Analysis

Max time kernel: 173s
Max time network: 190s
Platform: windows10-2004_x64
Resource: win10v2004-20220414-en
Submitted: 21-05-2022 11:52

Static task: static1

Behavioral task: behavioral1
Sample: scan0007.exe
Resource: win7-20220414-en (windows7_x64)
0 signatures, 0 seconds

Behavioral task: behavioral2
Sample: scan0007.exe
Resource: win10v2004-20220414-en (windows10-2004_x64)
0 signatures, 0 seconds
General

Target: scan0007.exe
Size: 775KB
MD5: 3176b2ec16893db023f902131a692a54
SHA1: 6f8b228c5af016a1bf56cf13868a69c18132ba68
SHA256: 7765882da3fa82551473e15f93716036e185b9d88f153fbb1566897dc0f52673
SHA512: e15679d4a759cf95c03ace527d0519e6ba71801e4e0bcf20d6da3c26596c9a9e32aedc6e6ba6b985822db86e2637e191ed1f61593d899f1b8b8fff1babe17a87
Score: 7/10
Malware Config
Signatures

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.

Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Process: scan0007.exe
  Key opened | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  Key opened | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  Key opened | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Adds Run key to start application (2 TTPs, 1 IoC)
  Process: scan0007.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Defender Updater = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cc3a68ce1dad95ce662e1c51f1568e3a.exe / start"

Suspicious use of SetThreadContext (1 IoC)
  Process: scan0007.exe
  PID 2664 (scan0007.exe) set thread context of PID 2456 (scan0007.exe)

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Process: scan0007.exe
  PID 2664 scan0007.exe
  PID 2664 scan0007.exe

Suspicious behavior: MapViewOfSection (1 IoC)
  Process: scan0007.exe
  PID 2664 scan0007.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Process: scan0007.exe
  Token: SeDebugPrivilege | PID 2456 scan0007.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  Process: scan0007.exe
  PID 2664 (scan0007.exe) wrote to memory of PID 2456 (scan0007.exe)
  PID 2664 (scan0007.exe) wrote to memory of PID 2456 (scan0007.exe)
  PID 2664 (scan0007.exe) wrote to memory of PID 2456 (scan0007.exe)

outlook_office_path (1 IoC)
  Process: scan0007.exe
  Key opened | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

outlook_win_path (1 IoC)
  Process: scan0007.exe
  Key opened | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Processes

C:\Users\Admin\AppData\Local\Temp\scan0007.exe  "C:\Users\Admin\AppData\Local\Temp\scan0007.exe"  (PID 2664)
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\scan0007.exe  "C:\Users\Admin\AppData\Local\Temp\scan0007.exe"  (PID 2456, child of PID 2664)
    - Accesses Microsoft Outlook profiles
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
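The signature and process sections above describe three behaviours a responder would want to pick out of any comparable event stream: a Run value planted under a Defender-sounding name that points into AppData\Local\Temp, a parent that uses SetThreadContext and WriteProcessMemory against a second instance of its own image (PID 2664 -> PID 2456, the process-hollowing shape), and a process opening the Outlook profile keys. The script below is an added example, not part of this report or of the sandbox's own code. It runs over a handful of constructed event records modelled on the IoC rows here (the record field names `api`, `pid`, `target`, `image`, `key`, `value` are my own choice, not a sandbox export format) and returns the findings.

```python
"""Triage helper for the behaviours in this report (added example, not sandbox code).

Event records are constructed here to mirror the report's IoC rows; the field
names are assumptions of this example, not any tool's export schema."""
from __future__ import annotations

import re
from collections import defaultdict

SID = r"S-1-5-21-3751123196-3323558407-1869646069-1000"

# Constructed events, shaped after the report's rows.
EVENTS = [
    {"api": "SetThreadContext", "pid": 2664, "target": 2456,
     "image": "scan0007.exe", "target_image": "scan0007.exe"},
    {"api": "WriteProcessMemory", "pid": 2664, "target": 2456,
     "image": "scan0007.exe", "target_image": "scan0007.exe"},
    {"api": "MapViewOfSection", "pid": 2664, "target": None,
     "image": "scan0007.exe", "target_image": None},
    {"api": "RegSetValue", "pid": 2456, "image": "scan0007.exe",
     "key": "\\REGISTRY\\USER\\" + SID +
            "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Windows Defender Updater",
     "value": "C:\\Users\\Admin\\AppData\\Local\\Temp\\cc3a68ce1dad95ce662e1c51f1568e3a.exe / start"},
    {"api": "RegOpenKey", "pid": 2456, "image": "scan0007.exe",
     "key": "\\REGISTRY\\USER\\" + SID +
            "\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676"},
]

RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
# First executable in a Run value: handles quoted paths and unquoted paths with spaces.
EXE_RE = re.compile(r'^"?([^"]*?\.exe)', re.I)
# Locations a non-admin user can write to; a Run entry pointing here is a red flag.
USER_WRITABLE_RE = re.compile(
    r"\\AppData\\(Local\\Temp|Local|Roaming)\\|\\Users\\Public\\|\\ProgramData\\", re.I)
OUTLOOK_PROFILE_RE = re.compile(
    r"\\(Office\\\d+\.\d+\\Outlook|Windows Messaging Subsystem)\\Profiles\\", re.I)
INJECTION_APIS = {"SetThreadContext", "WriteProcessMemory"}


def suspicious_run_keys(events):
    """Return (value_name, exe_path) for Run/RunOnce values whose target lives
    in a user-writable directory."""
    hits = []
    for e in events:
        if e.get("api") != "RegSetValue" or not RUN_KEY_RE.search(e.get("key", "")):
            continue
        m = EXE_RE.match(e.get("value", ""))
        if m and USER_WRITABLE_RE.search(m.group(1)):
            hits.append((e["key"].rsplit("\\", 1)[-1], m.group(1)))
    return hits


def injection_pairs(events):
    """Return (pid, target_pid, same_image) where one process used BOTH
    SetThreadContext and WriteProcessMemory on another process. same_image is
    True when the target runs the same binary, the classic hollowing shape."""
    apis_seen = defaultdict(set)
    images = {}
    for e in events:
        tgt = e.get("target")
        if e.get("api") in INJECTION_APIS and tgt is not None and tgt != e["pid"]:
            apis_seen[(e["pid"], tgt)].add(e["api"])
            images[(e["pid"], tgt)] = (e.get("image"), e.get("target_image"))
    return sorted((pid, tgt, images[(pid, tgt)][0] == images[(pid, tgt)][1])
                  for (pid, tgt), apis in apis_seen.items() if INJECTION_APIS <= apis)


def outlook_profile_reads(events):
    """PIDs that opened an Outlook profile key (Office\\<ver>\\Outlook or the
    Windows Messaging Subsystem path)."""
    return sorted({e["pid"] for e in events
                   if e.get("api") == "RegOpenKey" and OUTLOOK_PROFILE_RE.search(e.get("key", ""))})


def triage(events):
    """Human-readable findings, one line per hit."""
    out = []
    for name, path in suspicious_run_keys(events):
        out.append(f"persistence: Run value '{name}' -> {path} (user-writable location)")
    for pid, tgt, same in injection_pairs(events):
        out.append(f"injection: PID {pid} -> PID {tgt}"
                   + (" (same image: hollowing pattern)" if same else ""))
    for pid in outlook_profile_reads(events):
        out.append(f"credential access: PID {pid} opened Outlook profile keys")
    return out


if __name__ == "__main__":
    for line in triage(EVENTS):
        print(line)
```

Requiring both SetThreadContext and WriteProcessMemory from the same source to the same target is deliberate: either call alone is common in legitimate debuggers and installers, while the pair against a freshly started copy of the same image rarely is. The single MapViewOfSection row in the report has no target PID and is ignored by the pairing logic.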
Network
MITRE ATT&CK Enterprise v6
Downloads

memory/2456-130-0x0000000000000000-mapping.dmp
memory/2456-132-0x00000000008E0000-0x00000000008FC000-memory.dmp  (112KB)
memory/2456-131-0x00000000008E0000-0x00000000008FC000-memory.dmp  (112KB)
memory/2456-134-0x00000000049C0000-0x0000000004A5C000-memory.dmp  (624KB)
memory/2456-135-0x0000000004AA0000-0x0000000005044000-memory.dmp  (5.6MB)
memory/2456-136-0x0000000005090000-0x0000000005122000-memory.dmp  (584KB)
memory/2456-137-0x00000000052B0000-0x00000000052BA000-memory.dmp  (40KB)
memory/2456-138-0x0000000005300000-0x0000000005356000-memory.dmp  (344KB)
memory/2456-139-0x0000000008A00000-0x0000000008A66000-memory.dmp  (408KB)
memory/2664-133-0x0000000002460000-0x000000000246A000-memory.dmp  (40KB)