Analysis
max time kernel: 202s
max time network: 208s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-11-2022 08:52

Static task: static1

Behavioral task: behavioral1
  Sample: 94b6c71a9fb5a2a08fc4f290b8814fa96943ca44597a3d5452fa170da6a4ead1.exe
  Resource: win7-20220901-en

Behavioral task: behavioral2
  Sample: 94b6c71a9fb5a2a08fc4f290b8814fa96943ca44597a3d5452fa170da6a4ead1.exe
  Resource: win10v2004-20221111-en
General
Target: 94b6c71a9fb5a2a08fc4f290b8814fa96943ca44597a3d5452fa170da6a4ead1.exe
Size: 476KB
MD5: 4ebc24f4abf40feb4086fc68dd348a59
SHA1: c66b0e306b536c7768cc75fb304bd02f691c072f
SHA256: 94b6c71a9fb5a2a08fc4f290b8814fa96943ca44597a3d5452fa170da6a4ead1
SHA512: 073fbe17fe486fb8711f5a47b6c140687fbcd5f39c84779343b666087b2bd26131bfb5611b622bfc47fe76f6edef1fd5db2ef2a2edbc587981dedfb9367b17ce
SSDEEP: 3072:aFfMwbfLTh7N5a8cPl1UHFbPdrLWg5nxipwmOxwOyp0wFlTHNcN3z:aVM8LVUl0b1rLWgtYbO+OK7G
Malware Config

Signatures

Accesses Microsoft Outlook accounts (1 TTPs, 1 IoCs)
Processes: iexplore.exe
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | iexplore.exe

Accesses Microsoft Outlook profiles (1 TTPs, 1 IoCs)
Processes: iexplore.exe
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | iexplore.exe
Suspicious use of SetThreadContext (1 IoCs)
Processes: 94b6c71a9fb5a2a08fc4f290b8814fa96943ca44597a3d5452fa170da6a4ead1.exe
  description | pid | process | target process
  PID 4056 set thread context of 4312 | 4056 | 94b6c71a9fb5a2a08fc4f290b8814fa96943ca44597a3d5452fa170da6a4ead1.exe | iexplore.exe
Suspicious use of AdjustPrivilegeToken (48 IoCs)
Processes: iexplore.exe
  description | pid | process
  The following cycle of eight token adjustments is recorded six times in sequence (48 IoCs in total):
  Token: SeImpersonatePrivilege | 4312 | iexplore.exe
  Token: SeTcbPrivilege | 4312 | iexplore.exe
  Token: SeChangeNotifyPrivilege | 4312 | iexplore.exe
  Token: SeCreateTokenPrivilege | 4312 | iexplore.exe
  Token: SeBackupPrivilege | 4312 | iexplore.exe
  Token: SeRestorePrivilege | 4312 | iexplore.exe
  Token: SeIncreaseQuotaPrivilege | 4312 | iexplore.exe
  Token: SeAssignPrimaryTokenPrivilege | 4312 | iexplore.exe
  (cycle repeated 6 times)
Suspicious use of WriteProcessMemory (11 IoCs)
Processes: 94b6c71a9fb5a2a08fc4f290b8814fa96943ca44597a3d5452fa170da6a4ead1.exe, iexplore.exe
  description | pid | process | target process
  PID 4056 wrote to memory of 4312 | 4056 | 94b6c71a9fb5a2a08fc4f290b8814fa96943ca44597a3d5452fa170da6a4ead1.exe | iexplore.exe  (8 entries)
  PID 4312 wrote to memory of 4640 | 4312 | iexplore.exe | cmd.exe  (3 entries)
outlook_win_path (1 IoCs)
Processes: iexplore.exe
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | iexplore.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\94b6c71a9fb5a2a08fc4f290b8814fa96943ca44597a3d5452fa170da6a4ead1.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\94b6c71a9fb5a2a08fc4f290b8814fa96943ca44597a3d5452fa170da6a4ead1.exe"
   PID: 4056
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory

   2. C:\Program Files (x86)\Internet Explorer\iexplore.exe
      Command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
      PID: 4312
      - Accesses Microsoft Outlook accounts
      - Accesses Microsoft Outlook profiles
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - outlook_win_path

      3. C:\Windows\SysWOW64\cmd.exe
         Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240651281.bat" "C:\Program Files (x86)\Internet Explorer\iexplore.exe" "
         PID: 4640
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\AppData\Local\Temp\240651281.bat
  Filesize: 94B
  MD5: 3880eeb1c736d853eb13b44898b718ab
  SHA1: 4eec9d50360cd815211e3c4e6bdd08271b6ec8e6
  SHA256: 936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7
  SHA512: 3eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b

memory/4640-132-0x0000000000000000-mapping.dmp