Analysis
-
max time kernel
135s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20220310-en -
submitted
25-03-2022 22:03
Static task
static1
Behavioral task
behavioral1
Sample
43b38b03a4d508d069883de17b26ec4d6c3100f2a283e7b54034dc92775797f7.exe
Resource
win7-20220310-en
Behavioral task
behavioral2
Sample
43b38b03a4d508d069883de17b26ec4d6c3100f2a283e7b54034dc92775797f7.exe
Resource
win10v2004-20220310-en
General
-
Target
43b38b03a4d508d069883de17b26ec4d6c3100f2a283e7b54034dc92775797f7.exe
-
Size
606KB
-
MD5
cade845aeef6b7efa5bedaec0cfbf3dd
-
SHA1
f82b1f1ab56e35f73e36978d762db8c55cc8acd5
-
SHA256
43b38b03a4d508d069883de17b26ec4d6c3100f2a283e7b54034dc92775797f7
-
SHA512
18ae7f55e723112996dd0dd47aa26a95cefc257b6c775c3404ca9656be7a01ac8453cbf04ce7143289ec97efae89837a795d9e0ef513bfa773263543cc75df0b
Malware Config
Signatures
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
43b38b03a4d508d069883de17b26ec4d6c3100f2a283e7b54034dc92775797f7.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 43b38b03a4d508d069883de17b26ec4d6c3100f2a283e7b54034dc92775797f7.exe Key opened \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 43b38b03a4d508d069883de17b26ec4d6c3100f2a283e7b54034dc92775797f7.exe Key opened \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 43b38b03a4d508d069883de17b26ec4d6c3100f2a283e7b54034dc92775797f7.exe -
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 27 checkip.dyndns.org 29 freegeoip.app 30 freegeoip.app -
Suspicious use of SetThreadContext 1 IoCs
Processes:
43b38b03a4d508d069883de17b26ec4d6c3100f2a283e7b54034dc92775797f7.exedescription pid process target process PID 4724 set thread context of 3352 4724 43b38b03a4d508d069883de17b26ec4d6c3100f2a283e7b54034dc92775797f7.exe 43b38b03a4d508d069883de17b26ec4d6c3100f2a283e7b54034dc92775797f7.exe -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
43b38b03a4d508d069883de17b26ec4d6c3100f2a283e7b54034dc92775797f7.exepid process 3352 43b38b03a4d508d069883de17b26ec4d6c3100f2a283e7b54034dc92775797f7.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
43b38b03a4d508d069883de17b26ec4d6c3100f2a283e7b54034dc92775797f7.exepid process 4724 43b38b03a4d508d069883de17b26ec4d6c3100f2a283e7b54034dc92775797f7.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
43b38b03a4d508d069883de17b26ec4d6c3100f2a283e7b54034dc92775797f7.exedescription pid process Token: SeDebugPrivilege 3352 43b38b03a4d508d069883de17b26ec4d6c3100f2a283e7b54034dc92775797f7.exe -
Suspicious use of WriteProcessMemory 13 IoCs
Processes:
43b38b03a4d508d069883de17b26ec4d6c3100f2a283e7b54034dc92775797f7.execmd.exe43b38b03a4d508d069883de17b26ec4d6c3100f2a283e7b54034dc92775797f7.exedescription pid process target process PID 4724 wrote to memory of 400 4724 43b38b03a4d508d069883de17b26ec4d6c3100f2a283e7b54034dc92775797f7.exe cmd.exe PID 4724 wrote to memory of 400 4724 43b38b03a4d508d069883de17b26ec4d6c3100f2a283e7b54034dc92775797f7.exe cmd.exe PID 4724 wrote to memory of 400 4724 43b38b03a4d508d069883de17b26ec4d6c3100f2a283e7b54034dc92775797f7.exe cmd.exe PID 4724 wrote to memory of 3352 4724 43b38b03a4d508d069883de17b26ec4d6c3100f2a283e7b54034dc92775797f7.exe 43b38b03a4d508d069883de17b26ec4d6c3100f2a283e7b54034dc92775797f7.exe PID 4724 wrote to memory of 3352 4724 43b38b03a4d508d069883de17b26ec4d6c3100f2a283e7b54034dc92775797f7.exe 