Analysis
max time kernel: 16s
max time network: 21s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 03/04/2024, 10:17

Static task: static1
Behavioral task: behavioral1
Sample: 4e87a0794bf73d06ac1ce4a37e33eb832ff4c89fb9e4266490c7cef9229d27a7.exe
Resource: win7-20240221-en
General
Target: 4e87a0794bf73d06ac1ce4a37e33eb832ff4c89fb9e4266490c7cef9229d27a7.exe
Size: 768KB
MD5: 11cf5ca49a6c354eb005fb24bdf6b1f0
SHA1: c37b9b9fea73c95de363e8746ff305f4b23f0c28
SHA256: 4e87a0794bf73d06ac1ce4a37e33eb832ff4c89fb9e4266490c7cef9229d27a7
SHA512: ac91cb1e00db5eab4dd2253f745703d95ea4fe086c4289da62088f40ea727e4b54205d230b4282d38df006c3aebb2522058e2737c90d426abf900368c9c6dbba
SSDEEP: 6144:jLPkIupKPUWqUzHwlyLqZucfo/4dQSP8AEcmqRYn/nCrK8cI1WaWQ0vOKO5DBHQp:3kXoDOUAuao/Kl9a9bQ+ZE1Qyu9
Malware Config
Signatures

Executes dropped EXE (2 IoCs)
pid | Process
2832 | Kip1.exe
2356 | Kip1.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Suspicious use of SetThreadContext (1 IoCs)
description | pid | Process | procid_target
PID 2832 set thread context of 2356 | 2832 | Kip1.exe | 34

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2228 | schtasks.exe
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses (1 IoCs)
pid | Process
2356 | Kip1.exe

Suspicious use of FindShellTrayWindow (5 IoCs)
pid | Process
2868 | 4e87a0794bf73d06ac1ce4a37e33eb832ff4c89fb9e4266490c7cef9229d27a7.exe
2868 | 4e87a0794bf73d06ac1ce4a37e33eb832ff4c89fb9e4266490c7cef9229d27a7.exe
2832 | Kip1.exe
2832 | Kip1.exe
2536 | iexplore.exe

Suspicious use of SendNotifyMessage (4 IoCs)
pid | Process
2868 | 4e87a0794bf73d06ac1ce4a37e33eb832ff4c89fb9e4266490c7cef9229d27a7.exe
2868 | 4e87a0794bf73d06ac1ce4a37e33eb832ff4c89fb9e4266490c7cef9229d27a7.exe
2832 | Kip1.exe
2832 | Kip1.exe

Suspicious use of SetWindowsHookEx (6 IoCs)
pid | Process
2868 | 4e87a0794bf73d06ac1ce4a37e33eb832ff4c89fb9e4266490c7cef9229d27a7.exe
2832 | Kip1.exe
2536 | iexplore.exe
2536 | iexplore.exe
2424 | IEXPLORE.EXE
2424 | IEXPLORE.EXE

Suspicious use of WriteProcessMemory (28 IoCs)
description | pid | Process | procid_target
PID 2868 wrote to memory of 2228 | 2868 | 4e87a0794bf73d06ac1ce4a37e33eb832ff4c89fb9e4266490c7cef9229d27a7.exe | 28
PID 2868 wrote to memory of 2228 | 2868 | 4e87a0794bf73d06ac1ce4a37e33eb832ff4c89fb9e4266490c7cef9229d27a7.exe | 28
PID 2868 wrote to memory of 2228 | 2868 | 4e87a0794bf73d06ac1ce4a37e33eb832ff4c89fb9e4266490c7cef9229d27a7.exe | 28
PID 2868 wrote to memory of 2228 | 2868 | 4e87a0794bf73d06ac1ce4a37e33eb832ff4c89fb9e4266490c7cef9229d27a7.exe | 28
PID 2868 wrote to memory of 2460 | 2868 | 4e87a0794bf73d06ac1ce4a37e33eb832ff4c89fb9e4266490c7cef9229d27a7.exe | 30
PID 2868 wrote to memory of 2460 | 2868 | 4e87a0794bf73d06ac1ce4a37e33eb832ff4c89fb9e4266490c7cef9229d27a7.exe | 30
PID 2868 wrote to memory of 2460 | 2868 | 4e87a0794bf73d06ac1ce4a37e33eb832ff4c89fb9e4266490c7cef9229d27a7.exe | 30
PID 2868 wrote to memory of 2460 | 2868 | 4e87a0794bf73d06ac1ce4a37e33eb832ff4c89fb9e4266490c7cef9229d27a7.exe | 30
PID 2568 wrote to memory of 2832 | 2568 | taskeng.exe | 33
PID 2568 wrote to memory of 2832 | 2568 | taskeng.exe | 33
PID 2568 wrote to memory of 2832 | 2568 | taskeng.exe | 33
PID 2568 wrote to memory of 2832 | 2568 | taskeng.exe | 33
PID 2832 wrote to memory of 2356 | 2832 | Kip1.exe | 34
PID 2832 wrote to memory of 2356 | 2832 | Kip1.exe | 34
PID 2832 wrote to memory of 2356 | 2832 | Kip1.exe | 34
PID 2832 wrote to memory of 2356 | 2832 | Kip1.exe | 34
PID 2832 wrote to memory of 2356 | 2832 | Kip1.exe | 34
PID 2832 wrote to memory of 2356 | 2832 | Kip1.exe | 34
PID 2832 wrote to memory of 2356 | 2832 | Kip1.exe | 34
PID 2832 wrote to memory of 2356 | 2832 | Kip1.exe | 34
PID 2832 wrote to memory of 2356 | 2832 | Kip1.exe | 34
PID 2832 wrote to memory of 2356 | 2832 | Kip1.exe | 34
PID 2832 wrote to memory of 2356 | 2832 | Kip1.exe | 34
PID 2832 wrote to memory of 2356 | 2832 | Kip1.exe | 34
PID 2536 wrote to memory of 2424 | 2536 | iexplore.exe | 38
PID 2536 wrote to memory of 2424 | 2536 | iexplore.exe | 38
PID 2536 wrote to memory of 2424 | 2536 | iexplore.exe | 38
PID 2536 wrote to memory of 2424 | 2536 | iexplore.exe | 38
Processes

C:\Users\Admin\AppData\Local\Temp\4e87a0794bf73d06ac1ce4a37e33eb832ff4c89fb9e4266490c7cef9229d27a7.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4e87a0794bf73d06ac1ce4a37e33eb832ff4c89fb9e4266490c7cef9229d27a7.exe"
  PID: 2868
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /TN "Eburin" /TR "\"C:\ProgramData\Kip1.exe\""
    PID: 2228
    - Creates scheduled task(s)

  C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /run /tn "Eburin"
    PID: 2460

C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {52FDED16-6C31-45C6-8192-2A4EF03124DB} S-1-5-21-2461186416-2307104501-1787948496-1000:MGILJUBR\Admin:Interactive:[1]
  PID: 2568
  - Suspicious use of WriteProcessMemory

  C:\ProgramData\Kip1.exe
    Command line: C:\ProgramData\Kip1.exe
    PID: 2832
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\ProgramData\Kip1.exe
      Command line: C:\ProgramData\Kip1.exe
      PID: 2356
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses

C:\Program Files (x86)\Internet Explorer\ielowutil.exe
  Command line: "C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
  PID: 2556

C:\Program Files\Internet Explorer\iexplore.exe
  Command line: "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
  PID: 2536
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2536 CREDAT:275457 /prefetch:2
    PID: 2424
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads