Resubmissions
10-08-2023 13:02
230810-p92wxach32 Analysis
max time kernel: 142s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20230703-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-08-2023 13:02
Static task: static1
Behavioral task: behavioral1
Sample: 24bd790bc9427021121ec0e318db93369c2d893e40309f7083f178d3a5819161.exe
Resource: win7-20230712-en
General
Target: 24bd790bc9427021121ec0e318db93369c2d893e40309f7083f178d3a5819161.exe
Size: 419KB
MD5: d811a57bc0e8b86b449277f9ffb50cc9
SHA1: cdab34eea2dfd5e96412e34c0b3eb090a9661377
SHA256: 24bd790bc9427021121ec0e318db93369c2d893e40309f7083f178d3a5819161
SHA512: 5b569f0cebdc006125ac37ee0e333a22a35189214b5c2ab05671e7c307936c1d121a9afd7c48ce5283435c755d82110ce70adffd4e20570c3d4f4680962a7dfa
SSDEEP: 12288:ZvtSEEuEE3EEMEEzEE5EEOEEmEEAEE2EE6EE3EERhXz+MbfR1nYm4BJ1B4ywtT5m:Zvtk
Malware Config
Signatures
- Downloads MZ/PE file
- Loads dropped DLL (3 IoCs)
  pid   Process
  3032  24bd790bc9427021121ec0e318db93369c2d893e40309f7083f178d3a5819161.exe
  3032  24bd790bc9427021121ec0e318db93369c2d893e40309f7083f178d3a5819161.exe
  3032  24bd790bc9427021121ec0e318db93369c2d893e40309f7083f178d3a5819161.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  14    ip-api.com
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  pid   Process
  3032  24bd790bc9427021121ec0e318db93369c2d893e40309f7083f178d3a5819161.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  3032  24bd790bc9427021121ec0e318db93369c2d893e40309f7083f178d3a5819161.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\24bd790bc9427021121ec0e318db93369c2d893e40309f7083f178d3a5819161.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\24bd790bc9427021121ec0e318db93369c2d893e40309f7083f178d3a5819161.exe"
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 3032
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 384KB
  MD5: 55c797383dbbbfe93c0fe3215b99b8ec
  SHA1: 1b089157f3d8ae64c62ea15cdad3d82eafa1df4b
  SHA256: 5fac5a9e9b8bbdad6cf661dbf3187e395914cd7139e34b725906efbb60122c0d
  SHA512: 648a7da0bcda6ccd31b4d6cdc1c90c3bc3c11023fcceb569f1972b8f6ab8f92452d1a80205038edcf409669265b6756ba0da6b1a734bd1ae4b6c527bbebb8757
- Filesize: 1.3MB
  MD5: 8be215abf1f36aa3d23555a671e7e3be
  SHA1: 547d59580b7843f90aaca238012a8a0c886330e6
  SHA256: 83f332ea9535814f18be4ee768682ecc7720794aedc30659eb165e46257a7cae
  SHA512: 38cf4aea676dacd2e719833ca504ac8751a5fe700214ff4ac2b77c0542928a6a1aa3780ed7418387affed67ab6be97f1439633249af22d62e075c1cdfdf5449b