Analysis
-
max time kernel
121s -
max time network
152s -
platform
windows7_x64 -
resource
win7-20231020-en -
resource tags
-
submitted
24/10/2023, 19:54 UTC
General
-
Target
NEAS.50e8e741266264cb161b567f8dbcd65bf8cdcfea296c9807dc00a9cae853b8feexe_JC.exe
-
Size
935KB
-
MD5
2e450823db1430464efb84f8074cc84f
-
SHA1
88c86734e5de9f22154ca8c55cd141b2068e922f
-
SHA256
50e8e741266264cb161b567f8dbcd65bf8cdcfea296c9807dc00a9cae853b8fe
-
SHA512
20c2eedba61f776d90636ad6dae668ad9222c5eca9a69437587317321e3116591250b8327fd41079f892ef021fc7d37035dd1fb20617d2c8331fdab376973c2b
-
SSDEEP
24576:UpCvo/Sfhf/+5SxYn89JnMKFpn/9IUI7ighRKA2E4jKk:iX2f/LxYnonMKHn/9K71hRjrq
Malware Config
Signatures
-
PredatorStealer
Predator is a modular stealer written in C#.
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops desktop.ini file(s) 2 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious behavior: RenamesItself 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of WriteProcessMemory 26 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.50e8e741266264cb161b567f8dbcd65bf8cdcfea296c9807dc00a9cae853b8feexe_JC.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.50e8e741266264cb161b567f8dbcd65bf8cdcfea296c9807dc00a9cae853b8feexe_JC.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\LUHgPxjH.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LUHgPxjH" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2D19.tmp"2⤵
- Creates scheduled task(s)
-
-
C:\Users\Admin\AppData\Local\Temp\NEAS.50e8e741266264cb161b567f8dbcd65bf8cdcfea296c9807dc00a9cae853b8feexe_JC.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.50e8e741266264cb161b567f8dbcd65bf8cdcfea296c9807dc00a9cae853b8feexe_JC.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\NEAS.50e8e741266264cb161b567f8dbcd65bf8cdcfea296c9807dc00a9cae853b8feexe_JC.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.50e8e741266264cb161b567f8dbcd65bf8cdcfea296c9807dc00a9cae853b8feexe_JC.exe"2⤵
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
-
C:\Users\Admin\AppData\Local\Temp\Zip.exe"C:\Users\Admin\AppData\Local\Temp\Zip.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
Network
-
DNSip-api.comRemote address:8.8.8.8:53Requestip-api.comIN AResponseip-api.comIN A208.95.112.1 -
GEThttp://ip-api.com/json/Remote address:208.95.112.1:80RequestGET /json/ HTTP/1.1
Host: ip-api.com
Connection: Keep-Alive
ResponseHTTP/1.1 200 OK
Date: Tue, 24 Oct 2023 19:56:13 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 323
Access-Control-Allow-Origin: *
X-Ttl: 35
X-Rl: 38
-
GEThttp://ip-api.com/json/Remote address:208.95.112.1:80RequestGET /json/ HTTP/1.1
Host: ip-api.com
ResponseHTTP/1.1 200 OK
Date: Tue, 24 Oct 2023 19:56:15 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 323
Access-Control-Allow-Origin: *
X-Ttl: 32
X-Rl: 37
-
GEThttp://ip-api.com/json/Remote address:208.95.112.1:80RequestGET /json/ HTTP/1.1
Host: ip-api.com
ResponseHTTP/1.1 200 OK
Date: Tue, 24 Oct 2023 19:56:18 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 323
Access-Control-Allow-Origin: *
X-Ttl: 30
X-Rl: 36
-
GEThttp://ip-api.com/json/Remote address:208.95.112.1:80RequestGET /json/ HTTP/1.1
Host: ip-api.com
Connection: Keep-Alive
ResponseHTTP/1.1 200 OK
Date: Tue, 24 Oct 2023 19:56:23 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 323
Access-Control-Allow-Origin: *
X-Ttl: 25
X-Rl: 35
-
GEThttp://ip-api.com/json/Remote address:208.95.112.1:80RequestGET /json/ HTTP/1.1
Host: ip-api.com
ResponseHTTP/1.1 200 OK
Date: Tue, 24 Oct 2023 19:56:25 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 323
Access-Control-Allow-Origin: *
X-Ttl: 23
X-Rl: 34
-
GEThttp://ip-api.com/json/Remote address:208.95.112.1:80RequestGET /json/ HTTP/1.1
Host: ip-api.com
ResponseHTTP/1.1 200 OK
Date: Tue, 24 Oct 2023 19:56:26 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 323
Access-Control-Allow-Origin: *
X-Ttl: 22
