Analysis
-
max time kernel
135s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
03-12-2022 14:35
General
-
Target
c6d330ac8af0cd12af96411868f7a2a12bc38abb6b184543ca13d89afdb57b14.exe
-
Size
70KB
-
MD5
4a9e537690c47b80219ef48d07dfcd86
-
SHA1
2357224b7f59940c77015ca600e02615b5128cfc
-
SHA256
c6d330ac8af0cd12af96411868f7a2a12bc38abb6b184543ca13d89afdb57b14
-
SHA512
55ec63e95f7760bd313395e32bae7ed9e7475a0e7e39f5d08b255c6ffd71f2afddaaa27fd38c70f53d90b2ab628fa4ca74d3ab736dc82aa992431d80744b7782
-
SSDEEP
768:QkpLA8BtBV0QJcW5wqInmNSfyvwx+BKXCJW+trdvsWCJn66kvOR:tkQJcqwmIfj+ECJG/kvO
Malware Config
Signatures
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Executes dropped EXE 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
-
Discovers systems in the same network 1 TTPs 1 IoCs
-
Enumerates processes with tasklist 1 TTPs 1 IoCs
-
Gathers network information 2 TTPs 3 IoCs
Uses commandline utility to view network configuration.
-
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.
-
Runs net.exe
-
Suspicious use of AdjustPrivilegeToken 34 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\c6d330ac8af0cd12af96411868f7a2a12bc38abb6b184543ca13d89afdb57b14.exe"C:\Users\Admin\AppData\Local\Temp\c6d330ac8af0cd12af96411868f7a2a12bc38abb6b184543ca13d89afdb57b14.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\Application Data\wmimgmt.exe"C:\ProgramData\Application Data\wmimgmt.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /v:on /c C:\Users\Admin\AppData\Local\Temp\ghi.bat3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\findstr.exefindstr /s "YM.CGP_" "C:\Users\Admin"\..\*.txt4⤵
-
-
C:\Windows\SysWOW64\chcp.comchcp4⤵
-
-
C:\Windows\SysWOW64\net.exenet user4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 user5⤵
-
-
-
C:\Windows\SysWOW64\net.exenet localgroup administrators4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup administrators5⤵
-
-
-
C:\Windows\SysWOW64\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\systeminfo.exesysteminfo4⤵
- Gathers system information
-
-
C:\Windows\SysWOW64\reg.exereg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer"4⤵
-
-
C:\Windows\SysWOW64\find.exefind "REG_"4⤵
-
-
C:\Windows\SysWOW64\reg.exereg query HKEY_CURRENT_USER\Software\Microsoft\Office4⤵
-
-
C:\Windows\SysWOW64\reg.exereg query HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Common\UserInfo4⤵
-
-
C:\Windows\SysWOW64\reg.exereg query HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Common\UserInfo4⤵
-
-
C:\Windows\SysWOW64\reg.exereg query HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Common\UserInfo4⤵
-
-
C:\Windows\SysWOW64\reg.exereg query HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Common\UserInfo4⤵
-
-
C:\Windows\SysWOW64\reg.exereg query HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Common\UserInfo4⤵
-
-
C:\Windows\SysWOW64\reg.exereg query HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Common\UserInfo4⤵
-
-
C:\Windows\SysWOW64\reg.exereg query "HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts" /s4⤵
-
-
C:\Windows\SysWOW64\reg.exereg query "HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts" /s4⤵
- Accesses Microsoft Outlook accounts
-
-
C:\Windows\SysWOW64\reg.exereg query "HKEY_CURRENT_USER\Software\Mirabilis\ICQ" /s4⤵
-
-
C:\Windows\SysWOW64\reg.exereg query "HKEY_CURRENT_USER\Software\Microsoft\MSNMessenger" /s4⤵
-
-
C:\Windows\SysWOW64\net.exenet user Admin4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 user Admin5⤵
-
-
-
C:\Windows\SysWOW64\net.exenet user Admin /domain4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 user Admin /domain5⤵
-
-
-
C:\Windows\SysWOW64\net.exenet group4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 group5⤵
-
-
-
C:\Windows\SysWOW64\net.exenet group /domain4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 group /domain5⤵
-
-
-
C:\Windows\SysWOW64\net.exenet group "domain admins"4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 group "domain admins"5⤵
