Analysis
-
max time kernel
127s -
max time network
133s -
platform
windows10-2004_x64 -
resource
win10v2004-20230703-en -
resource tags
arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system -
submitted
03/08/2023, 18:25
Static task
static1
Behavioral task
behavioral1
Sample
555af21b8831e78e3b1313dda0d2924af9507c4e701b6b42d0777d28a9405134exe_JC.exe
Resource
win7-20230712-en
General
-
Target
555af21b8831e78e3b1313dda0d2924af9507c4e701b6b42d0777d28a9405134exe_JC.exe
-
Size
751KB
-
MD5
b50354e22ebf21378aea9d4299ff6ce4
-
SHA1
95513268c15501a05404780e6f5b75fa5b971f3b
-
SHA256
555af21b8831e78e3b1313dda0d2924af9507c4e701b6b42d0777d28a9405134
-
SHA512
9f30d4000d5762f0faa9806405b15343b7617b4d281a954f226138f03950104add66233f48332b8aa9071f5c61116a51e7bb610d576d9a74a19acba8d9120940
-
SSDEEP
6144:dN8wfhgxnv8RP/UDYRYHzu5+wF5qMU2WeBP+iyGm6elLosk81V99oJDFYB1OvbTj:iiyWer994Ys35EN3CwhJnNFfacO
Malware Config
Signatures
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 37 checkip.dyndns.org -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 5040 555af21b8831e78e3b1313dda0d2924af9507c4e701b6b42d0777d28a9405134exe_JC.exe 5040 555af21b8831e78e3b1313dda0d2924af9507c4e701b6b42d0777d28a9405134exe_JC.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 5040 555af21b8831e78e3b1313dda0d2924af9507c4e701b6b42d0777d28a9405134exe_JC.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\555af21b8831e78e3b1313dda0d2924af9507c4e701b6b42d0777d28a9405134exe_JC.exe"C:\Users\Admin\AppData\Local\Temp\555af21b8831e78e3b1313dda0d2924af9507c4e701b6b42d0777d28a9405134exe_JC.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5040