Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-02-2023 19:55

General

  • Target

    e4d9015e2bed3af0480b51231b68bb23.exe

  • Size

    194KB

  • MD5

    e4d9015e2bed3af0480b51231b68bb23

  • SHA1

    c148f8cc0d8930602a00155cc0f370d2e22a811a

  • SHA256

    893f1df3f71f13731482f53655a5f6470ee00eae87f84e31da4af2950df80cef

  • SHA512

    5bc66c3aac2497c2e3df851dc75011cf529a0fd76ab18280a626c4a2975b07e740ed74cbb6afe9b4ea518d4a2772f5783120c3881ff551ef2be14abb0842c665

  • SSDEEP

    6144:+rdOfeBDRzseSmV7v2PCc4gorppZiG73TAW:+rdOfeia79

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e4d9015e2bed3af0480b51231b68bb23.exe
    "C:\Users\Admin\AppData\Local\Temp\e4d9015e2bed3af0480b51231b68bb23.exe"
    Checks computer location settings
    Suspicious use of SetThreadContext
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of WriteProcessMemory
    PID:1036
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1792
    • C:\Users\Admin\AppData\Local\Temp\e4d9015e2bed3af0480b51231b68bb23.exe
      C:\Users\Admin\AppData\Local\Temp\e4d9015e2bed3af0480b51231b68bb23.exe
      PID:2900
    • C:\Users\Admin\AppData\Local\Temp\e4d9015e2bed3af0480b51231b68bb23.exe
      C:\Users\Admin\AppData\Local\Temp\e4d9015e2bed3af0480b51231b68bb23.exe
      PID:4408
    • C:\Users\Admin\AppData\Local\Temp\e4d9015e2bed3af0480b51231b68bb23.exe
      C:\Users\Admin\AppData\Local\Temp\e4d9015e2bed3af0480b51231b68bb23.exe
      PID:2104
    • C:\Users\Admin\AppData\Local\Temp\e4d9015e2bed3af0480b51231b68bb23.exe
      C:\Users\Admin\AppData\Local\Temp\e4d9015e2bed3af0480b51231b68bb23.exe
      PID:2124
    • C:\Users\Admin\AppData\Local\Temp\e4d9015e2bed3af0480b51231b68bb23.exe
      C:\Users\Admin\AppData\Local\Temp\e4d9015e2bed3af0480b51231b68bb23.exe
      Accesses Microsoft Outlook profiles
      Checks processor information in registry
      Suspicious use of AdjustPrivilegeToken
      outlook_office_path
      outlook_win_path
      PID:4868

Network

MITRE ATT&CK Matrix

Command and Control

Defense Evasion

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Privilege Escalation

Replay Monitor

00:00 00:00

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\e4d9015e2bed3af0480b51231b68bb23.exe.log
    Filesize

    1KB

    MD5

    13b08803e0bb671919478d178f19d6e2

    SHA1

    9f8c1d2a16446f9ee1e3244f48d372aecccf4dd9

    SHA256

    bab001392f6a9fc257a302cf557c9f571c7b352f41aedda14b049976ee5fd1c9

    SHA512

    2fe208b9958329734a5c6ce6aa526ee20d2c02d351927e75f85f27c2ffdc3c9e3413c17dc6e0dd9eefc3fb379e936b6bef2984a6e44ffafdc7600f590398016f

  • memory/1036-132-0x0000000000390000-0x00000000003C6000-memory.dmp
    Filesize

    216KB

  • memory/1036-133-0x0000000007660000-0x0000000007682000-memory.dmp
    Filesize

    136KB

  • memory/1036-143-0x000000002A620000-0x000000002ABC4000-memory.dmp
    Filesize

    5MB

  • memory/1036-142-0x0000000005770000-0x0000000005802000-memory.dmp
    Filesize

    584KB

  • memory/1792-137-0x0000000006110000-0x0000000006176000-memory.dmp
    Filesize

    408KB

  • memory/1792-139-0x0000000006820000-0x000000000683E000-memory.dmp
    Filesize

    120KB

  • memory/1792-140-0x0000000008090000-0x000000000870A000-memory.dmp
    Filesize

    6MB

  • memory/1792-141-0x0000000006D20000-0x0000000006D3A000-memory.dmp
    Filesize

    104KB

  • memory/1792-136-0x00000000058C0000-0x0000000005EE8000-memory.dmp
    Filesize

    6MB

  • memory/1792-135-0x0000000005250000-0x0000000005286000-memory.dmp
    Filesize

    216KB

  • memory/1792-134-0x0000000000000000-mapping.dmp
  • memory/1792-138-0x00000000061F0000-0x0000000006256000-memory.dmp
    Filesize

    408KB

  • memory/2104-146-0x0000000000000000-mapping.dmp
  • memory/2124-147-0x0000000000000000-mapping.dmp
  • memory/2900-144-0x0000000000000000-mapping.dmp
  • memory/4408-145-0x0000000000000000-mapping.dmp
  • memory/4868-148-0x0000000000000000-mapping.dmp
  • memory/4868-149-0x0000000000400000-0x00000000004D8000-memory.dmp
    Filesize

    864KB

  • memory/4868-151-0x0000000008370000-0x000000000837A000-memory.dmp
    Filesize

    40KB

  • memory/4868-152-0x00000000087F0000-0x0000000008802000-memory.dmp
    Filesize

    72KB