Analysis

max time kernel: 31s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20231130-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231130-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12-12-2023 16:56

Static task: static1

Behavioral task: behavioral1
  Sample: b1263c9f84848b96f7754daf18905a89837a64f81d219efacd54573201fcb87f.exe
  Resource: win7-20231201-en

Behavioral task: behavioral2
  Sample: b1263c9f84848b96f7754daf18905a89837a64f81d219efacd54573201fcb87f.exe
  Resource: win10v2004-20231130-en
General

Target: b1263c9f84848b96f7754daf18905a89837a64f81d219efacd54573201fcb87f.exe
Size: 413KB
MD5: 1777bf83c011f0788ada715b52109451
SHA1: 94a8481b3a7230d8afa0f33f1a23dc538c4857d7
SHA256: b1263c9f84848b96f7754daf18905a89837a64f81d219efacd54573201fcb87f
SHA512: c23d4b04fa22f1b22d9b066fd5a3947090bd7f07ffaa0b18f6ec76f4aab6189f4010b8c07deeec0b6cb714076b2c5979d8a9210457c07169365dd640170463bb
SSDEEP: 3072:3YRz3q+7/MIx2jgG0k68TlzWh14aPrEBCS4YLOZ2IJWvSnE9lmyg9:34Dq+jMIx8Ikxl6UaPg7ty2/SEet
Malware Config

Extracted
  Family: 44caliber
  Discord webhook (exfiltration endpoint): https://discord.com/api/webhooks/1167482850669506590/XPbC-QMgZk-g5lpCED6exclk3YJMn-e8Xl96345o1pqvB_PUpcdO3qdCTNwrb0TbEW7h
Signatures

Modifies Windows Firewall (1 TTPs, 1 IoCs)

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: b1263c9f84848b96f7754daf18905a89837a64f81d219efacd54573201fcb87f.exe, Rat.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-423100829-2271632622-1028104103-1000\Control Panel\International\Geo\Nation | b1263c9f84848b96f7754daf18905a89837a64f81d219efacd54573201fcb87f.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-423100829-2271632622-1028104103-1000\Control Panel\International\Geo\Nation | Rat.exe
Drops startup file (2 IoCs)
Processes: svchost.exe
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0acde5366a0ad4cf36a62b2a5c332c14.exe | svchost.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0acde5366a0ad4cf36a62b2a5c332c14.exe | svchost.exe

Executes dropped EXE (4 IoCs)
Processes: aminer-watchdog.exe, Rat.exe, стиллер с отправкорй дс.exe, svchost.exe
  pid | process
  2132 | aminer-watchdog.exe
  4520 | Rat.exe
  2100 | стиллер с отправкорй дс.exe
  4064 | svchost.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: svchost.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-423100829-2271632622-1028104103-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\0acde5366a0ad4cf36a62b2a5c332c14 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe\" .." | svchost.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\0acde5366a0ad4cf36a62b2a5c332c14 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe\" .." | svchost.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTPs)

Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow | ioc
  4 | ip-api.com
  9 | freegeoip.app
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: стиллер с отправкорй дс.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | стиллер с отправкорй дс.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | стиллер с отправкорй дс.exe

Suspicious behavior: EnumeratesProcesses (61 IoCs)
Processes: стиллер с отправкорй дс.exe, svchost.exe
  pid | process
  61 entries in total, all attributed to pid 2100 (стиллер с отправкорй дс.exe) and pid 4064 (svchost.exe); the repeated rows are collapsed here.
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes: b1263c9f84848b96f7754daf18905a89837a64f81d219efacd54573201fcb87f.exe, стиллер с отправкорй дс.exe, svchost.exe
  description | pid | process
  Token: SeDebugPrivilege | 4128 | b1263c9f84848b96f7754daf18905a89837a64f81d219efacd54573201fcb87f.exe
  Token: SeDebugPrivilege | 2100 | стиллер с отправкорй дс.exe
  Token: SeDebugPrivilege | 4064 | svchost.exe

Suspicious use of WriteProcessMemory (13 IoCs)
Processes: b1263c9f84848b96f7754daf18905a89837a64f81d219efacd54573201fcb87f.exe, Rat.exe, svchost.exe
  description | pid | process | target process
  PID 4128 wrote to memory of 2132 | 4128 | b1263c9f84848b96f7754daf18905a89837a64f81d219efacd54573201fcb87f.exe | aminer-watchdog.exe
  PID 4128 wrote to memory of 2132 | 4128 | b1263c9f84848b96f7754daf18905a89837a64f81d219efacd54573201fcb87f.exe | aminer-watchdog.exe
  PID 4128 wrote to memory of 4520 | 4128 | b1263c9f84848b96f7754daf18905a89837a64f81d219efacd54573201fcb87f.exe | Rat.exe
  PID 4128 wrote to memory of 4520 | 4128 | b1263c9f84848b96f7754daf18905a89837a64f81d219efacd54573201fcb87f.exe | Rat.exe
  PID 4128 wrote to memory of 4520 | 4128 | b1263c9f84848b96f7754daf18905a89837a64f81d219efacd54573201fcb87f.exe | Rat.exe
  PID 4128 wrote to memory of 2100 | 4128 | b1263c9f84848b96f7754daf18905a89837a64f81d219efacd54573201fcb87f.exe | стиллер с отправкорй дс.exe
  PID 4128 wrote to memory of 2100 | 4128 | b1263c9f84848b96f7754daf18905a89837a64f81d219efacd54573201fcb87f.exe | стиллер с отправкорй дс.exe
  PID 4520 wrote to memory of 4064 | 4520 | Rat.exe | svchost.exe
  PID 4520 wrote to memory of 4064 | 4520 | Rat.exe | svchost.exe
  PID 4520 wrote to memory of 4064 | 4520 | Rat.exe | svchost.exe
  PID 4064 wrote to memory of 2404 | 4064 | svchost.exe | netsh.exe
  PID 4064 wrote to memory of 2404 | 4064 | svchost.exe | netsh.exe
  PID 4064 wrote to memory of 2404 | 4064 | svchost.exe | netsh.exe
Processes

C:\Users\Admin\AppData\Local\Temp\b1263c9f84848b96f7754daf18905a89837a64f81d219efacd54573201fcb87f.exe
  command: "C:\Users\Admin\AppData\Local\Temp\b1263c9f84848b96f7754daf18905a89837a64f81d219efacd54573201fcb87f.exe"
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 4128

  C:\Users\Admin\AppData\Local\Temp\aminer-watchdog.exe
    command: "C:\Users\Admin\AppData\Local\Temp\aminer-watchdog.exe"
    - Executes dropped EXE
    PID: 2132

  C:\Users\Admin\AppData\Local\Temp\Rat.exe
    command: "C:\Users\Admin\AppData\Local\Temp\Rat.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 4520

    C:\Users\Admin\AppData\Local\Temp\svchost.exe
      command: "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
      - Drops startup file
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 4064

      C:\Windows\SysWOW64\netsh.exe
        command: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\svchost.exe" "svchost.exe" ENABLE
        - Modifies Windows Firewall
        PID: 2404

  C:\Users\Admin\AppData\Local\Temp\стиллер с отправкорй дс.exe
    command: "C:\Users\Admin\AppData\Local\Temp\стиллер с отправкорй дс.exe"
    - Executes dropped EXE
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2100
Network

MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads