Overview

overview

10

Static

static

3

Client.exe

windows7-x64

Client.exe

windows10-2004-x64

Analysis

  • max time kernel
    33s
  • max time network
    35s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29/11/2024, 13:26

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    Client.exe

  • Size

    608KB

  • MD5

    39727583da3ec4b5a2c90f3d098b79fc

  • SHA1

    a2ebefa269b3462f7a85b7af2188ede8ed4f0aac

  • SHA256

    e10cb7d36b757ce8925ae85fa3c2163df542b98866e06468b54abc9c4c9c05d0

  • SHA512

    12c0d9dbd63259cb19cf70b765faf0c6220a3ee8ef6ad7ec6e7638ac4a07c2b701a92e19b8af4a1e859f2b34df159c316653e89ff77b214c71beb5d71170c2a3

  • SSDEEP

    6144:KnR9gbQETjrVwuR7V5Ew1w6Ici19/e6VlWT8b9khzaiMuz3KVjbI4R6SqBUiTVVo:G8bQSVEw14fPVle8Sqvx6Sqx

Score
10/10
credential_accessdiscoverypersistenceprivilege_escalationspywarestealer

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Event Triggered Execution: AppInit DLLs 1 TTPs

    Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.

    persistenceprivilege_escalation
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

    credential_accessstealer
  • Loads dropped DLL 6 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops file in Windows directory 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies data under HKEY_USERS 15 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\Client.exe
    "C:\Users\Admin\AppData\Local\Temp\Client.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Checks computer location settings
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2228
    • C:\Windows\SYSTEM32\CMD.exe
      "CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "SecurityHealthSystray.exe" /tr "C:\Users\Admin\xdwdMicrosoft Excel Host.exe" & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4008
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "SecurityHealthSystray.exe" /tr "C:\Users\Admin\xdwdMicrosoft Excel Host.exe"
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:3220
    • C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "SecurityHealthSystray" /tr "C:\Users\Admin\xdwdMicrosoft Excel Host.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2408
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "SecurityHealthSystray" /tr "C:\Users\Admin\xdwdMicrosoft Excel Host.exe" /RL HIGHEST
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:4780
    • C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "SecurityHealthSystray" /tr "C:\Users\Admin\Documents\xdwdCitrix Receiver.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3148
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo 5 /tn "SecurityHealthSystray" /tr "C:\Users\Admin\Documents\xdwdCitrix Receiver.exe" /RL HIGHEST
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:3388
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c Shutdown /s /f /t 00
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3528
      • C:\Windows\system32\shutdown.exe
        Shutdown /s /f /t 00
        3⤵
        • Loads dropped DLL
        • Suspicious use of AdjustPrivilegeToken
        PID:2652
  • C:\Windows\system32\wbem\WmiApSrv.exe
    C:\Windows\system32\wbem\WmiApSrv.exe
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    PID:4168
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x4 /state0:0xa3945055 /state1:0x41c64e6d
    1⤵
    • Loads dropped DLL
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:5012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Boot or Logon Autostart Execution

1
T1547

Winlogon Helper DLL

1
T1547.004

Event Triggered Execution

1
T1546

AppInit DLLs

1
T1546.010

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Winlogon Helper DLL

1
T1547.004

Event Triggered Execution

1
T1546

AppInit DLLs

1
T1546.010

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials from Password Stores

2
T1555

Credentials from Web Browsers

1
T1555.003

Windows Credential Manager

1
T1555.004

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Browser Information Discovery

1
T1217

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\xdwd.dll
    Filesize

    136KB

    MD5

    16e5a492c9c6ae34c59683be9c51fa31

    SHA1

    97031b41f5c56f371c28ae0d62a2df7d585adaba

    SHA256

    35c8d022e1d917f1aabdceae98097ccc072161b302f84c768ca63e4b32ac2b66

    SHA512

    20fd369172ef5e3e2fde388666b42e8fe5f0c2bfa338c0345f45e98af6561a249ba3ecc48c3f16efcc73f02ecb67b3ddb1e2e8f0e77d18fa00ac34e6379e50b6

    Download Submit

  • memory/2228-0-0x00007FF8C10F3000-0x00007FF8C10F5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2228-1-0x0000000000140000-0x00000000001DE000-memory.dmp

    Filesize

    632KB

    Download

  • memory/2228-2-0x00007FF8C10F3000-0x00007FF8C10F5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2228-18-0x00007FF8C10F0000-0x00007FF8C1BB1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2228-106-0x0000000000B20000-0x0000000000B2C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/2228-105-0x000000001D7E0000-0x000000001D856000-memory.dmp

    Filesize

    472KB

    Download

  • memory/2228-107-0x00000000023A0000-0x00000000023BE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/2228-138-0x00007FF8C10F0000-0x00007FF8C1BB1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2228-169-0x0000000000B40000-0x0000000000B48000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2228-173-0x00007FF8C10F0000-0x00007FF8C1BB1000-memory.dmp

    Filesize

    10.8MB

    Download