Analysis
- max time kernel: 36s
- max time network: 48s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 21-02-2024 11:12
Behavioral task
- behavioral1
- Sample: Insidious.exe
- Resource: win7-20231215-en
General
- Target: Insidious.exe
- Size: 303KB
- MD5: cd1ac5775cfc183e6ebfb9397f4ae3c7
- SHA1: 8937b324e8c47f3b858d6e56c3705a96d5cf5d40
- SHA256: 9b7e5212ceb95912f0776f8bd48eac1b1098e9807e8f27291a3ffdd592c4e974
- SHA512: d26c95bb9ccad0b1b3195e23dfc5b9e8cfeba458c0605ddefae3d807545b024a09d70aeb6d6f0c9d04472124b0ff7f28744ca534f107be2a72c0ab4366826c78
- SSDEEP: 6144:YjFT6MDdbICydeB0iG54G4S+ZoHi63mA1D0LGC:YjzQ54G4SuoCU1DBC
Malware Config (Extracted)
- 44caliber
- https://discord.com/api/webhooks/1209815343875235840/T1sUleC88lxasrU1EpgCYPjJI1NBPf57Wdr3z0H9p3gJmNIVwOVbhzTSCb3qRBCKKNRj
Signatures
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes (flow / ioc):
    7  freegeoip.app
    8  freegeoip.app
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes (pid / process):
    4416  Insidious.exe
    4416  Insidious.exe
    4416  Insidious.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description / pid / process):
    Token: SeDebugPrivilege  4416  Insidious.exe
Downloads
- memory/4416-0-0x0000020819CD0000-0x0000020819D22000-memory.dmp (Filesize: 328KB)
- memory/4416-32-0x00007FFC37D90000-0x00007FFC38851000-memory.dmp (Filesize: 10.8MB)
- memory/4416-33-0x0000020834350000-0x0000020834360000-memory.dmp (Filesize: 64KB)
- memory/4416-34-0x00007FFC37D90000-0x00007FFC38851000-memory.dmp (Filesize: 10.8MB)