Analysis
-
max time kernel
147s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
16-03-2024 11:43
General
-
Target
winPEASx64_ofs.exe
-
Size
2.1MB
-
MD5
b0536a4441b95468d2674589053e29f9
-
SHA1
f8ecd2ca72b5b01884902adc8766ea672a9c727c
-
SHA256
01ccc2ba607a0aa44e7bd6690dc5d93001ad70b03ad817142f7f9abb4c911abb
-
SHA512
f499ba9b7e777cebc8e4fe48de5cf8eb5c6a815c97dd2ba053790b68daeb67f5aa7be177ca15470ffbc06d29d034031fd0228865d26f4308252fb633478000bd
-
SSDEEP
24576:phS3u9fS4UlbZNd6CNUBZZP03pwkBCu2IH5aPUxqFiLP:pqmMBl8IH5aPU4iD
Malware Config
Signatures
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\winPEASx64_ofs.exe"C:\Users\Admin\AppData\Local\Temp\winPEASx64_ofs.exe"1⤵
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\systeminfo.exe"systeminfo.exe"2⤵
- Gathers system information
-
-
C:\Windows\system32\netsh.exe"netsh" wlan show profiles2⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" # Check if appcmd.exe exists if (Test-Path ('C:\Windows\system32\inetsrv\appcmd.exe')) { # Create data table to house results $DataTable = New-Object System.Data.DataTable # Create and name columns in the data table $Null = $DataTable.Columns.Add('user') $Null = $DataTable.Columns.Add('pass') $Null = $DataTable.Columns.Add('type') $Null = $DataTable.Columns.Add('vdir') $Null = $DataTable.Columns.Add('apppool') # Get list of application pools Invoke-Expression 'C:\Windows\system32\inetsrv\appcmd.exe list apppools /text:name' | ForEach-Object { # Get application pool name $PoolName = $_ # Get username $PoolUserCmd = 'C:\Windows\system32\inetsrv\appcmd.exe list apppool ' + $PoolName + ' /text:processmodel.username' $PoolUser = Invoke-Expression $PoolUserCmd # Get password $PoolPasswordCmd = 'C:\Windows\system32\inetsrv\appcmd.exe list apppool ' + $PoolName + ' /text:processmodel.password' $PoolPassword = Invoke-Expression $PoolPasswordCmd # Check if credentials exists if (($PoolPassword -ne '') -and ($PoolPassword -isnot [system.array])) { # Add credentials to database $Null = $DataTable.Rows.Add($PoolUser, $PoolPassword,'Application Pool','NA',$PoolName) } } # Get list of virtual directories Invoke-Expression 'C:\Windows\system32\inetsrv\appcmd.exe list vdir /text:vdir.name' | ForEach-Object { # Get Virtual Directory Name $VdirName = $_ # Get username $VdirUserCmd = 'C:\Windows\system32\inetsrv\appcmd.exe list vdir ' + $VdirName + ' /text:userName' $VdirUser = Invoke-Expression $VdirUserCmd # Get password $VdirPasswordCmd = 'C:\Windows\system32\inetsrv\appcmd.exe list vdir ' + $VdirName + ' /text:password' $VdirPassword = Invoke-Expression $VdirPasswordCmd # Check if credentials exists if (($VdirPassword -ne '') -and ($VdirPassword -isnot [system.array])) { # Add credentials to database $Null = $DataTable.Rows.Add($VdirUser, $VdirPassword,'Virtual Directory',$VdirName,'NA') } } # Check if any passwords were found if( $DataTable.rows.Count -gt 0 ) { # Display results in list view that can feed into the pipeline #$DataTable | Sort-Object type,user,pass,vdir,apppool | Select-Object user,pass,type,vdir,apppool -Unique $DataTable | Select-Object user,pass,type,vdir,apppool } else { # Status user Write-host 'No application pool or virtual directory passwords were found.' } }2⤵
- Suspicious use of AdjustPrivilegeToken
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.1MB
-
Filesize
9.9MB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
292KB
-
Filesize
40KB
-
Filesize
40KB
-
Filesize
316KB
-
Filesize
316KB
-
Filesize
80KB
-
Filesize
80KB
-
Filesize
376KB
-
Filesize
376KB
-
Filesize
768KB
-
Filesize
768KB
-
Filesize
656KB
-
Filesize
60KB
-
Filesize
348KB
-
Filesize
60KB
-
Filesize
40KB
-
Filesize
36KB
-
Filesize
204KB
-
Filesize
40KB
-
Filesize
84KB
-
Filesize
52KB
-
Filesize
84KB
-
Filesize
84KB
-
Filesize
84KB
-
Filesize
368KB
-
Filesize
104KB
-
Filesize
36KB
-
Filesize
104KB
-
Filesize
368KB
-
Filesize
52KB
-
Filesize
36KB
-
Filesize
168KB
-
Filesize
204KB
-
Filesize
168KB
-
Filesize
44KB
-
Filesize
36KB
-
Filesize
64KB
-
Filesize
44KB
-
Filesize
304KB
-
Filesize
304KB
-
Filesize
80KB
-
Filesize
1.6MB
-
Filesize
80KB
-
Filesize
1.6MB
-
Filesize
376KB
-
Filesize
108KB
-
Filesize
108KB
-
Filesize
456KB
-
Filesize
68KB
-
Filesize
456KB
-
Filesize
40KB
-
Filesize
40KB
-
Filesize
172KB
-
Filesize
172KB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
2.0MB
-
Filesize
2.0MB