Analysis
-
max time kernel
120s -
max time network
106s -
platform
windows10-1703_x64 -
resource
win10-20231129-en -
resource tags
arch:x64 arch:x86 image:win10-20231129-en locale:en-us os:windows10-1703-x64 system -
submitted
13/12/2023, 23:39
Behavioral task
behavioral1
Sample
e3f5fe0194472c9a2f38eb69d0a532701586fad07de6d94f39dfa060e219ee6e.exe
Resource
win10-20231129-en
General
-
Target
e3f5fe0194472c9a2f38eb69d0a532701586fad07de6d94f39dfa060e219ee6e.exe
-
Size
1.6MB
-
MD5
0f80fb0884759cc8bf8e74b9bc7c9d75
-
SHA1
1544e4d4912523fc7a19f16f5ecaab701007d742
-
SHA256
e3f5fe0194472c9a2f38eb69d0a532701586fad07de6d94f39dfa060e219ee6e
-
SHA512
4675dd854898d876136701b8364200e58a70ff61c32461a653ae9a46205162433d6745ae86ddfdf4d3a6932c04de479ccf7fbd3216bad3de82b8ae85397f0176
-
SSDEEP
49152:80ceOGgUYYEmluRKYoFh4kGWusbQnIyDi1E1uonTKi/OjCCNG:1XOGgUYC4RKXFhrusbaDkE1u
Malware Config
Signatures
-
Drops startup file 1 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk | e3f5fe0194472c9a2f38eb69d0a532701586fad07de6d94f39dfa060e219ee6e.exe
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-2915688436-2954362642-4271300650-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | e3f5fe0194472c9a2f38eb69d0a532701586fad07de6d94f39dfa060e219ee6e.exe
Key opened | \REGISTRY\USER\S-1-5-21-2915688436-2954362642-4271300650-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | e3f5fe0194472c9a2f38eb69d0a532701586fad07de6d94f39dfa060e219ee6e.exe
Key opened | \REGISTRY\USER\S-1-5-21-2915688436-2954362642-4271300650-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | e3f5fe0194472c9a2f38eb69d0a532701586fad07de6d94f39dfa060e219ee6e.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2915688436-2954362642-4271300650-1000\Software\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe" | e3f5fe0194472c9a2f38eb69d0a532701586fad07de6d94f39dfa060e219ee6e.exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
3 | ipinfo.io
4 | ipinfo.io
-
Drops file in System32 directory 4 IoCs
description | ioc | Process
File opened for modification | C:\Windows\System32\GroupPolicy | e3f5fe0194472c9a2f38eb69d0a532701586fad07de6d94f39dfa060e219ee6e.exe
File opened for modification | C:\Windows\SysWOW64\GroupPolicy\gpt.ini | e3f5fe0194472c9a2f38eb69d0a532701586fad07de6d94f39dfa060e219ee6e.exe
File created | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | e3f5fe0194472c9a2f38eb69d0a532701586fad07de6d94f39dfa060e219ee6e.exe
File opened for modification | C:\Windows\System32\GroupPolicy\GPT.INI | e3f5fe0194472c9a2f38eb69d0a532701586fad07de6d94f39dfa060e219ee6e.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid | pid_target | Process | procid_target
3368 | 4960 | WerFault.exe | 73
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | e3f5fe0194472c9a2f38eb69d0a532701586fad07de6d94f39dfa060e219ee6e.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | e3f5fe0194472c9a2f38eb69d0a532701586fad07de6d94f39dfa060e219ee6e.exe
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2272 | schtasks.exe
1600 | schtasks.exe
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid | Process
4960 | e3f5fe0194472c9a2f38eb69d0a532701586fad07de6d94f39dfa060e219ee6e.exe
4960 | e3f5fe0194472c9a2f38eb69d0a532701586fad07de6d94f39dfa060e219ee6e.exe
-
Suspicious use of WriteProcessMemory 6 IoCs
description | pid | Process | procid_target
PID 4960 wrote to memory of 2272 | 4960 | e3f5fe0194472c9a2f38eb69d0a532701586fad07de6d94f39dfa060e219ee6e.exe | 74
PID 4960 wrote to memory of 2272 | 4960 | e3f5fe0194472c9a2f38eb69d0a532701586fad07de6d94f39dfa060e219ee6e.exe | 74
PID 4960 wrote to memory of 2272 | 4960 | e3f5fe0194472c9a2f38eb69d0a532701586fad07de6d94f39dfa060e219ee6e.exe | 74
PID 4960 wrote to memory of 1600 | 4960 | e3f5fe0194472c9a2f38eb69d0a532701586fad07de6d94f39dfa060e219ee6e.exe | 78
PID 4960 wrote to memory of 1600 | 4960 | e3f5fe0194472c9a2f38eb69d0a532701586fad07de6d94f39dfa060e219ee6e.exe | 78
PID 4960 wrote to memory of 1600 | 4960 | e3f5fe0194472c9a2f38eb69d0a532701586fad07de6d94f39dfa060e219ee6e.exe | 78
-
outlook_office_path 1 IoCs
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-2915688436-2954362642-4271300650-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | e3f5fe0194472c9a2f38eb69d0a532701586fad07de6d94f39dfa060e219ee6e.exe
-
outlook_win_path 1 IoCs
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-2915688436-2954362642-4271300650-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | e3f5fe0194472c9a2f38eb69d0a532701586fad07de6d94f39dfa060e219ee6e.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\e3f5fe0194472c9a2f38eb69d0a532701586fad07de6d94f39dfa060e219ee6e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e3f5fe0194472c9a2f38eb69d0a532701586fad07de6d94f39dfa060e219ee6e.exe"
  - Drops startup file
  - Accesses Microsoft Outlook profiles
  - Adds Run key to start application
  - Drops file in System32 directory
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - outlook_office_path
  - outlook_win_path
  PID:4960
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
    - Creates scheduled task(s)
    PID:2272
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
    - Creates scheduled task(s)
    PID:1600
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4960 -s 1796
    - Program crash
    PID:3368
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
  PID:4184
- \??\c:\windows\system32\svchost.exe
  Command line: c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc
  PID:3028
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
1.6MB
MD5 0f80fb0884759cc8bf8e74b9bc7c9d75
SHA1 1544e4d4912523fc7a19f16f5ecaab701007d742
SHA256 e3f5fe0194472c9a2f38eb69d0a532701586fad07de6d94f39dfa060e219ee6e
SHA512 4675dd854898d876136701b8364200e58a70ff61c32461a653ae9a46205162433d6745ae86ddfdf4d3a6932c04de479ccf7fbd3216bad3de82b8ae85397f0176
-
Filesize
3KB
MD5 b3ec0b0f067d88b2193d1f4f5ae1457c
SHA1 4464a4346abcdb5cbafa7ad5aa70b6011151f5d7
SHA256 530b1e5aa588f29288cd750775356bd568c9eb98ea04bee0d27ba64225fdb540
SHA512 c429bbd0c4ae8cb354cb917382e336500568ea8997414bf55d4e9230d2278a27eb0178f6afa6e154d4a68cd7dc3cf7aa8dd7caee810548c60e0cf4dd1eab99a9
-
Filesize
92KB
MD5 4491efe9c997c2bb294866dab785b4a3
SHA1 655c178e979acf42eed324d2883b04ef9ba441c3
SHA256 197fb907775f182f8a8f6e00e5b514477a096988d10475a63385647c32b361e7
SHA512 57c135d0932dd1e11367d34af7808fd524c87507c263e3190105cbc69a4ac1ab730ed31631c860fbde125b99bd5995af797707fbc7063ceb5b1a1a708916d142