Analysis
- max time kernel: 152s
- max time network: 44s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 03-12-2022 00:29
- Static task: static1
- Behavioral task behavioral1: sample ced4ccbb2cf94c8413da7ec41eeb9c404840c50de096a788024e9828db55ca50.exe, resource win7-20221111-en
- Behavioral task behavioral2: sample ced4ccbb2cf94c8413da7ec41eeb9c404840c50de096a788024e9828db55ca50.exe, resource win10v2004-20221111-en

The signatures, PIDs and process tree below are from behavioral1 (the win7-20221111-en resource named above). The sample is tagged arch:x86 and every process in the trace runs from C:\Windows\SysWOW64, i.e. a 32-bit binary executing under WoW64 on the x64 image.
General
- Target: ced4ccbb2cf94c8413da7ec41eeb9c404840c50de096a788024e9828db55ca50.exe
- Size: 120KB
- MD5: 9e2d5116462c18c2a8b0dcb7bd88e9ca
- SHA1: 74ca2e701aae44413e3706a37ff44ebbe6c0e19d
- SHA256: ced4ccbb2cf94c8413da7ec41eeb9c404840c50de096a788024e9828db55ca50
- SHA512: 43da95509dfebfc6908e0fdd27c22c1e4e806b814103cb1c53386e0e4da222c4b918a7050c5eb2941a9110042de0d0f2de95a6086b64b22aebef4ce796344ee3
- SSDEEP: 1536:WlnMg9bWAdy4nHfUHD28+we3cotuFDcF4DfQKRx50KVT4iKEFXvxKqHs:WlNsAdy4n/UKw4co9FMfQeN/Xey
Malware Config
No extracted configuration is listed for this sample.

Signatures
- Grants admin privileges (1 TTP)
  Signature text: "Uses net.exe to modify the user's privileges." Check this against the process tree below before acting on it: every net.exe invocation in the trace is a query (net user, net localgroup administrators, net start, net view, net view /domain, net user /domain) and none carries /add or changes group membership. What the page actually evidences is enumeration of local users and of the Administrators group, not a privilege change.
- Executes dropped EXE (1 IoC)
  pid 1108, inetinfo.exe
- Loads dropped DLL (2 IoCs)
  pid 1148, ced4ccbb2cf94c8413da7ec41eeb9c404840c50de096a788024e9828db55ca50.exe (listed twice)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials. No IoC is listed for this signature.
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str), by ced4ccbb2cf94c8413da7ec41eeb9c404840c50de096a788024e9828db55ca50.exe:
  \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\inet32 = "C:\\ProgramData\\Application Data\\inetinfo.exe"
  Two details matter for hunting. The value name inet32 and the file name inetinfo.exe imitate the IIS worker process. The path goes through C:\ProgramData\Application Data, the legacy compatibility junction whose default ACL denies directory listing, so the dropped file does not appear when the folder is browsed even though it opens fine by full path.
- Discovers systems in the same network (1 TTP, 2 IoCs)
  pid 1972, net.exe (net view); pid 752, net.exe (net view /domain)
- Enumerates processes with tasklist (1 TTP, 1 IoC)
  pid 804, tasklist.exe
- Gathers network information (2 TTPs, 2 IoCs)
  Uses command-line utilities to view network configuration.
  pid 1064, NETSTAT.EXE (netstat -ano); pid 1996, ipconfig.exe (ipconfig /all). The arp -a run (pid 896) in the process tree is not counted under this signature.
- Gathers system information (1 TTP, 1 IoC)
  Runs systeminfo.exe: pid 1212
- Runs net.exe
  No IoCs listed; the individual invocations are in the process tree.
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, pid 1064 NETSTAT.EXE; Token: SeDebugPrivilege, pid 804 tasklist.exe
  Both utilities enable SeDebugPrivilege on start-up so they can open processes they do not own (netstat -o to map sockets to owning PIDs, tasklist to enumerate all processes). The IoC records the tools' own behaviour, not an action by the sample.
- Suspicious use of WriteProcessMemory (64 IoCs)
  The 64 entries (columns: description, pid, Process, procid_target) are 16 distinct parent-to-child writes, each logged four times. Deduplicated, in report order:
  1148 ced4ccbb2cf94c8413da7ec41eeb9c404840c50de096a788024e9828db55ca50.exe -> 1108 (procid_target 28)
  1108 inetinfo.exe -> 588 (29)
  588 cmd.exe -> 1212 (31), 996 (34), 2032 (36), 1916 (38), 1972 (40), 752 (41), 1100 (42), 1064 (44), 804 (45), 1996 (46)
  996 net.exe -> 1832 (35)
  2032 net.exe -> 944 (37)
  1916 net.exe -> 1060 (39)
  1100 net.exe -> 552 (43)
  Every write goes from a parent to the child it has just created, the same edges as the process tree below. That is what ordinary process creation looks like to this hook (the parent populating the new child's address space), not injection into an unrelated process. The arp -a child (pid 896) is in the tree but not in this list.
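Turning a WriteProcessMemory IoC list like the one above back into a process tree is a small parsing job worth automating, since the repetition hides how few real edges there are. The following is an added example (editor's code, not part of the sandbox report): IOC_TEXT is a constructed excerpt of the report's own entries, keeping the four-fold repetition only for the first two edges, and the regex and tree printer are assumptions about the column layout.

```python
"""Rebuild the parent/child process tree from a Triage-style
"Suspicious use of WriteProcessMemory" IoC list.

Added example, not part of the sandbox report. IOC_TEXT is a constructed
excerpt of the report's entries (the first two edges keep the report's
four-fold repetition, the rest appear once); the regex and the tree
printer are the editor's assumptions about the column layout."""
import re
from collections import defaultdict

SAMPLE = "ced4ccbb2cf94c8413da7ec41eeb9c404840c50de096a788024e9828db55ca50.exe"

# Constructed excerpt; columns are: description, pid, Process, procid_target.
IOC_TEXT = f"""
PID 1148 wrote to memory of 1108 1148 {SAMPLE} 28
PID 1148 wrote to memory of 1108 1148 {SAMPLE} 28
PID 1148 wrote to memory of 1108 1148 {SAMPLE} 28
PID 1148 wrote to memory of 1108 1148 {SAMPLE} 28
PID 1108 wrote to memory of 588 1108 inetinfo.exe 29
PID 1108 wrote to memory of 588 1108 inetinfo.exe 29
PID 1108 wrote to memory of 588 1108 inetinfo.exe 29
PID 1108 wrote to memory of 588 1108 inetinfo.exe 29
PID 588 wrote to memory of 1212 588 cmd.exe 31
PID 588 wrote to memory of 996 588 cmd.exe 34
PID 996 wrote to memory of 1832 996 net.exe 35
PID 588 wrote to memory of 2032 588 cmd.exe 36
PID 2032 wrote to memory of 944 2032 net.exe 37
PID 588 wrote to memory of 1916 588 cmd.exe 38
PID 1916 wrote to memory of 1060 1916 net.exe 39
PID 588 wrote to memory of 1972 588 cmd.exe 40
PID 588 wrote to memory of 752 588 cmd.exe 41
PID 588 wrote to memory of 1100 588 cmd.exe 42
PID 1100 wrote to memory of 552 1100 net.exe 43
PID 588 wrote to memory of 1064 588 cmd.exe 44
PID 588 wrote to memory of 804 588 cmd.exe 45
PID 588 wrote to memory of 1996 588 cmd.exe 46
"""

IOC_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)")


def parse_edges(text):
    """Return ({(parent, child): count}, {pid: image}).

    The Process column names the *writer* (the parent), so a child's image
    is only learned once that child writes to a process of its own."""
    counts = defaultdict(int)
    image = {}
    for m in IOC_RE.finditer(text):
        parent, child, pid, proc, _target = m.groups()
        if parent != pid:  # the pid column should repeat the writer's PID
            raise ValueError(f"inconsistent row: {m.group(0)}")
        counts[(int(parent), int(child))] += 1
        image[int(parent)] = proc
    return dict(counts), image


def build_tree(counts):
    """Children per parent (in report order) and the roots (never a child)."""
    children = defaultdict(list)
    for parent, child in counts:
        children[parent].append(child)
    roots = sorted({p for p, _ in counts} - {c for _, c in counts})
    return children, roots


def render(children, image, pid, depth=0):
    """Indented 'PID image' lines for the subtree rooted at pid."""
    label = image.get(pid, "(not a writer in this list)")
    lines = [f"{'  ' * depth}{pid} {label}"]
    for child in children.get(pid, []):
        lines.extend(render(children, image, child, depth + 1))
    return lines


def summarize(text=IOC_TEXT):
    counts, image = parse_edges(text)
    children, roots = build_tree(counts)
    tree = []
    for root in roots:
        tree.extend(render(children, image, root))
    return {"iocs": sum(counts.values()), "edges": len(counts), "tree": tree}


if __name__ == "__main__":
    s = summarize()
    print(f"{s['iocs']} IoC rows collapse to {s['edges']} parent->child edges")
    print("\n".join(s["tree"]))
```

Run against the full 64-row list, the same code yields 16 edges and a single root (PID 1148); leaf PIDs show up without an image because the list only names writers, which is why the tree section of the report is still needed for the command lines.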
Processes
- C:\Users\Admin\AppData\Local\Temp\ced4ccbb2cf94c8413da7ec41eeb9c404840c50de096a788024e9828db55ca50.exe (PID 1148)
  command line: "C:\Users\Admin\AppData\Local\Temp\ced4ccbb2cf94c8413da7ec41eeb9c404840c50de096a788024e9828db55ca50.exe"
  Loads dropped DLL; Adds Run key to start application; Suspicious use of WriteProcessMemory
  - C:\ProgramData\Application Data\inetinfo.exe (PID 1108)
    command line: "C:\ProgramData\Application Data\inetinfo.exe"
    Executes dropped EXE; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 588)
      command line: cmd /c C:\Users\Admin\AppData\Local\Temp\info.bat
      Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\systeminfo.exe (PID 1212): systeminfo
        Gathers system information
      - C:\Windows\SysWOW64\net.exe (PID 996): net user
        Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\net1.exe (PID 1832): C:\Windows\system32\net1 user
      - C:\Windows\SysWOW64\net.exe (PID 2032): net localgroup administrators
        Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\net1.exe (PID 944): C:\Windows\system32\net1 localgroup administrators
      - C:\Windows\SysWOW64\net.exe (PID 1916): net start
        Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\net1.exe (PID 1060): C:\Windows\system32\net1 start
      - C:\Windows\SysWOW64\net.exe (PID 1972): net view
        Discovers systems in the same network
      - C:\Windows\SysWOW64\net.exe (PID 752): net view /domain
        Discovers systems in the same network
      - C:\Windows\SysWOW64\net.exe (PID 1100): net user /domain
        Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\net1.exe (PID 552): C:\Windows\system32\net1 user /domain
      - C:\Windows\SysWOW64\NETSTAT.EXE (PID 1064): netstat -ano
        Gathers network information; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\tasklist.exe (PID 804): tasklist
        Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\ipconfig.exe (PID 1996): ipconfig /all
        Gathers network information
      - C:\Windows\SysWOW64\ARP.EXE (PID 896): arp -a

Reading the tree: the sample writes inetinfo.exe under the ProgramData junction and registers it in the Run key, then launches it; inetinfo.exe runs a batch file, info.bat, dropped in the user's Temp folder, and that batch drives the whole reconnaissance sequence with built-in utilities (systeminfo, net, netstat, tasklist, ipconfig, arp). The net1.exe children are expected, since net.exe hands every subcommand to net1.exe. The Network section of this page is empty, so where the collected output goes is not shown here.
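Two of the behaviours in that tree are reliably detectable from endpoint telemetry: a burst of built-in discovery tools spawned by one cmd.exe within seconds, and a Run-key autostart pointing into a user-writable path. The following is an added example by the editor, not the sandbox's own signature logic: the process and registry events are constructed to mirror the report's tree and Run key, the (ts, pid, ppid, image, cmdline) layout is an assumed Sysmon-like schema, and the timestamps are invented because the report gives none.

```python
"""Flag (1) a burst of built-in discovery tools spawned by one parent and
(2) a Run-key autostart pointing into a user-writable path.

Editor's added example, not the sandbox's signature logic. Events are
constructed to mirror the report's process tree and Run key; the field
layout is an assumed Sysmon-like schema and the timestamps are invented."""
import ntpath

SID = "S-1-5-21-3406023954-474543476-3319432036-1000"
RUN_KEY = rf"HKU\{SID}\Software\Microsoft\Windows\CurrentVersion\Run"
SYSWOW = r"C:\Windows\SysWOW64"
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\ced4ccbb2cf94c8413da7ec41eeb9c404840c50de096a788024e9828db55ca50.exe"

# Built-in utilities seen under cmd.exe (PID 588) in the report; extend as needed.
DISCOVERY_TOOLS = {"systeminfo.exe", "net.exe", "netstat.exe", "tasklist.exe",
                   "ipconfig.exe", "arp.exe"}
# Autostart targets under these roots are treated as expected.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Constructed process-creation events: (ts_seconds, pid, ppid, image, cmdline).
PROCESS_EVENTS = [
    (0.0, 1148, 1000, SAMPLE, f'"{SAMPLE}"'),  # ppid 1000 is invented
    (1.0, 1108, 1148, r"C:\ProgramData\Application Data\inetinfo.exe", "inetinfo.exe"),
    (2.0, 588, 1108, rf"{SYSWOW}\cmd.exe", r"cmd /c C:\Users\Admin\AppData\Local\Temp\info.bat"),
    (2.5, 1212, 588, rf"{SYSWOW}\systeminfo.exe", "systeminfo"),
    (3.0, 996, 588, rf"{SYSWOW}\net.exe", "net user"),
    (3.1, 1832, 996, rf"{SYSWOW}\net1.exe", r"C:\Windows\system32\net1 user"),
    (3.5, 2032, 588, rf"{SYSWOW}\net.exe", "net localgroup administrators"),
    (4.0, 1916, 588, rf"{SYSWOW}\net.exe", "net start"),
    (4.5, 1972, 588, rf"{SYSWOW}\net.exe", "net view"),
    (5.0, 752, 588, rf"{SYSWOW}\net.exe", "net view /domain"),
    (5.5, 1100, 588, rf"{SYSWOW}\net.exe", "net user /domain"),
    (6.0, 1064, 588, rf"{SYSWOW}\NETSTAT.EXE", "netstat -ano"),
    (6.5, 804, 588, rf"{SYSWOW}\tasklist.exe", "tasklist"),
    (7.0, 1996, 588, rf"{SYSWOW}\ipconfig.exe", "ipconfig /all"),
    (7.5, 896, 588, rf"{SYSWOW}\ARP.EXE", "arp -a"),
    # Constructed benign control: an admin running a single command much later.
    (500.0, 3000, 2500, r"C:\Windows\System32\cmd.exe", "cmd"),
    (501.0, 3001, 3000, r"C:\Windows\System32\ipconfig.exe", "ipconfig /all"),
]

# Constructed registry-set events: (pid, key, value_name, data).
REGISTRY_EVENTS = [
    (1148, RUN_KEY, "inet32", r"C:\ProgramData\Application Data\inetinfo.exe"),
    (4000, RUN_KEY, "OneDrive",
     r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'),  # benign control
]


def _name(image):
    return ntpath.basename(image).lower()


def discovery_bursts(events, window=60.0, min_tools=4):
    """One finding per parent that launches >= min_tools distinct discovery
    utilities within `window` seconds (net.exe counts once, however many
    subcommands it runs)."""
    by_parent = {}
    for ts, _pid, ppid, image, cmdline in sorted(events):
        by_parent.setdefault(ppid, []).append((ts, _name(image), cmdline))
    findings = []
    for ppid, kids in by_parent.items():
        for i, (start, _, _) in enumerate(kids):
            in_win = [k for k in kids[i:]
                      if k[0] - start <= window and k[1] in DISCOVERY_TOOLS]
            tools = sorted({name for _, name, _ in in_win})
            if len(tools) >= min_tools:
                findings.append({"parent_pid": ppid, "tools": tools,
                                 "cmdlines": [c for _, _, c in in_win]})
                break  # one finding per parent is enough
    return findings


def _exe_path(data):
    """Executable part of a Run value: the quoted path, or up to '.exe'."""
    s = data.strip()
    if s.startswith('"'):
        return s[1:s.index('"', 1)]
    i = s.lower().find(".exe")
    return s[:i + 4] if i >= 0 else s.split(" ")[0]


def suspicious_run_keys(reg_events):
    """Run/RunOnce values whose target lives outside the trusted roots or
    passes through the non-listable 'Application Data' junction."""
    findings = []
    for pid, key, value, data in reg_events:
        if not key.lower().endswith((r"\currentversion\run", r"\currentversion\runonce")):
            continue
        path = _exe_path(data)
        low = path.lower()
        reasons = []
        if not low.startswith(TRUSTED_ROOTS):
            reasons.append("autostart binary outside Windows/Program Files")
        if "\\application data\\" in low:
            reasons.append("path goes through the non-listable 'Application Data' junction")
        if reasons:
            findings.append({"pid": pid, "value": value, "path": path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in discovery_bursts(PROCESS_EVENTS):
        print(f"discovery burst under PID {f['parent_pid']}: {', '.join(f['tools'])}")
    for f in suspicious_run_keys(REGISTRY_EVENTS):
        print(f"Run value {f['value']} -> {f['path']}: {'; '.join(f['reasons'])}")
```

The burst rule keys on distinct tool names rather than raw child count so that six net.exe subcommands do not inflate the score on their own, and the benign control (one ipconfig from an interactive cmd) stays below the threshold. The Run-key rule deliberately checks the junction string separately: a path under C:\ProgramData is only mildly unusual, but one routed through "Application Data" is chosen precisely because the folder cannot be listed.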
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize 120KB
  MD5 9e2d5116462c18c2a8b0dcb7bd88e9ca
  SHA1 74ca2e701aae44413e3706a37ff44ebbe6c0e19d
  SHA256 ced4ccbb2cf94c8413da7ec41eeb9c404840c50de096a788024e9828db55ca50
  SHA512 43da95509dfebfc6908e0fdd27c22c1e4e806b814103cb1c53386e0e4da222c4b918a7050c5eb2941a9110042de0d0f2de95a6086b64b22aebef4ce796344ee3
- Filesize 581B (the page does not name this file)
  MD5 52b5878fbe8ecfafe96177c8001328b7
  SHA1 3bc5f0fe87c76ed056e940dfcfaa176397527d94
  SHA256 2ce2bccf6b09a3b49aafe4306b378fe0f4dea8f1104c1a0dfc060af5945f37db
  SHA512 d6284b5b081887a2773cd4d459c225d9952b4f28551ea98f2463ef70009443bc75138fb6e5a871a14ab7935102e57b3cbc8310cafc1d97f530ed9a8ac6c4dd5c
- Filesize 120KB, same MD5/SHA1/SHA256/SHA512 as the first entry
- Filesize 120KB, same MD5/SHA1/SHA256/SHA512 as the first entry

Three of the four downloadable artifacts hash identically to the submitted sample, i.e. the sample was written to disk unmodified during the run, which is consistent with the dropped inetinfo.exe being a plain copy of it.