Resubmissions

12-10-2023 00:11

231012-agrg5sda3y 10

12-10-2023 00:05

231012-adk6yseh39 10

Analysis

  • max time kernel
    80s
  • max time network
    82s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    12-10-2023 00:05

General

  • Target

    F5C67FE00B4CBEE07D5E394C87F0C6224BBD841A92151.exe

  • Size

    1.1MB

  • MD5

    842ae8e819177105e1a1af934b1ee520

  • SHA1

    17104eca148dcd0e15ffb31e4c7a3defdd406d12

  • SHA256

    f5c67fe00b4cbee07d5e394c87f0c6224bbd841a92151d04841f584d56e58b0c

  • SHA512

    b92ecfb5c89996332dd674682694a111aee2bc26b21678c9e60dc592272b91a0f6e9d2a478528b6f257290c5ef43ed9d87d7fac3b8314e768144951333e4916d

  • SSDEEP

    24576:zXdmFGXOGXlTztlj3RbjO7jlUIixAWLc7ARpTLzVONY/tx4:rdfLVTLjxwjlQntT/VO2x4

Malware Config

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 7 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 17 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 27 IoCs
  • Suspicious use of SendNotifyMessage 26 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\F5C67FE00B4CBEE07D5E394C87F0C6224BBD841A92151.exe
    "C:\Users\Admin\AppData\Local\Temp\F5C67FE00B4CBEE07D5E394C87F0C6224BBD841A92151.exe"
    1⤵
    • Modifies Windows Defender Real-time Protection settings
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    PID:4376
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /7
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:3912

Network

MITRE ATT&CK Enterprise v15


Downloads

  • memory/3912-0-0x0000024CF5000000-0x0000024CF5001000-memory.dmp

    Filesize

    4KB

  • memory/3912-1-0x0000024CF5000000-0x0000024CF5001000-memory.dmp

    Filesize

    4KB

  • memory/3912-2-0x0000024CF5000000-0x0000024CF5001000-memory.dmp

    Filesize

    4KB

  • memory/3912-6-0x0000024CF5000000-0x0000024CF5001000-memory.dmp

    Filesize

    4KB

  • memory/3912-7-0x0000024CF5000000-0x0000024CF5001000-memory.dmp

    Filesize

    4KB

  • memory/3912-8-0x0000024CF5000000-0x0000024CF5001000-memory.dmp

    Filesize

    4KB

  • memory/3912-9-0x0000024CF5000000-0x0000024CF5001000-memory.dmp

    Filesize

    4KB

  • memory/3912-12-0x0000024CF5000000-0x0000024CF5001000-memory.dmp

    Filesize

    4KB

  • memory/3912-10-0x0000024CF5000000-0x0000024CF5001000-memory.dmp

    Filesize

    4KB

  • memory/3912-11-0x0000024CF5000000-0x0000024CF5001000-memory.dmp

    Filesize

    4KB