-
-
-
C:\Windows\SysWOW64\net.exenet group "domain admins" /domain4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 group "domain admins" /domain5⤵
-
-
-
C:\Windows\SysWOW64\net.exenet group "domain computers"4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 group "domain computers"5⤵
-
-
-
C:\Windows\SysWOW64\net.exenet group "domain computers" /domain4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 group "domain computers" /domain5⤵
-
-
-
C:\Windows\SysWOW64\net.exenet group "domain controllers"4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 group "domain controllers"5⤵
-
-
-
C:\Windows\SysWOW64\net.exenet group "domain controllers" /domain4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 group "domain controllers" /domain5⤵
-
-
-
C:\Windows\SysWOW64\ipconfig.exeipconfig /all4⤵
- Gathers network information
-
-
C:\Windows\SysWOW64\NETSTAT.EXEnetstat -ano4⤵
- Gathers network information
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\ARP.EXEarp -a4⤵
-
-
C:\Windows\SysWOW64\NETSTAT.EXEnetstat -r4⤵
- Gathers network information
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Windows\system32\route.exe" print5⤵
-
C:\Windows\SysWOW64\ROUTE.EXEC:\Windows\system32\route.exe print6⤵
-
-
-
-
C:\Windows\SysWOW64\net.exenet start4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start5⤵
-
-
-
C:\Windows\SysWOW64\net.exenet use4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo n"4⤵
-
-
C:\Windows\SysWOW64\net.exenet share4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 share5⤵
-
-
-
C:\Windows\SysWOW64\net.exenet view /domain4⤵
- Discovers systems in the same network
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\s.log "4⤵
-
-
C:\Windows\SysWOW64\find.exefind /i /v "------"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\t.log "4⤵
-
-
C:\Windows\SysWOW64\find.exefind /i /v "domain"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\s.log "4⤵
-
-
C:\Windows\SysWOW64\find.exefind /i /v "¬A╛╣"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\t.log "4⤵
-
-
C:\Windows\SysWOW64\find.exefind /i /v "░⌡ªµª¿"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\s.log "4⤵
-
-
C:\Windows\SysWOW64\find.exefind /i /v "├ⁿ┴ε"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\t.log "4⤵
-
-
C:\Windows\SysWOW64\find.exefind /i /v "completed successfully"4⤵
-
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
70KB
MD54a9e537690c47b80219ef48d07dfcd86
SHA12357224b7f59940c77015ca600e02615b5128cfc
SHA256c6d330ac8af0cd12af96411868f7a2a12bc38abb6b184543ca13d89afdb57b14
SHA51255ec63e95f7760bd313395e32bae7ed9e7475a0e7e39f5d08b255c6ffd71f2afddaaa27fd38c70f53d90b2ab628fa4ca74d3ab736dc82aa992431d80744b7782
-
Filesize
70KB
MD54a9e537690c47b80219ef48d07dfcd86
SHA12357224b7f59940c77015ca600e02615b5128cfc
SHA256c6d330ac8af0cd12af96411868f7a2a12bc38abb6b184543ca13d89afdb57b14
SHA51255ec63e95f7760bd313395e32bae7ed9e7475a0e7e39f5d08b255c6ffd71f2afddaaa27fd38c70f53d90b2ab628fa4ca74d3ab736dc82aa992431d80744b7782
-
Filesize
49B
MD5f2ae9d5ddaf95dff879bcdd2482dadb5
SHA178241ac1e0128dea22b5f72f3ad6601b9f1b48b5
SHA256ca10a19f1be0c3bc16acf0afb3edc842f550729725a22feeb1a7b0ce3bb0d9e0
SHA512712b9dbb1110e5006255c6e7732e83966a71c8503b97e63aeedd666ef69591585d232c905314b961bffc6f0685ab114c8c5f57222670a707ef8b86bcedfca0ce
-
Filesize
10B
MD53594ed70083b6e10efbfbcd4142b6454
SHA159b91832fc3778d2dba62642935c61fb768c760c
SHA256c1aead592e2eb892263a7b1a7ca36484c73013be81dda18ccbe6a35138799823
SHA512418466d5b10ba557bdb229cfcf7e190e7cedd9fd52a72e2591f78fc1c5c983b04c60c9307e8919c3d7e366d71c54a325d4f20e4ad4850677b115ca9c562d0586
-
Filesize
4KB
MD5b91bc08162fbc3445c5424b77183b807
SHA152b2a60db40cdcc655648a65210ed26219c033e1
SHA2567cec366268426139777f0776ba3cbce6a50f4112a96fa88190bee2ebe665275a
SHA5122f19fe96209dcb4e189a8fecddcac40ebed8ce0c6999a469268b57e74e9e830a7b03c1d024c616797ae9029a4566fa96006f29e1fa042bca1534d1d815ae8b35
-
Filesize
108KB
-
Filesize
108KB
-
Filesize
108KB
-
Filesize
108KB