Analysis
Max time kernel: 63s
Max time network: 106s
Platform: windows7_x64
Resource: win7-20220812-en
Resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
Submitted: 27-12-2022 20:50
Behavioral task: behavioral1
Sample: 8ae961c6b93f01bb6d7927223041f2d18ed3a2f9.exe
Resource: win7-20220812-en
General
Target: 8ae961c6b93f01bb6d7927223041f2d18ed3a2f9.exe
Size: 2.3MB
MD5: 319e5fbf83add883095fef277ac8e092
SHA1: 8ae961c6b93f01bb6d7927223041f2d18ed3a2f9
SHA256: b295631063a6186a09a9dfee224bca7af6d4ab1650e9d63cdc325cf3fe1cd3d6
SHA512: 1acf3b45fea1141338539cd7d37ff77d56911a27446fc4e83abaea4da904208e644c3bfdb15b78e868472c88ddd6d684ad162c268c1b2c2dea50b3e810c19d11
SSDEEP: 49152:D0h8WyLIxcxU0oQGqmIHyPFUI/G7y3NmbzoZAXCRWlR1ObMy5TKiM:D0htUIOxUXlIHuaf7y3gz1KbM
Malware Config
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
Processes:
Description        | IoC                                                                                                      | Process
Key value queried  | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\International\Geo\Nation | 8ae961c6b93f01bb6d7927223041f2d18ed3a2f9.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials.
Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
Flow | IoC
6    | ipinfo.io
7    | ipinfo.io
Drops file in System32 directory (4 IoCs)
Processes:
Description                  | IoC                                              | Process
File opened for modification | C:\Windows\System32\GroupPolicy                  | 8ae961c6b93f01bb6d7927223041f2d18ed3a2f9.exe
File opened for modification | C:\Windows\SysWOW64\GroupPolicy\gpt.ini          | 8ae961c6b93f01bb6d7927223041f2d18ed3a2f9.exe
File created                 | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | 8ae961c6b93f01bb6d7927223041f2d18ed3a2f9.exe
File opened for modification | C:\Windows\System32\GroupPolicy\GPT.INI          | 8ae961c6b93f01bb6d7927223041f2d18ed3a2f9.exe
Program crash (1 IoC)
Processes:
PID  | Target PID | Process      | Target process
1868 | 2020       | WerFault.exe | 8ae961c6b93f01bb6d7927223041f2d18ed3a2f9.exe
Suspicious behavior: EnumeratesProcesses (1 IoC)
Processes:
PID  | Process
2020 | 8ae961c6b93f01bb6d7927223041f2d18ed3a2f9.exe
Suspicious use of WriteProcessMemory (4 IoCs)
Processes:
Description                       | PID  | Process                                      | Target process
PID 2020 wrote to memory of 1868  | 2020 | 8ae961c6b93f01bb6d7927223041f2d18ed3a2f9.exe | WerFault.exe
PID 2020 wrote to memory of 1868  | 2020 | 8ae961c6b93f01bb6d7927223041f2d18ed3a2f9.exe | WerFault.exe
PID 2020 wrote to memory of 1868  | 2020 | 8ae961c6b93f01bb6d7927223041f2d18ed3a2f9.exe | WerFault.exe
PID 2020 wrote to memory of 1868  | 2020 | 8ae961c6b93f01bb6d7927223041f2d18ed3a2f9.exe | WerFault.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\8ae961c6b93f01bb6d7927223041f2d18ed3a2f9.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\8ae961c6b93f01bb6d7927223041f2d18ed3a2f9.exe"
   - Checks computer location settings
   - Drops file in System32 directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\WerFault.exe (child of process 1)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2020 -s 1388
      - Program crash