b295631063a6186a09a9dfee224bca7af6d4ab1650e9d63cdc325cf3fe1cd3d6

Analysis

max time kernel
63s
max time network
106s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
27-12-2022 20:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8ae961c6b93f01bb6d7927223041f2d18ed3a2f9.exe
Size

2.3MB
MD5

319e5fbf83add883095fef277ac8e092
SHA1

8ae961c6b93f01bb6d7927223041f2d18ed3a2f9
SHA256

b295631063a6186a09a9dfee224bca7af6d4ab1650e9d63cdc325cf3fe1cd3d6
SHA512

1acf3b45fea1141338539cd7d37ff77d56911a27446fc4e83abaea4da904208e644c3bfdb15b78e868472c88ddd6d684ad162c268c1b2c2dea50b3e810c19d11
SSDEEP

49152:D0h8WyLIxcxU0oQGqmIHyPFUI/G7y3NmbzoZAXCRWlR1ObMy5TKiM:D0htUIOxUXlIHuaf7y3gz1KbM

Score

7^/10

spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

8ae961c6b93f01bb6d7927223041f2d18ed3a2f9.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\International\Geo\Nation	8ae961c6b93f01bb6d7927223041f2d18ed3a2f9.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

6 ipinfo.io
7 ipinfo.io

flow	ioc
6	ipinfo.io
7	ipinfo.io

Drops file in System32 directory 4 IoCs

Processes:

8ae961c6b93f01bb6d7927223041f2d18ed3a2f9.exe

description	ioc	process
File opened for modification	C:\Windows\System32\GroupPolicy	8ae961c6b93f01bb6d7927223041f2d18ed3a2f9.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	8ae961c6b93f01bb6d7927223041f2d18ed3a2f9.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	8ae961c6b93f01bb6d7927223041f2d18ed3a2f9.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	8ae961c6b93f01bb6d7927223041f2d18ed3a2f9.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1868 2020 WerFault.exe 8ae961c6b93f01bb6d7927223041f2d18ed3a2f9.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

8ae961c6b93f01bb6d7927223041f2d18ed3a2f9.exe

pid process

2020 8ae961c6b93f01bb6d7927223041f2d18ed3a2f9.exe

pid	pid_target	process	target process
1868	2020	WerFault.exe	8ae961c6b93f01bb6d7927223041f2d18ed3a2f9.exe

pid	process
2020	8ae961c6b93f01bb6d7927223041f2d18ed3a2f9.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

8ae961c6b93f01bb6d7927223041f2d18ed3a2f9.exe

description	pid	process	target process
PID 2020 wrote to memory of 1868	2020	8ae961c6b93f01bb6d7927223041f2d18ed3a2f9.exe	WerFault.exe
PID 2020 wrote to memory of 1868	2020	8ae961c6b93f01bb6d7927223041f2d18ed3a2f9.exe	WerFault.exe
PID 2020 wrote to memory of 1868	2020	8ae961c6b93f01bb6d7927223041f2d18ed3a2f9.exe	WerFault.exe
PID 2020 wrote to memory of 1868	2020	8ae961c6b93f01bb6d7927223041f2d18ed3a2f9.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\8ae961c6b93f01bb6d7927223041f2d18ed3a2f9.exe
"C:\Users\Admin\AppData\Local\Temp\8ae961c6b93f01bb6d7927223041f2d18ed3a2f9.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2020 -s 1388
2⤵
- Program crash
PID:1868

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1868-55-0x0000000000000000-mapping.dmp

Download
memory/2020-54-0x0000000075451000-0x0000000075453000-memory.dmp

Filesize
8KB

Download