Overview

overview

10

Static

static

10

076be2c09b...29.exe

windows11-21h2-x64

10

0fd2b5dba8...d1.exe

windows11-21h2-x64

10

131d6fb920...b1.exe

windows11-21h2-x64

10

1c133b9bb4...fd.exe

windows11-21h2-x64

10

30af8d3ec6...30.exe

windows11-21h2-x64

10

41c9d28653...f5.exe

windows11-21h2-x64

10

5a0daa24b5...1f.exe

windows11-21h2-x64

630efa1e2d...ad.exe

windows11-21h2-x64

10

651bc82076...73.exe

windows11-21h2-x64

677bea9e71...58.exe

windows11-21h2-x64

10

7afefba65e...bb.exe

windows11-21h2-x64

3

817c226e42...db.dll

windows11-21h2-x64

8

a925fc1289...42.exe

windows11-21h2-x64

7

b1c5fd5c0f...ae.exe

windows11-21h2-x64

10

f2923f695d...7d.msi

windows11-21h2-x64

10

f58d2071a2...e1.exe

windows11-21h2-x64

7

Analysis

  • max time kernel
    445s
  • max time network
    451s
  • platform
    windows11-21h2_x64
  • resource
    win11-20231215-en
  • resource tags

    arch:x64arch:x86image:win11-20231215-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    20-12-2023 01:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe

  • Size

    278KB

  • MD5

    66a3124fe4ed45fae20e2bd4ee33c626

  • SHA1

    fc5ef4caf4d8a51a340f6fd98ac525debcff8f30

  • SHA256

    630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad

  • SHA512

    569bc064f465c32fd11fdd67896106778f13094e20adc739d8824f9e02508701b712bd3cfdab48782421b35acebe16bb5b0e97543db869ecaec5c1b87902b872

  • SSDEEP

    6144:sU0sd0bzy1GOgofaePZ3e5fv+vc6X+olz:XzHGOgovPwcXbl

Score
10/10
predatorstealercollectionpersistencespywarestealer

Malware Config

Signatures

  • PredatorStealer

    Predator is a modular stealer written in C#.

    stealerpredatorstealer
  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe
    "C:\Users\Admin\AppData\Local\Temp\630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe"
    1⤵
    • Drops startup file
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2064
    • C:\Users\Admin\AppData\Local\Temp\630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe
      "C:\Users\Admin\AppData\Local\Temp\630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe"
      2⤵
        PID:4552
      • C:\Users\Admin\AppData\Local\Temp\630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe
        "C:\Users\Admin\AppData\Local\Temp\630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2620
        • C:\Users\Admin\AppData\Local\Temp\FB_B892.tmp.exe
          "C:\Users\Admin\AppData\Local\Temp\FB_B892.tmp.exe"
          3⤵
          • Executes dropped EXE
          PID:3012
        • C:\Users\Admin\AppData\Local\Temp\FB_BA29.tmp.exe
          "C:\Users\Admin\AppData\Local\Temp\FB_BA29.tmp.exe"
          3⤵
          • Executes dropped EXE
          • Accesses Microsoft Outlook profiles
          • Adds Run key to start application
          • Suspicious use of AdjustPrivilegeToken
          • outlook_office_path
          • outlook_win_path
          PID:1808

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\FB_B892.tmp.exe
      Filesize

      3KB

      MD5

      74bafb3e707c7b0c63938ac200f99c7f

      SHA1

      10c5506337845ed9bf25c73d2506f9c15ab8e608

      SHA256

      129450ba06ad589cf6846a455a5b6b5f55e164ee4906e409eb692ab465269689

      SHA512

      5b24dc5acd14f812658e832b587b60695fb16954fca006c2c3a7382ef0ec65c3bd1aaf699425c49ff3cceef16869e75dd6f00ec189b9f673f08f7e1b80cf7781

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\FB_BA29.tmp.exe
      Filesize

      83KB

      MD5

      d543973bd33d45d515e8dfc251411c4b

      SHA1

      ecee812501a082552f57aec170cb952578061843

      SHA256

      a02cf7e4d01c3e04c0c6f723a541289a12c5d87ecc47f6b675d84a6b1b0a23b3

      SHA512

      d2c60ec3e93ba01e3122c563a3e19d1a5b7c963545dbf291a53236ea1e7434bcdec6005f1cd08348a2b18a139e5b56dd47ab4c452f71bbb2c5319c77e765be9b

      Download Submit

    • memory/1808-51-0x0000000004DB0000-0x0000000004DC0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1808-49-0x0000000004DB0000-0x0000000004DC0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1808-48-0x0000000074980000-0x0000000075131000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1808-44-0x0000000007EA0000-0x0000000007EB8000-memory.dmp

      Filesize

      96KB

      Download

    • memory/1808-42-0x0000000004DB0000-0x0000000004DC0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1808-41-0x0000000004CC0000-0x0000000004D16000-memory.dmp

      Filesize

      344KB

      Download

    • memory/1808-40-0x0000000004B00000-0x0000000004B0A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/1808-39-0x0000000004DB0000-0x0000000004DC0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1808-37-0x0000000000180000-0x000000000019C000-memory.dmp

      Filesize

      112KB

      Download

    • memory/1808-38-0x0000000074980000-0x0000000075131000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2064-6-0x00000000058C0000-0x000000000595C000-memory.dmp

      Filesize

      624KB

      Download

    • memory/2064-5-0x00000000056E0000-0x000000000571E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/2064-18-0x00000000747F0000-0x0000000074FA1000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2064-1-0x0000000000BE0000-0x0000000000C2C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/2064-2-0x0000000005D30000-0x00000000062D6000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/2064-11-0x0000000005CA0000-0x0000000005CB4000-memory.dmp

      Filesize

      80KB

      Download

    • memory/2064-9-0x00000000063E0000-0x0000000006446000-memory.dmp

      Filesize

      408KB

      Download

    • memory/2064-8-0x00000000059E0000-0x00000000059E6000-memory.dmp

      Filesize

      24KB

      Download

    • memory/2064-7-0x0000000005990000-0x00000000059A8000-memory.dmp

      Filesize

      96KB

      Download

    • memory/2064-0-0x00000000747F0000-0x0000000074FA1000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2064-3-0x0000000005780000-0x0000000005812000-memory.dmp

      Filesize

      584KB

      Download

    • memory/2064-4-0x0000000005A00000-0x0000000005A10000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2620-17-0x0000000000400000-0x000000000041A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/2620-12-0x0000000000400000-0x000000000041A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/2620-15-0x0000000000400000-0x000000000041A000-memory.dmp

      Filesize

      104KB

      Download