43b38b03a4d508d069883de17b26ec4d6c3100f2a283e7b54034dc92775797f7.exe PID 4724 wrote to memory of 3352 4724 43b38b03a4d508d069883de17b26ec4d6c3100f2a283e7b54034dc92775797f7.exe 43b38b03a4d508d069883de17b26ec4d6c3100f2a283e7b54034dc92775797f7.exe PID 4724 wrote to memory of 3352 4724 43b38b03a4d508d069883de17b26ec4d6c3100f2a283e7b54034dc92775797f7.exe 43b38b03a4d508d069883de17b26ec4d6c3100f2a283e7b54034dc92775797f7.exe PID 400 wrote to memory of 2236 400 cmd.exe schtasks.exe PID 400 wrote to memory of 2236 400 cmd.exe schtasks.exe PID 400 wrote to memory of 2236 400 cmd.exe schtasks.exe PID 3352 wrote to memory of 2372 3352 43b38b03a4d508d069883de17b26ec4d6c3100f2a283e7b54034dc92775797f7.exe netsh.exe PID 3352 wrote to memory of 2372 3352 43b38b03a4d508d069883de17b26ec4d6c3100f2a283e7b54034dc92775797f7.exe netsh.exe PID 3352 wrote to memory of 2372 3352 43b38b03a4d508d069883de17b26ec4d6c3100f2a283e7b54034dc92775797f7.exe netsh.exe -
outlook_office_path 1 IoCs
Processes:
43b38b03a4d508d069883de17b26ec4d6c3100f2a283e7b54034dc92775797f7.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 43b38b03a4d508d069883de17b26ec4d6c3100f2a283e7b54034dc92775797f7.exe -
outlook_win_path 1 IoCs
Processes:
43b38b03a4d508d069883de17b26ec4d6c3100f2a283e7b54034dc92775797f7.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 43b38b03a4d508d069883de17b26ec4d6c3100f2a283e7b54034dc92775797f7.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\43b38b03a4d508d069883de17b26ec4d6c3100f2a283e7b54034dc92775797f7.exe"C:\Users\Admin\AppData\Local\Temp\43b38b03a4d508d069883de17b26ec4d6c3100f2a283e7b54034dc92775797f7.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4724 -
C:\Windows\SysWOW64\cmd.execmd /c schtasks /Create /TN name /XML "C:\Users\Admin\AppData\Local\Temp\9aa69471a2df40a0858b2e3d548c5149.xml"2⤵
- Suspicious use of WriteProcessMemory
PID:400 -
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /TN name /XML "C:\Users\Admin\AppData\Local\Temp\9aa69471a2df40a0858b2e3d548c5149.xml"3⤵
- Creates scheduled task(s)
PID:2236 -
C:\Users\Admin\AppData\Local\Temp\43b38b03a4d508d069883de17b26ec4d6c3100f2a283e7b54034dc92775797f7.exe"C:\Users\Admin\AppData\Local\Temp\43b38b03a4d508d069883de17b26ec4d6c3100f2a283e7b54034dc92775797f7.exe"2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:3352 -
C:\Windows\SysWOW64\netsh.exe"netsh" wlan show profile3⤵PID:2372
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\9aa69471a2df40a0858b2e3d548c5149.xmlMD5
09aeca55d92f28c5ad1869e858c82983
SHA169bab4e284b6fd0d7aa52bf46695b35fe095dd45
SHA256abf5c1f7bdc5a6ed4a86c4d382348012f09e45d41447551edf32ca88942739d1
SHA51244bc92a87f6fc546b970f2cd13e5c24b1e3a8a9cc08c98194d42a2a6bf882e65bd18d9848055accdce22af7caa77a4ff055e27836cbd1bba448fbf55fbb9588d
-
memory/400-134-0x0000000000000000-mapping.dmp
-
memory/2236-137-0x0000000000000000-mapping.dmp
-
memory/2372-142-0x0000000000000000-mapping.dmp
-
memory/3352-135-0x0000000000000000-mapping.dmp
-
memory/3352-139-0x0000000004FD0000-0x000000000506C000-memory.dmpFilesize
624KB
-
memory/3352-140-0x0000000005620000-0x0000000005BC4000-memory.dmpFilesize
5.6MB
-
memory/3352-141-0x00000000050E0000-0x0000000005146000-memory.dmpFilesize
408KB
-
memory/3352-143-0x00000000066E0000-0x00000000068A2000-memory.dmpFilesize
1.8MB
-
memory/4724-136-0x00000000010FA000-0x00000000010FF000-memory.dmpFilesize
20KB