Analysis

max time kernel: 149s
max time network: 48s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 02-10-2022 23:38
Static task: static1

Behavioral task: behavioral1
  Sample: 5164f1e0d7c4f7c16d65c7f5dc8abe51986310081752024c3338ee01f011e983.exe
  Resource: win7-20220812-en

Behavioral task: behavioral2
  Sample: 5164f1e0d7c4f7c16d65c7f5dc8abe51986310081752024c3338ee01f011e983.exe
  Resource: win10v2004-20220812-en
General

Target: 5164f1e0d7c4f7c16d65c7f5dc8abe51986310081752024c3338ee01f011e983.exe
Size: 41KB
MD5: 701c701ef29ad851a8c6f8f8dc667cc5
SHA1: 57203040d4519bc62a5adabee9aca90e771f701c
SHA256: 5164f1e0d7c4f7c16d65c7f5dc8abe51986310081752024c3338ee01f011e983
SHA512: 9d7c0c82903b97c70c825202178081bb9d88a1fcc06c6e657611f0ab9d6461dac46186dabfde47bf2c445150e025014fd18f078b56524739f1ded1e81a3bb192
SSDEEP: 768:svvKhHGwo33s47TEIcv1byj+GzofKj4LwiDGq3KZ95HdoRbb7S:bhHZons47TEVtbe+lLnDPat9o
Malware Config
Signatures

- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.

- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

- Accesses Microsoft Outlook profiles (1 TTPs, 1 IoCs)
  Processes:
    description: Key opened
    ioc: \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
    process: 5164f1e0d7c4f7c16d65c7f5dc8abe51986310081752024c3338ee01f011e983.exe

- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes:
    pid: 1376
    process: 5164f1e0d7c4f7c16d65c7f5dc8abe51986310081752024c3338ee01f011e983.exe

- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    description: Token: SeDebugPrivilege
    pid: 1376
    process: 5164f1e0d7c4f7c16d65c7f5dc8abe51986310081752024c3338ee01f011e983.exe

- outlook_win_path (1 IoCs)
  Processes:
    description: Key opened
    ioc: \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
    process: 5164f1e0d7c4f7c16d65c7f5dc8abe51986310081752024c3338ee01f011e983.exe
Processes

- C:\Users\Admin\AppData\Local\Temp\5164f1e0d7c4f7c16d65c7f5dc8abe51986310081752024c3338ee01f011e983.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5164f1e0d7c4f7c16d65c7f5dc8abe51986310081752024c3338ee01f011e983.exe"
  Signatures:
  - Accesses Microsoft Outlook profiles
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - outlook_win_path