Analysis
-
max time kernel
94s -
max time network
126s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
29-02-2024 19:24
Static task
static1
Behavioral task
behavioral1
Sample
af48cbe6bc2be0d4fdbc89f9a6b89f06.exe
Resource
win7-20240221-en
General
-
Target
af48cbe6bc2be0d4fdbc89f9a6b89f06.exe
-
Size
1.2MB
-
MD5
af48cbe6bc2be0d4fdbc89f9a6b89f06
-
SHA1
d05426cdeae28903bac323656fb91ea2b5bfa56f
-
SHA256
01f415da08ef6afa3a98e884ae3224d2f9c18bf629ce31f464ed8873b7d618f5
-
SHA512
f912183fa13c38a6e71a180cc66b6b0897d894faac9858c231c3474e73eb58366bbb0cb881ce0d9038fa5a7066cfa185ecfea289b717e90755d6901b954356d2
-
SSDEEP
24576:4WFyaqH/njZbno7e2RIymxTWk1DzW8fK4OrkFI+XljVy:43ak/nR1YIymxCk1RQkFNXf
Malware Config
Extracted
44caliber
https://discord.com/api/webhooks/854455368012136470/_D98IufglZBza7HIm00b7IU7WVWr1ueKrUUmmqdfsFcgk7qacR9lRK_A2S3k1Vq4Yupc
Signatures
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 9 freegeoip.app -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
af48cbe6bc2be0d4fdbc89f9a6b89f06.exepid process 4300 af48cbe6bc2be0d4fdbc89f9a6b89f06.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 3728 4300 WerFault.exe af48cbe6bc2be0d4fdbc89f9a6b89f06.exe -
Suspicious behavior: EnumeratesProcesses 5 IoCs
Processes:
af48cbe6bc2be0d4fdbc89f9a6b89f06.exepid process 4300 af48cbe6bc2be0d4fdbc89f9a6b89f06.exe 4300 af48cbe6bc2be0d4fdbc89f9a6b89f06.exe 4300 af48cbe6bc2be0d4fdbc89f9a6b89f06.exe 4300 af48cbe6bc2be0d4fdbc89f9a6b89f06.exe 4300 af48cbe6bc2be0d4fdbc89f9a6b89f06.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
af48cbe6bc2be0d4fdbc89f9a6b89f06.exedescription pid process Token: SeDebugPrivilege 4300 af48cbe6bc2be0d4fdbc89f9a6b89f06.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
af48cbe6bc2be0d4fdbc89f9a6b89f06.exepid process 4300 af48cbe6bc2be0d4fdbc89f9a6b89f06.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\af48cbe6bc2be0d4fdbc89f9a6b89f06.exe"C:\Users\Admin\AppData\Local\Temp\af48cbe6bc2be0d4fdbc89f9a6b89f06.exe"1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4300 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4300 -s 12722⤵
- Program crash
PID:3728
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4300 -ip 43001⤵PID:4348
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\44\Browsers\Firefox\Bookmarks.txtFilesize
105B
MD52e9d094dda5cdc3ce6519f75943a4ff4
SHA15d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7
-
memory/4300-0-0x0000000000930000-0x0000000000CE6000-memory.dmpFilesize
3.7MB
-
memory/4300-2-0x0000000074720000-0x0000000074ED0000-memory.dmpFilesize
7.7MB
-
memory/4300-1-0x0000000000930000-0x0000000000CE6000-memory.dmpFilesize
3.7MB
-
memory/4300-3-0x0000000006370000-0x0000000006380000-memory.dmpFilesize
64KB
-
memory/4300-39-0x0000000000930000-0x0000000000CE6000-memory.dmpFilesize
3.7MB
-
memory/4300-40-0x0000000074720000-0x0000000074ED0000-memory.dmpFilesize
7.7MB