Analysis
- max time kernel: 148s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29/02/2024, 07:22
Behavioral task behavioral1
- Sample: ae00d8aba1bc630d104d994f352a7c7a.exe
- Resource: win7-20240220-en
Behavioral task behavioral2
- Sample: ae00d8aba1bc630d104d994f352a7c7a.exe
- Resource: win10v2004-20240226-en
General
- Target: ae00d8aba1bc630d104d994f352a7c7a.exe
- Size: 54KB
- MD5: ae00d8aba1bc630d104d994f352a7c7a
- SHA1: fd0953cda3a52c063753225dff2a487ded3e93c1
- SHA256: 18ec11110a97164864aa5c9ca7fd45cd27fc14fc1be5d85e1cf6cd5f61be64c0
- SHA512: 48a2f77a88b97cbf60e8e087318daa0b3266a084c1f9162ac87203303de01fa9d841b7ec5c49e81c14d3eb14011bec89362d8e56d40f71e18cd028f6eb21c5fa
- SSDEEP: 1536:ACfo6MVmM1j40g73IPfo2SKL0iHsTzsCY:xo3P40gTQ8TAC
Malware Config
Signatures
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTPs, 1 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | ae00d8aba1bc630d104d994f352a7c7a.exe
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of SetThreadContext (1 IoCs)
  description | pid | Process | procid_target
  PID 2108 set thread context of 2876 | 2108 | ae00d8aba1bc630d104d994f352a7c7a.exe | 94
- Program crash (3 IoCs)
  pid | pid_target | Process | procid_target
  4944 | 2108 | WerFault.exe | 53
  4744 | 2108 | WerFault.exe | 53
  824 | 2108 | WerFault.exe | 53
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  2876 | ae00d8aba1bc630d104d994f352a7c7a.exe
  2876 | ae00d8aba1bc630d104d994f352a7c7a.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2876 | ae00d8aba1bc630d104d994f352a7c7a.exe
- Suspicious use of WriteProcessMemory (5 IoCs)
  description | pid | Process | procid_target
  PID 2108 wrote to memory of 2876 | 2108 | ae00d8aba1bc630d104d994f352a7c7a.exe | 94
  PID 2108 wrote to memory of 2876 | 2108 | ae00d8aba1bc630d104d994f352a7c7a.exe | 94
  PID 2108 wrote to memory of 2876 | 2108 | ae00d8aba1bc630d104d994f352a7c7a.exe | 94
  PID 2108 wrote to memory of 2876 | 2108 | ae00d8aba1bc630d104d994f352a7c7a.exe | 94
  PID 2108 wrote to memory of 2876 | 2108 | ae00d8aba1bc630d104d994f352a7c7a.exe | 94
- outlook_win_path (1 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | ae00d8aba1bc630d104d994f352a7c7a.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\ae00d8aba1bc630d104d994f352a7c7a.exe (PID 2108)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ae00d8aba1bc630d104d994f352a7c7a.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WerFault.exe (PID 4944)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2108 -s 280
    - Program crash
  - C:\Users\Admin\AppData\Local\Temp\ae00d8aba1bc630d104d994f352a7c7a.exe (PID 2876)
    Command line: C:\Users\Admin\AppData\Local\Temp\ae00d8aba1bc630d104d994f352a7c7a.exe
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_win_path
  - C:\Windows\SysWOW64\WerFault.exe (PID 4744)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2108 -s 376
    - Program crash
  - C:\Windows\SysWOW64\WerFault.exe (PID 824)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2108 -s 404
    - Program crash
- C:\Windows\SysWOW64\WerFault.exe (PID 2840)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2108 -ip 2108
- C:\Windows\SysWOW64\WerFault.exe (PID 1604)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2108 -ip 2108
- C:\Windows\SysWOW64\WerFault.exe (PID 2320)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2108 -ip 2108