Analysis
-
max time kernel
125s -
max time network
52s -
platform
windows10-2004_x64 -
resource
win10v2004-20231130-en -
resource tags
arch:x64arch:x86image:win10v2004-20231130-enlocale:en-usos:windows10-2004-x64system -
submitted
05-12-2023 17:55
Behavioral task
behavioral1
Sample
640d2a93bfc8e562453b35303ae4ec3c40c0de5b67eef3c28b1d1d498fa40f83.exe
Resource
win7-20231201-en
General
-
Target
640d2a93bfc8e562453b35303ae4ec3c40c0de5b67eef3c28b1d1d498fa40f83.exe
-
Size
274KB
-
MD5
d6ae2f2cb1539dea4bb4d9ea9d5d5cce
-
SHA1
bc2ac2bc2d1ee035b65dbd43a4c0d134c51a3eeb
-
SHA256
640d2a93bfc8e562453b35303ae4ec3c40c0de5b67eef3c28b1d1d498fa40f83
-
SHA512
59c2d4eafcf67f91ee31104cb04be363ffbfadbe5a9667c0849584e666dffd4529f5c7dfd16905d63f9e2fa310c820aec20de7455ec753a48ab538885ac10ebd
-
SSDEEP
6144:vf+BLtABPDMtBBfn1Y0gIoHOQpafTyElI1D0pEA:otVvgIoHOOp1DxA
Malware Config
Extracted
44caliber
https://discordapp.com/api/webhooks/1179802952609837118/VQL2SnbY3OQKym01HTNlPaUzF5_zZWpyG0uR_TQhE0OllmdOQS7zEdjJ2Yw63bcoH9rt
Signatures
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 2 freegeoip.app -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
640d2a93bfc8e562453b35303ae4ec3c40c0de5b67eef3c28b1d1d498fa40f83.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 640d2a93bfc8e562453b35303ae4ec3c40c0de5b67eef3c28b1d1d498fa40f83.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier 640d2a93bfc8e562453b35303ae4ec3c40c0de5b67eef3c28b1d1d498fa40f83.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
640d2a93bfc8e562453b35303ae4ec3c40c0de5b67eef3c28b1d1d498fa40f83.exepid process 4224 640d2a93bfc8e562453b35303ae4ec3c40c0de5b67eef3c28b1d1d498fa40f83.exe 4224 640d2a93bfc8e562453b35303ae4ec3c40c0de5b67eef3c28b1d1d498fa40f83.exe 4224 640d2a93bfc8e562453b35303ae4ec3c40c0de5b67eef3c28b1d1d498fa40f83.exe 4224 640d2a93bfc8e562453b35303ae4ec3c40c0de5b67eef3c28b1d1d498fa40f83.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
640d2a93bfc8e562453b35303ae4ec3c40c0de5b67eef3c28b1d1d498fa40f83.exedescription pid process Token: SeDebugPrivilege 4224 640d2a93bfc8e562453b35303ae4ec3c40c0de5b67eef3c28b1d1d498fa40f83.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\640d2a93bfc8e562453b35303ae4ec3c40c0de5b67eef3c28b1d1d498fa40f83.exe"C:\Users\Admin\AppData\Local\Temp\640d2a93bfc8e562453b35303ae4ec3c40c0de5b67eef3c28b1d1d498fa40f83.exe"1⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4224
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5bc11286c33d78d1efc7b2e3e5f529bb7
SHA114a3bf0d17256c6f655f8f19d8a0334111c2391a
SHA256ab6552a3aaea0a177cd64efd89d45d92df158cb24453b256a1b85ceefd2a7586
SHA512f2784b87f80b95bcdb27f2de3bbc1736e1fc04368803969ef554e4c033cbf1adef51bf46509746b005f3e6a8c4ab20a3e5189e1332b4de46982ead5802a50c0b
-
Filesize
736B
MD53afdcec077d51e237be37c52e48afaf4
SHA19e4134a12059f35e8df7a08f33a03410cb273184
SHA256a692dd45676171037636fa7c74b9688f498268f763207604b9bc15bb71b41f8a
SHA5122598995fc9b8313c94dd513e4a25b4102bc107c8e566b2a50e239d2e88099de2833ac6c22635257c499bd02ff8d5bb48ae09b523dcfcb5eedaf9630b1956a548