Analysis
- max time kernel: 120s
- max time network: 129s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 20-01-2024 12:41
Static task: static1
Behavioral task: behavioral1
- Sample: 6a73b2e83b8267fc1b40cd1c42f59116.exe
- Resource: win7-20231215-en
General
- Target: 6a73b2e83b8267fc1b40cd1c42f59116.exe
- Size: 121KB
- MD5: 6a73b2e83b8267fc1b40cd1c42f59116
- SHA1: bf63ed29fdeae42260eccbef0c511ee77f8f0339
- SHA256: 0ffc4a30a0719e18e81d17c1aa2a0880ccde91f27a69ddc5682405037f41467b
- SHA512: 8f3614e4d9a9baf4185cb2d2bdc19a937cdec9260a5dc9dbcdc5db2797d376dc093f2c2ebd55a427475644c2780655d1895a0f610133ce57d969ea46df9ec37a
- SSDEEP: 1536:eNwXyLxpNnonJsrZ8/l+LguMSxPBuVWDaAruae9/gTlSmE8eLU534GwvfAeB+R0U:2hxp8JgZ29ubBOWwx9YD8jhvoo+RANG
Malware Config
Extracted
- Family: 44caliber
- Discord webhook URL: https://discord.com/api/webhooks/857773959478116362/1HjPquy4G_ltau-JO_b28kVAgNjquEwJ8dvlwS9dY_P5TQ_PcQA7UEAQc80CznKxgRVd
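The extracted config above is a single Discord webhook URL. The following is an added example, not part of this report and not 44caliber's own code: a small extractor that pulls webhook URLs out of a raw binary whether they are stored as ASCII or as UTF-16LE (the encoding .NET uses for string literals), decodes the creation time embedded in the webhook's snowflake id, and defangs the URL for sharing. The regex's id/token lengths and token alphabet are assumptions modelled on the URL above; the sample buffer is constructed, not bytes from the real sample.

```python
import re
from datetime import datetime, timezone
from typing import NamedTuple

# Discord webhook URL shape: numeric snowflake id, then an opaque token.
# The id/token lengths and the token alphabet are assumptions modelled on the
# URL extracted above (18-digit id, 68-char token drawn from [A-Za-z0-9_-]).
WEBHOOK_RE = re.compile(
    rb"https://(?:ptb\.|canary\.)?discord(?:app)?\.com/api/webhooks/"
    rb"(\d{17,20})/([A-Za-z0-9_-]{50,100})"
)
DISCORD_EPOCH_MS = 1_420_070_400_000  # 2015-01-01T00:00:00Z, the snowflake epoch


class Webhook(NamedTuple):
    url: str
    webhook_id: int
    token: str
    encoding: str  # "ascii" or "utf-16le" (.NET string literals are UTF-16LE)
    offset: int    # byte offset of the URL in the scanned buffer


def snowflake_created(snowflake: int) -> datetime:
    """Creation time stored in the top 42 bits of a Discord snowflake id."""
    ms = (snowflake >> 22) + DISCORD_EPOCH_MS
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc)


def defang(url: str) -> str:
    """Make the URL safe to paste into a report without it being clickable."""
    scheme, rest = url.split("://", 1)
    host, _, path = rest.partition("/")
    return f"{scheme.replace('http', 'hxxp')}://{host.replace('.', '[.]')}/{path}"


def extract_webhooks(data: bytes) -> list[Webhook]:
    """Find Discord webhook URLs stored as ASCII or UTF-16LE anywhere in a buffer."""
    found: list[Webhook] = []
    for m in WEBHOOK_RE.finditer(data):
        found.append(Webhook(m.group(0).decode(), int(m.group(1)),
                             m.group(2).decode(), "ascii", m.start()))
    # UTF-16LE: take every second byte starting at offset 0 and at offset 1 so
    # both alignments are covered, match on the narrowed stream, then confirm
    # the interleaved high bytes are all NUL before accepting the hit.
    for align in (0, 1):
        narrow = data[align::2]
        for m in WEBHOOK_RE.finditer(narrow):
            start = 2 * m.start() + align
            end = 2 * m.end() + align
            if any(data[start + 1:end:2]):
                continue
            found.append(Webhook(m.group(0).decode(), int(m.group(1)),
                                 m.group(2).decode(), "utf-16le", start))
    return sorted(found, key=lambda w: w.offset)


# Constructed sample buffer (not the real binary): a fake header, the webhook
# as a UTF-16LE literal the way a .NET assembly stores strings, and an ASCII
# Discord API URL that is not a webhook and must not match.
SAMPLE_URL = ("https://discord.com/api/webhooks/857773959478116362/"
              "1HjPquy4G_ltau-JO_b28kVAgNjquEwJ8dvlwS9dY_P5TQ_PcQA7UEAQc80CznKxgRVd")
SAMPLE_BUFFER = (b"MZ\x90\x00" + b"\x00" * 13
                 + SAMPLE_URL.encode("utf-16le") + b"\x00\x00"
                 + b"https://discord.com/api/v9/users/@me" + b"\x00" * 8)

if __name__ == "__main__":
    for hook in extract_webhooks(SAMPLE_BUFFER):
        created = snowflake_created(hook.webhook_id)
        print(f"{hook.encoding}@{hook.offset}: id={hook.webhook_id} "
              f"created={created:%Y-%m-%d} {defang(hook.url)}")
```

Run it against a file with `extract_webhooks(open(path, "rb").read())`. The snowflake of the id in this report decodes to a creation time in June 2021, more than two years before the January 2024 submission, which is worth recording alongside the URL when you report the webhook for takedown.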
Signatures
- Executes dropped EXE (1 IoC)
  Process: HELL Client (Beta).exe (PID 2368)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, such as saved credentials.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Network flows: flow 4 -> freegeoip.app, flow 5 -> freegeoip.app
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  HELL Client (Beta).exe: key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0
  HELL Client (Beta).exe: key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Process: HELL Client (Beta).exe (PID 2368), 4 occurrences
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  HELL Client (Beta).exe (PID 2368): Token: SeDebugPrivilege
- Suspicious use of WriteProcessMemory (3 IoCs)
  PID 2628 (6a73b2e83b8267fc1b40cd1c42f59116.exe) wrote to memory of PID 2368 (HELL Client (Beta).exe), 3 occurrences
  Note: a parent that starts a child with CreateProcess also writes into the new process's address space, so this signature on its own does not establish injection; here the target is the dropped executable the sample launched (see Processes).
Processes
- C:\Users\Admin\AppData\Local\Temp\6a73b2e83b8267fc1b40cd1c42f59116.exe (PID 2628)
  Command line: "C:\Users\Admin\AppData\Local\Temp\6a73b2e83b8267fc1b40cd1c42f59116.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\Documents\HELL Client (Beta).exe (PID 2368, child of 2628)
    Command line: "C:\Users\Admin\Documents\HELL Client (Beta).exe"
    - Executes dropped EXE
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\44\Process.txt
  Filesize: 383B
  MD5: 2e76f75bc1433d1f80ee1923e75f8b0c
  SHA1: 0ecbffb68c0d15603b5f4ad3d6c4dedc82525d21
  SHA256: bc1a95f683b175bf594e350009b008db146e2f69f9d31fd95007275e90f20248
  SHA512: 0afb96ca323ecd905ea5216bc21a1b840aa2791e4e2daaa60ed51d5d26b3eaec0d5330960a9d516b4925a2b68a1f888f01b0aad2dc5adc7b71b8c91a4fb3bcd2
- C:\Users\Admin\Documents\HELL Client (Beta).exe
  Filesize: 274KB
  MD5: d8e815c8a5a3b8faf325f65e61456613
  SHA1: 465f915d9601df9da4f518c4717bba9e7c425870
  SHA256: 1590226cbdb796bfb1638bd2295a7b169a6f1168cdcb2c0d17a6c7dc2ae5dfb4
  SHA512: 28bfe46c5d16b432d2ac623157a80f9ecf40d81eb8e49249ce329611ef65145cd65c85ac63cc57a46489d43a27cc633aa6e63bcbf5f0f485adc7a3537b4ef310
- memory/2368-9-0x0000000000A20000-0x0000000000A6A000-memory.dmp
  Filesize: 296KB
- memory/2368-11-0x000007FEF5420000-0x000007FEF5E0C000-memory.dmp
  Filesize: 9.9MB
- memory/2368-12-0x000000001B2D0000-0x000000001B350000-memory.dmp
  Filesize: 512KB
- memory/2368-58-0x000007FEF5420000-0x000007FEF5E0C000-memory.dmp
  Filesize: 9.9MB
- memory/2628-0-0x0000000000B90000-0x0000000000BB4000-memory.dmp
  Filesize: 144KB
- memory/2628-1-0x000007FEF5420000-0x000007FEF5E0C000-memory.dmp
  Filesize: 9.9MB
- memory/2628-2-0x000000001B0C0000-0x000000001B140000-memory.dmp
  Filesize: 512KB
- memory/2628-10-0x000007FEF5420000-0x000007FEF5E0C000-memory.dmp
  Filesize: 9.9MB
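The dump names above encode the PID and the virtual address range of each region. The following is an added example, not part of the report's tooling: a parser for that naming scheme (the field layout is read off the listing and is an assumption) that recomputes each region's size from its address range, checks it against the size the report prints, and separates ranges shared between the two processes from ranges private to one. For this listing it shows the 9.9MB range at 0x7FEF5420000 mapped at the identical base in both PIDs, which in a 64-bit process is the usual signature of a DLL loaded by both rather than memory one process wrote into the other, while the small low-address regions (296KB in 2368, 144KB in 2628) are each private to one process and are consistent in size with the two executables' own image mappings (274KB and 121KB on disk, rounded up to section-aligned mappings); that last reading is an inference, not something the report states.

```python
import re
from collections import defaultdict
from typing import NamedTuple

# Dump names in the report follow memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp;
# the meaning of each field is read off the listing above (an assumption).
DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


class Region(NamedTuple):
    pid: int
    seq: int
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_dump_name(name: str) -> Region:
    m = DUMP_RE.match(name.strip())
    if not m:
        raise ValueError(f"not a memory dump name: {name!r}")
    pid, seq, start, end = m.groups()
    return Region(int(pid), int(seq), int(start, 16), int(end, 16))


def human(size: int) -> str:
    """Round the way the report does: whole KB below 1 MiB, one-decimal MB above."""
    if size < 1024 * 1024:
        return f"{size / 1024:.0f}KB"
    return f"{size / (1024 * 1024):.1f}MB"


def group_by_range(regions: list[Region]) -> dict[tuple[int, int], set[int]]:
    """Map each (start, end) range to the set of PIDs it was dumped from."""
    by_range: dict[tuple[int, int], set[int]] = defaultdict(set)
    for r in regions:
        by_range[(r.start, r.end)].add(r.pid)
    return dict(by_range)


def shared_regions(regions: list[Region]) -> dict[tuple[int, int], set[int]]:
    """Ranges present in more than one process. A high range at the identical base
    in two 64-bit processes is typically a DLL mapped in both (same base for the
    boot session), not memory one process wrote into another."""
    return {k: v for k, v in group_by_range(regions).items() if len(v) > 1}


def private_regions(regions: list[Region]) -> list[tuple[int, int]]:
    """Ranges seen in exactly one process, deduplicated across repeated dumps."""
    return sorted(k for k, v in group_by_range(regions).items() if len(v) == 1)


def size_mismatches(listing: list[tuple[str, str]]) -> list[str]:
    """Dump names whose address range disagrees with the size printed beside them."""
    return [name for name, reported in listing
            if human(parse_dump_name(name).size) != reported]


# The eight dumps from the listing above, paired with the sizes the report prints.
REPORT_DUMPS = [
    ("memory/2368-9-0x0000000000A20000-0x0000000000A6A000-memory.dmp", "296KB"),
    ("memory/2368-11-0x000007FEF5420000-0x000007FEF5E0C000-memory.dmp", "9.9MB"),
    ("memory/2368-12-0x000000001B2D0000-0x000000001B350000-memory.dmp", "512KB"),
    ("memory/2368-58-0x000007FEF5420000-0x000007FEF5E0C000-memory.dmp", "9.9MB"),
    ("memory/2628-0-0x0000000000B90000-0x0000000000BB4000-memory.dmp", "144KB"),
    ("memory/2628-1-0x000007FEF5420000-0x000007FEF5E0C000-memory.dmp", "9.9MB"),
    ("memory/2628-2-0x000000001B0C0000-0x000000001B140000-memory.dmp", "512KB"),
    ("memory/2628-10-0x000007FEF5420000-0x000007FEF5E0C000-memory.dmp", "9.9MB"),
]

if __name__ == "__main__":
    regions = [parse_dump_name(n) for n, _ in REPORT_DUMPS]
    for (start, end), pids in shared_regions(regions).items():
        print(f"shared  {start:#x}-{end:#x} ({human(end - start)}) in PIDs {sorted(pids)}")
    for start, end in private_regions(regions):
        print(f"private {start:#x}-{end:#x} ({human(end - start)})")
    print("size mismatches:", size_mismatches(REPORT_DUMPS))
```

Triaging a report this way tells you which dumps are worth opening: the private low-address regions are where the unpacked images live, while a range that is byte-identical in every process is a shared module and can usually be skipped.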