Analysis

max time kernel: 218s
max time network: 307s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 28-11-2022 05:17
Static task: static1

Behavioral task: behavioral1
  Sample: 442e8c78d497753e7fab621b5077309186fcf8ffc9fa6f0ccf8043135be3fab9.exe
  Resource: win7-20221111-en

Behavioral task: behavioral2
  Sample: 442e8c78d497753e7fab621b5077309186fcf8ffc9fa6f0ccf8043135be3fab9.exe
  Resource: win10v2004-20220812-en
General

Target: 442e8c78d497753e7fab621b5077309186fcf8ffc9fa6f0ccf8043135be3fab9.exe
Size: 170KB
MD5: f5a7b3f623d6cfe9876fb0674e3be2d7
SHA1: 126932e084a7ce0b36a4529e20d83e67fc8b62c8
SHA256: 442e8c78d497753e7fab621b5077309186fcf8ffc9fa6f0ccf8043135be3fab9
SHA512: a6c22ebccb290418d692c605d6b3afaebd7e537482ab9fae67c2914ecab0c2ac508220ac586d364d2f5207468a949b0f0317d658a2da4e83ceadaf74bea3b386
SSDEEP: 3072:iXJ/cm7pBFYVJo5UirIEuGAQNCfW3Ouk5CINHrZaKjce+sLT:I1/1B+wR3v1NyWeuuBNHgK/
Malware Config

Signatures

Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

Suspicious use of AdjustPrivilegeToken (8 IoCs)
  Processes:
  description                          pid   process
  Token: SeImpersonatePrivilege        1516  442e8c78d497753e7fab621b5077309186fcf8ffc9fa6f0ccf8043135be3fab9.exe
  Token: SeTcbPrivilege                1516  442e8c78d497753e7fab621b5077309186fcf8ffc9fa6f0ccf8043135be3fab9.exe
  Token: SeChangeNotifyPrivilege       1516  442e8c78d497753e7fab621b5077309186fcf8ffc9fa6f0ccf8043135be3fab9.exe
  Token: SeCreateTokenPrivilege        1516  442e8c78d497753e7fab621b5077309186fcf8ffc9fa6f0ccf8043135be3fab9.exe
  Token: SeBackupPrivilege             1516  442e8c78d497753e7fab621b5077309186fcf8ffc9fa6f0ccf8043135be3fab9.exe
  Token: SeRestorePrivilege            1516  442e8c78d497753e7fab621b5077309186fcf8ffc9fa6f0ccf8043135be3fab9.exe
  Token: SeIncreaseQuotaPrivilege      1516  442e8c78d497753e7fab621b5077309186fcf8ffc9fa6f0ccf8043135be3fab9.exe
  Token: SeAssignPrimaryTokenPrivilege 1516  442e8c78d497753e7fab621b5077309186fcf8ffc9fa6f0ccf8043135be3fab9.exe

Suspicious use of UnmapMainImage (1 IoCs)
  Processes:
  pid   process
  1516  442e8c78d497753e7fab621b5077309186fcf8ffc9fa6f0ccf8043135be3fab9.exe
Processes
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

memory/1516-54-0x0000000076931000-0x0000000076933000-memory.dmp  Filesize: 8KB
memory/1516-55-0x0000000000250000-0x0000000000267000-memory.dmp  Filesize: 92KB
memory/1516-56-0x0000000000310000-0x0000000000340000-memory.dmp  Filesize: 192KB
memory/1516-57-0x0000000000400000-0x0000000000430000-memory.dmp  Filesize: 192KB
memory/1516-58-0x0000000000310000-0x0000000000340000-memory.dmp  Filesize: 192KB
memory/1516-59-0x0000000000400000-0x0000000000430000-memory.dmp  Filesize: 192KB