Analysis
- max time kernel: 272s
- max time network: 278s
- platform: windows10-2004_x64
- resource: win10v2004-20231023-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 16-11-2023 19:38
Behavioral task: behavioral1
- Sample: Infected.exe
- Resource: win10v2004-20231023-en
General
- Target: Infected.exe
- Size: 63KB
- MD5: 084a0b3d22d5b3ae05371719f735f0fd
- SHA1: 539123d7d9d0ca6f44886e4ae4d1d575d1b34d8a
- SHA256: c6a33b915259179c2c19ad2cc0477a0e6e6d08baca8d7dca485fc1bcf13808ec
- SHA512: 079b458a18e696af9b2439be8ab06cd257e00a4bc2984c45875087868842e2537ed344eee1dadbb9e37c8de045031d9b9c08db4727d453f66ebf812c24095d09
- SSDEEP: 768:Cm0vnfEXf78awC8A+XU2azcBRL5JTk1+T4KSBGHmDbD/ph0oXk21KFySPXSusdph:qEXiLdSJYUbdh9R12ySPCusdpqKmY7
Malware Config
Extracted: asyncrat
- Default
- agent-thumbnail.gl.at.ply.gg:21402 (C2 host:port)
- sb4Γs8xuwz比sQRMiΒo0艾e艾
- delay: 1
- install: false
- install_folder: %AppData%
Signatures
- Stealerium
  An open source info stealer written in C#, first seen in May 2022.
- Async RAT payload (2 IoCs)
  YARA rule hits on memory dumps of PID 2868:
  - behavioral1/memory/2868-0-0x00000000007D0000-0x00000000007E6000-memory.dmp: asyncrat
  - behavioral1/memory/2868-10-0x000000001D2F0000-0x000000001D478000-memory.dmp: asyncrat
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers commonly target stored browser data, which can include saved credentials and other profile contents.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Registry keys opened by Infected.exe:
  - \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  - \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  - \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Network flows:
  - flow 90: ip-api.com
  - flow 87: icanhazip.com
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  - Key opened: \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 (Infected.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier (Infected.exe)
- Suspicious behavior: EnumeratesProcesses (22 IoCs)
  22 process-enumeration events, all from PID 2868 (Infected.exe).
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  - Token: SeDebugPrivilege, PID 2868 (Infected.exe)
- Suspicious use of WriteProcessMemory (14 IoCs)
  Source PID -> target PID (source process -> target process); each write is recorded twice in the trace:
  - 2868 -> 552 (Infected.exe -> cmd.exe), 2 events
  - 552 -> 872 (cmd.exe -> chcp.com), 2 events
  - 552 -> 5068 (cmd.exe -> netsh.exe), 2 events
  - 552 -> 3668 (cmd.exe -> findstr.exe), 2 events
  - 2868 -> 3160 (Infected.exe -> cmd.exe), 2 events
  - 3160 -> 3952 (cmd.exe -> chcp.com), 2 events
  - 3160 -> 4440 (cmd.exe -> netsh.exe), 2 events
  Every target is a child that the writing process had just spawned (see the process tree below), which is consistent with ordinary child-process setup rather than injection into an unrelated process.
- outlook_office_path (1 IoC)
  - Key opened: \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (Infected.exe)
- outlook_win_path (1 IoC)
  - Key opened: \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (Infected.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\Infected.exe (PID 2868)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Infected.exe"
  Signatures: Accesses Microsoft Outlook profiles; Checks processor information in registry; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; outlook_office_path; outlook_win_path
  - C:\Windows\SYSTEM32\cmd.exe (PID 552)
    Command line: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\chcp.com (PID 872): chcp 65001
    - C:\Windows\system32\netsh.exe (PID 5068): netsh wlan show profile
    - C:\Windows\system32\findstr.exe (PID 3668): findstr All
  - C:\Windows\SYSTEM32\cmd.exe (PID 3160)
    Command line: "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\chcp.com (PID 3952): chcp 65001
    - C:\Windows\system32\netsh.exe (PID 4440): netsh wlan show networks mode=bssid

The two cmd.exe chains are the stealer's Wi-Fi collection step: netsh wlan show profile lists the saved wireless profiles (findstr All keeps the "All User Profile" lines that carry the profile names), and netsh wlan show networks mode=bssid surveys nearby access points by BSSID. chcp 65001 switches the console to UTF-8 first so that non-ASCII SSIDs are not mangled when the output is parsed.
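The process chain above is a compact detection target: netsh.exe running wlan show profile or wlan show networks, spawned from cmd.exe that also set chcp 65001, with the chain rooted in a user-writable binary. The following is an added example of that detection logic, not code from the report or from the Stealerium or AsyncRAT projects. It runs over constructed process-creation records that mirror the report's PIDs and command lines (the parent of Infected.exe and the explorer.exe/admin chain are invented for contrast), and a constructed DNS log containing the report's IP-lookup and C2 hostnames.

```python
"""Detection logic for two behaviours in this report: the netsh-based Wi-Fi
harvesting chain and the external-IP / C2 hostname lookups."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record, as a Sysmon Event ID 1 or EDR feed would supply it."""
    pid: int
    ppid: int
    image: str      # full image path
    cmdline: str


def basename(path):
    """Lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


# "netsh wlan show profile" lists saved Wi-Fi profiles; with key=clear it also prints the PSK.
WLAN_PROFILE_RE = re.compile(r"\bnetsh(?:\.exe)?\s+wlan\s+show\s+profiles?\b", re.I)
# "netsh wlan show networks mode=bssid" surveys nearby access points, usable for geolocation.
WLAN_NETWORKS_RE = re.compile(r"\bnetsh(?:\.exe)?\s+wlan\s+show\s+networks\b", re.I)
# "chcp 65001" forces a UTF-8 console so non-ASCII SSIDs parse cleanly; a common stealer idiom.
UTF8_CODEPAGE_RE = re.compile(r"\bchcp\s+65001\b", re.I)

# Network indicators taken from the report: IP-lookup services and the extracted C2 host.
IP_LOOKUP_HOSTS = frozenset({"ip-api.com", "icanhazip.com"})
C2_HOSTS = frozenset({"agent-thumbnail.gl.at.ply.gg"})


def chain_root(ev, by_pid):
    """Follow ppid links until the parent is outside the event set; return that root's image name."""
    seen = set()
    while ev.ppid in by_pid and ev.pid not in seen:
        seen.add(ev.pid)
        ev = by_pid[ev.ppid]
    return basename(ev.image)


def detect_wlan_harvest(events):
    """Return sorted (pid, rule, root_image) for each netsh.exe wlan enumeration.

    The rule name gains "+utf8_codepage" when the spawning shell also set chcp 65001,
    in its own command line or via a sibling chcp.com; that pairing is a much stronger
    stealer signal than an administrator running netsh by hand.
    """
    by_pid = {e.pid: e for e in events}
    siblings = {}
    for e in events:
        siblings.setdefault(e.ppid, []).append(e)
    hits = []
    for e in events:
        if basename(e.image) != "netsh.exe":
            continue
        if WLAN_PROFILE_RE.search(e.cmdline):
            rule = "wlan_profile_enum"
        elif WLAN_NETWORKS_RE.search(e.cmdline):
            rule = "wlan_bssid_survey"
        else:
            continue
        parent = by_pid.get(e.ppid)
        context = [parent.cmdline] if parent else []
        context += [s.cmdline for s in siblings.get(e.ppid, [])]
        if any(UTF8_CODEPAGE_RE.search(c) for c in context):
            rule += "+utf8_codepage"
        hits.append((e.pid, rule, chain_root(e, by_pid)))
    return sorted(hits)


def detect_network_iocs(dns_queries):
    """Split observed DNS names into IP-lookup hits and C2 hits (both indicator sets from the report)."""
    names = {q.lower().rstrip(".") for q in dns_queries}
    return sorted(names & IP_LOOKUP_HOSTS), sorted(names & C2_HOSTS)


# Constructed events mirroring the report's process tree. PIDs and command lines are as reported;
# the parent of Infected.exe (ppid 0) and the explorer.exe/admin chain are invented for contrast.
SAMPLE_EVENTS = [
    ProcEvent(2868, 0, r"C:\Users\Admin\AppData\Local\Temp\Infected.exe", r'"C:\Users\Admin\AppData\Local\Temp\Infected.exe"'),
    ProcEvent(552, 2868, r"C:\Windows\SYSTEM32\cmd.exe", '"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All'),
    ProcEvent(872, 552, r"C:\Windows\system32\chcp.com", "chcp 65001"),
    ProcEvent(5068, 552, r"C:\Windows\system32\netsh.exe", "netsh wlan show profile"),
    ProcEvent(3668, 552, r"C:\Windows\system32\findstr.exe", "findstr All"),
    ProcEvent(3160, 2868, r"C:\Windows\SYSTEM32\cmd.exe", '"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid'),
    ProcEvent(3952, 3160, r"C:\Windows\system32\chcp.com", "chcp 65001"),
    ProcEvent(4440, 3160, r"C:\Windows\system32\netsh.exe", "netsh wlan show networks mode=bssid"),
    # Benign contrast: an interactive admin shell running the same netsh command without chcp.
    ProcEvent(6000, 5000, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(7000, 6000, r"C:\Windows\System32\cmd.exe", '"C:\\Windows\\System32\\cmd.exe"'),
    ProcEvent(7001, 7000, r"C:\Windows\System32\netsh.exe", "netsh wlan show profiles"),
]

# Constructed DNS log: the first three names appear in the report, the last is benign filler.
SAMPLE_DNS = ["ip-api.com", "icanhazip.com", "agent-thumbnail.gl.at.ply.gg", "www.msftconnecttest.com"]

if __name__ == "__main__":
    for hit in detect_wlan_harvest(SAMPLE_EVENTS):
        print(hit)
    print(detect_network_iocs(SAMPLE_DNS))
```

The benign explorer.exe chain is still reported, but without the utf8_codepage qualifier and with a root that is a signed system binary; in practice the alert should be raised only when the root image is outside %SystemRoot% or the qualifier is present, and the same event set can be fed from Sysmon or EDR telemetry by mapping ProcessId, ParentProcessId, Image and CommandLine onto ProcEvent.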
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\957b65dc9ff4dfdf0fc76aada1e55ec9\Admin@FEUTZCII_en-US\Browsers\Mozilla\Firefox\Bookmarks.txt
  - Filesize: 105B
  - MD5: 2e9d094dda5cdc3ce6519f75943a4ff4
  - SHA1: 5d989b4ac8b699781681fe75ed9ef98191a5096c
  - SHA256: c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
  - SHA512: d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7
- C:\Users\Admin\AppData\Local\957b65dc9ff4dfdf0fc76aada1e55ec9\Admin@FEUTZCII_en-US\System\Process.txt
  - Filesize: 4KB
  - MD5: de769046c672e8f33dc5333c79312590
  - SHA1: 5adcae6f4048dbb64725ad15d8d1270c4e055926
  - SHA256: 21cab09f31a298d3ef2c4df90e0d505aab5017da6383dc8e34d3184ec574c87d
  - SHA512: f26558591b001651eb08261e445b068add9b78e0be1448cc5618eb9bd1b076bf4400fe3f2be14391695d46a4eed6b017030f44571bcf99650ce477c5b06b5084

Both files were written under the same staging directory, %LocalAppData%\957b65dc9ff4dfdf0fc76aada1e55ec9\Admin@FEUTZCII_en-US\, whose leaf folder is named from the victim's user name, host name and locale. A directory of that shape under %LocalAppData% containing Browsers\ and System\ subfolders is a useful host-based indicator for this stealer's collection phase.