Analysis
-
max time kernel
129s -
max time network
133s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220113 -
submitted
01-03-2022 18:13
Static task
static1
Behavioral task
behavioral1
Sample
cdd407dd860f8210fb50025130bbfd7371228750c1e3a1b16b6929cc314df887.exe
Resource
win7-en-20211208
General
-
Target
cdd407dd860f8210fb50025130bbfd7371228750c1e3a1b16b6929cc314df887.exe
-
Size
274KB
-
MD5
1fb07c2ab3bfec07b9f26be7a89a2836
-
SHA1
a93efbd85bf9f8c75504b5faadc338104695cbd1
-
SHA256
cdd407dd860f8210fb50025130bbfd7371228750c1e3a1b16b6929cc314df887
-
SHA512
ed2c6003fba8c691ee3440c7c16fe8eb806604920a2f2139c5569189b47eefff096b746faa1480e76197e62caa42ca4fac9af895cf0c56870c7578fc88c431fb
Malware Config
Extracted
44caliber
https://discord.com/api/webhooks/941385512646750268/UCKa4QusV4sl-ZlUe9P2KixgpDTNi6YPhenW1lF7ySWWSwpSUvmDsMY-duLhQIJ0wSpF
Signatures
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 4 freegeoip.app 5 freegeoip.app -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
cdd407dd860f8210fb50025130bbfd7371228750c1e3a1b16b6929cc314df887.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 cdd407dd860f8210fb50025130bbfd7371228750c1e3a1b16b6929cc314df887.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier cdd407dd860f8210fb50025130bbfd7371228750c1e3a1b16b6929cc314df887.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
cdd407dd860f8210fb50025130bbfd7371228750c1e3a1b16b6929cc314df887.exepid process 1516 cdd407dd860f8210fb50025130bbfd7371228750c1e3a1b16b6929cc314df887.exe 1516 cdd407dd860f8210fb50025130bbfd7371228750c1e3a1b16b6929cc314df887.exe 1516 cdd407dd860f8210fb50025130bbfd7371228750c1e3a1b16b6929cc314df887.exe 1516 cdd407dd860f8210fb50025130bbfd7371228750c1e3a1b16b6929cc314df887.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
cdd407dd860f8210fb50025130bbfd7371228750c1e3a1b16b6929cc314df887.exedescription pid process Token: SeDebugPrivilege 1516 cdd407dd860f8210fb50025130bbfd7371228750c1e3a1b16b6929cc314df887.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\cdd407dd860f8210fb50025130bbfd7371228750c1e3a1b16b6929cc314df887.exe"C:\Users\Admin\AppData\Local\Temp\cdd407dd860f8210fb50025130bbfd7371228750c1e3a1b16b6929cc314df887.exe"1⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken