Analysis
-
max time kernel
142s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system -
submitted
29/12/2023, 19:12
Static task
static1
Behavioral task
behavioral1
Sample
015e06819449a0aba6b2aa3a5c05e4fc.exe
Resource
win7-20231215-en
General
-
Target
015e06819449a0aba6b2aa3a5c05e4fc.exe
-
Size
277KB
-
MD5
015e06819449a0aba6b2aa3a5c05e4fc
-
SHA1
1a9cfd1445d5e220b15afc1b3cc87c692306bd4d
-
SHA256
1b3176504812227a816d0905092ecc6d9703b9bd677d159669bcd090df2cac83
-
SHA512
0e4fda2845e0f120a4ca78545fb33807f4b44b5b9e3916a62c3554275050114de41e2d9871d54a7b9adaddc273ab212c24d7da6b8cb291b80cea47a82ffe0daf
-
SSDEEP
6144:4t0XPlWWZwrjVNVa4pKpo5YuKMQEWBe1t186ctjqr:4WXJZwfVNwTuYuTkEW4
Malware Config
Signatures
-
Modifies security service 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "3" 015e06819449a0aba6b2aa3a5c05e4fc.exe -
Disables taskbar notifications via registry modification
-
Modifies Installed Components in the registry 2 TTPs 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Active Setup\Installed Components explorer.exe -
Executes dropped EXE 1 IoCs
pid Process 2352 9000.tmp -
Loads dropped DLL 2 IoCs
pid Process 2240 015e06819449a0aba6b2aa3a5c05e4fc.exe 2240 015e06819449a0aba6b2aa3a5c05e4fc.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource yara_rule behavioral1/memory/2240-1-0x0000000000400000-0x000000000046A000-memory.dmp upx behavioral1/memory/2240-11-0x0000000000400000-0x000000000046A000-memory.dmp upx behavioral1/memory/1968-13-0x0000000000400000-0x000000000046A000-memory.dmp upx behavioral1/memory/2240-80-0x0000000000400000-0x000000000046A000-memory.dmp upx behavioral1/memory/804-82-0x0000000000400000-0x000000000046A000-memory.dmp upx behavioral1/memory/2240-173-0x0000000000400000-0x000000000046A000-memory.dmp upx behavioral1/memory/2240-191-0x0000000000400000-0x000000000046A000-memory.dmp upx -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\56A.exe = "C:\\Program Files (x86)\\LP\\A459\\56A.exe" 015e06819449a0aba6b2aa3a5c05e4fc.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Program Files directory 3 IoCs
description ioc Process File created C:\Program Files (x86)\LP\A459\56A.exe 015e06819449a0aba6b2aa3a5c05e4fc.exe File opened for modification C:\Program Files (x86)\LP\A459\9000.tmp 015e06819449a0aba6b2aa3a5c05e4fc.exe File opened for modification C:\Program Files (x86)\LP\A459\56A.exe 015e06819449a0aba6b2aa3a5c05e4fc.exe -
Modifies registry class 5 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_Classes\Local Settings explorer.exe Key created \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell explorer.exe Key created \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff explorer.exe -
Suspicious behavior: EnumeratesProcesses 14 IoCs
pid Process 2240 015e06819449a0aba6b2aa3a5c05e4fc.exe 2240 015e06819449a0aba6b2aa3a5c05e4fc.exe 2240 015e06819449a0aba6b2aa3a5c05e4fc.exe 2240 015e06819449a0aba6b2aa3a5c05e4fc.exe 2240 015e06819449a0aba6b2aa3a5c05e4fc.exe 2240 015e06819449a0aba6b2aa3a5c05e4fc.exe 2240 015e06819449a0aba6b2aa3a5c05e4fc.exe 2240 015e06819449a0aba6b2aa3a5c05e4fc.exe 2240 015e06819449a0aba6b2aa3a5c05e4fc.exe 2240 015e06819449a0aba6b2aa3a5c05e4fc.exe 2240 015e06819449a0aba6b2aa3a5c05e4fc.exe 2240 015e06819449a0aba6b2aa3a5c05e4fc.exe 2240 015e06819449a0aba6b2aa3a5c05e4fc.exe 2240 015e06819449a0aba6b2aa3a5c05e4fc.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2444 explorer.exe -
Suspicious use of AdjustPrivilegeToken 15 IoCs
description pid Process Token: SeRestorePrivilege 2764 msiexec.exe Token: SeTakeOwnershipPrivilege 2764 msiexec.exe Token: SeSecurityPrivilege 2764 msiexec.exe Token: SeShutdownPrivilege 2444 explorer.exe Token: SeShutdownPrivilege 2444 explorer.exe Token: SeShutdownPrivilege 2444 explorer.exe Token: SeShutdownPrivilege 2444 explorer.exe Token: SeShutdownPrivilege 2444 explorer.exe Token: SeShutdownPrivilege 2444 explorer.exe Token: SeShutdownPrivilege 2444 explorer.exe Token: SeShutdownPrivilege 2444 explorer.exe Token: SeShutdownPrivilege 2444 explorer.exe Token: SeShutdownPrivilege 2444 explorer.exe Token: SeShutdownPrivilege 2444 explorer.exe Token: SeShutdownPrivilege 2444 explorer.exe -
Suspicious use of FindShellTrayWindow 28 IoCs
pid Process 2444 explorer.exe 2444 explorer.exe 2444 explorer.exe 2444 explorer.exe 2444 explorer.exe 2444 explorer.exe 2444 explorer.exe 2444 explorer.exe 2444 explorer.exe 2444 explorer.exe 2444 explorer.exe 2444 explorer.exe 2444 explorer.exe 2444 explorer.exe 2444 explorer.exe 2444 explorer.exe 2444 explorer.exe 2444 explorer.exe 2444 explorer.exe 2444 explorer.exe 2444 explorer.exe 2444 explorer.exe 2444 explorer.exe 2444 explorer.exe 2444 explorer.exe 2444 explorer.exe 2444 explorer.exe 2444 explorer.exe -
Suspicious use of SendNotifyMessage 17 IoCs
pid Process 2444 explorer.exe 2444 explorer.exe 2444 explorer.exe 2444 explorer.exe 2444 explorer.exe 2444 explorer.exe 2444 explorer.exe 2444 explorer.exe 2444 explorer.exe 2444 explorer.exe 2444 explorer.exe 2444 explorer.exe 2444 explorer.exe 2444 explorer.exe 2444 explorer.exe 2444 explorer.exe 2444 explorer.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 2240 wrote to memory of 1968 2240 015e06819449a0aba6b2aa3a5c05e4fc.exe 31 PID 2240 wrote to memory of 1968 2240 015e06819449a0aba6b2aa3a5c05e4fc.exe 31 PID 2240 wrote to memory of 1968 2240 015e06819449a0aba6b2aa3a5c05e4fc.exe 31 PID 2240 wrote to memory of 1968 2240 015e06819449a0aba6b2aa3a5c05e4fc.exe 31 PID 2240 wrote to memory of 804 2240 015e06819449a0aba6b2aa3a5c05e4fc.exe 32 PID 2240 wrote to memory of 804 2240 015e06819449a0aba6b2aa3a5c05e4fc.exe 32 PID 2240 wrote to memory of 804 2240 015e06819449a0aba6b2aa3a5c05e4fc.exe 32 PID 2240 wrote to memory of 804 2240 015e06819449a0aba6b2aa3a5c05e4fc.exe 32 PID 2240 wrote to memory of 2352 2240 015e06819449a0aba6b2aa3a5c05e4fc.exe 35 PID 2240 wrote to memory of 2352 2240 015e06819449a0aba6b2aa3a5c05e4fc.exe 35 PID 2240 wrote to memory of 2352 2240 015e06819449a0aba6b2aa3a5c05e4fc.exe 35 PID 2240 wrote to memory of 2352 2240 015e06819449a0aba6b2aa3a5c05e4fc.exe 35 -
System policy modification 1 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer 015e06819449a0aba6b2aa3a5c05e4fc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" 015e06819449a0aba6b2aa3a5c05e4fc.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\015e06819449a0aba6b2aa3a5c05e4fc.exe"C:\Users\Admin\AppData\Local\Temp\015e06819449a0aba6b2aa3a5c05e4fc.exe"1⤵
- Modifies security service
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2240 -
C:\Users\Admin\AppData\Local\Temp\015e06819449a0aba6b2aa3a5c05e4fc.exeC:\Users\Admin\AppData\Local\Temp\015e06819449a0aba6b2aa3a5c05e4fc.exe startC:\Users\Admin\AppData\Roaming\9F15B\B52A4.exe%C:\Users\Admin\AppData\Roaming\9F15B2⤵PID:1968
-
-
C:\Users\Admin\AppData\Local\Temp\015e06819449a0aba6b2aa3a5c05e4fc.exeC:\Users\Admin\AppData\Local\Temp\015e06819449a0aba6b2aa3a5c05e4fc.exe startC:\Program Files (x86)\5B598\lvvm.exe%C:\Program Files (x86)\5B5982⤵PID:804
-
-
C:\Program Files (x86)\LP\A459\9000.tmp"C:\Program Files (x86)\LP\A459\9000.tmp"2⤵
- Executes dropped EXE
PID:2352
-
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2764
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2444
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
600B
MD58eb96edb32a5c6fe1d793e4b84b639f0
SHA17cf8bdef0a624317cdb8d33e6eb2faf41d965198
SHA256ebbbe5a151f71fcab37db115961c070ef973a41edfcfdaf55462c27a3d6a47f7
SHA51294008397c16b2f0cc314bff20e765f7fff3b135c32d70eafb401134532178fcc1d6fe9441f57da60b922e3bcf188b7a41e524314724058814becd5bbf9563d82
-
Filesize
996B
MD5728ed8474ba31aef985311711a04397a
SHA12f8ca1d6f090027744d7c082c98c714052658271
SHA256c643b1143f6662ae9f543e93b3806d04acc29283e62a375e7288a878e30a3a96
SHA512a18aaf1feb5b65fcaf866ea8b83975043199901c1ac6ad9a81f2b0320642582ed058fd4254284f65ee847143f7493b6c79a42005f6417540efe202054f4002d4
-
Filesize
98KB
MD5452ca0be44887092384b55fbb84d79c7
SHA1c51135c52fdff98dacc66b1bbb5dd215b90d3a8b
SHA256fe1aa7fbb7f031ee7e5213dd6656d1502f127f6ddbd5b9aab8f6d880031ea688
SHA5129fb18a250f93fba63cf40e8efe58ef687ad197f764f1f16b23a9cbf6efc64fe60a75b523ff1c8876fa70f597f8149139410396c03db58294fce5019ea627ff07