Analysis
-
max time kernel
146s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
21-05-2022 01:29
Behavioral task
behavioral1
Sample
purchase enquiry.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
purchase enquiry.exe
Resource
win10v2004-20220414-en
General
-
Target
purchase enquiry.exe
-
Size
546KB
-
MD5
5b77be057ea3410693cc26ae322c061e
-
SHA1
e19c07c822b75d7a5c07f46e7cbae7f7793b0c71
-
SHA256
c9baeb663cbaff9bf65fd9f54689c33501c7ad31f71d3ccca1f15ee6789f5fac
-
SHA512
b8c7b7acc21dd641063f6456126a6c8ca460d52622fd78c2eb9f44ae96540b68ebd54be5f53341bf8d58d30cdf4f4a070b66f4aa07cc039269caff357c41024f
Malware Config
Signatures
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
purchase enquiry.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 purchase enquiry.exe Key opened \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 purchase enquiry.exe Key opened \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 purchase enquiry.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
purchase enquiry.exepid process 2832 purchase enquiry.exe 2832 purchase enquiry.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
purchase enquiry.exedescription pid process Token: SeDebugPrivilege 2832 purchase enquiry.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
purchase enquiry.exepid process 2832 purchase enquiry.exe 2832 purchase enquiry.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
purchase enquiry.exedescription pid process target process PID 2832 wrote to memory of 5064 2832 purchase enquiry.exe netsh.exe PID 2832 wrote to memory of 5064 2832 purchase enquiry.exe netsh.exe PID 2832 wrote to memory of 5064 2832 purchase enquiry.exe netsh.exe -
outlook_office_path 1 IoCs
Processes:
purchase enquiry.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 purchase enquiry.exe -
outlook_win_path 1 IoCs
Processes:
purchase enquiry.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 purchase enquiry.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\purchase enquiry.exe"C:\Users\Admin\AppData\Local\Temp\purchase enquiry.exe"1⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:2832 -
C:\Windows\SysWOW64\netsh.exe"netsh" wlan show profile2⤵PID:5064