Analysis
-
max time kernel
138s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20230703-en -
resource tags
-
submitted
16/08/2023, 07:12
General
-
Target
ACCOUNTING STATEMENT.exe
-
Size
882KB
-
MD5
752f2c3589148fc83a4d602e4670faec
-
SHA1
84ae1cc5b764c406989a02818b3b33eba32359ec
-
SHA256
a5299852cbd114f85d0ef4a8605caf998214014e89348d7af5d9df0c096a8863
-
SHA512
e57d51d79b7130d745e7b752f30c1b4de07aaf009ad8325652e652711cb7b0760a75c26551dc266e300b5a29d982f3c588e0773d8205a9af82f17e7d2fb39794
-
SSDEEP
24576:M1YYRs6CE3jLMpppdpppppUO9Rs6CE3jLMpppdpppppUOIOguc02ZccLbB:KZRs6CE3jLbO9Rs6CE3jLbOQub2HPB
Malware Config
Signatures
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 11 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\ACCOUNTING STATEMENT.exe"C:\Users\Admin\AppData\Local\Temp\ACCOUNTING STATEMENT.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\kawntyAd" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9CE2.tmp"2⤵
- Creates scheduled task(s)
-
-
C:\Users\Admin\AppData\Local\Temp\ACCOUNTING STATEMENT.exe"{path}"2⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD517573558c4e714f606f997e5157afaac
SHA113e16e9415ceef429aaf124139671ebeca09ed23
SHA256c18db6aecad2436da4a63ff26af4e3a337cca48f01c21b8db494fe5ccc60e553
SHA512f4edf13f05a0d142e4dd42802098c8c44988ee8869621a62c2b565a77c9a95857f636583ff8d6d9baa366603d98b9bfbf1fc75bc6f9f8f83c80cb1215b2941cc
-
Filesize
1KB
MD5f1153853176c5cb25cb41d7709b65e2e
SHA1dee970ca74f005aad8efc72e10567288e93dadc3
SHA256c30d13cf63e219cf7148919b8a6564330302ddd49ee408d2bcbb3c4e8048f199
SHA512bba86c276e307fdc68497fc9e95a83222b0df6e3ca45728d7db7408f0cff4f7ce6aaa6c2e9925ca637f2ac9a01dca6cfcdf90f64e229ceb4a766908ac4200501
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
584KB
-
Filesize
7.7MB
-
Filesize
40KB
-
Filesize
344KB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
624KB
-
Filesize
5.6MB
-
Filesize
904KB
-
Filesize
264KB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
408KB
-
Filesize
320KB
-
Filesize
7.7MB
-
Filesize
64KB