Analysis

max time kernel: 43s
max time network: 46s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 13-01-2023 19:31
Behavioral task: behavioral1
Sample: F5C67FE00B4CBEE07D5E394C87F0C6224BBD841A92151.exe
Resource: win7-20220812-en
General

Target: F5C67FE00B4CBEE07D5E394C87F0C6224BBD841A92151.exe
Size: 1.1MB
MD5: 842ae8e819177105e1a1af934b1ee520
SHA1: 17104eca148dcd0e15ffb31e4c7a3defdd406d12
SHA256: f5c67fe00b4cbee07d5e394c87f0c6224bbd841a92151d04841f584d56e58b0c
SHA512: b92ecfb5c89996332dd674682694a111aee2bc26b21678c9e60dc592272b91a0f6e9d2a478528b6f257290c5ef43ed9d87d7fac3b8314e768144951333e4916d
SSDEEP: 24576:zXdmFGXOGXlTztlj3RbjO7jlUIixAWLc7ARpTLzVONY/tx4:rdfLVTLjxwjlQntT/VO2x4
Malware Config
Signatures
Modifies Windows Defender Real-time Protection settings
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | F5C67FE00B4CBEE07D5E394C87F0C6224BBD841A92151.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | F5C67FE00B4CBEE07D5E394C87F0C6224BBD841A92151.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | F5C67FE00B4CBEE07D5E394C87F0C6224BBD841A92151.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1" | F5C67FE00B4CBEE07D5E394C87F0C6224BBD841A92151.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | F5C67FE00B4CBEE07D5E394C87F0C6224BBD841A92151.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | F5C67FE00B4CBEE07D5E394C87F0C6224BBD841A92151.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | F5C67FE00B4CBEE07D5E394C87F0C6224BBD841A92151.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Control Panel\International\Geo\Nation | F5C67FE00B4CBEE07D5E394C87F0C6224BBD841A92151.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
1 | ipinfo.io
2 | ipinfo.io
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
pid | process
1884 | F5C67FE00B4CBEE07D5E394C87F0C6224BBD841A92151.exe
Processes

C:\Users\Admin\AppData\Local\Temp\F5C67FE00B4CBEE07D5E394C87F0C6224BBD841A92151.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\F5C67FE00B4CBEE07D5E394C87F0C6224BBD841A92151.exe"
  - Modifies Windows Defender Real-time Protection settings
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

memory/1884-54-0x0000000075201000-0x0000000075203000-memory.dmp
Filesize: 8KB