Analysis
-
max time kernel
148s -
max time network
141s -
platform
windows10-2004_x64 -
resource
win10v2004-20231130-en -
resource tags
-
submitted
07-12-2023 23:23
General
-
Target
file.exe
-
Size
1.6MB
-
MD5
8cc2ad5aaa5f50b4a34dc5875b9c55ea
-
SHA1
9074a4475f7a9e4954b169071bef9e62b8b9a2d6
-
SHA256
4fbc2050706302678bbf31e2654da5905f41e8cbd98e4ad25fef3b4dd76346a9
-
SHA512
04e6ff2de85b84b659a9fd61675cec7bd98cbd91cc398e203246811e3f612e11d64a0f95b2bed691e84d01e075f6e9d3c68af13ed737f84b2781f307a6b855c0
-
SSDEEP
49152:qWg8wUmZOzqiavjDUJO/WH89ctcO0ljbbQnIQGotBKq98TJCHEGU42sn6:ZiUmZOzqiavjDUM/WH89y8bboGO
Malware Config
Signatures
-
Drops startup file 1 IoCs
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Drops startup file
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Drops file in System32 directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5068 -s 16882⤵
- Program crash
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 5068 -ip 50681⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.6MB
MD58cc2ad5aaa5f50b4a34dc5875b9c55ea
SHA19074a4475f7a9e4954b169071bef9e62b8b9a2d6
SHA2564fbc2050706302678bbf31e2654da5905f41e8cbd98e4ad25fef3b4dd76346a9
SHA51204e6ff2de85b84b659a9fd61675cec7bd98cbd91cc398e203246811e3f612e11d64a0f95b2bed691e84d01e075f6e9d3c68af13ed737f84b2781f307a6b855c0
-
Filesize
3KB
MD5c86d8aeff66fa03045755babcab06775
SHA1cee2c4e1154a7dc73999d882023d69bfb7a1766a
SHA2565a7043cfb69c03a1f80fd5817f6f091055a1f39a890aadaf42515ab5a0863e4c
SHA5122e129ba533c1afa73ddae9e3fc19473aae89c48aed1cf0a2b1399724ea2c6c171b5e6bae3d02d8dd9daa2587c7d063f6be4b2112397ffbf118b670f5ddc9676f