Analysis
-
max time kernel
145s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20230831-en -
resource tags
-
submitted
04/10/2023, 17:41
General
-
Target
MadPassExt.exe
-
Size
621KB
-
MD5
d7f3266975644f3797964e044e5b8d5f
-
SHA1
6c053110d4087e013bc341115fbaa84a750a4057
-
SHA256
ac59a704d8652db5ae64c9c4a255157a3e2f1c577307d31b74df496ce4b43bef
-
SHA512
ee3f3f0bc0f666ddbfffcd8226f6a5a32ba0094bc0489371167fbca52820081e81e4140174e40b1edca1bb90066d28e70b14eccc875c6a0845ebbfa384ed9a65
-
SSDEEP
12288:o6IHCy7/eEkxewViP8Dd4N8DNCcJDOCDLy+QuH0h:3yT24wViP8Dd4N8DNCSr
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\MadPassExt.exe"C:\Users\Admin\AppData\Local\Temp\MadPassExt.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Media Center Programs\3G8VCWNY.exe"C:\Users\Admin\AppData\Roaming\Media Center Programs\3G8VCWNY.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\774229213\7F0AGKWA.exe"C:\Users\Admin\AppData\Local\Temp\774229213\7F0AGKWA.exe"2⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- outlook_office_path
- outlook_win_path
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
183KB
MD5f69ffc7c810923b24cdbdd4fa63a7dd7
SHA1897bdce096c1686849682ed22657b56345ac5e09
SHA256cd839b176a5432c67eaca745ce38ea0ef25326646a31c34febe4b8fb3f35cc7c
SHA512dd50cdec94fc61ba34bcc0ce473f2483b4d7cf5d1338902b9c2c16520228702c5fac6984ec3c9b541ad0e94efc4534fbc3c4780568b038ebb7303107ff5cb97b
-
Filesize
183KB
MD5f69ffc7c810923b24cdbdd4fa63a7dd7
SHA1897bdce096c1686849682ed22657b56345ac5e09
SHA256cd839b176a5432c67eaca745ce38ea0ef25326646a31c34febe4b8fb3f35cc7c
SHA512dd50cdec94fc61ba34bcc0ce473f2483b4d7cf5d1338902b9c2c16520228702c5fac6984ec3c9b541ad0e94efc4534fbc3c4780568b038ebb7303107ff5cb97b
-
Filesize
46KB
MD51d4cedae1f44f41d5e449680d0d08686
SHA14bfe0787e66c181920a462f805b0652e7c22e2c2
SHA256a0a0c256070d7dc62a260ca36cf25b08521d8c35f2ac6f93224854cc538b564a
SHA5127cd2875e9769d5dc02e99709e1762abf2d3cbac96051427f87be855d8d0886855d3805ffabca0f8dbdef357b509a0d292904c269f8f00a781f793f84c82fa93a
-
Filesize
46KB
MD51d4cedae1f44f41d5e449680d0d08686
SHA14bfe0787e66c181920a462f805b0652e7c22e2c2
SHA256a0a0c256070d7dc62a260ca36cf25b08521d8c35f2ac6f93224854cc538b564a
SHA5127cd2875e9769d5dc02e99709e1762abf2d3cbac96051427f87be855d8d0886855d3805ffabca0f8dbdef357b509a0d292904c269f8f00a781f793f84c82fa93a
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
640KB
-
Filesize
6.9MB
-
Filesize
208KB
-
Filesize
256KB
-
Filesize
6.9MB
-
Filesize
256KB
-
Filesize
40KB
-
Filesize
256KB
-
Filesize
256KB