Analysis

max time kernel: 122s
max time network: 141s
platform: windows7_x64
resource: win7-20220414-en
submitted: 21-05-2022 11:52

Static task: static1

Behavioral task: behavioral1
Sample: scan0007.exe
Resource: win7-20220414-en (windows7_x64)
0 signatures, 0 seconds

Behavioral task: behavioral2
Sample: scan0007.exe
Resource: win10v2004-20220414-en (windows10-2004_x64)
0 signatures, 0 seconds
General

Target: scan0007.exe
Size: 775KB
MD5: 3176b2ec16893db023f902131a692a54
SHA1: 6f8b228c5af016a1bf56cf13868a69c18132ba68
SHA256: 7765882da3fa82551473e15f93716036e185b9d88f153fbb1566897dc0f52673
SHA512: e15679d4a759cf95c03ace527d0519e6ba71801e4e0bcf20d6da3c26596c9a9e32aedc6e6ba6b985822db86e2637e191ed1f61593d899f1b8b8fff1babe17a87
Score: 7/10
Malware Config
Signatures

- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Processes:
  - Key opened \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (scan0007.exe)
  - Key opened \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (scan0007.exe)
  - Key opened \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (scan0007.exe)
  The sample probes the Outlook 2013 (15.0), Outlook 2016+ (16.0) and legacy Windows Messaging Subsystem profile locations for the same profile GUID, which is how mail-credential stealers locate stored account settings regardless of the Office version installed.

- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
  - Set value (str) \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Defender Updater = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cc3a68ce1dad95ce662e1c51f1568e3a.exe / start" (scan0007.exe)
  Note that the persisted binary is not the submitted file: the Run value points at a differently named executable in the user's %TEMP% directory, registered under a value name that mimics Windows Defender. The doubled backslashes are the sandbox's rendering of the REG_SZ data, not part of the path.

- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  - PID 1900 (scan0007.exe) set thread context of PID 2012 (scan0007.exe)
  Together with the WriteProcessMemory entries below, this is the process-hollowing sequence: the first instance (PID 1900) starts a second copy of itself (PID 2012), writes into its memory and redirects a thread to the new code. That is why the injection-side signatures sit on PID 1900 while the behavioural ones (Outlook lookups, Run key, SeDebugPrivilege) sit on PID 2012.

- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes:
  - PID 1900 (scan0007.exe)

- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes:
  - PID 1900 (scan0007.exe)

- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  - Token: SeDebugPrivilege, PID 2012 (scan0007.exe)

- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
  - PID 1900 (scan0007.exe) wrote to memory of PID 2012 (scan0007.exe), four separate writes

- outlook_office_path (1 IoC)
  Processes:
  - Key opened \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (scan0007.exe)

- outlook_win_path (1 IoC)
  Processes:
  - Key opened \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (scan0007.exe)
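As an added example (not part of the sandbox report), the Python below turns the signatures above into three checks a triager can run over behavioural events: the WriteProcessMemory + SetThreadContext pairing from PID 1900 into a second copy of scan0007.exe (PID 2012), the Run-key value that launches a hash-named executable from %TEMP% under a Defender-like name, and the Outlook profile-key lookups tagged the way the report tags them. The event records are constructed to mirror the report's rows; their field layout, the `hku` helper and the attribution of the registry events to PID 2012 (taken from the process tree, which lists those signatures on the second instance) are assumptions, not the sandbox's export format.

```python
import re
from collections import Counter

# Constructed events mirroring the report's signature rows (added example,
# not sandbox output; field names are an assumption). Registry events are
# attributed to pid 2012 because the process tree shows those signatures on
# the second scan0007.exe instance.
SID = "S-1-5-21-2277218442-1199762539-2004043321-1000"


def hku(subkey):
    """Key path under the sandbox user's hive, in the report's notation."""
    return "\\".join([r"\REGISTRY\USER", SID, subkey])


EVENTS = [
    {"op": "SetThreadContext", "pid": 1900, "image": "scan0007.exe",
     "target_pid": 2012, "target_image": "scan0007.exe"},
    *[{"op": "WriteProcessMemory", "pid": 1900, "image": "scan0007.exe",
       "target_pid": 2012, "target_image": "scan0007.exe"} for _ in range(4)],
    {"op": "AdjustPrivilegeToken", "pid": 2012, "image": "scan0007.exe",
     "privilege": "SeDebugPrivilege"},
    {"op": "RegSetValue", "pid": 2012, "image": "scan0007.exe",
     "key": hku(r"Software\Microsoft\Windows\CurrentVersion\Run\Windows Defender Updater"),
     # the sandbox prints the REG_SZ data with doubled backslashes
     "value": r"C:\\Users\\Admin\\AppData\\Local\\Temp\\cc3a68ce1dad95ce662e1c51f1568e3a.exe / start"},
    {"op": "RegOpenKey", "pid": 2012, "image": "scan0007.exe",
     "key": hku(r"Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676")},
    {"op": "RegOpenKey", "pid": 2012, "image": "scan0007.exe",
     "key": hku(r"Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676")},
    {"op": "RegOpenKey", "pid": 2012, "image": "scan0007.exe",
     "key": hku(r"Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676")},
]


def find_hollowing(events):
    """(writer, target) pid pairs where one process both wrote the other's
    memory and replaced a thread context, and both share an image name:
    the shape of process hollowing into a fresh copy of oneself."""
    writes, contexts = set(), set()
    for e in events:
        if "target_pid" not in e or e["image"] != e["target_image"]:
            continue
        pair = (e["pid"], e["target_pid"])
        if e["op"] == "WriteProcessMemory":
            writes.add(pair)
        elif e["op"] == "SetThreadContext":
            contexts.add(pair)
    return sorted(writes & contexts)


RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\([^\\]+)$", re.I)
COMMAND = re.compile(r'^"?([A-Za-z]:\\.*?\.exe)"?\s*(.*)$', re.I)


def find_run_key_persistence(events):
    """Run-key writes, with the heuristics a triager would apply to each."""
    hits = []
    for e in events:
        if e["op"] != "RegSetValue":
            continue
        m = RUN_KEY.search(e["key"])
        if not m:
            continue
        cmd = e["value"].replace("\\\\", "\\")  # undo the sandbox's escaping
        parsed = COMMAND.match(cmd)
        path, args = (parsed.group(1), parsed.group(2)) if parsed else (cmd, "")
        reasons = []
        if re.search(r"\\AppData\\Local\\Temp\\", path, re.I):
            reasons.append("launches from %TEMP%")
        if re.fullmatch(r"[0-9a-f]{32}\.exe", path.rsplit("\\", 1)[-1], re.I):
            reasons.append("hash-like file name")
        if "defender" in m.group(1).lower():
            reasons.append("value name impersonates Windows Defender")
        hits.append({"pid": e["pid"], "name": m.group(1), "path": path,
                     "args": args, "reasons": reasons})
    return hits


def classify_outlook_access(events):
    """Tag profile-key opens the way the report does: Office\\<ver>\\Outlook
    keys are outlook_office_path, the Windows Messaging Subsystem key is
    outlook_win_path. Both the 15.0 and 16.0 keys match the Office pattern."""
    tags = Counter()
    for e in events:
        if e["op"] != "RegOpenKey":
            continue
        if re.search(r"\\Office\\\d+\.\d+\\Outlook\\Profiles\\", e["key"], re.I):
            tags["outlook_office_path"] += 1
        elif re.search(r"\\Windows Messaging Subsystem\\Profiles\\", e["key"], re.I):
            tags["outlook_win_path"] += 1
    return dict(tags)


if __name__ == "__main__":
    print("hollowing pairs:", find_hollowing(EVENTS))
    for hit in find_run_key_persistence(EVENTS):
        print("run key:", hit)
    print("outlook:", classify_outlook_access(EVENTS))
```

The hollowing check deliberately requires both primitives against the same target and a matching image name; either call on its own is common in legitimate software (debuggers, crash reporters), and the same-image constraint is what separates self-hollowing from ordinary cross-process injection. The Outlook classifier counts both the 15.0 and 16.0 keys as outlook_office_path, so it reports two hits where the report's own tag lists one.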
Processes

- C:\Users\Admin\AppData\Local\Temp\scan0007.exe (PID 1900), command line "C:\Users\Admin\AppData\Local\Temp\scan0007.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\scan0007.exe (PID 2012, child of PID 1900), command line "C:\Users\Admin\AppData\Local\Temp\scan0007.exe"
    - Accesses Microsoft Outlook profiles
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

- memory/1900-54-0x0000000075FB1000-0x0000000075FB3000-memory.dmp (8KB)
- memory/1900-56-0x00000000004D0000-0x00000000004DA000-memory.dmp (40KB)
- memory/2012-55-0x0000000000442BD0-mapping.dmp
- memory/2012-57-0x0000000000270000-0x000000000028C000-memory.dmp (112KB)
- memory/2012-58-0x0000000000270000-0x000000000028C000-memory.dmp (112KB)
- memory/2012-60-0x0000000004B45000-0x0000000004B56000-memory.dmp (68KB)