Analysis

max time kernel: 118s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-01-2023 09:20
Behavioral task: behavioral1
Sample: f5c67fe00b4cbee07d5e394c87f0c6224bbd841a92151d04841f584d56e58b0c.exe
Resource: win7-20221111-en
General

Target: f5c67fe00b4cbee07d5e394c87f0c6224bbd841a92151d04841f584d56e58b0c.exe
Size: 1.1MB
MD5: 842ae8e819177105e1a1af934b1ee520
SHA1: 17104eca148dcd0e15ffb31e4c7a3defdd406d12
SHA256: f5c67fe00b4cbee07d5e394c87f0c6224bbd841a92151d04841f584d56e58b0c
SHA512: b92ecfb5c89996332dd674682694a111aee2bc26b21678c9e60dc592272b91a0f6e9d2a478528b6f257290c5ef43ed9d87d7fac3b8314e768144951333e4916d
SSDEEP: 24576:zXdmFGXOGXlTztlj3RbjO7jlUIixAWLc7ARpTLzVONY/tx4:rdfLVTLjxwjlQntT/VO2x4
Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings
Processes:
  process: f5c67fe00b4cbee07d5e394c87f0c6224bbd841a92151d04841f584d56e58b0c.exe
  description        ioc
  Set value (int)    \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1"
  Key created        \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection
  Set value (int)    \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"
  Set value (int)    \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"
  Set value (int)    \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"
  Set value (int)    \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"
  Set value (int)    \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
Processes:
  process: f5c67fe00b4cbee07d5e394c87f0c6224bbd841a92151d04841f584d56e58b0c.exe
  description        ioc
  Key value queried  \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials and similar secrets.
Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Network flows:
  flow   ioc
  4      ipinfo.io
  5      ipinfo.io
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  pid    process
  4828   f5c67fe00b4cbee07d5e394c87f0c6224bbd841a92151d04841f584d56e58b0c.exe
  4828   f5c67fe00b4cbee07d5e394c87f0c6224bbd841a92151d04841f584d56e58b0c.exe
Processes

- C:\Users\Admin\AppData\Local\Temp\f5c67fe00b4cbee07d5e394c87f0c6224bbd841a92151d04841f584d56e58b0c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f5c67fe00b4cbee07d5e394c87f0c6224bbd841a92151d04841f584d56e58b0c.exe"
  - Modifies Windows Defender Real-time Protection settings
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses