Analysis
max time kernel: 149s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-01-2024 01:35

Static task: static1 (1 signature)
Behavioral task: behavioral1
  Sample: 4f3b9ee4f1c2fa0675bf3ed8e0b5eb9a.exe
  Resource: win7-20231215-en (windows7-x64)
  6 signatures, 150 seconds
General
Target: 4f3b9ee4f1c2fa0675bf3ed8e0b5eb9a.exe
Size: 74KB
MD5: 4f3b9ee4f1c2fa0675bf3ed8e0b5eb9a
SHA1: d074a402e336b154d7b833ca9c707549c80f79f4
SHA256: c368fb3b0641c54b038347ee2168a6c344eff4256eb74fc69122d526e2f90c3c
SHA512: 46bc53e3f9d0323526c64f4d38a30f6b1aad0ff3b108ef39b0e6d7c4c1030cf9c3cd093855ff073bd6cab0504b69137da45450a24f1cce4dd12fd3cc3b983673
SSDEEP: 1536:laHLtZf6yS/JuSkZWeGkqbT3ckFqtLUGQ8ZqLjp3r2WnjMiXJn4Bei9M:laHz6T/JBOQksAkItZQwU3iWdysaM
Malware Config

Signatures

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials and similar secrets.

Suspicious use of SetThreadContext (1 IoC)
PID 4656 (4f3b9ee4f1c2fa0675bf3ed8e0b5eb9a.exe) set thread context of PID 2768 (procid_target 22)

Modifies Internet Explorer settings (7 IoCs)
All by 4f3b9ee4f1c2fa0675bf3ed8e0b5eb9a.exe, under \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000:
  Key created: Software\Microsoft\Internet Explorer\SearchScopes
  Set value (int): SOFTWARE\Microsoft\Internet Explorer\SearchScopes\DownloadUpdates = "329728"
  Key created: Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}
  Set value (str): SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\SuggestionsURLFallback = "http://www.google.com/cse?cx=partner-pub-9588033570232632:rhmyra-cwbb&q={searchTerms}"
  Set value (str): SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\URL = "http://www.google.com/cse?cx=partner-pub-9588033570232632:rhmyra-cwbb&q={searchTerms}"
  Set value (str): SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\DisplayName = "Google"
  Key created: Software\Microsoft\Internet Explorer\Main

Modifies Internet Explorer start page (1 TTP, 1 IoC)
Set value (str) by 4f3b9ee4f1c2fa0675bf3ed8e0b5eb9a.exe: \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "file://localhost/C:/www.google.com.htm"

Suspicious behavior: EnumeratesProcesses (4 IoCs)
PID 2768 (4f3b9ee4f1c2fa0675bf3ed8e0b5eb9a.exe), 4 occurrences

Suspicious use of WriteProcessMemory (10 IoCs)
PID 4656 (4f3b9ee4f1c2fa0675bf3ed8e0b5eb9a.exe) wrote to memory of PID 2768 (procid_target 22), 6 occurrences
PID 2768 (4f3b9ee4f1c2fa0675bf3ed8e0b5eb9a.exe) wrote to memory of PID 3392 (procid_target 48), 4 occurrences
Processes

1. C:\Users\Admin\AppData\Local\Temp\4f3b9ee4f1c2fa0675bf3ed8e0b5eb9a.exe (PID 4656)
   Command line: "C:\Users\Admin\AppData\Local\Temp\4f3b9ee4f1c2fa0675bf3ed8e0b5eb9a.exe"
   - Suspicious use of SetThreadContext
   - Modifies Internet Explorer settings
   - Modifies Internet Explorer start page
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\4f3b9ee4f1c2fa0675bf3ed8e0b5eb9a.exe (PID 2768)
      Command line: C:\Users\Admin\AppData\Local\Temp\4f3b9ee4f1c2fa0675bf3ed8e0b5eb9a.exe
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

1. C:\Windows\Explorer.EXE (PID 3392)
   Command line: C:\Windows\Explorer.EXE
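The WriteProcessMemory and SetThreadContext tables above, read together with the process tree, describe two distinct steps: the sample spawns a second copy of its own image, writes into it and resets a thread context there (the RunPE / process-hollowing sequence), and that hollowed child then writes into the already-running Explorer.EXE. The following script is an added example of how an analyst would correlate such report rows into labelled findings and flag the Internet Explorer registry changes as browser-hijack indicators; it is not code from the sandbox or from the sample. The event, process and registry records are transcribed from this report, and the field names, labels and rule thresholds are this script's own assumptions.

```python
"""Correlate the injection events and registry changes from a sandbox report.

Added example for reading the report above; it is not code from the sandbox
or from the sample. The records below are transcribed from the report's
SetThreadContext / WriteProcessMemory tables, registry IoC list and process
tree; the field names and labels are this script's own convention.
"""
from collections import defaultdict

# Transcribed from the report: (event kind, acting pid, target pid).
EVENTS = (
    [("WriteProcessMemory", 4656, 2768)] * 6
    + [("SetThreadContext", 4656, 2768)]
    + [("WriteProcessMemory", 2768, 3392)] * 4
)

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\4f3b9ee4f1c2fa0675bf3ed8e0b5eb9a.exe"

# Transcribed from the process tree: pid -> (image path, parent pid or None).
PROCESSES = {
    4656: (SAMPLE, None),
    2768: (SAMPLE, 4656),
    3392: (r"C:\Windows\Explorer.EXE", None),
}

# Transcribed registry "Set value" IoCs (HKU\<SID> prefix dropped): (value path, data).
REGISTRY_SETS = [
    (r"SOFTWARE\Microsoft\Internet Explorer\SearchScopes\DownloadUpdates", "329728"),
    (r"SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\URL",
     "http://www.google.com/cse?cx=partner-pub-9588033570232632:rhmyra-cwbb&q={searchTerms}"),
    (r"SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\DisplayName",
     "Google"),
    (r"SOFTWARE\Microsoft\Internet Explorer\Main\Start Page", "file://localhost/C:/www.google.com.htm"),
]


def classify_injections(events, processes):
    """Group injection events per (source, target) pair and label the pair.

    hollowing: the source wrote into a child that it spawned from its own
               image and then replaced a thread context there, the sequence
               behind RunPE-style process hollowing.
    injection: the source wrote into a process it did not spawn.
    """
    counts = defaultdict(lambda: {"writes": 0, "ctx": 0})
    for kind, src, dst in events:
        key = "writes" if kind == "WriteProcessMemory" else "ctx"
        counts[(src, dst)][key] += 1
    findings = []
    for (src, dst), c in sorted(counts.items()):
        src_img, _ = processes[src]
        dst_img, dst_parent = processes[dst]
        self_spawned = dst_parent == src and src_img.lower() == dst_img.lower()
        if self_spawned and c["writes"] and c["ctx"]:
            label = "hollowing"
        elif c["writes"]:
            label = "injection"
        else:
            label = "context-only"
        findings.append({"source": src, "target": dst, "target_image": dst_img,
                         "writes": c["writes"], "context_sets": c["ctx"], "label": label})
    return findings


def ie_hijack_indicators(registry_sets):
    """Flag IE values that redirect the user: a start page served from a local
    file instead of a URL, and a search scope whose URL routes queries through
    a custom search endpoint (here a google.com/cse partner id)."""
    flagged = []
    for path, data in registry_sets:
        name = path.rsplit("\\", 1)[-1]
        if name == "Start Page" and data.lower().startswith("file:"):
            flagged.append(("local-file start page", data))
        elif name == "URL" and "SearchScopes" in path and "/cse?" in data:
            flagged.append(("custom search endpoint", data))
    return flagged


if __name__ == "__main__":
    for f in classify_injections(EVENTS, PROCESSES):
        print(f"{f['source']} -> {f['target']} ({f['target_image']}): "
              f"{f['writes']} writes, {f['context_sets']} context sets => {f['label']}")
    for rule, data in ie_hijack_indicators(REGISTRY_SETS):
        print(f"IE hijack indicator [{rule}]: {data}")
```

Run as-is it reports the 4656 to 2768 pair as hollowing (6 writes, 1 context set) and the 2768 to 3392 pair as injection into Explorer.EXE, plus the two registry indicators. The same-image check matters: a parent writing into a child of a different image is still injection, but only the self-spawned copy plus SetThreadContext is the hollowing signature, which is why the two tables should be read together rather than counted separately.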