Analysis
-
max time kernel
91s -
max time network
106s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system -
submitted
18/11/2022, 03:31
Behavioral task
behavioral1
Sample
4b1c147945fe5bfdae6963244e1d5537.exe
Resource
win7-20221111-en
General
-
Target
4b1c147945fe5bfdae6963244e1d5537.exe
-
Size
112KB
-
MD5
4b1c147945fe5bfdae6963244e1d5537
-
SHA1
b3da00798b6766a8ca45299a7b81c09a23ea8d70
-
SHA256
f55436dcdbac5a142f7fa360fa5eebdf4f91f5d5817b429cd5d0ea4e8a12e351
-
SHA512
df27feb3e55013698ec9b923c888264e102ba35b2905402bbffbf96c9916ffbb45d8e80a312b141994c61773245b0b9528f6cedc0a5e3cb251708d14ead99da9
-
SSDEEP
1536:jcYTGfy4+qfdqTxRXzuoaLAPqQDIfM3CNFJZyT9sygO8VhTv5kzbkmq0ND9+qh:gSGqrwXovJIMmtO8VMfq0j+qh
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation 4b1c147945fe5bfdae6963244e1d5537.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts 4b1c147945fe5bfdae6963244e1d5537.exe -
Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook 4b1c147945fe5bfdae6963244e1d5537.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of AdjustPrivilegeToken 48 IoCs
description pid Process Token: SeImpersonatePrivilege 4824 4b1c147945fe5bfdae6963244e1d5537.exe Token: SeTcbPrivilege 4824 4b1c147945fe5bfdae6963244e1d5537.exe Token: SeChangeNotifyPrivilege 4824 4b1c147945fe5bfdae6963244e1d5537.exe Token: SeCreateTokenPrivilege 4824 4b1c147945fe5bfdae6963244e1d5537.exe Token: SeBackupPrivilege 4824 4b1c147945fe5bfdae6963244e1d5537.exe Token: SeRestorePrivilege 4824 4b1c147945fe5bfdae6963244e1d5537.exe Token: SeIncreaseQuotaPrivilege 4824 4b1c147945fe5bfdae6963244e1d5537.exe Token: SeAssignPrimaryTokenPrivilege 4824 4b1c147945fe5bfdae6963244e1d5537.exe Token: SeImpersonatePrivilege 4824 4b1c147945fe5bfdae6963244e1d5537.exe Token: SeTcbPrivilege 4824 4b1c147945fe5bfdae6963244e1d5537.exe Token: SeChangeNotifyPrivilege 4824 4b1c147945fe5bfdae6963244e1d5537.exe Token: SeCreateTokenPrivilege 4824 4b1c147945fe5bfdae6963244e1d5537.exe Token: SeBackupPrivilege 4824 4b1c147945fe5bfdae6963244e1d5537.exe Token: SeRestorePrivilege 4824 4b1c147945fe5bfdae6963244e1d5537.exe Token: SeIncreaseQuotaPrivilege 4824 4b1c147945fe5bfdae6963244e1d5537.exe Token: SeAssignPrimaryTokenPrivilege 4824 4b1c147945fe5bfdae6963244e1d5537.exe Token: SeImpersonatePrivilege 4824 4b1c147945fe5bfdae6963244e1d5537.exe Token: SeTcbPrivilege 4824 4b1c147945fe5bfdae6963244e1d5537.exe Token: SeChangeNotifyPrivilege 4824 4b1c147945fe5bfdae6963244e1d5537.exe Token: SeCreateTokenPrivilege 4824 4b1c147945fe5bfdae6963244e1d5537.exe Token: SeBackupPrivilege 4824 4b1c147945fe5bfdae6963244e1d5537.exe Token: SeRestorePrivilege 4824 4b1c147945fe5bfdae6963244e1d5537.exe Token: SeIncreaseQuotaPrivilege 4824 4b1c147945fe5bfdae6963244e1d5537.exe Token: SeAssignPrimaryTokenPrivilege 4824 4b1c147945fe5bfdae6963244e1d5537.exe Token: SeImpersonatePrivilege 4824 4b1c147945fe5bfdae6963244e1d5537.exe Token: SeTcbPrivilege 4824 4b1c147945fe5bfdae6963244e1d5537.exe Token: SeChangeNotifyPrivilege 4824 4b1c147945fe5bfdae6963244e1d5537.exe Token: SeCreateTokenPrivilege 4824 4b1c147945fe5bfdae6963244e1d5537.exe Token: SeBackupPrivilege 4824 4b1c147945fe5bfdae6963244e1d5537.exe Token: SeRestorePrivilege 4824 4b1c147945fe5bfdae6963244e1d5537.exe Token: SeIncreaseQuotaPrivilege 4824 4b1c147945fe5bfdae6963244e1d5537.exe Token: SeAssignPrimaryTokenPrivilege 4824 4b1c147945fe5bfdae6963244e1d5537.exe Token: SeImpersonatePrivilege 4824 4b1c147945fe5bfdae6963244e1d5537.exe Token: SeTcbPrivilege 4824 4b1c147945fe5bfdae6963244e1d5537.exe Token: SeChangeNotifyPrivilege 4824 4b1c147945fe5bfdae6963244e1d5537.exe Token: SeCreateTokenPrivilege 4824 4b1c147945fe5bfdae6963244e1d5537.exe Token: SeBackupPrivilege 4824 4b1c147945fe5bfdae6963244e1d5537.exe Token: SeRestorePrivilege 4824 4b1c147945fe5bfdae6963244e1d5537.exe Token: SeIncreaseQuotaPrivilege 4824 4b1c147945fe5bfdae6963244e1d5537.exe Token: SeAssignPrimaryTokenPrivilege 4824 4b1c147945fe5bfdae6963244e1d5537.exe Token: SeImpersonatePrivilege 4824 4b1c147945fe5bfdae6963244e1d5537.exe Token: SeTcbPrivilege 4824 4b1c147945fe5bfdae6963244e1d5537.exe Token: SeChangeNotifyPrivilege 4824 4b1c147945fe5bfdae6963244e1d5537.exe Token: SeCreateTokenPrivilege 4824 4b1c147945fe5bfdae6963244e1d5537.exe Token: SeBackupPrivilege 4824 4b1c147945fe5bfdae6963244e1d5537.exe Token: SeRestorePrivilege 4824 4b1c147945fe5bfdae6963244e1d5537.exe Token: SeIncreaseQuotaPrivilege 4824 4b1c147945fe5bfdae6963244e1d5537.exe Token: SeAssignPrimaryTokenPrivilege 4824 4b1c147945fe5bfdae6963244e1d5537.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 4824 wrote to memory of 1072 4824 4b1c147945fe5bfdae6963244e1d5537.exe 86 PID 4824 wrote to memory of 1072 4824 4b1c147945fe5bfdae6963244e1d5537.exe 86 PID 4824 wrote to memory of 1072 4824 4b1c147945fe5bfdae6963244e1d5537.exe 86 -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook 4b1c147945fe5bfdae6963244e1d5537.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\4b1c147945fe5bfdae6963244e1d5537.exe"C:\Users\Admin\AppData\Local\Temp\4b1c147945fe5bfdae6963244e1d5537.exe"1⤵
- Checks computer location settings
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_win_path
PID:4824 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240592593.bat" "C:\Users\Admin\AppData\Local\Temp\4b1c147945fe5bfdae6963244e1d5537.exe" "2⤵PID:1072
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
94B
MD53880eeb1c736d853eb13b44898b718ab
SHA14eec9d50360cd815211e3c4e6bdd08271b6ec8e6
SHA256936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7
SHA5123eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b