Analysis
max time kernel: 145s
max time network: 159s
platform: windows10-2004_x64
resource: win10v2004-20220722-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220722-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-07-2022 01:52
Static task: static1
Behavioral task: behavioral1
Sample: 56bced5a1d1078bca4d0d2ca6f9a6c4e9e1805e84b04a561f29698ad6f7e8c66.exe
Resource: win7-20220718-en
General
Target: 56bced5a1d1078bca4d0d2ca6f9a6c4e9e1805e84b04a561f29698ad6f7e8c66.exe
Size: 1.3MB
MD5: 682e1fde77543b2fa45aad3d7332128e
SHA1: bd45b2ad0263474e575458a467a86dd9d1359103
SHA256: 56bced5a1d1078bca4d0d2ca6f9a6c4e9e1805e84b04a561f29698ad6f7e8c66
SHA512: 90e3a93604c969d8c9b48cdd87397c1cab583852e7dd6b99aeb7e0f87f76fe60140be47e191c706532c4ba0f276c661a9acb969a09440b1d7220e0a077ddcfc0
Malware Config
Signatures
suricata: ET MALWARE Win32/Kelihos.F Checkin
Processes:
resource: behavioral2/memory/4272-133-0x0000000000400000-0x0000000001BCD000-memory.dmp
yara_rule: upx
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
description: Set value (str)
ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NetworkChecker = "C:\\Users\\Admin\\AppData\\Local\\Temp\\56bced5a1d1078bca4d0d2ca6f9a6c4e9e1805e84b04a561f29698ad6f7e8c66.exe"
process: 56bced5a1d1078bca4d0d2ca6f9a6c4e9e1805e84b04a561f29698ad6f7e8c66.exe

description: Key created
ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
process: 56bced5a1d1078bca4d0d2ca6f9a6c4e9e1805e84b04a561f29698ad6f7e8c66.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
pid: 4272
process: 56bced5a1d1078bca4d0d2ca6f9a6c4e9e1805e84b04a561f29698ad6f7e8c66.exe
Modifies Internet Explorer settings
Processes:
description: Set value (data)
ioc: \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FlagsModifiedValid = 0000000000000000
process: 56bced5a1d1078bca4d0d2ca6f9a6c4e9e1805e84b04a561f29698ad6f7e8c66.exe

description: Key created
ioc: \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\SOFTWARE\Microsoft\Internet Explorer\Main
process: 56bced5a1d1078bca4d0d2ca6f9a6c4e9e1805e84b04a561f29698ad6f7e8c66.exe

description: Set value (data)
ioc: \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\SOFTWARE\Microsoft\Internet Explorer\Main\DefaultCompressedRecord = c880f97f734773be31d7c83602b8eed86d0eb2f020e34e35997e65fa2cb583f58d1aac53e191603a95f00f560779a3fd7a230e6c4022e4ca8f6be78fa851823990ca9ca840ec65975a92cb7c07267aa0bddd9026d9677f95896bac31fd871c0722bc59d8cdfaba
process: 56bced5a1d1078bca4d0d2ca6f9a6c4e9e1805e84b04a561f29698ad6f7e8c66.exe

description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\SOFTWARE\Microsoft\Internet Explorer\Main\RecordModifiedMax = "DNyokW5LfaoxHcW3+OmwyR2eqN1uxurCcOYUFYNyunjzjVIUiEZyhwwOnbfoDzfT9Q=="
process: 56bced5a1d1078bca4d0d2ca6f9a6c4e9e1805e84b04a561f29698ad6f7e8c66.exe
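The two registry behaviours above (the Run key entry pointing back at the sample in %TEMP%, and writes to the Internet Explorer Main key by a non-browser process) are the kind of thing a host-based detection should catch at write time. The following is an added example, not part of the sandbox report or the analysed sample: it runs two checks over records shaped like Sysmon Event ID 13 (RegistryEvent, value set). The sample events are constructed here, modelled on the IoCs in the report; Sysmon writes hives as HKLM/HKU where the report shows \REGISTRY\MACHINE and \REGISTRY\USER. The user-writable directory list and the allow-list of processes expected to touch the IE Main key are assumptions to tune per environment.

```python
import re
from dataclasses import dataclass

# Constructed sample records in the shape of Sysmon Event ID 13 (RegistryEvent, value set).
# Events 1 and 2 are modelled on the IoCs in the report above; events 3 and 4 are benign
# controls (an assumed vendor updater in Program Files, and Internet Explorer itself).
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\56bced5a1d1078bca4d0d2ca6f9a6c4e9e1805e84b04a561f29698ad6f7e8c66.exe"
SID = "S-1-5-21-3463845317-933582289-45817732-1000"
IE_MAIN = "HKU\\" + SID + r"\SOFTWARE\Microsoft\Internet Explorer\Main"
SAMPLE_EVENTS = [
    {"EventType": "SetValue", "Image": SAMPLE,
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NetworkChecker",
     "Details": SAMPLE},
    {"EventType": "SetValue", "Image": SAMPLE,
     "TargetObject": IE_MAIN + r"\RecordModifiedMax",
     "Details": "DNyokW5LfaoxHcW3+OmwyR2eqN1uxurCcOYUFYNyunjzjVIUiEZyhwwOnbfoDzfT9Q=="},
    {"EventType": "SetValue", "Image": r"C:\Program Files (x86)\Vendor\updater.exe",
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "Details": r'"C:\Program Files (x86)\Vendor\updater.exe" /background'},
    {"EventType": "SetValue", "Image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "TargetObject": IE_MAIN + r"\Start Page",
     "Details": "https://www.example.com/"},
]

# Value names directly under a Run/RunOnce key, in any hive (HKLM, HKU, WOW6432Node).
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\[^\\]+$", re.IGNORECASE)
IE_MAIN_RE = re.compile(r"\\Microsoft\\Internet Explorer\\Main\\[^\\]+$", re.IGNORECASE)
# Directories an unprivileged user can write to (assumed list): an autorun entry pointing
# here is the usual shape of dropped-file persistence.
USER_WRITABLE_RE = re.compile(
    r"\\Users\\[^\\]+\\AppData\\|\\Users\\Public\\|\\ProgramData\\|\\Windows\\Temp\\", re.IGNORECASE)
# Processes expected to write Internet Explorer's Main key (assumed allow-list).
IE_WRITERS = {"iexplore.exe", "explorer.exe", "ie4uinit.exe"}


@dataclass
class Finding:
    rule: str
    severity: str
    target: str
    image: str
    reason: str


def exe_from_command(details: str) -> str:
    """Return the executable path from a Run value, which may be quoted and carry arguments.
    An unquoted path containing spaces is ambiguous and is cut at the first space."""
    details = details.strip()
    if details.startswith('"'):
        end = details.find('"', 1)
        return details[1:end] if end > 0 else details[1:]
    return details.split(" ", 1)[0]


def check_event(ev: dict) -> list:
    findings = []
    if ev.get("EventType") != "SetValue":
        return findings
    target, image, details = ev["TargetObject"], ev["Image"], ev.get("Details", "")

    if RUN_KEY_RE.search(target):
        exe = exe_from_command(details)
        if USER_WRITABLE_RE.search(exe):
            # The report's sample registers its own %TEMP% path: the strongest variant.
            self_registered = exe.lower() == image.lower()
            findings.append(Finding(
                rule="run_key_persistence",
                severity="high" if self_registered else "medium",
                target=target, image=image,
                reason="autorun target in user-writable directory"
                       + (" and process registered itself" if self_registered else "")))

    if IE_MAIN_RE.search(target):
        writer = image.rsplit("\\", 1)[-1].lower()
        if writer not in IE_WRITERS:
            findings.append(Finding("ie_main_modified_by_non_browser", "medium",
                                    target, image, f"written by {writer}"))
    return findings


def scan(events) -> list:
    return [f for ev in events for f in check_event(ev)]


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.rule}: {f.target} ({f.reason})")
```

Run against the constructed events, the first two records (the report's Run key and IE Main writes) produce findings and the two controls produce none. The IE check is deliberately coarse: it keys on who writes the Main key rather than on the opaque values, since the values themselves (FlagsModifiedValid, DefaultCompressedRecord, RecordModifiedMax) are not something a rule can interpret.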
Processes
1. C:\Users\Admin\AppData\Local\Temp\56bced5a1d1078bca4d0d2ca6f9a6c4e9e1805e84b04a561f29698ad6f7e8c66.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\56bced5a1d1078bca4d0d2ca6f9a6c4e9e1805e84b04a561f29698ad6f7e8c66.exe"
   - Adds Run key to start application
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - Modifies Internet Explorer settings