Analysis
max time kernel: 152s
max time network: 127s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 17-03-2024 11:19
Behavioral task behavioral1
Sample: d0be347179715db77e40ef4a50439da2.exe
Resource: win7-20240221-en
Behavioral task behavioral2
Sample: d0be347179715db77e40ef4a50439da2.exe
Resource: win10v2004-20240226-en
General
Target: d0be347179715db77e40ef4a50439da2.exe
Size: 946KB
MD5: d0be347179715db77e40ef4a50439da2
SHA1: 4b94bc600735eb5eed60a471dd788e7d0e2586b8
SHA256: 767c367613633db9798a37c366a0166e132bef1ebd74b7a51c28711d42bb1e83
SHA512: 2d56ead24db04d054fac5c737acb99449cb9317ff3865db89d7dded4d72cfa702d129850504d11b1abe85367cad5f40c0524d1b6fab86b33aa7ae238b7ea8e40
SSDEEP: 24576:wSW+8M9O1qYOrrfGkFpuJieh6NvZKPubpeM:U9NPOrKkWJieh65Zte
Malware Config
Signatures
-
Executes dropped EXE (1 IoC)
Processes:
pid 2984 defender.exe
-
Loads dropped DLL (2 IoCs)
Processes:
pid 2372 d0be347179715db77e40ef4a50439da2.exe (2 loads)
-
Reads user/profile data of web browsers (2 TTPs, no process IoCs recorded)
Infostealers often target stored browser data, which can include saved credentials etc.
-
Yara rule match: upx (3 resources)
behavioral1/memory/2372-0-0x0000000000400000-0x00000000006E4000-memory.dmp
\ProgramData\defender.exe
behavioral1/memory/2984-20-0x0000000000400000-0x0000000000A0E000-memory.dmp
Both the original sample (its image at 0x400000 in pid 2372) and the dropped defender.exe (on disk and mapped at 0x400000 in pid 2984) match the upx rule, so static analysis of either file should start by unpacking.
-
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
defender.exe (pid 2984): Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Malware Protection = "C:\\ProgramData\\defender.exe"
The key is the per-user Run key (HKU\<SID>, i.e. HKCU for the Admin user), so the entry is written and executed without elevation; the value name "Malware Protection" and the file name defender.exe both masquerade as security software, and the target sits in C:\ProgramData, a directory ordinary users can write to.
-
Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
defender.exe (pid 2984): File opened (read-only) on \??\E: and on \??\G: through \??\Z:, i.e. E: G: H: I: J: K: L: M: N: O: P: Q: R: S: T: U: V: W: X: Y: Z: (21 drive letters; F: does not appear in the list)
-
Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
defender.exe (pid 2984): File opened for modification \??\PhysicalDrive0
The report shows only that the raw disk device was opened with write access; it does not show what, if anything, was written to sector 0. MBR lockers and wipers open the same handle, so confirm an actual bootstrap-code change by diffing sector 0 against a known-good copy before classifying this as a bootkit.
-
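The sandbox records the open of \??\PhysicalDrive0 for modification but not its effect. The Python below is an added example of how a responder confirms that effect, not part of the sandbox report and not code from the sample: it parses a 512-byte MBR into the regions that different threats touch (bootstrap code, disk signature, partition table, 0x55AA signature) and diffs a known-good copy against the current sector. Both MBR images are constructed inside the block so it runs offline; on a real case the current sector comes from `open(r"\\.\PhysicalDrive0", "rb").read(512)` run as Administrator, or from the first 512 bytes of a disk image, and the baseline from a backup or golden image.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 440           # bootstrap code occupies bytes 0..439
DISK_SIG_OFF = 440            # 4-byte NT disk signature, followed by 2 reserved bytes
PART_TABLE_OFF = 446          # four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xAA"  # bytes 510..511
# entry layout: status(1) CHS start(3, skipped) type(1) CHS end(3, skipped) LBA start(4) sector count(4)
PART_ENTRY = "<B3xB3xII"

def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into the regions a responder compares separately."""
    if len(sector) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE}-byte sector, got {len(sector)}")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, ptype, lba_start, count = struct.unpack_from(PART_ENTRY, sector, off)
        if ptype != 0:  # partition type 0 marks an unused slot
            partitions.append({"index": i, "bootable": status == 0x80,
                               "type": ptype, "lba_start": lba_start, "sectors": count})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFF)[0],
        "partitions": partitions,
        "valid_signature": sector[510:512] == BOOT_SIGNATURE,
    }

def mbr_diff(baseline: bytes, current: bytes) -> list:
    """Compare a known-good MBR with the current sector 0 and report what changed."""
    base, cur = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if not cur["valid_signature"]:
        findings.append("boot signature 0x55AA missing")
    if base["boot_code_sha256"] != cur["boot_code_sha256"]:
        findings.append("bootstrap code (bytes 0-439) modified")
    if base["disk_signature"] != cur["disk_signature"]:
        findings.append("disk signature changed")
    if base["partitions"] != cur["partitions"]:
        findings.append("partition table changed")
    return findings

def build_mbr(boot_code: bytes, disk_sig: int, partitions) -> bytes:
    """Assemble a synthetic MBR for testing; this is constructed data, not a real disk."""
    sector = bytearray(MBR_SIZE)
    code = boot_code[:BOOT_CODE_LEN]
    sector[:len(code)] = code
    struct.pack_into("<I", sector, DISK_SIG_OFF, disk_sig)
    for i, (bootable, ptype, lba_start, count) in enumerate(partitions[:4]):
        struct.pack_into(PART_ENTRY, sector, PART_TABLE_OFF + 16 * i,
                         0x80 if bootable else 0x00, ptype, lba_start, count)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)

# Constructed images: a clean MBR with one bootable NTFS (type 0x07) partition,
# and the same disk after its bootstrap code has been overwritten.
CLEAN_MBR = build_mbr(b"\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x90" * 64, 0xA1B2C3D4,
                      [(True, 0x07, 2048, 204800)])
TAMPERED_MBR = build_mbr(b"\xEB\xFE" + b"\x00" * 64, 0xA1B2C3D4,
                         [(True, 0x07, 2048, 204800)])

if __name__ == "__main__":
    print(parse_mbr(CLEAN_MBR)["partitions"])
    print(mbr_diff(CLEAN_MBR, TAMPERED_MBR))
```

Reporting each region separately matters because the regions discriminate between threat classes: a bootkit replaces the bootstrap code and leaves the partition table intact so the system still boots, a wiper typically destroys the table or the 0x55AA signature, and a legitimate partitioning tool changes only the table. A hash of the whole sector would collapse those cases into a single "changed".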
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
pid 2372 d0be347179715db77e40ef4a50439da2.exe (1 event)
pid 2984 defender.exe (63 events)
-
Suspicious behavior: RenamesItself (1 IoC)
Processes:
pid 2372 d0be347179715db77e40ef4a50439da2.exe
-
Suspicious use of FindShellTrayWindow (12 IoCs)
Processes:
pid 2984 defender.exe (12 events)
-
Suspicious use of SendNotifyMessage (12 IoCs)
Processes:
pid 2984 defender.exe (12 events)
-
Suspicious use of SetWindowsHookEx (2 IoCs)
Processes:
pid 2984 defender.exe (2 events)
-
Suspicious use of WriteProcessMemory (4 IoCs)
Processes:
PID 2372 (d0be347179715db77e40ef4a50439da2.exe) wrote to memory of PID 2984 (defender.exe), 4 times
Processes
1. C:\Users\Admin\AppData\Local\Temp\d0be347179715db77e40ef4a50439da2.exe (pid 2372)
   command line: "C:\Users\Admin\AppData\Local\Temp\d0be347179715db77e40ef4a50439da2.exe"
   - Loads dropped DLL
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious behavior: RenamesItself
   - Suspicious use of WriteProcessMemory
   2. C:\ProgramData\defender.exe (pid 2984, child of 1)
      command line: C:\ProgramData\defender.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Enumerates connected drives
      - Writes to the Master Boot Record (MBR)
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of SetWindowsHookEx
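The chain in this process tree (a sample in the user's Temp directory drops defender.exe into C:\ProgramData, launches it, and the child registers itself under the user's Run key) is what a host-based detection should correlate rather than alert on piecemeal. The Python below is an added example of that correlation and is not part of the report or the sandbox's own rule logic. It runs over a constructed list of Sysmon-style events (the real Sysmon IDs 1 ProcessCreate, 11 FileCreate and 13 RegistryEvent value set, with the Sysmon field names Image, TargetFilename, TargetObject and Details) that mirror this report's tree, plus one benign Run-key entry from Program Files as a control; the parent image explorer.exe and the control entry are assumptions, not facts from the report.

```python
import re

# Sysmon event IDs used (these are the real Sysmon IDs).
PROCESS_CREATE, FILE_CREATE, REG_SET = 1, 11, 13

# Directories an unprivileged user can write to; legitimate autostarts rarely live here.
USER_WRITABLE = re.compile(r"^[A-Z]:\\(ProgramData|Users\\[^\\]+\\AppData)\\", re.I)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)

def detect_drop_and_persist(events):
    """Correlate executable drops, their execution and Run-key writes across an event stream.

    Returns (rule, pid, detail) tuples in the order the evidence appears.
    """
    dropped = {}   # lowercase path of a dropped .exe -> pid that wrote it
    findings = []
    for e in events:
        eid = e["EventID"]
        if eid == FILE_CREATE:
            path = e["TargetFilename"]
            if path.lower().endswith(".exe") and USER_WRITABLE.match(path):
                dropped[path.lower()] = e["ProcessId"]
        elif eid == PROCESS_CREATE:
            image = e["Image"].lower()
            if image in dropped:
                findings.append(("dropped_exe_executed", e["ProcessId"],
                                 f"{e['Image']} dropped by pid {dropped[image]}"))
        elif eid == REG_SET and RUN_KEY.search(e["TargetObject"]):
            # Details carries the value data; strip quotes so a quoted path still matches.
            target = e["Details"].strip('"')
            if USER_WRITABLE.match(target):
                findings.append(("run_key_to_user_writable_path", e["ProcessId"],
                                 f"{e['TargetObject']} = {target}"))
    return findings

# Constructed events mirroring the sandbox process tree; not real telemetry.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\d0be347179715db77e40ef4a50439da2.exe"
DROPPED = r"C:\ProgramData\defender.exe"
RUN_KEY_PATH = (r"HKU\S-1-5-21-1658372521-4246568289-2509113762-1000"
                r"\Software\Microsoft\Windows\CurrentVersion\Run")
EVENTS = [
    {"EventID": 1, "ProcessId": 2372, "Image": SAMPLE, "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 11, "ProcessId": 2372, "Image": SAMPLE, "TargetFilename": DROPPED},
    {"EventID": 1, "ProcessId": 2984, "Image": DROPPED, "ParentImage": SAMPLE},
    {"EventID": 13, "ProcessId": 2984, "Image": DROPPED,
     "TargetObject": RUN_KEY_PATH + r"\Malware Protection", "Details": DROPPED},
    # Control (assumed, benign): a vendor updater registering itself from Program Files.
    {"EventID": 13, "ProcessId": 4100, "Image": r"C:\Program Files\Vendor\updater.exe",
     "TargetObject": RUN_KEY_PATH + r"\VendorUpdate",
     "Details": r"C:\Program Files\Vendor\updater.exe"},
]

if __name__ == "__main__":
    for rule, pid, detail in detect_drop_and_persist(EVENTS):
        print(f"[{rule}] pid={pid} {detail}")
```

Two findings come back, both against pid 2984, and the Program Files control produces none. One gap this event stream shares with the sandbox report: the write to \??\PhysicalDrive0 has no Sysmon equivalent (Event ID 9 RawAccessRead covers raw reads only), so MBR tampering has to be confirmed on disk rather than from registry and file telemetry.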
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Boot or Logon Autostart Execution (T1547): Registry Run Keys / Startup Folder (T1547.001), 1 signature
- Pre-OS Boot (T1542): Bootkit (T1542.003), 1 signature
Privilege Escalation
- Boot or Logon Autostart Execution (T1547): Registry Run Keys / Startup Folder (T1547.001), 1 signature
Downloads
\ProgramData\defender.exe
Filesize: 860KB
MD5: aa4e5c7054d22802f163c22997a71c1e
SHA1: d3e6aa99876fa005d2ab78a3759ef4e60f8829a0
SHA256: f54df95030a04f6bf2902f12176d1d4874a36b0eba39ac404d14705afc9711ef
SHA512: 382ae78fd41c42fe110e296c0af6c58c4a5153416f12b882811832c8bbc0aa6025b10be631a8ea1daea1f33fc95480b1bd4c1c893d7d7870e1ea58f281cfb102
-
Memory dumps (file name, filesize), grouped by process and ordered by dump index:
pid 2372 (d0be347179715db77e40ef4a50439da2.exe)
memory/2372-0-0x0000000000400000-0x00000000006E4000-memory.dmp  2.9MB
memory/2372-2-0x0000000000B30000-0x0000000000C30000-memory.dmp  1024KB
memory/2372-3-0x0000000000400000-0x00000000006E4000-memory.dmp  2.9MB
memory/2372-6-0x00000000770D0000-0x00000000770D1000-memory.dmp  4KB
memory/2372-9-0x0000000000400000-0x00000000006E4000-memory.dmp  2.9MB
memory/2372-13-0x0000000000330000-0x0000000000340000-memory.dmp  64KB
memory/2372-19-0x0000000002AA0000-0x00000000030AE000-memory.dmp  6.1MB
pid 2984 (defender.exe)
memory/2984-20-0x0000000000400000-0x0000000000A0E000-memory.dmp  6.1MB
memory/2984-22-0x0000000000B10000-0x0000000000C10000-memory.dmp  1024KB
memory/2984-23-0x0000000000400000-0x0000000000A0E000-memory.dmp  6.1MB
memory/2984-25-0x0000000000400000-0x0000000000A0E000-memory.dmp  6.1MB
memory/2984-26-0x0000000000400000-0x0000000000A0E000-memory.dmp  6.1MB
memory/2984-27-0x0000000000230000-0x0000000000231000-memory.dmp  4KB
memory/2984-28-0x0000000000400000-0x0000000000A0E000-memory.dmp  6.1MB
memory/2984-29-0x0000000000400000-0x0000000000A0E000-memory.dmp  6.1MB
memory/2984-30-0x0000000000B10000-0x0000000000C10000-memory.dmp  1024KB
memory/2984-31-0x0000000000400000-0x0000000000A0E000-memory.dmp  6.1MB
memory/2984-32-0x0000000000400000-0x0000000000A0E000-memory.dmp  6.1MB
memory/2984-33-0x0000000000400000-0x0000000000A0E000-memory.dmp  6.1MB
memory/2984-34-0x0000000000230000-0x0000000000231000-memory.dmp  4KB
memory/2984-35-0x0000000000400000-0x0000000000A0E000-memory.dmp  6.1MB
memory/2984-37-0x0000000000400000-0x0000000000A0E000-memory.dmp  6.1MB
memory/2984-38-0x0000000000400000-0x0000000000A0E000-memory.dmp  6.1MB
memory/2984-39-0x0000000000400000-0x0000000000A0E000-memory.dmp  6.1MB
memory/2984-40-0x0000000000400000-0x0000000000A0E000-memory.dmp  6.1MB
memory/2984-41-0x0000000000400000-0x0000000000A0E000-memory.dmp  6.1MB
memory/2984-42-0x0000000000400000-0x0000000000A0E000-memory.dmp  6.1MB
memory/2984-43-0x0000000000400000-0x0000000000A0E000-memory.dmp  6.1MB
memory/2984-44-0x0000000000400000-0x0000000000A0E000-memory.dmp  6.1MB
memory/2984-45-0x0000000000400000-0x0000000000A0E000-memory.dmp  6.1MB
memory/2984-46-0x0000000000400000-0x0000000000A0E000-memory.dmp  6.1MB
memory/2984-47-0x0000000000400000-0x0000000000A0E000-memory.dmp  6.1MB
Note: the last dump taken from the parent, memory/2372-19 (0x02AA0000-0x030AE000, 0x60E000 bytes), is exactly the size of the child's mapped image (0x00400000-0x00A0E000, also 0x60E000 bytes). Taken together with the four WriteProcessMemory calls from pid 2372 into pid 2984, this is consistent with the parent staging the defender.exe image in its own memory before writing it into the child; that dump is the one to unpack if the on-disk defender.exe does not unpack cleanly.