Analysis
-
max time kernel
124s -
max time network
158s -
platform
windows10-2004_x64 -
resource
win10v2004-20231020-en -
resource tags
arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system -
submitted
22-10-2023 17:33
Behavioral task
behavioral1
Sample
Infected.exe
Resource
win10v2004-20231020-en
General
-
Target
Infected.exe
-
Size
63KB
-
MD5
717dc78094e7b5c0fd501ace3341bfdc
-
SHA1
dfd728fa410cd296b37b9d8c04ad8bad3f9144cd
-
SHA256
ef43dced53ef25f2aca977c3c7417bf5b11c64129c8bc582aad7c292f73198d4
-
SHA512
98a2e5132057c2a203a0b4f817f014ec5544cd1880571dd62c7dc3bf74e58ffe4e018c63aaa6cd5f21401c60110bd501e97e51c0fa3a33d10dcbab70fc900ced
-
SSDEEP
768:VKO0JDEIM78K/fC8A+XOyazcBRL5JTk1+T4KSBGHmDbD/ph0oXDq3xWZD/0+Su7V:3VIGn1dSJYUbdh9DqhWpau7dpqKmY7
Malware Config
Extracted
asyncrat
Default
127.0.0.1:3232
127.0.0.1:12956
127.0.0.1:11088
2.tcp.eu.ngrok.io:3232
2.tcp.eu.ngrok.io:12956
2.tcp.eu.ngrok.io:11088
6.tcp.eu.ngrok.io:3232
6.tcp.eu.ngrok.io:12956
6.tcp.eu.ngrok.io:11088
比sQ比kMczl西F开zeZR吉勒迪E
-
delay
1
-
install
false
-
install_folder
%AppData%
Signatures
-
Stealerium
An open source info stealer written in C# first seen in May 2022.
-
Async RAT payload 4 IoCs
Processes:
resource yara_rule behavioral1/memory/2208-0-0x0000000000A00000-0x0000000000A16000-memory.dmp asyncrat behavioral1/memory/2208-8-0x000000001C550000-0x000000001C602000-memory.dmp asyncrat behavioral1/memory/2208-10-0x0000000002AB0000-0x0000000002AE2000-memory.dmp asyncrat behavioral1/memory/2208-11-0x000000001D700000-0x000000001D888000-memory.dmp asyncrat -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
Infected.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Infected.exe Key opened \REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Infected.exe Key opened \REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Infected.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 38 icanhazip.com 43 ip-api.com -
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
Infected.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 Infected.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier Infected.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
Infected.exepid process 2208 Infected.exe -
Suspicious behavior: EnumeratesProcesses 22 IoCs
Processes:
Infected.exepid process 2208 Infected.exe 2208 Infected.exe 2208 Infected.exe 2208 Infected.exe 2208 Infected.exe 2208 Infected.exe 2208 Infected.exe 2208 Infected.exe 2208 Infected.exe 2208 Infected.exe 2208 Infected.exe 2208 Infected.exe 2208 Infected.exe 2208 Infected.exe 2208 Infected.exe 2208 Infected.exe 2208 Infected.exe 2208 Infected.exe 2208 Infected.exe 2208 Infected.exe 2208 Infected.exe 2208 Infected.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
Infected.exedescription pid process Token: SeDebugPrivilege 2208 Infected.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
Infected.exepid process 2208 Infected.exe -
Suspicious use of WriteProcessMemory 14 IoCs
Processes:
Infected.execmd.execmd.exedescription pid process target process PID 2208 wrote to memory of 208 2208 Infected.exe cmd.exe PID 2208 wrote to memory of 208 2208 Infected.exe cmd.exe PID 208 wrote to memory of 4912 208 cmd.exe chcp.com PID 208 wrote to memory of 4912 208 cmd.exe chcp.com PID 208 wrote to memory of 4576 208 cmd.exe netsh.exe PID 208 wrote to memory of 4576 208 cmd.exe netsh.exe PID 208 wrote to memory of 4476 208 cmd.exe findstr.exe PID 208 wrote to memory of 4476 208 cmd.exe findstr.exe PID 2208 wrote to memory of 4116 2208 Infected.exe cmd.exe PID 2208 wrote to memory of 4116 2208 Infected.exe cmd.exe PID 4116 wrote to memory of 5108 4116 cmd.exe chcp.com PID 4116 wrote to memory of 5108 4116 cmd.exe chcp.com PID 4116 wrote to memory of 3840 4116 cmd.exe netsh.exe PID 4116 wrote to memory of 3840 4116 cmd.exe netsh.exe -
outlook_office_path 1 IoCs
Processes:
Infected.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Infected.exe -
outlook_win_path 1 IoCs
Processes:
Infected.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Infected.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Infected.exe"C:\Users\Admin\AppData\Local\Temp\Infected.exe"1⤵
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:2208 -
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All2⤵
- Suspicious use of WriteProcessMemory
PID:208 -
C:\Windows\system32\chcp.comchcp 650013⤵PID:4912
-
C:\Windows\system32\netsh.exenetsh wlan show profile3⤵PID:4576
-
C:\Windows\system32\findstr.exefindstr All3⤵PID:4476
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid2⤵
- Suspicious use of WriteProcessMemory
PID:4116 -
C:\Windows\system32\chcp.comchcp 650013⤵PID:5108
-
C:\Windows\system32\netsh.exenetsh wlan show networks mode=bssid3⤵PID:3840
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\d393223438ae649f98d07ac4eab53931\Admin@TPTLJPNX_en-US\Browsers\Mozilla\Firefox\Bookmarks.txt
Filesize105B
MD52e9d094dda5cdc3ce6519f75943a4ff4
SHA15d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7
-
C:\Users\Admin\AppData\Local\d393223438ae649f98d07ac4eab53931\Admin@TPTLJPNX_en-US\System\Process.txt
Filesize4KB
MD573fea31b1dff2ced7f9df18ec430f331
SHA193a18a6fdc057056f29c7e96902d1eaf9312f07f
SHA256f92915be652ad66e4e4de872fbe105ab5539e506b7df93198cd861527acee80e
SHA5121ef151be4999286ea01cf968874e7209c8e01ee2347bc896a1fb30dcab50362947d0377e03a45fbf75af53881706464ab209c90fb13f2fdd81ab763fe59a7a06
-
C:\Users\Admin\AppData\Local\d393223438ae649f98d07ac4eab53931\Admin@TPTLJPNX_en-US\System\Process.txt
Filesize1KB
MD53c7c990c1c744b60da3c4a69f11b5e66
SHA1d43129f475d3f03778d26c381b447ff6fd3a8e32
SHA256fb906dddef14bd3419faa23f44e3dcf1f6f5f08e75274f0f936b6c982940569a
SHA512e15abe9b074c648bc8613db17a1580bfa73ea909a0d1a06943c1ab2d25b5c243bdd3c404aef70a689e573c611579b23fdf713d992c39c46d74c45e8190ad63d2