Analysis
max time kernel: 148s
max time network: 141s
platform: windows10-2004_x64
resource: win10v2004-20231130-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231130-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07-12-2023 23:23
Behavioral task: behavioral1
Sample: file.exe
Resource: win7-20231025-en

Behavioral task: behavioral2
Sample: file.exe
Resource: win10v2004-20231130-en
General
Target: file.exe
Size: 1.6MB
MD5: 8cc2ad5aaa5f50b4a34dc5875b9c55ea
SHA1: 9074a4475f7a9e4954b169071bef9e62b8b9a2d6
SHA256: 4fbc2050706302678bbf31e2654da5905f41e8cbd98e4ad25fef3b4dd76346a9
SHA512: 04e6ff2de85b84b659a9fd61675cec7bd98cbd91cc398e203246811e3f612e11d64a0f95b2bed691e84d01e075f6e9d3c68af13ed737f84b2781f307a6b855c0
SSDEEP: 49152:qWg8wUmZOzqiavjDUJO/WH89ctcO0ljbbQnIQGotBKq98TJCHEGU42sn6:ZiUmZOzqiavjDUM/WH89y8bboGO
Malware Config
Signatures

Drops startup file (1 IoCs)
Processes (file.exe):
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk | file.exe

Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk where infostealers will often target it.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
Processes (file.exe):
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | file.exe
Key opened | \REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | file.exe
Key opened | \REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | file.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
Processes (file.exe):
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe" | file.exe
Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
19 | ipinfo.io
21 | ipinfo.io

Drops file in System32 directory (4 IoCs)
Processes (file.exe):
description | ioc | process
File opened for modification | C:\Windows\System32\GroupPolicy | file.exe
File opened for modification | C:\Windows\SysWOW64\GroupPolicy\gpt.ini | file.exe
File created | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | file.exe
File opened for modification | C:\Windows\System32\GroupPolicy\GPT.INI | file.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoCs)
Processes (WerFault.exe):
pid | pid_target | process | target process
3524 | 5068 | WerFault.exe | file.exe

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes (file.exe):
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | file.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | file.exe

Creates scheduled task(s) (1 TTPs, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes (schtasks.exe, schtasks.exe):
pid | process
4444 | schtasks.exe
4016 | schtasks.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes (file.exe):
pid | process
5068 | file.exe
5068 | file.exe

Suspicious use of WriteProcessMemory (6 IoCs)
Processes (file.exe):
description | pid | process | target process
PID 5068 wrote to memory of 4444 | 5068 | file.exe | schtasks.exe
PID 5068 wrote to memory of 4444 | 5068 | file.exe | schtasks.exe
PID 5068 wrote to memory of 4444 | 5068 | file.exe | schtasks.exe
PID 5068 wrote to memory of 4016 | 5068 | file.exe | schtasks.exe
PID 5068 wrote to memory of 4016 | 5068 | file.exe | schtasks.exe
PID 5068 wrote to memory of 4016 | 5068 | file.exe | schtasks.exe

outlook_office_path (1 IoCs)
Processes (file.exe):
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | file.exe

outlook_win_path (1 IoCs)
Processes (file.exe):
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | file.exe
Processes

C:\Users\Admin\AppData\Local\Temp\file.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  - Drops startup file
  - Accesses Microsoft Outlook profiles
  - Adds Run key to start application
  - Drops file in System32 directory
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - outlook_office_path
  - outlook_win_path
  PID: 5068

    C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
      - Creates scheduled task(s)
      PID: 4444

    C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
      - Creates scheduled task(s)
      PID: 4016

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5068 -s 1688
      - Program crash
      PID: 3524

C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
  PID: 4664

C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
  PID: 3980

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 5068 -ip 5068
  PID: 3808
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1.6MB
MD5: 8cc2ad5aaa5f50b4a34dc5875b9c55ea
SHA1: 9074a4475f7a9e4954b169071bef9e62b8b9a2d6
SHA256: 4fbc2050706302678bbf31e2654da5905f41e8cbd98e4ad25fef3b4dd76346a9
SHA512: 04e6ff2de85b84b659a9fd61675cec7bd98cbd91cc398e203246811e3f612e11d64a0f95b2bed691e84d01e075f6e9d3c68af13ed737f84b2781f307a6b855c0

Filesize: 3KB
MD5: c86d8aeff66fa03045755babcab06775
SHA1: cee2c4e1154a7dc73999d882023d69bfb7a1766a
SHA256: 5a7043cfb69c03a1f80fd5817f6f091055a1f39a890aadaf42515ab5a0863e4c
SHA512: 2e129ba533c1afa73ddae9e3fc19473aae89c48aed1cf0a2b1399724ea2c6c171b5e6bae3d02d8dd9daa2587c7d063f6be4b2112397ffbf118b670f5ddc9676f