Analysis

  • max time kernel
    112s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    26-03-2022 08:46

General

  • Target

    805ecde4c728771f0da5ba23cd49865e2ce75910b7e1f68e4cb040ce5949d4e4.exe

  • Size

    831KB

  • MD5

    4a12053ca1064f8b6e00112a0ba82847

  • SHA1

    5d376b0314575c2d30f38ce6d3e3cc05f584daa2

  • SHA256

    805ecde4c728771f0da5ba23cd49865e2ce75910b7e1f68e4cb040ce5949d4e4

  • SHA512

    7db505c09c41578e5ced3129266608804fd13cdfb4c48f17d461be73d8a69fafc2c87daf82a3d3ba0832211793e76ac1d5be5237fb3b0e461514f64261e40ec1

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 42 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: MapViewOfSection 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\805ecde4c728771f0da5ba23cd49865e2ce75910b7e1f68e4cb040ce5949d4e4.exe
    "C:\Users\Admin\AppData\Local\Temp\805ecde4c728771f0da5ba23cd49865e2ce75910b7e1f68e4cb040ce5949d4e4.exe"
    1⤵
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:4288
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c schtasks /Create /TN name /XML "C:\Users\Admin\AppData\Local\Temp\73e9eb5fb3c345c4ac116502bcc76332.xml"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4008
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /Create /TN name /XML "C:\Users\Admin\AppData\Local\Temp\73e9eb5fb3c345c4ac116502bcc76332.xml"
        3⤵
        • Creates scheduled task(s)
        PID:4480
    • C:\Users\Admin\AppData\Local\Temp\805ecde4c728771f0da5ba23cd49865e2ce75910b7e1f68e4cb040ce5949d4e4.exe
      "C:\Users\Admin\AppData\Local\Temp\805ecde4c728771f0da5ba23cd49865e2ce75910b7e1f68e4cb040ce5949d4e4.exe"
      2⤵
        PID:3284
      • C:\Users\Admin\AppData\Local\Temp\805ecde4c728771f0da5ba23cd49865e2ce75910b7e1f68e4cb040ce5949d4e4.exe
        "C:\Users\Admin\AppData\Local\Temp\805ecde4c728771f0da5ba23cd49865e2ce75910b7e1f68e4cb040ce5949d4e4.exe"
        2⤵
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:3940
        • C:\Users\Admin\AppData\Local\Temp\805ecde4c728771f0da5ba23cd49865e2ce75910b7e1f68e4cb040ce5949d4e4.exe
          "C:\Users\Admin\AppData\Local\Temp\805ecde4c728771f0da5ba23cd49865e2ce75910b7e1f68e4cb040ce5949d4e4.exe"
          3⤵
            PID:2384
          • C:\Users\Admin\AppData\Local\Temp\805ecde4c728771f0da5ba23cd49865e2ce75910b7e1f68e4cb040ce5949d4e4.exe
            "C:\Users\Admin\AppData\Local\Temp\805ecde4c728771f0da5ba23cd49865e2ce75910b7e1f68e4cb040ce5949d4e4.exe"
            3⤵
            • Suspicious use of SetThreadContext
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of WriteProcessMemory
            PID:448
            • C:\Users\Admin\AppData\Local\Temp\805ecde4c728771f0da5ba23cd49865e2ce75910b7e1f68e4cb040ce5949d4e4.exe
              "C:\Users\Admin\AppData\Local\Temp\805ecde4c728771f0da5ba23cd49865e2ce75910b7e1f68e4cb040ce5949d4e4.exe"
              4⤵
              • Checks computer location settings
              • Accesses Microsoft Outlook profiles
              • Suspicious behavior: AddClipboardFormatListener
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of SetWindowsHookEx
              • outlook_office_path
              • outlook_win_path
              PID:1824

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\73e9eb5fb3c345c4ac116502bcc76332.xml

        Filesize

        1KB

        MD5

        c673ecc050b1038f727be09aa61cb4b1

        SHA1

        d2960b6d62810ce8745f6353d6924ae79af01e7e

        SHA256

        8f2648a15094c455e21cab1ba01133d9d9d17caaab1bb2ee782da160898880e4

        SHA512

        d6b75c8068c3d9208585413f7a799f69b05e141446d09925f9aae34ac65c0745f37196ec3aeb369e2c8dea6ddfcc55c07fe8f227a06d79dfa408f3d2315c29e6

      • memory/1824-139-0x0000000005D70000-0x0000000005E02000-memory.dmp

        Filesize

        584KB

      • memory/1824-138-0x0000000005870000-0x00000000058D6000-memory.dmp

        Filesize

        408KB

      • memory/1824-140-0x00000000063C0000-0x0000000006964000-memory.dmp

        Filesize

        5.6MB

      • memory/1824-141-0x00000000053F7000-0x00000000053F9000-memory.dmp

        Filesize

        8KB

      • memory/1824-142-0x0000000007090000-0x00000000070E0000-memory.dmp

        Filesize

        320KB

      • memory/1824-143-0x0000000007070000-0x000000000707A000-memory.dmp

        Filesize

        40KB

      • memory/1824-144-0x00000000072B0000-0x000000000734C000-memory.dmp

        Filesize

        624KB