Analysis
- Max time kernel: 91s
- Max time network: 149s
- Platform: windows10-2004_x64
- Resource: win10v2004-20220812-en
- Resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- Submitted: 25-09-2022 18:28
- Static task: static1
- Behavioral task: behavioral1
- Sample: UDO_Device_Enrolment.exe
- Resource: win7-20220812-en
General
- Target: UDO_Device_Enrolment.exe
- Size: 203KB
- MD5: 33d42728d32ae2eae31e4e1666b9b41c
- SHA1: 8eb8f3dd4394d95cbe0294903f11df25966e483a
- SHA256: 125fabbc234e4aef84704adad60213c510611aa5ee1a86fc238d6497df121e21
- SHA512: 9548f6328c27b0616ab4a44fa05735189ec14eb5bf302616877faa3a8c2473a378266ffd2435c7f578f99776ec4d1d6e3d82ac71df70bdf18161f6062360c27a
- SSDEEP: 768:h4KUggNBTPsmV5II2Q0oXbOfq1mkmjJKQfsPE2d1NL3gkGMsG:h4KUggTTPRiQLbOamUPRvR3zG
Malware Config
Extracted
- Protocol: smtp
- Host: smtp-mail.outlook.com
- Port: 587
- Username: udoderbymain@outlook.com
- Password: Derbyuni2021
Signatures
- NirSoft WebBrowserPassView (2 IoCs)
  Password recovery tool for various web browsers
  Processes (resource / yara_rule):
  C:\temp\Windows32\WebBrowserPassView.exe / WebBrowserPassView
  C:\temp\Windows32\WebBrowserPassView.exe / WebBrowserPassView
- Nirsoft (2 IoCs)
  Processes (resource / yara_rule):
  C:\temp\Windows32\WebBrowserPassView.exe / Nirsoft
  C:\temp\Windows32\WebBrowserPassView.exe / Nirsoft
- Downloads MZ/PE file
- Executes dropped EXE (1 IoC)
  Processes (pid / process):
  4656 / WebBrowserPassView.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Legitimate hosting services abused for malware hosting/C2 (1 TTP)
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes (pid / process):
  904 / UDO_Device_Enrolment.exe
  4656 / WebBrowserPassView.exe
  4656 / WebBrowserPassView.exe
  4656 / WebBrowserPassView.exe
  4656 / WebBrowserPassView.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description / pid / process):
  Token: SeDebugPrivilege / 904 / UDO_Device_Enrolment.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes (description / pid / process / target process):
  PID 904 wrote to memory of 4656 / 904 / UDO_Device_Enrolment.exe / WebBrowserPassView.exe
  PID 904 wrote to memory of 4656 / 904 / UDO_Device_Enrolment.exe / WebBrowserPassView.exe
  PID 904 wrote to memory of 4656 / 904 / UDO_Device_Enrolment.exe / WebBrowserPassView.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\UDO_Device_Enrolment.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\UDO_Device_Enrolment.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\temp\Windows32\WebBrowserPassView.exe (child process)
    Command line: "C:\temp\Windows32\WebBrowserPassView.exe" /stext HWID.txt
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\temp\Windows32\WebBrowserPassView.exe
  Filesize: 393KB
  MD5: 2024ea60da870a221db260482117258b
  SHA1: 716554dc580a82cc17a1035add302c0766590964
  SHA256: 53043bd27f47dbbe3e5ac691d8a586ab56a33f734356be9b8e49c7e975241a56
  SHA512: ffcd4436b80169ba18db5b7c818c5da71661798963c0a5f5fbac99a6974a7729d38871e52bc36c766824dd54f2c8fa5711415ec45799db65c11293d8b829693b
- memory/904-132-0x0000000000A40000-0x0000000000A78000-memory.dmp
  Filesize: 224KB
- memory/904-133-0x00007FF9F3B20000-0x00007FF9F45E1000-memory.dmp
  Filesize: 10.8MB
- memory/904-134-0x0000000002B60000-0x0000000002B82000-memory.dmp
  Filesize: 136KB
- memory/904-138-0x00007FF9F3B20000-0x00007FF9F45E1000-memory.dmp
  Filesize: 10.8MB
- memory/904-139-0x00007FF9F3B20000-0x00007FF9F45E1000-memory.dmp
  Filesize: 10.8MB
- memory/4656-135-0x0000000000000000-mapping.dmp