Analysis
- max time kernel: 138s
- max time network: 142s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29/08/2022, 14:32
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 39e53edf45a715e6633966b9cf79a698.exe
  - Resource: win7-20220812-en
- Behavioral task: behavioral2
  - Sample: 39e53edf45a715e6633966b9cf79a698.exe
  - Resource: win10v2004-20220812-en
General
- Target: 39e53edf45a715e6633966b9cf79a698.exe
- Size: 930KB
- MD5: 39e53edf45a715e6633966b9cf79a698
- SHA1: 4af4d12118dcbfe21fca68fac0d5de925d107bec
- SHA256: 979b749a9c4e8d2b7ffae33df7b8bf28f82fb1fbc6840566e548399b86e2caf6
- SHA512: 0d438e1a77d39c09010148d0e428aa688175547193ec97b78b59eef467d94a38c3ddffd0acff48adea39d230917323e3a3a01cc15968e9b350f0cf207c1169f9
- SSDEEP: 24576:ms9stXwB1kWsT0Y5MM0BQwpggFOmH1Ix:OwMv0M0BhgsTVI
Malware Config
Signatures
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, such as saved credentials.
- Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)

| description | ioc | Process |
|---|---|---|
| Key opened | \REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 39e53edf45a715e6633966b9cf79a698.exe |
| Key opened | \REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 39e53edf45a715e6633966b9cf79a698.exe |
| Key opened | \REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 39e53edf45a715e6633966b9cf79a698.exe |
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.

| flow | ioc |
|---|---|
| 36 | ip-api.com |
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.

| description | ioc | Process |
|---|---|---|
| Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | 39e53edf45a715e6633966b9cf79a698.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | 39e53edf45a715e6633966b9cf79a698.exe |
- Suspicious behavior: EnumeratesProcesses (1 IoCs)

| pid | Process |
|---|---|
| 512 | 39e53edf45a715e6633966b9cf79a698.exe |
- Suspicious use of AdjustPrivilegeToken (1 IoCs)

| description | pid | Process |
|---|---|---|
| Token: SeDebugPrivilege | 512 | 39e53edf45a715e6633966b9cf79a698.exe |
- Suspicious use of WriteProcessMemory (24 IoCs)

| description | pid | Process | procid_target |
|---|---|---|---|
| PID 512 wrote to memory of 2176 | 512 | 39e53edf45a715e6633966b9cf79a698.exe | 95 |
| PID 512 wrote to memory of 2176 | 512 | 39e53edf45a715e6633966b9cf79a698.exe | 95 |
| PID 512 wrote to memory of 2176 | 512 | 39e53edf45a715e6633966b9cf79a698.exe | 95 |
| PID 2176 wrote to memory of 2684 | 2176 | cmd.exe | 97 |
| PID 2176 wrote to memory of 2684 | 2176 | cmd.exe | 97 |
| PID 2176 wrote to memory of 2684 | 2176 | cmd.exe | 97 |
| PID 2176 wrote to memory of 736 | 2176 | cmd.exe | 98 |
| PID 2176 wrote to memory of 736 | 2176 | cmd.exe | 98 |
| PID 2176 wrote to memory of 736 | 2176 | cmd.exe | 98 |
| PID 2176 wrote to memory of 2180 | 2176 | cmd.exe | 99 |
| PID 2176 wrote to memory of 2180 | 2176 | cmd.exe | 99 |
| PID 2176 wrote to memory of 2180 | 2176 | cmd.exe | 99 |
| PID 512 wrote to memory of 2412 | 512 | 39e53edf45a715e6633966b9cf79a698.exe | 100 |
| PID 512 wrote to memory of 2412 | 512 | 39e53edf45a715e6633966b9cf79a698.exe | 100 |
| PID 512 wrote to memory of 2412 | 512 | 39e53edf45a715e6633966b9cf79a698.exe | 100 |
| PID 2412 wrote to memory of 2056 | 2412 | cmd.exe | 102 |
| PID 2412 wrote to memory of 2056 | 2412 | cmd.exe | 102 |
| PID 2412 wrote to memory of 2056 | 2412 | cmd.exe | 102 |
| PID 2412 wrote to memory of 1968 | 2412 | cmd.exe | 103 |
| PID 2412 wrote to memory of 1968 | 2412 | cmd.exe | 103 |
| PID 2412 wrote to memory of 1968 | 2412 | cmd.exe | 103 |
| PID 2412 wrote to memory of 2264 | 2412 | cmd.exe | 104 |
| PID 2412 wrote to memory of 2264 | 2412 | cmd.exe | 104 |
| PID 2412 wrote to memory of 2264 | 2412 | cmd.exe | 104 |
- outlook_office_path (1 IoCs)

| description | ioc | Process |
|---|---|---|
| Key opened | \REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 39e53edf45a715e6633966b9cf79a698.exe |

- outlook_win_path (1 IoCs)

| description | ioc | Process |
|---|---|---|
| Key opened | \REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 39e53edf45a715e6633966b9cf79a698.exe |
Processes
- C:\Users\Admin\AppData\Local\Temp\39e53edf45a715e6633966b9cf79a698.exe (PID 512, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\39e53edf45a715e6633966b9cf79a698.exe"
  - Accesses Microsoft Outlook profiles
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - outlook_office_path
  - outlook_win_path
  - C:\Windows\SysWOW64\cmd.exe (PID 2176, depth 2)
    Command line: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\chcp.com (PID 2684, depth 3)
      Command line: chcp 65001
    - C:\Windows\SysWOW64\netsh.exe (PID 736, depth 3)
      Command line: netsh wlan show profile
    - C:\Windows\SysWOW64\findstr.exe (PID 2180, depth 3)
      Command line: findstr All
  - C:\Windows\SysWOW64\cmd.exe (PID 2412, depth 2)
    Command line: "cmd.exe" /C chcp 65001 && netsh wlan show profile name="65001" key=clear | findstr Key
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\chcp.com (PID 2056, depth 3)
      Command line: chcp 65001
    - C:\Windows\SysWOW64\netsh.exe (PID 1968, depth 3)
      Command line: netsh wlan show profile name="65001" key=clear
    - C:\Windows\SysWOW64\findstr.exe (PID 2264, depth 3)
      Command line: findstr Key