Analysis
- max time kernel: 110s
- max time network: 28s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 17-11-2020 11:59
Static task: static1
Behavioral task: behavioral1
- Sample: 91cee6dd31c751aaefb0262491131d80.exe
- Resource: win7v20201028
- 0 signatures
- 0 seconds
Behavioral task: behavioral2
- Sample: 91cee6dd31c751aaefb0262491131d80.exe
- Resource: win10v20201028
- 0 signatures
- 0 seconds
General
- Target: 91cee6dd31c751aaefb0262491131d80.exe
- Size: 448KB
- MD5: 4376d0d5d4d90a28dff32caf78aad03c
- SHA1: 56ba7c2f016235894fed7a7916b68e053f64ebba
- SHA256: 8b162f27e2d079c737d9006f8aadb746b97b863012870fffd443e1636c70e6fb
- SHA512: 95bbed9ba8277d462d979e8e48af6a9bd4f783f74461585fde9c5b4f5039f7ecd00a3c82a5725f2e4de0bc7ff95371064565afcb0306929e53bd07323552f918
- Score: 7/10
Malware Config
Signatures
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Modifies Internet Explorer settings 5 IoCs
Processes: 91cee6dd31c751aaefb0262491131d80.exe
- Key deleted: \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472F-A0FF-E1416B8B2E3A}
- Key created: \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0E67A6B8-A1D0-4f0d-B421-7FED69FCC971}
- Set value (str): \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0E67A6B8-A1D0-4f0d-B421-7FED69FCC971}\URL = "http://www.gigabase.ru/search?q={searchTerms}&uin=1000"
- Set value (str): \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0E67A6B8-A1D0-4f0d-B421-7FED69FCC971}\DisplayName = "Gigabase"
- Set value (str): \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{0E67A6B8-A1D0-4f0d-B421-7FED69FCC971}"
Modifies Internet Explorer start page 1 TTPs 1 IoCs
Processes: 91cee6dd31c751aaefb0262491131d80.exe
- Set value (str): \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.ctel.ru/"
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
- PID 1040: 91cee6dd31c751aaefb0262491131d80.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
- PID 1040: 91cee6dd31c751aaefb0262491131d80.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes: 91cee6dd31c751aaefb0262491131d80.exe
- Token: SeManageVolumePrivilege (PID 1040)
- Token: SeDebugPrivilege (PID 1040)
Processes
- C:\Users\Admin\AppData\Local\Temp\91cee6dd31c751aaefb0262491131d80.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\91cee6dd31c751aaefb0262491131d80.exe"
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1040-0-0x00000000007BB000-0x00000000007BC000-memory.dmp (Filesize: 4KB)