Analysis
-
max time kernel
136s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
21-05-2022 10:52
Static task
static1
Behavioral task
behavioral1
Sample
GEN_CMACGM_GeneralExportNotice_CMACGMSAMSON_0PG7JE1MA-AC355A066FA10892E0530A00876036D0.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
GEN_CMACGM_GeneralExportNotice_CMACGMSAMSON_0PG7JE1MA-AC355A066FA10892E0530A00876036D0.exe
Resource
win10v2004-20220414-en
General
-
Target
GEN_CMACGM_GeneralExportNotice_CMACGMSAMSON_0PG7JE1MA-AC355A066FA10892E0530A00876036D0.exe
-
Size
665KB
-
MD5
4a8da1418107c35e66a2f989efcb8840
-
SHA1
43fd42e02a37ed5f59baa0d37ee58c15aaa9c34f
-
SHA256
895ac50f2f6679f346ecb8d1a8c479da958b43a219245c2f7953c08d5835e5f9
-
SHA512
6ba15dd13f82e5e68b519c74374357f3ce7628c063df6c1a00bf5bf1ffc1e0efc2a372a7edddb5828d6fc6e65bc3b93433f95cd2a266a7b080c2d1902a85d440
Malware Config
Signatures
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
GEN_CMACGM_GeneralExportNotice_CMACGMSAMSON_0PG7JE1MA-AC355A066FA10892E0530A00876036D0.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook GEN_CMACGM_GeneralExportNotice_CMACGMSAMSON_0PG7JE1MA-AC355A066FA10892E0530A00876036D0.exe Key opened \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook GEN_CMACGM_GeneralExportNotice_CMACGMSAMSON_0PG7JE1MA-AC355A066FA10892E0530A00876036D0.exe Key opened \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook GEN_CMACGM_GeneralExportNotice_CMACGMSAMSON_0PG7JE1MA-AC355A066FA10892E0530A00876036D0.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
GEN_CMACGM_GeneralExportNotice_CMACGMSAMSON_0PG7JE1MA-AC355A066FA10892E0530A00876036D0.exedescription pid process target process PID 3568 set thread context of 1496 3568 GEN_CMACGM_GeneralExportNotice_CMACGMSAMSON_0PG7JE1MA-AC355A066FA10892E0530A00876036D0.exe GEN_CMACGM_GeneralExportNotice_CMACGMSAMSON_0PG7JE1MA-AC355A066FA10892E0530A00876036D0.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
GEN_CMACGM_GeneralExportNotice_CMACGMSAMSON_0PG7JE1MA-AC355A066FA10892E0530A00876036D0.exepid process 3568 GEN_CMACGM_GeneralExportNotice_CMACGMSAMSON_0PG7JE1MA-AC355A066FA10892E0530A00876036D0.exe 3568 GEN_CMACGM_GeneralExportNotice_CMACGMSAMSON_0PG7JE1MA-AC355A066FA10892E0530A00876036D0.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
GEN_CMACGM_GeneralExportNotice_CMACGMSAMSON_0PG7JE1MA-AC355A066FA10892E0530A00876036D0.exepid process 3568 GEN_CMACGM_GeneralExportNotice_CMACGMSAMSON_0PG7JE1MA-AC355A066FA10892E0530A00876036D0.exe -
Suspicious behavior: RenamesItself 1 IoCs
Processes:
GEN_CMACGM_GeneralExportNotice_CMACGMSAMSON_0PG7JE1MA-AC355A066FA10892E0530A00876036D0.exepid process 1496 GEN_CMACGM_GeneralExportNotice_CMACGMSAMSON_0PG7JE1MA-AC355A066FA10892E0530A00876036D0.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
GEN_CMACGM_GeneralExportNotice_CMACGMSAMSON_0PG7JE1MA-AC355A066FA10892E0530A00876036D0.exedescription pid process Token: SeDebugPrivilege 1496 GEN_CMACGM_GeneralExportNotice_CMACGMSAMSON_0PG7JE1MA-AC355A066FA10892E0530A00876036D0.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
GEN_CMACGM_GeneralExportNotice_CMACGMSAMSON_0PG7JE1MA-AC355A066FA10892E0530A00876036D0.exedescription pid process target process PID 3568 wrote to memory of 1496 3568 GEN_CMACGM_GeneralExportNotice_CMACGMSAMSON_0PG7JE1MA-AC355A066FA10892E0530A00876036D0.exe GEN_CMACGM_GeneralExportNotice_CMACGMSAMSON_0PG7JE1MA-AC355A066FA10892E0530A00876036D0.exe PID 3568 wrote to memory of 1496 3568 GEN_CMACGM_GeneralExportNotice_CMACGMSAMSON_0PG7JE1MA-AC355A066FA10892E0530A00876036D0.exe GEN_CMACGM_GeneralExportNotice_CMACGMSAMSON_0PG7JE1MA-AC355A066FA10892E0530A00876036D0.exe PID 3568 wrote to memory of 1496 3568 GEN_CMACGM_GeneralExportNotice_CMACGMSAMSON_0PG7JE1MA-AC355A066FA10892E0530A00876036D0.exe GEN_CMACGM_GeneralExportNotice_CMACGMSAMSON_0PG7JE1MA-AC355A066FA10892E0530A00876036D0.exe -
outlook_office_path 1 IoCs
Processes:
GEN_CMACGM_GeneralExportNotice_CMACGMSAMSON_0PG7JE1MA-AC355A066FA10892E0530A00876036D0.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook GEN_CMACGM_GeneralExportNotice_CMACGMSAMSON_0PG7JE1MA-AC355A066FA10892E0530A00876036D0.exe -
outlook_win_path 1 IoCs
Processes:
GEN_CMACGM_GeneralExportNotice_CMACGMSAMSON_0PG7JE1MA-AC355A066FA10892E0530A00876036D0.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook GEN_CMACGM_GeneralExportNotice_CMACGMSAMSON_0PG7JE1MA-AC355A066FA10892E0530A00876036D0.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\GEN_CMACGM_GeneralExportNotice_CMACGMSAMSON_0PG7JE1MA-AC355A066FA10892E0530A00876036D0.exe"C:\Users\Admin\AppData\Local\Temp\GEN_CMACGM_GeneralExportNotice_CMACGMSAMSON_0PG7JE1MA-AC355A066FA10892E0530A00876036D0.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\GEN_CMACGM_GeneralExportNotice_CMACGMSAMSON_0PG7JE1MA-AC355A066FA10892E0530A00876036D0.exe"C:\Users\Admin\AppData\Local\Temp\GEN_CMACGM_GeneralExportNotice_CMACGMSAMSON_0PG7JE1MA-AC355A066FA10892E0530A00876036D0.exe"2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path