X-Rl: 33
-
208.95.112.1:80http://ip-api.com/json/http
HTTP Request
GET http://ip-api.com/json/HTTP Response
200HTTP Request
GET http://ip-api.com/json/HTTP Response
200HTTP Request
GET http://ip-api.com/json/HTTP Response
200 -
208.95.112.1:80http://ip-api.com/json/http
HTTP Request
GET http://ip-api.com/json/HTTP Response
200HTTP Request
GET http://ip-api.com/json/HTTP Response
200HTTP Request
GET http://ip-api.com/json/HTTP Response
200
-
8.8.8.8:53ip-api.comdns
DNS Request
ip-api.com
DNS Response
208.95.112.1
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
282B
MD59e36cc3537ee9ee1e3b10fa4e761045b
SHA17726f55012e1e26cc762c9982e7c6c54ca7bb303
SHA2564b9d687ac625690fd026ed4b236dad1cac90ef69e7ad256cc42766a065b50026
SHA5125f92493c533d3add10b4ce2a364624817ebd10e32daa45ee16593e913073602db5e339430a3f7d2c44abf250e96ca4e679f1f09f8ca807d58a47cf3d5c9c3790
-
Filesize
4KB
MD5ffa713514357da41366480604e20e8b3
SHA1a674b688006ce32f8c49ea0c5067ed03c8694e04
SHA25641b448cff8bba381ac27892377d4592bbf221645c933b8255fabd123e03b67b1
SHA5124c8492125d6158a8315e0eb2f7cff2f41e189b01318c5a3c1198f2aff293ad10846ff5eebba6990019beb2472aa85520a97c0a5e83836b93771ccc8f8f85a3f0
-
Filesize
556B
MD5f4f30dacf35ab2560e7ccc7ccd428a7d
SHA1c23736ca8a559951ebefd4ea28999b4c3c66215f
SHA256c31f18c5c825c03a9cf29a833903faef69987da2eca12a5099962815687a535d
SHA51298a4121802476a57cd1afa137230909a953b5da47669ed0b28abc2799c328ec80e5472e642a02a9b84dbb2d53263cd8e60a4b524d6d350843b18f1ccaf895b09
-
Filesize
383KB
MD588dfccefb9e576e4725a458a5a3cf027
SHA112c85f7b7e5db819e96ebd78459ea630cafc1bfe
SHA256ef2b47cff14756cdf8bfe912a8cf5bfa1c25354cf452813bc51ca27b51bd8527
SHA512a3ec64733e5720fd407a6e070493e9e6c0bbd2fc75492464590154b65fb7d2ffaa47a1565b361845a2ad4b0e35e3acc2d80c17f0cbc263627c8a1da24826a96f
-
Filesize
325B
MD52365e08232be6eb66e7dc5c985a1dbc2
SHA179d994456b8c9c73da1bd79a038e8d1529614db4
SHA256be92762570f373f776835abcb546ea8264505f9bd5dc732e79fdc414e5089efe
SHA51233a258957774db27087a239ac1c0ff4edcc49d6549923f47fad91e2f367f3fce92b4379234ff348bc74390a1dfc4e29ee305dc42a986006d175201f4bd3eed25
-
Filesize
31KB
MD53afd64484a2a34fc34d1155747dd3847
SHA1451e1d878179f6fcfbaf9fa79d9ee8207489748f
SHA256bf78263914c6d3f84f825504536338fadd15868d788bf30d30613ca27abeb7a9
SHA512d21a519c8867d569e56ac5c93ce861a72f6853e3a959467bf8e8779664f99b5e8be76ad27e078935191c798aea05891960e01d9a0d52e2a33d34ec5a58c00448
-
Filesize
31KB
MD53afd64484a2a34fc34d1155747dd3847
SHA1451e1d878179f6fcfbaf9fa79d9ee8207489748f
SHA256bf78263914c6d3f84f825504536338fadd15868d788bf30d30613ca27abeb7a9
SHA512d21a519c8867d569e56ac5c93ce861a72f6853e3a959467bf8e8779664f99b5e8be76ad27e078935191c798aea05891960e01d9a0d52e2a33d34ec5a58c00448
-
Filesize
1KB
MD5ff69ca8f56b84bce3adabd1aae9c1508
SHA1b400009520baa6fa7f0357bce80324a221428b9d
SHA256c611fca0bf7e2050381ef14ca0fe68e56b4240b423cb16190918bebb1db69386
SHA5129c38770f8b633b39cb288c7e2c16f27882f6c84bee5659c290e29e3a779226adf1d6911b359a0c24a9f6678ea1867bbc526840b542ede82fe536e19ae02b3e1e
-
Filesize
31KB
MD53afd64484a2a34fc34d1155747dd3847
SHA1451e1d878179f6fcfbaf9fa79d9ee8207489748f
SHA256bf78263914c6d3f84f825504536338fadd15868d788bf30d30613ca27abeb7a9
SHA512d21a519c8867d569e56ac5c93ce861a72f6853e3a959467bf8e8779664f99b5e8be76ad27e078935191c798aea05891960e01d9a0d52e2a33d34ec5a58c00448
-
Filesize
512KB
-
Filesize
64KB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
512KB
-
Filesize
6.9MB
-
Filesize
88KB
-
Filesize
256KB
-
Filesize
64KB
-
Filesize
6.9MB
-
Filesize
808KB
-
Filesize
256KB
-
Filesize
6.9MB
-
Filesize
952KB
-
Filesize
256KB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
256KB
-
Filesize
5.7MB
-
Filesize
256KB
-
Filesize
576KB
-
Filesize
6.9MB
-
Filesize
6.9MB
-
Filesize
256KB
-
Filesize
576KB
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
576KB
-
Filesize
4KB
-
Filesize
576KB
-
Filesize
576KB
-
Filesize
576KB
-
Filesize
576KB
-
Filesize
576KB
