Analysis
-
max time kernel
45s -
max time network
48s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system -
submitted
20/11/2022, 07:15
Static task
static1
Behavioral task
behavioral1
Sample
e61448eafc85689c8e2eb6622bf8675230968654510a7720cb7e10874e0cf3af.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
e61448eafc85689c8e2eb6622bf8675230968654510a7720cb7e10874e0cf3af.exe
Resource
win10v2004-20221111-en
General
-
Target
e61448eafc85689c8e2eb6622bf8675230968654510a7720cb7e10874e0cf3af.exe
-
Size
308KB
-
MD5
23593c82ae440590d4c9a0a94f7579f0
-
SHA1
97190bf0c30743ad89596b35708c36d2c5e312c1
-
SHA256
e61448eafc85689c8e2eb6622bf8675230968654510a7720cb7e10874e0cf3af
-
SHA512
53e86e367d77c26d2c8bc21840b5f89778a8e9b80981ca53df9dcc379b163859c8054d4efe639a81c860284caffb1f5870e3ddcd2b782b39fd590fdeee255640
-
SSDEEP
3072:KEYEyrGLLwOkFLEJ+0udjo85Ag0FuAYmwQ/+fN1lKTP5luhZjIY:RLLsB0YAOAc/YRwIY
Malware Config
Signatures
-
resource yara_rule behavioral1/memory/2020-55-0x0000000000400000-0x0000000000464000-memory.dmp upx behavioral1/memory/2020-56-0x0000000000400000-0x0000000000464000-memory.dmp upx -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts e61448eafc85689c8e2eb6622bf8675230968654510a7720cb7e10874e0cf3af.exe -
Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook e61448eafc85689c8e2eb6622bf8675230968654510a7720cb7e10874e0cf3af.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of AdjustPrivilegeToken 32 IoCs
description pid Process Token: SeImpersonatePrivilege 2020 e61448eafc85689c8e2eb6622bf8675230968654510a7720cb7e10874e0cf3af.exe Token: SeTcbPrivilege 2020 e61448eafc85689c8e2eb6622bf8675230968654510a7720cb7e10874e0cf3af.exe Token: SeChangeNotifyPrivilege 2020 e61448eafc85689c8e2eb6622bf8675230968654510a7720cb7e10874e0cf3af.exe Token: SeCreateTokenPrivilege 2020 e61448eafc85689c8e2eb6622bf8675230968654510a7720cb7e10874e0cf3af.exe Token: SeBackupPrivilege 2020 e61448eafc85689c8e2eb6622bf8675230968654510a7720cb7e10874e0cf3af.exe Token: SeRestorePrivilege 2020 e61448eafc85689c8e2eb6622bf8675230968654510a7720cb7e10874e0cf3af.exe Token: SeIncreaseQuotaPrivilege 2020 e61448eafc85689c8e2eb6622bf8675230968654510a7720cb7e10874e0cf3af.exe Token: SeAssignPrimaryTokenPrivilege 2020 e61448eafc85689c8e2eb6622bf8675230968654510a7720cb7e10874e0cf3af.exe Token: SeImpersonatePrivilege 2020 e61448eafc85689c8e2eb6622bf8675230968654510a7720cb7e10874e0cf3af.exe Token: SeTcbPrivilege 2020 e61448eafc85689c8e2eb6622bf8675230968654510a7720cb7e10874e0cf3af.exe Token: SeChangeNotifyPrivilege 2020 e61448eafc85689c8e2eb6622bf8675230968654510a7720cb7e10874e0cf3af.exe Token: SeCreateTokenPrivilege 2020 e61448eafc85689c8e2eb6622bf8675230968654510a7720cb7e10874e0cf3af.exe Token: SeBackupPrivilege 2020 e61448eafc85689c8e2eb6622bf8675230968654510a7720cb7e10874e0cf3af.exe Token: SeRestorePrivilege 2020 e61448eafc85689c8e2eb6622bf8675230968654510a7720cb7e10874e0cf3af.exe Token: SeIncreaseQuotaPrivilege 2020 e61448eafc85689c8e2eb6622bf8675230968654510a7720cb7e10874e0cf3af.exe Token: SeAssignPrimaryTokenPrivilege 2020 e61448eafc85689c8e2eb6622bf8675230968654510a7720cb7e10874e0cf3af.exe Token: SeImpersonatePrivilege 2020 e61448eafc85689c8e2eb6622bf8675230968654510a7720cb7e10874e0cf3af.exe Token: SeTcbPrivilege 2020 e61448eafc85689c8e2eb6622bf8675230968654510a7720cb7e10874e0cf3af.exe Token: SeChangeNotifyPrivilege 2020 e61448eafc85689c8e2eb6622bf8675230968654510a7720cb7e10874e0cf3af.exe Token: SeCreateTokenPrivilege 2020 e61448eafc85689c8e2eb6622bf8675230968654510a7720cb7e10874e0cf3af.exe Token: SeBackupPrivilege 2020 e61448eafc85689c8e2eb6622bf8675230968654510a7720cb7e10874e0cf3af.exe Token: SeRestorePrivilege 2020 e61448eafc85689c8e2eb6622bf8675230968654510a7720cb7e10874e0cf3af.exe Token: SeIncreaseQuotaPrivilege 2020 e61448eafc85689c8e2eb6622bf8675230968654510a7720cb7e10874e0cf3af.exe Token: SeAssignPrimaryTokenPrivilege 2020 e61448eafc85689c8e2eb6622bf8675230968654510a7720cb7e10874e0cf3af.exe Token: SeImpersonatePrivilege 2020 e61448eafc85689c8e2eb6622bf8675230968654510a7720cb7e10874e0cf3af.exe Token: SeTcbPrivilege 2020 e61448eafc85689c8e2eb6622bf8675230968654510a7720cb7e10874e0cf3af.exe Token: SeChangeNotifyPrivilege 2020 e61448eafc85689c8e2eb6622bf8675230968654510a7720cb7e10874e0cf3af.exe Token: SeCreateTokenPrivilege 2020 e61448eafc85689c8e2eb6622bf8675230968654510a7720cb7e10874e0cf3af.exe Token: SeBackupPrivilege 2020 e61448eafc85689c8e2eb6622bf8675230968654510a7720cb7e10874e0cf3af.exe Token: SeRestorePrivilege 2020 e61448eafc85689c8e2eb6622bf8675230968654510a7720cb7e10874e0cf3af.exe Token: SeIncreaseQuotaPrivilege 2020 e61448eafc85689c8e2eb6622bf8675230968654510a7720cb7e10874e0cf3af.exe Token: SeAssignPrimaryTokenPrivilege 2020 e61448eafc85689c8e2eb6622bf8675230968654510a7720cb7e10874e0cf3af.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook e61448eafc85689c8e2eb6622bf8675230968654510a7720cb7e10874e0cf3af.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\e61448eafc85689c8e2eb6622bf8675230968654510a7720cb7e10874e0cf3af.exe"C:\Users\Admin\AppData\Local\Temp\e61448eafc85689c8e2eb6622bf8675230968654510a7720cb7e10874e0cf3af.exe"1⤵
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_win_path
PID:2020