Analysis
Max time kernel: 82s
Max time network: 150s
Platform: windows10-2004_x64
Resource: win10v2004-20231127-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20231127-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 05-12-2023 02:38

Behavioral task: behavioral1
Sample: 7fe5c47a1acaa5faa781ddc065e1c8b0d5e9a0bb2a508445b78a62debcbf02f0.exe
Resource: win7-20231023-en

Behavioral task: behavioral2
Sample: 7fe5c47a1acaa5faa781ddc065e1c8b0d5e9a0bb2a508445b78a62debcbf02f0.exe
Resource: win10v2004-20231127-en
General
Target: 7fe5c47a1acaa5faa781ddc065e1c8b0d5e9a0bb2a508445b78a62debcbf02f0.exe
Size: 158.0MB
MD5: 328b0e9fd74c9d359c694658eaf025ba
SHA1: 2b1cc7fb3895dc9d7b49ee91b93e4ffc9c625200
SHA256: 7fe5c47a1acaa5faa781ddc065e1c8b0d5e9a0bb2a508445b78a62debcbf02f0
SHA512: 1506c1a099519b99cc68451a5d1b360b252bfa1f152373521a2d600361e233d6cafaf014214b260d81ad761f0c76747c117f724546f4c15ae2630823f7189a8e
SSDEEP: 1572864:IWaJrKk/uriBP1rNxoV0pPQnvKeh0ew1988ae7XRuiRU23:na92mNHpuiyiRD
Malware Config
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
- 7fe5c47a1acaa5faa781ddc065e1c8b0d5e9a0bb2a508445b78a62debcbf02f0.exe: Key value queried \REGISTRY\USER\S-1-5-21-3455265224-196869244-2056873367-1000\Control Panel\International\Geo\Nation

Executes dropped EXE (1 IoC)
Processes:
- Chrome Service.exe (PID 3276)

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
- 7fe5c47a1acaa5faa781ddc065e1c8b0d5e9a0bb2a508445b78a62debcbf02f0.exe: Set value (str) \REGISTRY\USER\S-1-5-21-3455265224-196869244-2056873367-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GoogleChromed = "C:\\Users\\Admin\\AppData\\Local\\Public Program\\Chrome Service.exe"

Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Network flows:
- flow 40: ipinfo.io
- flow 41: ipinfo.io

Suspicious behavior: EnumeratesProcesses (12 IoCs)
Processes (each PID is reported four times):
- powershell.exe (PID 1320)
- powershell.exe (PID 4832)
- powershell.exe (PID 3816)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
- powershell.exe (PID 1320): Token: SeDebugPrivilege
- powershell.exe (PID 4832): Token: SeDebugPrivilege
- powershell.exe (PID 3816): Token: SeDebugPrivilege

Suspicious use of WriteProcessMemory (12 IoCs)
Processes (each write is reported three times):
- PID 3508 (7fe5c47a1acaa5faa781ddc065e1c8b0d5e9a0bb2a508445b78a62debcbf02f0.exe) wrote to memory of PID 1320 (powershell.exe)
- PID 3508 (7fe5c47a1acaa5faa781ddc065e1c8b0d5e9a0bb2a508445b78a62debcbf02f0.exe) wrote to memory of PID 4832 (powershell.exe)
- PID 3508 (7fe5c47a1acaa5faa781ddc065e1c8b0d5e9a0bb2a508445b78a62debcbf02f0.exe) wrote to memory of PID 3816 (powershell.exe)
- PID 3508 (7fe5c47a1acaa5faa781ddc065e1c8b0d5e9a0bb2a508445b78a62debcbf02f0.exe) wrote to memory of PID 3276 (Chrome Service.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\7fe5c47a1acaa5faa781ddc065e1c8b0d5e9a0bb2a508445b78a62debcbf02f0.exe (PID 3508)
  Command line: "C:\Users\Admin\AppData\Local\Temp\7fe5c47a1acaa5faa781ddc065e1c8b0d5e9a0bb2a508445b78a62debcbf02f0.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1320)
    Command line: "powershell.exe" Stop-Process -Name "msedge"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 4832)
    Command line: "powershell.exe" Stop-Process -Name "firefox"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 3816)
    Command line: "powershell.exe" Stop-Process -Name "firefox"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe (PID 3276)
    Command line: "C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe"
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads