Overview
overview
10Static
static
10076be2c09b...29.exe
windows11-21h2-x64
100fd2b5dba8...d1.exe
windows11-21h2-x64
10131d6fb920...b1.exe
windows11-21h2-x64
101c133b9bb4...fd.exe
windows11-21h2-x64
1030af8d3ec6...30.exe
windows11-21h2-x64
1041c9d28653...f5.exe
windows11-21h2-x64
105a0daa24b5...1f.exe
windows11-21h2-x64
630efa1e2d...ad.exe
windows11-21h2-x64
10651bc82076...73.exe
windows11-21h2-x64
677bea9e71...58.exe
windows11-21h2-x64
107afefba65e...bb.exe
windows11-21h2-x64
3817c226e42...db.dll
windows11-21h2-x64
8a925fc1289...42.exe
windows11-21h2-x64
7b1c5fd5c0f...ae.exe
windows11-21h2-x64
10f2923f695d...7d.msi
windows11-21h2-x64
10f58d2071a2...e1.exe
windows11-21h2-x64
7Analysis
-
max time kernel
445s -
max time network
451s -
platform
windows11-21h2_x64 -
resource
win11-20231215-en -
resource tags
arch:x64arch:x86image:win11-20231215-enlocale:en-usos:windows11-21h2-x64system -
submitted
20-12-2023 01:43
Behavioral task
behavioral1
Sample
076be2c09b944ec56381f42405728f7f657d2597b6e27191354568fb70170b29.exe
Resource
win11-20231215-en
Behavioral task
behavioral2
Sample
0fd2b5dba8eb6762b397cf61bd9c2ff9de3eefc8eb8c4cbb1002d1b9c96fe5d1.exe
Resource
win11-20231215-en
Behavioral task
behavioral3
Sample
131d6fb9204ceda508075afce9b9b65e429952674e914d224268deb319a0aab1.exe
Resource
win11-20231215-en
Behavioral task
behavioral4
Sample
1c133b9bb476879df8145370ce1069ec92f28cade85a839e0159158a3e1b1afd.exe
Resource
win11-20231215-en
Behavioral task
behavioral5
Sample
30af8d3ec685a4a5669f1377bb74589772a0428d9daa214c179a795dcf4b9030.exe
Resource
win11-20231215-en
Behavioral task
behavioral6
Sample
41c9d28653704e628d8dd20e5f65a298242072156a31bc5fe0e24a1f4c640af5.exe
Resource
win11-20231215-en
Behavioral task
behavioral7
Sample
5a0daa24b5748d81ba0bb78d7f2b50eb4c387ffe679c92c1462f7dec586adb1f.exe
Resource
win11-20231215-en
Behavioral task
behavioral8
Sample
630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe
Resource
win11-20231215-en
Behavioral task
behavioral9
Sample
651bc82076659431e06327aeb3aacef2c30bf3cfd43ae4f9bc6b4222f15bb673.exe
Resource
win11-20231215-en
Behavioral task
behavioral10
Sample
677bea9e71aa3a56fe62a20580eb0786431a4789cb340a7294eb243054191c58.exe
Resource
win11-20231215-en
Behavioral task
behavioral11
Sample
7afefba65e72f42925ba76fae9ea98286eff7d0d01dcccd07c6117384858b6bb.exe
Resource
win11-20231215-en
Behavioral task
behavioral12
Sample
817c226e42f5c503325288fd8273bc03b326590f457e7a589eb34c2792d0a5db.dll
Resource
win11-20231215-en
Behavioral task
behavioral13
Sample
a925fc1289573f01bb86482e38340f0fe431269aa7500d776713c71091c49142.exe
Resource
win11-20231215-en
Behavioral task
behavioral14
Sample
b1c5fd5c0f6a2760eb638414d9bf9b7536b81f45edbd9d509dd085346c67a6ae.exe
Resource
win11-20231215-en
Behavioral task
behavioral15
Sample
f2923f695dc02132cea5c0241060dba9a35d317342675118f7b22288e78cee7d.msi
Resource
win11-20231215-en
Behavioral task
behavioral16
Sample
f58d2071a2fdaea27d814e788e002fe5da63843546f22c255eceade162323ce1.exe
Resource
win11-20231215-en
General
-
Target
630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe
-
Size
278KB
-
MD5
66a3124fe4ed45fae20e2bd4ee33c626
-
SHA1
fc5ef4caf4d8a51a340f6fd98ac525debcff8f30
-
SHA256
630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad
-
SHA512
569bc064f465c32fd11fdd67896106778f13094e20adc739d8824f9e02508701b712bd3cfdab48782421b35acebe16bb5b0e97543db869ecaec5c1b87902b872
-
SSDEEP
6144:sU0sd0bzy1GOgofaePZ3e5fv+vc6X+olz:XzHGOgovPwcXbl
Malware Config
Signatures
-
PredatorStealer
Predator is a modular stealer written in C#.
-
Drops startup file 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hetsm.exe.lnk 630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe -
Executes dropped EXE 2 IoCs
pid Process 3012 FB_B892.tmp.exe 1808 FB_BA29.tmp.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3632047111-1948211978-3010235048-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 FB_BA29.tmp.exe Key opened \REGISTRY\USER\S-1-5-21-3632047111-1948211978-3010235048-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 FB_BA29.tmp.exe Key opened \REGISTRY\USER\S-1-5-21-3632047111-1948211978-3010235048-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 FB_BA29.tmp.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3632047111-1948211978-3010235048-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Defender Updater = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cc3a68ce1dad95ce662e1c51f1568e3a.exe / start" FB_BA29.tmp.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2064 set thread context of 2620 2064 630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe 80 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 11 IoCs
pid Process 2064 630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe 2064 630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe 2064 630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe 2064 630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe 2064 630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe 2064 630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe 2064 630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe 2064 630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe 2064 630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe 2064 630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe 2064 630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2064 630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe Token: SeDebugPrivilege 1808 FB_BA29.tmp.exe -
Suspicious use of WriteProcessMemory 18 IoCs
description pid Process procid_target PID 2064 wrote to memory of 4552 2064 630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe 79 PID 2064 wrote to memory of 4552 2064 630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe 79 PID 2064 wrote to memory of 4552 2064 630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe 79 PID 2064 wrote to memory of 2620 2064 630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe 80 PID 2064 wrote to memory of 2620 2064 630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe 80 PID 2064 wrote to memory of 2620 2064 630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe 80 PID 2064 wrote to memory of 2620 2064 630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe 80 PID 2064 wrote to memory of 2620 2064 630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe 80 PID 2064 wrote to memory of 2620 2064 630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe 80 PID 2064 wrote to memory of 2620 2064 630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe 80 PID 2064 wrote to memory of 2620 2064 630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe 80 PID 2064 wrote to memory of 2620 2064 630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe 80 PID 2620 wrote to memory of 3012 2620 630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe 81 PID 2620 wrote to memory of 3012 2620 630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe 81 PID 2620 wrote to memory of 3012 2620 630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe 81 PID 2620 wrote to memory of 1808 2620 630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe 82 PID 2620 wrote to memory of 1808 2620 630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe 82 PID 2620 wrote to memory of 1808 2620 630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe 82 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3632047111-1948211978-3010235048-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 FB_BA29.tmp.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3632047111-1948211978-3010235048-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 FB_BA29.tmp.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe"C:\Users\Admin\AppData\Local\Temp\630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe"1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2064 -
C:\Users\Admin\AppData\Local\Temp\630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe"C:\Users\Admin\AppData\Local\Temp\630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe"2⤵PID:4552
-
-
C:\Users\Admin\AppData\Local\Temp\630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe"C:\Users\Admin\AppData\Local\Temp\630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:2620 -
C:\Users\Admin\AppData\Local\Temp\FB_B892.tmp.exe"C:\Users\Admin\AppData\Local\Temp\FB_B892.tmp.exe"3⤵
- Executes dropped EXE
PID:3012
-
-
C:\Users\Admin\AppData\Local\Temp\FB_BA29.tmp.exe"C:\Users\Admin\AppData\Local\Temp\FB_BA29.tmp.exe"3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:1808
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD574bafb3e707c7b0c63938ac200f99c7f
SHA110c5506337845ed9bf25c73d2506f9c15ab8e608
SHA256129450ba06ad589cf6846a455a5b6b5f55e164ee4906e409eb692ab465269689
SHA5125b24dc5acd14f812658e832b587b60695fb16954fca006c2c3a7382ef0ec65c3bd1aaf699425c49ff3cceef16869e75dd6f00ec189b9f673f08f7e1b80cf7781
-
Filesize
83KB
MD5d543973bd33d45d515e8dfc251411c4b
SHA1ecee812501a082552f57aec170cb952578061843
SHA256a02cf7e4d01c3e04c0c6f723a541289a12c5d87ecc47f6b675d84a6b1b0a23b3
SHA512d2c60ec3e93ba01e3122c563a3e19d1a5b7c963545dbf291a53236ea1e7434bcdec6005f1cd08348a2b18a139e5b56dd47ab4c452f71bbb2c5319c77e765be9b