Analysis
- max time kernel: 119s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 21-05-2022 11:54
Static task: static1
Behavioral task: behavioral1
- Sample: PO_121220002941.exe
- Resource: win7-20220414-en
- 0 signatures
- 0 seconds
Behavioral task: behavioral2
- Sample: PO_121220002941.exe
- Resource: win10v2004-20220414-en
- 0 signatures
- 0 seconds
General
- Target: PO_121220002941.exe
- Size: 730KB
- MD5: 09cb80f28d47e2082702f4f8f89fe289
- SHA1: 779ea37a1cd013ef3b9c15a431ae411b2095fd36
- SHA256: 5be0aff5e9bf958f99789e62dd5bdf3b63cfe0e57fcbd1c7144d9a5e71f530f7
- SHA512: 7c13a8fc770b960df94d0d4c574e19539ca12de56fa2766500c2b90c05b8e4cd31c7e60ebd7d5a9e19acc41eee4eaf729ef91bf7a4839d31a5a627314d6f0c8d
- Score: 10/10
Malware Config
Signatures
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  Processes: PO_121220002941.exe
  - Key opened: \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook (process: PO_121220002941.exe)
  - Key opened: \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook (process: PO_121220002941.exe)
  - Key opened: \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook (process: PO_121220002941.exe)
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: PO_121220002941.exe
  - PID 1048 (PO_121220002941.exe) set thread context of PID 916 (PO_121220002941.exe)
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes: PO_121220002941.exe
  - PID 1048 (PO_121220002941.exe)
- Suspicious behavior: MapViewOfSection (1 IoCs)
  Processes: PO_121220002941.exe
  - PID 1048 (PO_121220002941.exe)
- Suspicious behavior: RenamesItself (1 IoCs)
  Processes: PO_121220002941.exe
  - PID 916 (PO_121220002941.exe)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: PO_121220002941.exe
  - Token: SeDebugPrivilege, PID 916 (PO_121220002941.exe)
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes: PO_121220002941.exe
  - PID 1048 (PO_121220002941.exe) wrote to memory of PID 916 (PO_121220002941.exe)
  - PID 1048 (PO_121220002941.exe) wrote to memory of PID 916 (PO_121220002941.exe)
  - PID 1048 (PO_121220002941.exe) wrote to memory of PID 916 (PO_121220002941.exe)
  - PID 1048 (PO_121220002941.exe) wrote to memory of PID 916 (PO_121220002941.exe)
- outlook_office_path (1 IoCs)
  Processes: PO_121220002941.exe
  - Key opened: \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook (process: PO_121220002941.exe)
- outlook_win_path (1 IoCs)
  Processes: PO_121220002941.exe
  - Key opened: \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook (process: PO_121220002941.exe)
Processes
- (1) C:\Users\Admin\AppData\Local\Temp\PO_121220002941.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\PO_121220002941.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
- (2) C:\Users\Admin\AppData\Local\Temp\PO_121220002941.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\PO_121220002941.exe"
  - Accesses Microsoft Outlook profiles
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path