Analysis
-
max time kernel
144s -
max time network
153s -
platform
windows7_x64 -
resource
win7-20220718-en -
resource tags
arch:x64 arch:x86 image:win7-20220718-en locale:en-us os:windows7-x64 system
submitted
25-07-2022 01:52
Static task
static1
Behavioral task
behavioral1
Sample
56bced5a1d1078bca4d0d2ca6f9a6c4e9e1805e84b04a561f29698ad6f7e8c66.exe
Resource
win7-20220718-en
General
-
Target
56bced5a1d1078bca4d0d2ca6f9a6c4e9e1805e84b04a561f29698ad6f7e8c66.exe
-
Size
1.3MB
-
MD5
682e1fde77543b2fa45aad3d7332128e
-
SHA1
bd45b2ad0263474e575458a467a86dd9d1359103
-
SHA256
56bced5a1d1078bca4d0d2ca6f9a6c4e9e1805e84b04a561f29698ad6f7e8c66
-
SHA512
90e3a93604c969d8c9b48cdd87397c1cab583852e7dd6b99aeb7e0f87f76fe60140be47e191c706532c4ba0f276c661a9acb969a09440b1d7220e0a077ddcfc0
Malware Config
Signatures
-
suricata: ET MALWARE Win32/Kelihos.F Checkin
-
Processes:
resource: behavioral1/memory/944-56-0x0000000000400000-0x0000000001BCD000-memory.dmp
yara_rule: upx
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
process: 56bced5a1d1078bca4d0d2ca6f9a6c4e9e1805e84b04a561f29698ad6f7e8c66.exe
description: Key created
ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
process: 56bced5a1d1078bca4d0d2ca6f9a6c4e9e1805e84b04a561f29698ad6f7e8c66.exe
description: Set value (str)
ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NetworkChecker = "C:\\Users\\Admin\\AppData\\Local\\Temp\\56bced5a1d1078bca4d0d2ca6f9a6c4e9e1805e84b04a561f29698ad6f7e8c66.exe"
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
pid: 944
process: 56bced5a1d1078bca4d0d2ca6f9a6c4e9e1805e84b04a561f29698ad6f7e8c66.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\56bced5a1d1078bca4d0d2ca6f9a6c4e9e1805e84b04a561f29698ad6f7e8c66.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\56bced5a1d1078bca4d0d2ca6f9a6c4e9e1805e84b04a561f29698ad6f7e8c66.exe"
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger