Analysis

max time kernel: 143s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20231025-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231025-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-11-2023 23:18
Static task: static1
Behavioral task: behavioral1
Sample: file.exe
Resource: win7-20231023-en
General

Target: file.exe
Size: 1.6MB
MD5: 31b1bcb00fc84608f8e7c0fd6bbd38cd
SHA1: a3fd59178d472d08811f21abb92bfe80543b851a
SHA256: 2c507279c680c935a07e01c7a49cd6f971495bb337feafe6b9f094766ddc639c
SHA512: 404f0e10a7de972904d63483e2be2b926349d1ad440f82f3560dd0cdb333c3b88e134da6d3dfb46f2a29cef3ba91932e9806e365a4a7e6ee860b2f0d955b9f50
SSDEEP: 24576:cGvjcO5iNuoZBCESk1qsCSeE6CrJS/vE8OpGwfmm+NXo6MargCRNrCGZsr2:cSr5UlQE664vJwGamtNXMSPRN+0s
Malware Config
Signatures

- Executes dropped EXE (1 IoC)
  PID 5108  Introducing.pif
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Enumerates processes with tasklist (1 TTP, 2 IoCs)
  PID 3032  tasklist.exe
  PID 2860  tasklist.exe
- Runs ping.exe (1 TTP, 1 IoC)
  PID 2500  PING.EXE
- Suspicious behavior: EnumeratesProcesses (10 IoCs)
  PID 5108  Introducing.pif (10 events)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege  PID 3032  tasklist.exe
  Token: SeDebugPrivilege  PID 2860  tasklist.exe
  Note: tasklist.exe enables SeDebugPrivilege on every run, so these two hits are a side effect of the process enumeration above, not a separate privilege-escalation step.
- Suspicious use of FindShellTrayWindow (3 IoCs)
  PID 5108  Introducing.pif (3 events)
- Suspicious use of SendNotifyMessage (3 IoCs)
  PID 5108  Introducing.pif (3 events)
- Suspicious use of WriteProcessMemory (33 IoCs)
  The report lists each parent/child pair three times; collapsed, the 33 rows are the 11 distinct edges below, and they match the process tree one-to-one (each parent writes into the child it spawns).

  writer PID  writer process  target PID  procid_target
  4892        file.exe        2940        95
  2940        cmd.exe         4976        97
  4976        cmd.exe         3032        98
  4976        cmd.exe         3176        99
  4976        cmd.exe         2860        100
  4976        cmd.exe         1096        101
  4976        cmd.exe         2212        103
  4976        cmd.exe         3396        104
  4976        cmd.exe         1536        105
  4976        cmd.exe         5108        106
  4976        cmd.exe         2500        107
Processes

- [1] C:\Users\Admin\AppData\Local\Temp\file.exe (PID 4892)
      command: "C:\Users\Admin\AppData\Local\Temp\file.exe"
      signatures: Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\cmd.exe (PID 2940)
        command: cmd /k cmd < Arising & exit
        signatures: Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\cmd.exe (PID 4976)
          command: cmd
          signatures: Suspicious use of WriteProcessMemory
      - [4] C:\Windows\SysWOW64\tasklist.exe (PID 3032)
            command: tasklist
            signatures: Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken
      - [4] C:\Windows\SysWOW64\findstr.exe (PID 3176)
            command: findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
      - [4] C:\Windows\SysWOW64\tasklist.exe (PID 2860)
            command: tasklist
            signatures: Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken
      - [4] C:\Windows\SysWOW64\findstr.exe (PID 1096)
            command: findstr /I "wrsa.exe"
      - [4] C:\Windows\SysWOW64\cmd.exe (PID 2212)
            command: cmd /c mkdir 10110
      - [4] C:\Windows\SysWOW64\cmd.exe (PID 3396)
            command: cmd /c copy /b Dump + Household + Universal + Button + Angola 10110\Introducing.pif
      - [4] C:\Windows\SysWOW64\cmd.exe (PID 1536)
            command: cmd /c copy /b Teddy + Burner + Ourselves 10110\h
      - [4] C:\Users\Admin\AppData\Local\Temp\35281\10110\Introducing.pif (PID 5108)
            command: 10110\Introducing.pif 10110\h
            signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
      - [4] C:\Windows\SysWOW64\PING.EXE (PID 2500)
            command: ping -n 5 localhost
            signatures: Runs ping.exe

Reading the tree: the level-3 cmd.exe (PID 4976) receives its commands on stdin from the file "Arising" (the "< Arising" redirection in its parent's command line), so the level-4 steps are never visible as a script name or command line of their own. Those steps run tasklist twice and grep the output for Avast/AVG (avastui.exe, avgui.exe), Norton (nswscsvc.exe), Sophos (sophoshealth.exe) and Webroot (wrsa.exe) processes, create the directory 10110, rebuild two files with copy /b from extension-less fragments (Dump, Household, Universal, Button, Angola into Introducing.pif; Teddy, Burner, Ourselves into h), execute the rebuilt .pif with the rebuilt h as its argument, and use "ping -n 5 localhost" as a sleep. The image path of PID 5108 shows the working directory for these steps was C:\Users\Admin\AppData\Local\Temp\35281, which is where the fragments were unpacked. Splitting the payload into nameless fragments and joining them at run time means no single file on disk is the final binary until the moment it is executed.
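The pattern in the tree above (tasklist piped into findstr for AV process names, copy /b reassembly of a binary from extension-less fragments, execution of the assembled .pif from a Temp path, a ping-to-localhost sleep) is easy to match on process-creation telemetry. The following is an added example, not part of the sandbox report and not the sandbox's own signature logic: it runs that detection over events constructed from the process tree on this page and also collapses the tripled "wrote to memory" rows from the Signatures section into unique edges. Field names (pid, ppid, image, cmd), the WPM_ROWS excerpt and the scoring are assumptions; PIDs, paths and command lines are the ones the report shows.

```python
"""Detection for the dropper pattern in this report, run over constructed events.
Added example (not from the report); Sysmon-style field names are an assumption."""
import re
from collections import defaultdict

# Process-creation events constructed from the report's process tree.
EVENTS = [
    {"pid": 4892, "ppid": 0, "image": r"C:\Users\Admin\AppData\Local\Temp\file.exe",
     "cmd": r'"C:\Users\Admin\AppData\Local\Temp\file.exe"'},
    {"pid": 2940, "ppid": 4892, "image": r"C:\Windows\SysWOW64\cmd.exe", "cmd": "cmd /k cmd < Arising & exit"},
    {"pid": 4976, "ppid": 2940, "image": r"C:\Windows\SysWOW64\cmd.exe", "cmd": "cmd"},
    {"pid": 3032, "ppid": 4976, "image": r"C:\Windows\SysWOW64\tasklist.exe", "cmd": "tasklist"},
    {"pid": 3176, "ppid": 4976, "image": r"C:\Windows\SysWOW64\findstr.exe",
     "cmd": 'findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"'},
    {"pid": 2860, "ppid": 4976, "image": r"C:\Windows\SysWOW64\tasklist.exe", "cmd": "tasklist"},
    {"pid": 1096, "ppid": 4976, "image": r"C:\Windows\SysWOW64\findstr.exe", "cmd": 'findstr /I "wrsa.exe"'},
    {"pid": 2212, "ppid": 4976, "image": r"C:\Windows\SysWOW64\cmd.exe", "cmd": "cmd /c mkdir 10110"},
    {"pid": 3396, "ppid": 4976, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmd": r"cmd /c copy /b Dump + Household + Universal + Button + Angola 10110\Introducing.pif"},
    {"pid": 1536, "ppid": 4976, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmd": r"cmd /c copy /b Teddy + Burner + Ourselves 10110\h"},
    {"pid": 5108, "ppid": 4976, "image": r"C:\Users\Admin\AppData\Local\Temp\35281\10110\Introducing.pif",
     "cmd": r"10110\Introducing.pif 10110\h"},
    {"pid": 2500, "ppid": 4976, "image": r"C:\Windows\SysWOW64\PING.EXE", "cmd": "ping -n 5 localhost"},
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def av_probe(events):
    """Process names searched for by a tasklist | findstr /I "..." check: a findstr.exe
    with a quoted list of .exe names that has a tasklist.exe sibling under the same parent."""
    by_parent = defaultdict(list)
    for e in events:
        by_parent[e["ppid"]].append(e)
    names = set()
    for sibs in by_parent.values():
        if not any(basename(e["image"]) == "tasklist.exe" for e in sibs):
            continue
        for e in sibs:
            m = re.search(r'"([^"]+)"', e["cmd"]) if basename(e["image"]) == "findstr.exe" else None
            if m:
                names.update(n.lower() for n in m.group(1).split() if n.lower().endswith(".exe"))
    return names


COPY_B = re.compile(r"copy\s+/b\s+(.+?)\s+(\S+)\s*$", re.I)


def copy_b_assembly(events):
    """{destination: [fragments]} for copy /b joins whose inputs carry no extension,
    i.e. a binary being rebuilt from parts that are not scannable as executables."""
    joins = {}
    for e in events:
        m = COPY_B.search(e["cmd"])
        if m:
            parts = [p.strip() for p in m.group(1).split("+")]
            if all("." not in p for p in parts):
                joins[m.group(2)] = parts
    return joins


def assembled_binary_run(events):
    """PIDs whose image is a copy /b output with an executable extension under a Temp path."""
    dests = {basename(d) for d in copy_b_assembly(events)}
    return [e["pid"] for e in events
            if basename(e["image"]) in dests
            and basename(e["image"]).endswith((".pif", ".scr", ".com", ".exe"))
            and "\\temp\\" in e["image"].lower()]


PING = re.compile(r"\bping(?:\.exe)?\s+(?:-n\s+(\d+)\s+)?(?:localhost|127\.0\.0\.1)\b", re.I)


def ping_sleep(events):
    """Ping count N of a `ping -n N localhost` sleep (Windows default 4 if -n absent), else None."""
    for e in events:
        m = PING.search(e["cmd"])
        if m:
            return int(m.group(1)) if m.group(1) else 4
    return None


def verdict(events):
    """Collect the findings; score counts how many of the four stages are present (assumed weighting)."""
    findings = {
        "av_probe": sorted(av_probe(events)),
        "copy_b_assembly": copy_b_assembly(events),
        "assembled_binary_run": assembled_binary_run(events),
        "ping_sleep": ping_sleep(events),
    }
    findings["score"] = sum(1 for v in findings.values() if v)
    return findings


# Excerpt of the flattened "Suspicious use of WriteProcessMemory" rows, constructed from the
# report (the sandbox logs each parent->child relationship three times).
WPM_ROWS = ("PID 4892 wrote to memory of 2940 4892 file.exe 95 "
            "PID 4892 wrote to memory of 2940 4892 file.exe 95 "
            "PID 4892 wrote to memory of 2940 4892 file.exe 95 "
            "PID 2940 wrote to memory of 4976 2940 cmd.exe 97 "
            "PID 4976 wrote to memory of 5108 4976 cmd.exe 106")
WPM = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) \d+")


def wpm_edges(text):
    """Unique (writer PID, target PID) -> writer image, collapsing the repeated rows."""
    edges = {}
    for src, dst, proc in WPM.findall(text):
        edges.setdefault((int(src), int(dst)), proc)
    return edges


if __name__ == "__main__":
    import json
    print(json.dumps(verdict(EVENTS), indent=2))
    print(wpm_edges(WPM_ROWS))
```

Each of the four checks keys on structure rather than on the specific names in this sample (any quoted .exe list after tasklist, any copy /b whose inputs have no extension, any rebuilt binary executed from Temp), so the same rule fires on the next variant with different fragment names and a different AV list; the sibling-of-tasklist condition on findstr keeps legitimate findstr use in the same shell from matching.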
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 924KB (two entries with identical hashes in the report)
  MD5: 848164d084384c49937f99d5b894253e
  SHA1: 3055ef803eeec4f175ebf120f94125717ee12444
  SHA256: f58d3a4b2f3f7f10815c24586fae91964eeed830369e7e0701b43895b0cefbd3
  SHA512: aabe1cf076f48f32542f49a92e4ca9f054b31d5a9949119991b897b9489fe775d8009896408ba49ac43ec431c87c0d385daead9dbbde7ef6309b0c97bbaf852a
- Filesize: 1.1MB
  MD5: 7a5255289377af188acf1b18bc9e166d
  SHA1: d049aa7019fe09f8109b0c494aee493f45646203
  SHA256: d1e590d04814e9bc460a9551c26518581d7b11bcd4e08e6c5e43e33523470777
  SHA512: 55553601bcb34288c3cc65bb77448f016c574fe3ec5117eea549fdcaa58dd353ec9625ad6bc93b88bdb0d78a311fa07cbfffe9ae46f8603f227cf0fa5cab80ab
- Filesize: 35KB
  MD5: d69c28913c86dd8143d87bbe65dc38fa
  SHA1: 3260b37ed93c07048c090fa7774380a6264cea85
  SHA256: d806966a7b5ca0736dd6b96a32dabe8e734f10493b4dc39c12d929c39ffce536
  SHA512: 284ef48bd1042bfb88e197cc817d71d4bafae21020246c630cdcb5559c4525ffd53825a08807eda0abf015b96b45ef80f062de16cb6b781d5379e92360dce8c4
- Filesize: 12KB
  MD5: 0bc635c0e376005fa65aac5377edd095
  SHA1: cff7003d7cbcc6c13ba35081e87161b1eeaa278f
  SHA256: 21883735c904d004943b8328953d625d02b4e72f7800e0af4e9316560efd5c74
  SHA512: c976331c4cfa8ae3e6adaa6f2f44a1c785e3846ee883b4246a8d5a0397afe642caa37d1777006f487b1a1af43af26860c7035acb7ee7681089a51ad4a8a3bccc
- Filesize: 413KB
  MD5: 48021164e1fb92109e27ddedb0d66eb5
  SHA1: 46516f4866b0985ed96c5c2f8569961ad26bb47c
  SHA256: e5989d6b1236f9e7519ef074a4d08dfeb7b844b8d4cbbf7d70cd1983ba215543
  SHA512: 73ac4679ea6bd2bfb963d41fa83ae330f96efd8caf877e4ba87b71821e909743b26fb2245c2d6ff98a50d7035f3e217cdb27fdb7009c91f28135a652fd7e9c80
- Filesize: 278KB
  MD5: 65d276c2d6623838ed01839510b87148
  SHA1: 04b6a5331305cd263212e9f48247503e722c3d77
  SHA256: a3d32b27d1dd12c24ec048e2fdffc9fce7873b72d0dbcf71ca55598b0fed2068
  SHA512: 8ff4549deb542f3e727dfd0ab5838f91aae7f9335b91867b3cbb0167333b391b09954831ed79f19d19e4286cf7d7f6026aaa293005c3dfe40ffa8b0d76f4c515
- Filesize: 192KB
  MD5: 1f919f0a678b5e178ed48a5ca21c8672
  SHA1: c9d3b585ea5e9a20b64034baac5e3be0642ad4ff
  SHA256: 11aa1e0a2efe07458575474317aabb0738f5eb84e51992759752c780c4d7c626
  SHA512: c3acffd7dc9a660d960a9ed07d7d45c5332cdef3ea822539e2c8171fbf84cc1684577be7770c0eefecf4cce24f5114758e013616226bcd94ec8ef4e470f707ae
- Filesize: 197KB
  MD5: 2874a7a205fa530fbac19127ba3eb684
  SHA1: 7e9b02d0e6593acb1b0e90e0f6c247d03b6f6dfb
  SHA256: ea41ff405e2f888aa28a5b8297b982e4ade52d1685d58a998ba3efae901400c8
  SHA512: b01b00957f67a04d131c94c101ee8a86494df6339f5cac2bcb3cea4ed9241418a4535fc44760db5714615a91e6f73431f19e91930b228dd4521cf5c4168e5b89
- Filesize: 233KB
  MD5: db4274d49e0baec3545780ad3b701ff1
  SHA1: 56a56f00831b919cadf14d25406afc87a3e34ef7
  SHA256: becb0d59f16ef9857d69739ed3b406c6e3ae3e84f7745611f4ecf4361660c158
  SHA512: ea045534ec8f96285653b8b5a516e13453ab7154b64bde750084eca51f41cf5380d3cd1a4601006dfc14c1b06605a4b5430e3312d93ea21aef0dbc7d110f7f81
- Filesize: 445KB
  MD5: 025b53e4e01c86cb05f13b57433c8aea
  SHA1: f00e80763a3060c5b1183f8ab93ac15f587c7305
  SHA256: c8b5a6a9ada98f36fdc1f47b6cb5ce1f202ed7463a5cc37ee815995ec8ee4e4e
  SHA512: 0b7994327c83ac16ae96b3a8df84a4c43c8042a38b7e75969f02b9f957347722d39eb7732377dbc2bcd686282f7164070226f9ac83ed5c63abf2137ca86eb13d
- Filesize: 222KB
  MD5: 9d2baa4107fea644c1d3b787dd2549ff
  SHA1: 5fda9b603eaca177ece358fddac7c93f1135581d
  SHA256: afc01637b82e08b0d1eedfd5337b4f4056e13943195d7693787e98802a258d1e
  SHA512: 4894bfc0463c172707f3832879003cc3f58c057def60e585c28f41f09df422dacd7bfe7f8c3a2d33e10a86c6670fea82fe207f7df805aa512274334a0ceaef1f