Analysis
max time kernel: 152s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-11-2022 09:12
Static task: static1
Behavioral task: behavioral1
  Sample: 9b7a5f8e32ce387646f5869798cb7d4d6b6773ad29be248339d6fc5ddbeee243.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: 9b7a5f8e32ce387646f5869798cb7d4d6b6773ad29be248339d6fc5ddbeee243.exe
  Resource: win10v2004-20220901-en
The results below are from the behavioral2 run (win10v2004-20220901-en, x64).
General
Target: 9b7a5f8e32ce387646f5869798cb7d4d6b6773ad29be248339d6fc5ddbeee243.exe
Size: 1.4MB
MD5: 18d70788c8724bb9e0686d3a52e9e883
SHA1: 8b89cbe1a61fe0810c89645d6ea93f782eb9a828
SHA256: 9b7a5f8e32ce387646f5869798cb7d4d6b6773ad29be248339d6fc5ddbeee243
SHA512: 1dee7870fe3c824a898c0e7b6401ba7b43b1ac45235304f0486baeb0b99a08760af6feaa5cf096ff38b90434bbb30ad402c0242fca0499a164448669db246a7f
SSDEEP: 12288:h6ZiQImGoC2WX+vEL4J8e4zxtm3DnP1AczCZqWfAtUEvaalG19Taw/H5CkUmCxjH:qGkE68eOxMDnP1AczCZ54tUpMigkU3xz
Signatures
- Yara rule match: upx
  Processes: 9b7a5f8e32ce387646f5869798cb7d4d6b6773ad29be248339d6fc5ddbeee243.exe
  resource | yara_rule
  behavioral2/memory/5096-137-0x0000000000400000-0x000000000063E000-memory.dmp | upx
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: 9b7a5f8e32ce387646f5869798cb7d4d6b6773ad29be248339d6fc5ddbeee243.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | 9b7a5f8e32ce387646f5869798cb7d4d6b6773ad29be248339d6fc5ddbeee243.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NetworkChecker = "C:\\Users\\Admin\\AppData\\Local\\Temp\\9b7a5f8e32ce387646f5869798cb7d4d6b6773ad29be248339d6fc5ddbeee243.exe" | 9b7a5f8e32ce387646f5869798cb7d4d6b6773ad29be248339d6fc5ddbeee243.exe
  The WOW6432Node path means a 32-bit process wrote HKLM\...\Run through WOW64 registry redirection on this x64 host. The value name NetworkChecker points back at the sample's own copy in the user's Temp directory, so this machine-wide autorun is the first artefact to hunt for on other hosts, and it stops working as soon as that file is removed.
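As an added example (not part of the sandbox report and not the sandbox vendor's code): a small Python parser that reads registry IoC rows in the report's own "description ioc" wording, normalizes the NT-style path to HKLM/HKU form, splits off the value name, and flags Run/RunOnce values whose target lives in a user-writable staging directory. The two Run-key rows above are embedded as constructed input; the SecurityHealth row, the per-user RunOnce row with its SID, and the staging-directory list (AppData\Local\Temp, Users\Public) are assumptions of this example, not anything the report states.

```python
import re
from dataclasses import dataclass, field
from typing import Iterable, List, Optional

# Constructed input for this example: the report's two Run-key rows (ioc column
# only), plus two made-up controls, a benign Windows autorun and a per-user one.
SAMPLE_IOCS = [
    r"Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run",
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NetworkChecker = "C:\\Users\\Admin\\AppData\\Local\\Temp\\9b7a5f8e32ce387646f5869798cb7d4d6b6773ad29be248339d6fc5ddbeee243.exe"',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth = "C:\\Windows\\system32\\SecurityHealthSystray.exe"',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1-2-3-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\upd = "C:\\Users\\Public\\upd.exe"',
]

IOC_RE = re.compile(
    r"^(?P<desc>Key created|Set value \((?P<vtype>\w+)\))\s+"
    r"(?P<path>\\REGISTRY\\\S+)"        # NT-style path, never contains spaces
    r"(?:\s*=\s*(?P<data>.+))?$"        # data is only present on 'Set value' rows
)
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)
# Assumed list of user-writable staging directories worth flagging.
STAGING_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\|\\Users\\Public\\", re.IGNORECASE)
HIVES = {"MACHINE": "HKLM", "USER": "HKU"}


@dataclass
class RegistryIoc:
    action: str                      # "Key created" or "Set value"
    key: str                         # normalized key path, e.g. HKLM\SOFTWARE\...
    value_name: Optional[str] = None
    value_type: Optional[str] = None
    data: Optional[str] = None       # value data with the report's escaping undone
    wow64: bool = False              # written through the WOW6432Node (32-bit) view
    in_run_key: bool = False
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def normalize_path(nt_path: str) -> str:
    """\\REGISTRY\\MACHINE\\SOFTWARE\\X -> HKLM\\SOFTWARE\\X; \\REGISTRY\\USER\\... -> HKU\\..."""
    parts = nt_path.split("\\")          # ['', 'REGISTRY', 'MACHINE', 'SOFTWARE', ...]
    hive = HIVES.get(parts[2], parts[2])
    return hive + "\\" + "\\".join(parts[3:])


def parse_ioc(line: str) -> Optional[RegistryIoc]:
    m = IOC_RE.match(line.strip())
    if not m:
        return None
    path = normalize_path(m.group("path"))
    if m.group("desc") == "Key created":
        ioc = RegistryIoc("Key created", path)
    else:
        key, _, value_name = path.rpartition("\\")   # last component is the value name
        data = m.group("data") or ""
        # the report prints string data quoted and with doubled backslashes
        data = data.strip('"').replace("\\\\", "\\")
        ioc = RegistryIoc("Set value", key, value_name, m.group("vtype"), data)
    ioc.wow64 = "\\WOW6432Node\\" in ioc.key
    ioc.in_run_key = bool(RUN_KEY_RE.search(ioc.key))
    # Creating the Run key alone is not an autorun; only a value that points
    # somewhere is, and we care where it points.
    if ioc.in_run_key and ioc.action == "Set value" and ioc.data:
        if STAGING_DIR_RE.search(ioc.data):
            ioc.reasons.append("autorun target lives in a user-writable staging directory")
    return ioc


def scan(lines: Iterable[str]) -> List[RegistryIoc]:
    """Parse every IoC row and return only the ones worth a hunt."""
    return [ioc for ioc in map(parse_ioc, lines) if ioc and ioc.suspicious]


if __name__ == "__main__":
    for hit in scan(SAMPLE_IOCS):
        print(f"{hit.key}\\{hit.value_name} -> {hit.data}  wow64={hit.wow64}  [{'; '.join(hit.reasons)}]")
```

The parser takes only the ioc column, so strip the trailing process-name column before feeding it rows copied from a report; on a live host the same check runs against the output of a registry enumeration of both the native and the WOW6432Node Run keys, since a 32-bit sample like this one never touches the native key.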
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoCs)
  Processes: 9b7a5f8e32ce387646f5869798cb7d4d6b6773ad29be248339d6fc5ddbeee243.exe
  pid | process
  5096 | 9b7a5f8e32ce387646f5869798cb7d4d6b6773ad29be248339d6fc5ddbeee243.exe
  NtSetInformationThread with the ThreadHideFromDebugger class (0x11) stops the calling thread from delivering debug events, so an attached debugger no longer sees it. It is a common anti-debugging step, and here it is done by the child process (5096), not by the original parent.
- Modifies Internet Explorer settings
  Processes: 9b7a5f8e32ce387646f5869798cb7d4d6b6773ad29be248339d6fc5ddbeee243.exe
  description | ioc | process
  Set value (data) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FlagsModifiedValid = 0000000000000000 | 9b7a5f8e32ce387646f5869798cb7d4d6b6773ad29be248339d6fc5ddbeee243.exe
  Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main | 9b7a5f8e32ce387646f5869798cb7d4d6b6773ad29be248339d6fc5ddbeee243.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\DefaultCompressedRecord = c880f97f7386e14b6153ca6eeb90598c6eda6228f404d951fcb219a46b8d343a57ce5651ab1fd736eeb3a7a95d6b5e4076046fd4b2ba9ce433c839998e4fc83aef63b1e8120662e976342f2762bad597c83b42b4f5677fa05436ceff143d87baff6b2a2b9e4df3 | 9b7a5f8e32ce387646f5869798cb7d4d6b6773ad29be248339d6fc5ddbeee243.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\RecordModifiedMax = "DOKhOJaoxY/fwVxnn5vBP6fS+Azhm3XnSjqnr3YC+NWymHCQUwnZ4t3EtsM7WVwVxw==" | 9b7a5f8e32ce387646f5869798cb7d4d6b6773ad29be248339d6fc5ddbeee243.exe
  These writes go to the per-user hive (HKU\S-1-5-21-...-1000), so they only affect the account the sample ran under.
- Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  Processes: 9b7a5f8e32ce387646f5869798cb7d4d6b6773ad29be248339d6fc5ddbeee243.exe, 9b7a5f8e32ce387646f5869798cb7d4d6b6773ad29be248339d6fc5ddbeee243.exe
  pid | process
  2328 | 9b7a5f8e32ce387646f5869798cb7d4d6b6773ad29be248339d6fc5ddbeee243.exe
  5096 | 9b7a5f8e32ce387646f5869798cb7d4d6b6773ad29be248339d6fc5ddbeee243.exe
  Polling GetForegroundWindow in a tight loop is how keyloggers and window-title monitors track which application has focus; both the parent and the child do it.
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: 9b7a5f8e32ce387646f5869798cb7d4d6b6773ad29be248339d6fc5ddbeee243.exe
  description | pid | process | target process
  PID 2328 wrote to memory of 5096 | 2328 | 9b7a5f8e32ce387646f5869798cb7d4d6b6773ad29be248339d6fc5ddbeee243.exe | 9b7a5f8e32ce387646f5869798cb7d4d6b6773ad29be248339d6fc5ddbeee243.exe
  PID 2328 wrote to memory of 5096 | 2328 | 9b7a5f8e32ce387646f5869798cb7d4d6b6773ad29be248339d6fc5ddbeee243.exe | 9b7a5f8e32ce387646f5869798cb7d4d6b6773ad29be248339d6fc5ddbeee243.exe
  PID 2328 wrote to memory of 5096 | 2328 | 9b7a5f8e32ce387646f5869798cb7d4d6b6773ad29be248339d6fc5ddbeee243.exe | 9b7a5f8e32ce387646f5869798cb7d4d6b6773ad29be248339d6fc5ddbeee243.exe
  All three writes go from the parent (2328) into the child (5096), a second instance of the same image that the parent spawned. Every later signature (Run key, ThreadHideFromDebugger, Internet Explorer settings) is attributed to the child, which is consistent with a loader writing its unpacked payload into a fresh copy of itself.
Processes
1. C:\Users\Admin\AppData\Local\Temp\9b7a5f8e32ce387646f5869798cb7d4d6b6773ad29be248339d6fc5ddbeee243.exe (PID 2328)
   command line: "C:\Users\Admin\AppData\Local\Temp\9b7a5f8e32ce387646f5869798cb7d4d6b6773ad29be248339d6fc5ddbeee243.exe"
   - Suspicious behavior: GetForegroundWindowSpam
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\9b7a5f8e32ce387646f5869798cb7d4d6b6773ad29be248339d6fc5ddbeee243.exe (PID 5096, child of 2328)
      command line: "C:\Users\Admin\AppData\Local\Temp\9b7a5f8e32ce387646f5869798cb7d4d6b6773ad29be248339d6fc5ddbeee243.exe"
      - Adds Run key to start application
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Modifies Internet Explorer settings
      - Suspicious behavior: GetForegroundWindowSpam
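As an added example, not from the report or the sandbox vendor: a Python correlation over a constructed event list modelled on the tables above (the two-level process tree, the three WriteProcessMemory rows, the ThreadHideFromDebugger hit and the Run-key write). It flags a parent that writes into a child running the same image, and attaches what that child did afterwards so the whole chain is visible in one finding. The simplified event shape, the explorer.exe/notepad.exe control rows and the allowlist parameter are assumptions of this example; the PIDs, image path and write count are taken from the report.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Iterable, List, Optional

SAMPLE = ("C:\\Users\\Admin\\AppData\\Local\\Temp\\"
          "9b7a5f8e32ce387646f5869798cb7d4d6b6773ad29be248339d6fc5ddbeee243.exe")

# Constructed event list in an assumed, simplified shape (not the sandbox's raw
# format). PIDs, image and counts come from this report; the explorer.exe /
# notepad.exe rows are a made-up benign control that must not fire.
EVENTS = [
    {"type": "process_create", "pid": 2328, "ppid": None, "image": SAMPLE},
    {"type": "process_create", "pid": 5096, "ppid": 2328, "image": SAMPLE},
    {"type": "write_process_memory", "pid": 2328, "target": 5096},
    {"type": "write_process_memory", "pid": 2328, "target": 5096},
    {"type": "write_process_memory", "pid": 2328, "target": 5096},
    {"type": "hide_from_debugger", "pid": 5096},
    {"type": "registry_set", "pid": 5096,
     "key": "HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run",
     "value": "NetworkChecker"},
    {"type": "process_create", "pid": 4000, "ppid": None, "image": "C:\\Windows\\explorer.exe"},
    {"type": "process_create", "pid": 4100, "ppid": 4000, "image": "C:\\Windows\\System32\\notepad.exe"},
    {"type": "write_process_memory", "pid": 4000, "target": 4100},
]


@dataclass
class Finding:
    parent: int
    child: int
    image: str
    writes: int
    child_actions: List[str] = field(default_factory=list)   # what the written-into child then did


def find_self_injection(events: Iterable[dict], min_writes: int = 1,
                        allow_images: FrozenSet[str] = frozenset()) -> List[Finding]:
    """Flag a parent that writes into a direct child running the same image.

    A loader that starts a fresh copy of itself and writes into it is the usual
    hand-off of an unpacked payload. allow_images holds lower-case file names
    (assumed allowlist, e.g. multi-process apps that legitimately write into
    their own children) that are skipped.
    """
    image: Dict[int, str] = {}
    parent: Dict[int, Optional[int]] = {}
    follow: Dict[int, List[str]] = defaultdict(list)
    writes: Counter = Counter()
    for e in events:
        t = e["type"]
        if t == "process_create":
            image[e["pid"]] = e["image"]
            parent[e["pid"]] = e["ppid"]
        elif t == "write_process_memory":
            writes[(e["pid"], e["target"])] += 1
        elif t == "hide_from_debugger":
            follow[e["pid"]].append("hide_from_debugger")
        elif t == "registry_set" and e["key"].lower().endswith("\\run"):
            follow[e["pid"]].append("run_key:" + e["value"])

    findings: List[Finding] = []
    for (src, dst), n in writes.items():
        if n < min_writes or parent.get(dst) != src:
            continue                                   # only direct parent -> child
        src_img, dst_img = image.get(src), image.get(dst)
        if not src_img or not dst_img or src_img.lower() != dst_img.lower():
            continue                                   # both sides must run the same image
        if src_img.rsplit("\\", 1)[-1].lower() in allow_images:
            continue
        findings.append(Finding(src, dst, src_img, n, follow.get(dst, [])))
    return findings


if __name__ == "__main__":
    for f in find_self_injection(EVENTS):
        name = f.image.rsplit("\\", 1)[-1]
        print(f"{f.parent} -> {f.child} ({name}): {f.writes} write(s); "
              f"child then: {', '.join(f.child_actions) or 'nothing notable'}")
```

Same-image parent-to-child writes are rare for ordinary software but not unique to malware, so expect to tune min_writes and fill allow_images for the multi-process applications in your estate before running this over endpoint telemetry; the child_actions field is what turns a single noisy hit into a chain worth escalating.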
Downloads (memory dumps)
memory/2328-132-0x0000000000400000-0x000000000063E000-memory.dmp  Filesize 2.2MB
memory/2328-136-0x0000000000400000-0x000000000063E000-memory.dmp  Filesize 2.2MB
memory/5096-133-0x0000000000000000-mapping.dmp
memory/5096-134-0x0000000000400000-0x000000000063E000-memory.dmp  Filesize 2.2MB
memory/5096-135-0x0000000000400000-0x000000000063E000-memory.dmp  Filesize 2.2MB
memory/5096-137-0x0000000000400000-0x000000000063E000-memory.dmp  Filesize 2.2MB
Every image dump covers the same 0x400000-0x63E000 range (0x23E000 bytes, about 2.2MB) in both the parent and the child, larger than the 1.4MB file on disk, as expected for a packed image that expands in memory. The 5096-137 dump is the one the upx yara rule matched, so it is the first to load when looking for the unpacked payload.