1bb662d598172326e5ddd54f879bae3a6fea58742af0f44bd3934003da625384

Resubmissions

05/10/2023, 14:00

231005-raznlsdd59 4

30/09/2023, 17:52

230930-wf1kbaga24 7

30/09/2023, 17:50

230930-went5aee6t 7

30/09/2023, 17:07

230930-vmytmaeb71 3

Analysis

max time kernel
18s
max time network
23s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
30/09/2023, 17:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

loader.bin.exe
Size

5.7MB
MD5

fd2d84bee10bbccb7b590e1025752873
SHA1

c0fbb34903a19dcf4591ba7f88c3995d183fefe8
SHA256

1bb662d598172326e5ddd54f879bae3a6fea58742af0f44bd3934003da625384
SHA512

87ed02ad109845b34f8f70237a2e3a51f607dac89e795f1c3b5fad019630c2a2756c2be51c7f25e04c2d4246b68803ef2b43c002155a3d660a2f66911c891add
SSDEEP

98304:3453W8vYIC+RgZkKIXfEIeYUAlLc3A6fv4i/NTJVLpxrOw1xitse3Jk9yfPDnmY:o53W83p5XfEI5WNn4QNtVLXrOw2TSsfS

Score

7^/10

spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
34	ip-api.com

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
364	loader.bin.exe
364	loader.bin.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2596	WMIC.exe
Token: SeSecurityPrivilege	2596	WMIC.exe
Token: SeTakeOwnershipPrivilege	2596	WMIC.exe
Token: SeLoadDriverPrivilege	2596	WMIC.exe
Token: SeSystemProfilePrivilege	2596	WMIC.exe
Token: SeSystemtimePrivilege	2596	WMIC.exe
Token: SeProfSingleProcessPrivilege	2596	WMIC.exe
Token: SeIncBasePriorityPrivilege	2596	WMIC.exe
Token: SeCreatePagefilePrivilege	2596	WMIC.exe
Token: SeBackupPrivilege	2596	WMIC.exe
Token: SeRestorePrivilege	2596	WMIC.exe
Token: SeShutdownPrivilege	2596	WMIC.exe
Token: SeDebugPrivilege	2596	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2596	WMIC.exe
Token: SeRemoteShutdownPrivilege	2596	WMIC.exe
Token: SeUndockPrivilege	2596	WMIC.exe
Token: SeManageVolumePrivilege	2596	WMIC.exe
Token: 33	2596	WMIC.exe
Token: 34	2596	WMIC.exe
Token: 35	2596	WMIC.exe
Token: 36	2596	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2596	WMIC.exe
Token: SeSecurityPrivilege	2596	WMIC.exe
Token: SeTakeOwnershipPrivilege	2596	WMIC.exe
Token: SeLoadDriverPrivilege	2596	WMIC.exe
Token: SeSystemProfilePrivilege	2596	WMIC.exe
Token: SeSystemtimePrivilege	2596	WMIC.exe
Token: SeProfSingleProcessPrivilege	2596	WMIC.exe
Token: SeIncBasePriorityPrivilege	2596	WMIC.exe
Token: SeCreatePagefilePrivilege	2596	WMIC.exe
Token: SeBackupPrivilege	2596	WMIC.exe
Token: SeRestorePrivilege	2596	WMIC.exe
Token: SeShutdownPrivilege	2596	WMIC.exe
Token: SeDebugPrivilege	2596	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2596	WMIC.exe
Token: SeRemoteShutdownPrivilege	2596	WMIC.exe
Token: SeUndockPrivilege	2596	WMIC.exe
Token: SeManageVolumePrivilege	2596	WMIC.exe
Token: 33	2596	WMIC.exe
Token: 34	2596	WMIC.exe
Token: 35	2596	WMIC.exe
Token: 36	2596	WMIC.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 364 wrote to memory of 3464	364	loader.bin.exe	85
PID 364 wrote to memory of 3464	364	loader.bin.exe	85
PID 364 wrote to memory of 2684	364	loader.bin.exe	86
PID 364 wrote to memory of 2684	364	loader.bin.exe	86
PID 364 wrote to memory of 2236	364	loader.bin.exe	87
PID 364 wrote to memory of 2236	364	loader.bin.exe	87
PID 364 wrote to memory of 4396	364	loader.bin.exe	88
PID 364 wrote to memory of 4396	364	loader.bin.exe	88
PID 364 wrote to memory of 4080	364	loader.bin.exe	89
PID 364 wrote to memory of 4080	364	loader.bin.exe	89
PID 4080 wrote to memory of 2596	4080	cmd.exe	90
PID 4080 wrote to memory of 2596	4080	cmd.exe	90
PID 364 wrote to memory of 1624	364	loader.bin.exe	91
PID 364 wrote to memory of 1624	364	loader.bin.exe	91
PID 364 wrote to memory of 1692	364	loader.bin.exe	92
PID 364 wrote to memory of 1692	364	loader.bin.exe	92
PID 364 wrote to memory of 2412	364	loader.bin.exe	94
PID 364 wrote to memory of 2412	364	loader.bin.exe	94
PID 364 wrote to memory of 1620	364	loader.bin.exe	95
PID 364 wrote to memory of 1620	364	loader.bin.exe	95
PID 364 wrote to memory of 3308	364	loader.bin.exe	96
PID 364 wrote to memory of 3308	364	loader.bin.exe	96
PID 364 wrote to memory of 3348	364	loader.bin.exe	97
PID 364 wrote to memory of 3348	364	loader.bin.exe	97

C:\Users\Admin\AppData\Local\Temp\loader.bin.exe
"C:\Users\Admin\AppData\Local\Temp\loader.bin.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:364
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:3464
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2684
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2236
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:4396
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic baseboard get product
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4080
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic baseboard get product
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2596
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:1624
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:1692
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2412
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:1620
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:3308
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:3348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/364-0-0x0000000002010000-0x0000000002110000-memory.dmp

Filesize
1024KB

Download