize

        136KB

        Download

      • memory/2164-59-0x000007FEF3240000-0x000007FEF3262000-memory.dmp

        Filesize

        136KB

        Download

      • memory/2180-58-0x000007FEF6230000-0x000007FEF6C1C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2180-54-0x000007FEF6230000-0x000007FEF6C1C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2180-56-0x0000000000B10000-0x0000000000B1C000-memory.dmp

        Filesize

        48KB

        Download

      • memory/2180-57-0x0000000000B20000-0x0000000000B28000-memory.dmp

        Filesize

        32KB

        Download

      • memory/2180-0-0x000007FEF6233000-0x000007FEF6234000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2180-2-0x000007FEF6233000-0x000007FEF6234000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2180-1-0x0000000001250000-0x00000000012EE000-memory.dmp

        Filesize

        632KB

        Download

      • memory/2180-61-0x000007FEF6230000-0x000007FEF6C1C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/3048-55-0x000007FEF22B0000-0x000007FEF22D2000-memory.dmp

        Filesize

        136KB

        Download