Analysis

  • max time kernel
    16s
  • max time network
    21s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    03/04/2024, 10:17

General

  • Target

    4e87a0794bf73d06ac1ce4a37e33eb832ff4c89fb9e4266490c7cef9229d27a7.exe

  • Size

    768KB

  • MD5

    11cf5ca49a6c354eb005fb24bdf6b1f0

  • SHA1

    c37b9b9fea73c95de363e8746ff305f4b23f0c28

  • SHA256

    4e87a0794bf73d06ac1ce4a37e33eb832ff4c89fb9e4266490c7cef9229d27a7

  • SHA512

    ac91cb1e00db5eab4dd2253f745703d95ea4fe086c4289da62088f40ea727e4b54205d230b4282d38df006c3aebb2522058e2737c90d426abf900368c9c6dbba

  • SSDEEP

    6144:jLPkIupKPUWqUzHwlyLqZucfo/4dQSP8AEcmqRYn/nCrK8cI1WaWQ0vOKO5DBHQp:3kXoDOUAuao/Kl9a9bQ+ZE1Qyu9

Score
7/10

Signatures

  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies Internet Explorer settings 1 TTPs 33 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4e87a0794bf73d06ac1ce4a37e33eb832ff4c89fb9e4266490c7cef9229d27a7.exe
    "C:\Users\Admin\AppData\Local\Temp\4e87a0794bf73d06ac1ce4a37e33eb832ff4c89fb9e4266490c7cef9229d27a7.exe"
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2868
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /TN "Eburin" /TR "\"C:\ProgramData\Kip1.exe\""
      2⤵
      • Creates scheduled task(s)
      PID:2228
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /run /tn "Eburin"
      2⤵
      PID:2460
    • C:\Windows\system32\taskeng.exe
      taskeng.exe {52FDED16-6C31-45C6-8192-2A4EF03124DB} S-1-5-21-2461186416-2307104501-1787948496-1000:MGILJUBR\Admin:Interactive:[1]
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:2568
      • C:\ProgramData\Kip1.exe
        C:\ProgramData\Kip1.exe
        2⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2832
        • C:\ProgramData\Kip1.exe
          C:\ProgramData\Kip1.exe
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          PID:2356
    • C:\Program Files (x86)\Internet Explorer\ielowutil.exe
      "C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
      1⤵
      PID:2556
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2536
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2536 CREDAT:275457 /prefetch:2
          2⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:2424

Downloads

  • C:\ProgramData\Kip1.exe

    Filesize

    768KB

    MD5

    b211348f8784ea450e1364c053046a6c

    SHA1

    70df9df1ffe20e7eac54e424c2e76242696904d2

    SHA256

    ca11b8ffbc782df697f34a26df930970b1ced2efbf89a34c506ae80a1cdc43bf

    SHA512

    b69d29cb50fbc3872a0e372c28747d56c94c094af7fe80168dfa48656e309aba32a7e9c7f26df6b5d2f2420592e6b079fc3df517298f2456e40aec2d8e36573a
