Analysis

  • max time kernel
    138s
  • max time network
    142s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29/08/2022, 14:32

General

  • Target

    39e53edf45a715e6633966b9cf79a698.exe

  • Size

    930KB

  • MD5

    39e53edf45a715e6633966b9cf79a698

  • SHA1

    4af4d12118dcbfe21fca68fac0d5de925d107bec

  • SHA256

    979b749a9c4e8d2b7ffae33df7b8bf28f82fb1fbc6840566e548399b86e2caf6

  • SHA512

    0d438e1a77d39c09010148d0e428aa688175547193ec97b78b59eef467d94a38c3ddffd0acff48adea39d230917323e3a3a01cc15968e9b350f0cf207c1169f9

  • SSDEEP

    24576:ms9stXwB1kWsT0Y5MM0BQwpggFOmH1Ix:OwMv0M0BhgsTVI

Malware Config

Signatures

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\39e53edf45a715e6633966b9cf79a698.exe
    "C:\Users\Admin\AppData\Local\Temp\39e53edf45a715e6633966b9cf79a698.exe"
    1⤵
    • Accesses Microsoft Outlook profiles
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • outlook_office_path
    • outlook_win_path
    PID:512
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2176
      • C:\Windows\SysWOW64\chcp.com
        chcp 65001
        3⤵
          PID:2684
        • C:\Windows\SysWOW64\netsh.exe
          netsh wlan show profile
          3⤵
            PID:736
          • C:\Windows\SysWOW64\findstr.exe
            findstr All
            3⤵
              PID:2180
          • C:\Windows\SysWOW64\cmd.exe
            "cmd.exe" /C chcp 65001 && netsh wlan show profile name="65001" key=clear | findstr Key
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:2412
            • C:\Windows\SysWOW64\chcp.com
              chcp 65001
              3⤵
                PID:2056
              • C:\Windows\SysWOW64\netsh.exe
                netsh wlan show profile name="65001" key=clear
                3⤵
                  PID:1968
                • C:\Windows\SysWOW64\findstr.exe
                  findstr Key
                  3⤵
                    PID:2264

              Network

                    MITRE ATT&CK Enterprise v6

                    Replay Monitor

                    Loading Replay Monitor...

                    Downloads

                    • memory/512-138-0x0000000013030000-0x00000000130CC000-memory.dmp

                      Filesize

                      624KB

                    • memory/512-134-0x0000000012960000-0x00000000129F2000-memory.dmp

                      Filesize

                      584KB

                    • memory/512-135-0x0000000012A10000-0x0000000012A76000-memory.dmp

                      Filesize

                      408KB

                    • memory/512-132-0x0000000000AB0000-0x0000000000B0D000-memory.dmp

                      Filesize

                      372KB

                    • memory/512-137-0x0000000012FD0000-0x0000000013020000-memory.dmp

                      Filesize

                      320KB

                    • memory/512-133-0x0000000011880000-0x0000000011E24000-memory.dmp

                      Filesize

                      5.6MB