Analysis

max time kernel: 161s
max time network: 161s
platform: windows7_x64
resource: win7-20220414-en
submitted: 08-05-2022 02:31

Behavioral task: behavioral1
Sample: 24d2d17b66ab016a347df3d449e07ab9e9f4d328e670795ef1d176ea8430f71c.exe
Resource: win7-20220414-en (windows7_x64)
0 signatures, 0 seconds
General

Target: 24d2d17b66ab016a347df3d449e07ab9e9f4d328e670795ef1d176ea8430f71c.exe
Size: 530KB
MD5: a3a6614e47512951bb08022e63f6cb53
SHA1: 1c6448302dfc12335a0f487e9eb26eee9e44fb37
SHA256: 24d2d17b66ab016a347df3d449e07ab9e9f4d328e670795ef1d176ea8430f71c
SHA512: bc2cee3810f64a32c9df33efd7fddfd659328476156febaab5872ff052c5dcc35be8f4618239e632fa5ef165dac8fc6f02cb0fc26f395c3efdd0f2df4965ccd4
Malware Config
Signatures
-
Deletes itself (1 IoC)
Processes:
  pid 392  cmd.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Modifies system certificate store
Processes:
  24d2d17b66ab016a347df3d449e07ab9e9f4d328e670795ef1d176ea8430f71c.exe  Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436
  24d2d17b66ab016a347df3d449e07ab9e9f4d328e670795ef1d176ea8430f71c.exe  Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = (value elided)
Caveat: the thumbprint A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 is that of the public DigiCert Global Root CA, and AuthRoot\Certificates is where Windows caches roots fetched by its automatic root-update mechanism when a TLS chain needs a root that is not yet present. On a fresh Windows 7 image this write is usually a side effect of the sample's outbound HTTPS connection, not an attacker-controlled root being installed. Treat it as trust-store tampering only if the certificate in the Blob does not hash to that thumbprint.
Runs ping.exe (1 TTP, 1 IoC)
Script User-Agent (1 IoC)
Uses user-agent string associated with script host/environment.
Processes:
  flow 5  HTTP User-Agent header: WinHttp.WinHttpRequest.5.1
Note: WinHttp.WinHttpRequest.5.1 is the default User-Agent of the WinHTTP COM object, typically driven from VBScript/JScript or from native code using the same object. It is not a browser UA, which makes it a cheap network-side pivot for this sample's traffic.
Suspicious use of WriteProcessMemory (11 IoCs)
Processes: 24d2d17b66ab016a347df3d449e07ab9e9f4d328e670795ef1d176ea8430f71c.exe, 24d2d17b66ab016a347df3d449e07ab9e9f4d328e670795ef1d176ea8430f71c.exe, cmd.exe
  pid 452   24d2d17b66ab016a347df3d449e07ab9e9f4d328e670795ef1d176ea8430f71c.exe  wrote to memory of  pid 1656  24d2d17b66ab016a347df3d449e07ab9e9f4d328e670795ef1d176ea8430f71c.exe  (4 IoCs)
  pid 1656  24d2d17b66ab016a347df3d449e07ab9e9f4d328e670795ef1d176ea8430f71c.exe  wrote to memory of  pid 392   cmd.exe   (4 IoCs)
  pid 392   cmd.exe                                                                wrote to memory of  pid 808   PING.EXE  (3 IoCs)
Caveat: every write goes from a parent to its immediate child at launch, which is the pattern CreateProcess itself produces while setting up the new process. On its own this is not evidence of injection into an unrelated process; the interesting part is the chain it documents (sample, second sample instance, cmd.exe, PING.EXE).
Processes

1. C:\Users\Admin\AppData\Local\Temp\24d2d17b66ab016a347df3d449e07ab9e9f4d328e670795ef1d176ea8430f71c.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\24d2d17b66ab016a347df3d449e07ab9e9f4d328e670795ef1d176ea8430f71c.exe"
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\24d2d17b66ab016a347df3d449e07ab9e9f4d328e670795ef1d176ea8430f71c.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\24d2d17b66ab016a347df3d449e07ab9e9f4d328e670795ef1d176ea8430f71c.exe dfsr
      - Modifies system certificate store
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\system32\cmd.exe
         Command line: cmd.exe /c ping 127.0.0.1 & del /F /Q "C:\Users\Admin\AppData\Local\Temp\24d2d17b66ab016a347df3d449e07ab9e9f4d328e670795ef1d176ea8430f71c.exe"
         - Deletes itself
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\system32\PING.EXE
            Command line: ping 127.0.0.1
            - Runs ping.exe

Reading the tree: the first instance (pid 452) re-launches its own image with the extra argument dfsr (pid 1656), and it is that second instance that does the certificate-store write and the HTTP request. It then hands self-removal to cmd.exe: ping 127.0.0.1 is there only as a short delay so the calling executable has exited and its file is no longer locked when del runs against the original path. The loopback ping plus del one-liner, a cmd.exe child of a non-system binary in a Temp path, and a process spawning its own image with a new argument are each worth a detection on their own.
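Detection logic for the three behaviours the signatures and the process tree above tie together (a process re-launching its own image with the dfsr argument, the cmd.exe "ping 127.0.0.1 & del" self-deletion, and the WinHttp.WinHttpRequest.5.1 User-Agent), as an added Python example that is not part of the sandbox report. The event records it runs over are constructed from the process tree and the HTTP IoC on this page; the ProcEvent record, its field names and the function names are assumptions, not a sandbox export format.

```python
"""Detections for the behaviour this report records.  Added example, not sandbox
output: the events below are constructed from the report's process tree and HTTP
flow, and the record layout (ProcEvent, flow dicts) is an assumption."""
import re
from dataclasses import dataclass

SAMPLE = "24d2d17b66ab016a347df3d449e07ab9e9f4d328e670795ef1d176ea8430f71c.exe"
SAMPLE_PATH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" + SAMPLE


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed process-creation events, one per node of the report's tree.
EVENTS = [
    ProcEvent(452, 0, SAMPLE_PATH, f'"{SAMPLE_PATH}"'),
    ProcEvent(1656, 452, SAMPLE_PATH, f"{SAMPLE_PATH} dfsr"),
    ProcEvent(392, 1656, "C:\\Windows\\system32\\cmd.exe",
              f'cmd.exe /c ping 127.0.0.1 & del /F /Q "{SAMPLE_PATH}"'),
    ProcEvent(808, 392, "C:\\Windows\\system32\\PING.EXE", "ping 127.0.0.1"),
]
# Constructed HTTP flow record matching the report's "Script User-Agent" IoC.
HTTP_FLOWS = [{"flow": 5, "user_agent": "WinHttp.WinHttpRequest.5.1"}]

# "ping <loopback> ... & del [/flags] <target>": the ping is only a delay so the
# calling binary has exited (and its file is unlocked) before del runs.
SELF_DELETE = re.compile(
    r"ping\s+(?:-n\s+\d+\s+)?(?:127\.0\.0\.1|localhost)\b.*?&+\s*del\s+"
    r'(?:/\w+\s+)*"?(?P<target>[^"]+?)"?\s*$', re.I)
# Default UA of the WinHTTP COM object (script hosts, not a browser).
SCRIPT_UA = re.compile(r"^WinHttp\.WinHttpRequest\.\d", re.I)


def _ancestors(event, by_pid):
    """Yield the ancestors of `event`, nearest first, from a pid -> event map."""
    seen, ppid = set(), event.ppid
    while ppid in by_pid and ppid not in seen:
        seen.add(ppid)
        yield by_pid[ppid]
        ppid = by_pid[ppid].ppid


def self_delete_findings(events):
    """Command lines that delay with a loopback ping and then delete the image of
    one of their own ancestors (the pattern behind the report's "Deletes itself")."""
    by_pid = {e.pid: e for e in events}
    out = []
    for e in events:
        m = SELF_DELETE.search(e.cmdline)
        if not m:
            continue
        target = m.group("target").strip()
        for anc in _ancestors(e, by_pid):
            if anc.image.lower() == target.lower():
                out.append({"pid": e.pid, "target": target, "victim_pid": anc.pid})
                break
    return out


def self_reexec_findings(events):
    """Processes spawned from the same image as their parent, reporting the extra
    arguments that distinguish the child stage (here: dfsr)."""
    by_pid = {e.pid: e for e in events}
    out = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None or parent.image.lower() != e.image.lower():
            continue
        args = e.cmdline.strip()
        if args.startswith('"'):
            args = args[1:]
        if args.lower().startswith(e.image.lower()):
            args = args[len(e.image):].lstrip('"').strip()
        out.append({"pid": e.pid, "ppid": e.ppid, "args": args})
    return out


def script_ua_findings(flows):
    """Flow ids whose User-Agent names the WinHttpRequest COM object."""
    return [f["flow"] for f in flows if SCRIPT_UA.match(f.get("user_agent", ""))]


if __name__ == "__main__":
    for name, result in [("self-delete", self_delete_findings(EVENTS)),
                         ("self-reexec", self_reexec_findings(EVENTS)),
                         ("script UA flows", script_ua_findings(HTTP_FLOWS))]:
        print(f"{name}: {result}")
```

The self-deletion check deliberately walks the whole ancestor chain rather than only the parent: in this report the cmd.exe child belongs to the second instance (pid 1656), and the file being deleted is the image shared by both instances, so a parent-only comparison would still work here but misses variants that spawn cmd.exe through an intermediate helper.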
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

memory/392-60-0x0000000000000000-mapping.dmp
memory/452-56-0x00000000001B0000-0x00000000001BE000-memory.dmp  (56KB)
memory/452-58-0x0000000000400000-0x0000000000487000-memory.dmp  (540KB)
memory/452-54-0x0000000075361000-0x0000000075363000-memory.dmp  (8KB)
memory/808-61-0x0000000000000000-mapping.dmp
memory/1656-55-0x0000000000000000-mapping.dmp
memory/1656-59-0x0000000000400000-0x0000000000487000-memory.dmp  (540KB)

The two 0x00400000-0x00487000 dumps are the mapped image of each sample instance (pids 452 and 1656); at 540KB they are close to the 530KB file on disk, so they are the place to start if the binary on disk is packed or the second instance unpacks in place.