Analysis

  • max time kernel
    147s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system
  • submitted
    03/04/2024, 10:17

General

  • Target

    4e87a0794bf73d06ac1ce4a37e33eb832ff4c89fb9e4266490c7cef9229d27a7.exe

  • Size

    768KB

  • MD5

    11cf5ca49a6c354eb005fb24bdf6b1f0

  • SHA1

    c37b9b9fea73c95de363e8746ff305f4b23f0c28

  • SHA256

    4e87a0794bf73d06ac1ce4a37e33eb832ff4c89fb9e4266490c7cef9229d27a7

  • SHA512

    ac91cb1e00db5eab4dd2253f745703d95ea4fe086c4289da62088f40ea727e4b54205d230b4282d38df006c3aebb2522058e2737c90d426abf900368c9c6dbba

  • SSDEEP

    6144:jLPkIupKPUWqUzHwlyLqZucfo/4dQSP8AEcmqRYn/nCrK8cI1WaWQ0vOKO5DBHQp:3kXoDOUAuao/Kl9a9bQ+ZE1Qyu9

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 6 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Suspicious use of SetThreadContext 3 IoCs

    Each Kip1.exe launch (PIDs 1048, 2032, 4288) starts a second copy of itself and calls SetThreadContext on it; together with the WriteProcessMemory calls from the same parents and the 104KB regions at the default 32-bit image base dumped from the children, this is consistent with the child being used as a host for an injected (unpacked) payload.
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution. Here the sample registers the task "Eburin" with /SC MINUTE (no /MO, so every minute) to run the dropped C:\ProgramData\Kip1.exe, then starts it immediately with /run; the three Kip1.exe launches in the process tree are consistent with that schedule over the roughly 150s run.

  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of FindShellTrayWindow 11 IoCs
  • Suspicious use of SendNotifyMessage 8 IoCs
  • Suspicious use of SetWindowsHookEx 16 IoCs
  • Suspicious use of WriteProcessMemory 48 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4e87a0794bf73d06ac1ce4a37e33eb832ff4c89fb9e4266490c7cef9229d27a7.exe
    "C:\Users\Admin\AppData\Local\Temp\4e87a0794bf73d06ac1ce4a37e33eb832ff4c89fb9e4266490c7cef9229d27a7.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3564
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /TN "Eburin" /TR "\"C:\ProgramData\Kip1.exe\""
      2⤵
      • Creates scheduled task(s)
      PID:1928
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /run /tn "Eburin"
      2⤵
      PID:3144
  • C:\ProgramData\Kip1.exe
    C:\ProgramData\Kip1.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1048
    • C:\ProgramData\Kip1.exe
      C:\ProgramData\Kip1.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2760
  • C:\Program Files (x86)\Internet Explorer\ielowutil.exe
    "C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
    1⤵
    PID:3568
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1704
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1704 CREDAT:17410 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:3624
  • C:\ProgramData\Kip1.exe
    C:\ProgramData\Kip1.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2032
    • C:\ProgramData\Kip1.exe
      C:\ProgramData\Kip1.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:3860
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:452
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:452 CREDAT:17410 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:1552
  • C:\ProgramData\Kip1.exe
    C:\ProgramData\Kip1.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4288
    • C:\ProgramData\Kip1.exe
      C:\ProgramData\Kip1.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:1008
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3632
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3632 CREDAT:17410 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:1724
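The two behaviours worth alerting on in this tree are the schtasks persistence (a minute-interval task whose action is a binary under C:\ProgramData) and Kip1.exe re-spawning its own image, the parent/child pairs the report tags with SetThreadContext and WriteProcessMemory. The ielowutil.exe launch with CLSID {0002DF01-0000-0000-C000-000000000046} (the InternetExplorer.Application COM class) and the cached IE error pages under Downloads suggest the sample drove IE via COM to a destination that failed to resolve in the sandbox, so network IOCs are not recoverable from this page. The following is an added example, not part of the report or of the sandbox's tooling: it runs both rules over process-creation events constructed by hand from the tree above (root processes have no parent in the tree and get ppid 0); the event fields, helper names and the simplified command-line splitting rules are assumptions, not a Sysmon or EDR schema.

```python
r"""Process-tree detection rules for the schtasks persistence and the
Kip1.exe -> Kip1.exe self-spawn seen in the report. Added example; EVENTS is
constructed from the report's tree, field names are assumptions."""
import ntpath
import re
from dataclasses import dataclass

SAMPLE = "4e87a0794bf73d06ac1ce4a37e33eb832ff4c89fb9e4266490c7cef9229d27a7.exe"
DROPPED = r"C:\ProgramData\Kip1.exe"
SCHTASKS = r"C:\Windows\SysWOW64\schtasks.exe"
SCHTASKS_CREATE = (r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE '
                   r'/TN "Eburin" /TR "\"C:\ProgramData\Kip1.exe\""')
SCHTASKS_RUN = r'"C:\Windows\System32\schtasks.exe" /run /tn "Eburin"'
IE64 = r"C:\Program Files\Internet Explorer\iexplore.exe"
IE32 = r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int      # 0 = parent not shown in the report's tree
    image: str
    cmdline: str


EVENTS = [  # constructed from the process tree above
    ProcEvent(3564, 0, rf"C:\Users\Admin\AppData\Local\Temp\{SAMPLE}",
              rf'"C:\Users\Admin\AppData\Local\Temp\{SAMPLE}"'),
    ProcEvent(1928, 3564, SCHTASKS, SCHTASKS_CREATE),
    ProcEvent(3144, 3564, SCHTASKS, SCHTASKS_RUN),
    ProcEvent(1048, 0, DROPPED, DROPPED),
    ProcEvent(2760, 1048, DROPPED, DROPPED),
    ProcEvent(1704, 0, IE64, f'"{IE64}" -Embedding'),  # legit broker/tab pair, must not fire
    ProcEvent(3624, 1704, IE32, f'"{IE32}" SCODEF:1704 CREDAT:17410 /prefetch:2'),
    ProcEvent(2032, 0, DROPPED, DROPPED),
    ProcEvent(3860, 2032, DROPPED, DROPPED),
    ProcEvent(4288, 0, DROPPED, DROPPED),
    ProcEvent(1008, 4288, DROPPED, DROPPED),
]


def split_cmdline(cmdline: str) -> list[str]:
    """Windows-style argv split (simplified CommandLineToArgvW, an assumption):
    whitespace separates, double quotes group, a backslash escapes only a
    following double quote; all other backslashes are path separators."""
    args, cur, quoted, i = [], [], False, 0
    while i < len(cmdline):
        ch = cmdline[i]
        if ch == "\\" and cmdline[i + 1:i + 2] == '"':
            cur.append('"')
            i += 2
            continue
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            if cur:
                args.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
        i += 1
    if cur:
        args.append("".join(cur))
    return args


def parse_schtasks(args: list[str]) -> dict:
    """Collect the schtasks switches the rule needs; switches are case-insensitive."""
    opts = {"create": False, "run": False}
    i = 1
    while i < len(args):
        a = args[i].lower()
        if a == "/create":
            opts["create"] = True
        elif a == "/run":
            opts["run"] = True
        elif a in ("/sc", "/mo", "/tn", "/tr") and i + 1 < len(args):
            opts[a[1:]] = args[i + 1]
            i += 1
        i += 1
    return opts


USER_WRITABLE = re.compile(r"^[a-z]:\\(programdata|users\\[^\\]+\\appdata)\\", re.I)


def find_task_persistence(events):
    """schtasks /Create whose action runs from a user-writable path and/or
    repeats every minute (/SC MINUTE without /MO means an interval of 1)."""
    hits = []
    for ev in events:
        if ntpath.basename(ev.image).lower() != "schtasks.exe":
            continue
        o = parse_schtasks(split_cmdline(ev.cmdline))
        if not o["create"]:
            continue
        target = o.get("tr", "").strip('"')  # /TR value still carries its quotes
        reasons = []
        if o.get("sc", "").upper() == "MINUTE" and o.get("mo", "1") == "1":
            reasons.append("runs every minute")
        if USER_WRITABLE.match(target):
            reasons.append("target in user-writable path")
        if reasons:
            hits.append({"pid": ev.pid, "ppid": ev.ppid, "task": o.get("tn", "").strip('"'),
                         "target": target, "reasons": reasons})
    return hits


def find_self_spawn(events):
    """(parent pid, child pid) where the child runs the same image as its parent."""
    by_pid = {e.pid: e for e in events}
    pairs = []
    for e in events:
        p = by_pid.get(e.ppid)
        if p is not None and p.image.lower() == e.image.lower():
            pairs.append((p.pid, e.pid))
    return pairs


if __name__ == "__main__":
    for h in find_task_persistence(EVENTS):
        print("persistence:", h)
    print("self-spawn pairs:", find_self_spawn(EVENTS))
```

The self-spawn rule is deliberately narrow (identical image path): the iexplore.exe frame/tab pair in the tree uses the 64-bit and 32-bit binaries and does not fire, while all three Kip1.exe pairs do. In production the schtasks rule should also consider /SC ONLOGON and /SC ONSTART, and the /TR regex should include the other user-writable roots your estate allows.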

      Network

            MITRE ATT&CK Enterprise v15


            Downloads

            • C:\ProgramData\Kip1.exe

              Filesize

              768KB

              MD5

              b211348f8784ea450e1364c053046a6c

              SHA1

              70df9df1ffe20e7eac54e424c2e76242696904d2

              SHA256

              ca11b8ffbc782df697f34a26df930970b1ced2efbf89a34c506ae80a1cdc43bf

              SHA512

              b69d29cb50fbc3872a0e372c28747d56c94c094af7fe80168dfa48656e309aba32a7e9c7f26df6b5d2f2420592e6b079fc3df517298f2456e40aec2d8e36573a

            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

              Filesize

              1KB

              MD5

              7058bba1fe7cf158f7b8352fe16dbb9e

              SHA1

              272723ea31714b2d6b24f6869e243ddabe3c81a5

              SHA256

              0a80c0abbfed56bbe08856d78f27cb0065c6c2c4d245468d163456aa807ca69b

              SHA512

              3d754b4ee60018cd183cbe76d162e0f278670a7134fc710d2aa8c261d4d9594c3d7184a476fdf7242a6279fb76067d27055eb22dc70362e6cd2d1e3be6d89260

            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_4AAAE8DA7A12C7A50B5920DE5F0F0D15

              Filesize

              472B

              MD5

              366e3b3c898c75d56e53f479ea317c72

              SHA1

              ffe1032c77b966d535e6f2d123bf7ffdb07a285f

              SHA256

              5ddffbff56d1be3ca45392d13d09add4595472fe63aa951e2c01c12c5cd671c9

              SHA512

              342597a79602c28a21e11201d0cc704a7f28617e57008360083123bfb653cb4d545559804f721a7168242ec39bfcbeef08f24a2cb7b82b79ff35dbc5a3047378

            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

              Filesize

              724B

              MD5

              ac89a852c2aaa3d389b2d2dd312ad367

              SHA1

              8f421dd6493c61dbda6b839e2debb7b50a20c930

              SHA256

              0b720e19270c672f9b6e0ec40b468ac49376807de08a814573fe038779534f45

              SHA512

              c6a88f33688cc0c287f04005e07d5b5e4a8721d204aa429f93ade2a56aeb86e05d89a8f7a44c1e93359a185a4c5f418240c6cdbc5a21314226681c744cf37f36

            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

              Filesize

              410B

              MD5

              b96180747867f3a28b508f6a573d0ad0

              SHA1

              4707fd28087000945afc14e0e86836a974d20aa6

              SHA256

              ddbcb56442af4244493f41babed256f4a42e9ce87a0afe008a2291cb1efd5f3f

              SHA512

              54decf47639b758ddeff695725429eaa1cd300fba5a4b673ab946b6aab18e4c57c98322ba7143a8138b3ff563704c0a5ad6823ac98be56f415018a2fac1e8834

            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_4AAAE8DA7A12C7A50B5920DE5F0F0D15

              Filesize

              402B

              MD5

              9b7bfe129ce053d02f2c458f00df3dad

              SHA1

              7f6f5d99aa3a81ff5761e949c6a2a35fd8556f28

              SHA256

              7dff6fe786525dd022fda0e2a53af1683ebfed6ebb689c231eaa4fc1a2684751

              SHA512

              31ed89164f1650cec655f215b4a2b8061d52d2725ad7016f57053b4d0848e992a7eb48d555d843df0648983744d47b5e7af3dc039d7750524e2ac1755bc81e64

            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

              Filesize

              392B

              MD5

              5fdc94521c78d57b21977030735a68f0

              SHA1

              7f3cb3a6b89044fa0f8b006bffbc8ccd932f5549

              SHA256

              54cc59370304e1cbfec3518ff3d8d4e675ed2d0bf811a7391dcc66ab8a14f3db

              SHA512

              4f85f1ff50d3ec6e6aa4ee9abf56c4276f913cc356dcc97f0db19c1823b1eae2659b97216a92e6c681144f6b0c16118332cefae76268e56418a26b76f9aac127

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\3Z27RA7P\NewErrorPageTemplate[1]

              Filesize

              1KB

              MD5

              dfeabde84792228093a5a270352395b6

              SHA1

              e41258c9576721025926326f76063c2305586f76

              SHA256

              77b138ab5d0a90ff04648c26addd5e414cc178165e3b54a4cb3739da0f58e075

              SHA512

              e256f603e67335151bb709294749794e2e3085f4063c623461a0b3decbcca8e620807b707ec9bcbe36dcd7d639c55753da0495be85b4ae5fb6bfc52ab4b284fd

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8XRBHXP1\httpErrorPagesScripts[1]

              Filesize

              11KB

              MD5

              9234071287e637f85d721463c488704c

              SHA1

              cca09b1e0fba38ba29d3972ed8dcecefdef8c152

              SHA256

              65cc039890c7ceb927ce40f6f199d74e49b8058c3f8a6e22e8f916ad90ea8649

              SHA512

              87d691987e7a2f69ad8605f35f94241ab7e68ad4f55ad384f1f0d40dc59ffd1432c758123661ee39443d624c881b01dcd228a67afb8700fe5e66fc794a6c0384

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\FILN3D3Q\dnserror[1]

              Filesize

              2KB

              MD5

              2dc61eb461da1436f5d22bce51425660

              SHA1

              e1b79bcab0f073868079d807faec669596dc46c1

              SHA256

              acdeb4966289b6ce46ecc879531f85e9c6f94b718aab521d38e2e00f7f7f7993

              SHA512

              a88becb4fbddc5afc55e4dc0135af714a3eec4a63810ae5a989f2cecb824a686165d3cedb8cbd8f35c7e5b9f4136c29dea32736aabb451fe8088b978b493ac6d

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\FILN3D3Q\down[1]

              Filesize

              748B

              MD5

              c4f558c4c8b56858f15c09037cd6625a

              SHA1

              ee497cc061d6a7a59bb66defea65f9a8145ba240

              SHA256

              39e7de847c9f731eaa72338ad9053217b957859de27b50b6474ec42971530781

              SHA512

              d60353d3fbea2992d96795ba30b20727b022b9164b2094b922921d33ca7ce1634713693ac191f8f5708954544f7648f4840bcd5b62cb6a032ef292a8b0e52a44

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\FILN3D3Q\errorPageStrings[1]

              Filesize

              4KB

              MD5

              d65ec06f21c379c87040b83cc1abac6b

              SHA1

              208d0a0bb775661758394be7e4afb18357e46c8b

              SHA256

              a1270e90cea31b46432ec44731bf4400d22b38eb2855326bf934fe8f1b169a4f

              SHA512

              8a166d26b49a5d95aea49bc649e5ea58786a2191f4d2adac6f5fbb7523940ce4482d6a2502aa870a931224f215cb2010a8c9b99a2c1820150e4d365cab28299e

            • C:\Users\Admin\AppData\Local\Temp\CABD0A.tmp

              Filesize

              8B

              MD5

              7b5b6c7bf41e6055abd4e74476e08575

              SHA1

              5c05d3a68f69258d236f6d9677cc0a42e399e7cc

              SHA256

              2392619f397925a165cf31634781d68b006c396611c425f6c67f338356e47f8f

              SHA512

              36ef55c7b0beaa825ab7b3a509bdd6154be0039bf5add56232ecda2237c277f4fed64235f809cca1dc2370da4664d8c2013a9f3ea8fb6972238ef0b10a6790e6

            • C:\Users\Admin\AppData\Local\Temp\~DF8429EA5809C4B4A7.TMP

              Filesize

              16KB

              MD5

              8178f17a7ce5ad59a966505912214938

              SHA1

              33b9f94cc3bcf91dc5003873d6b3e1bf400db6c0

              SHA256

              217bde5771b12ad081e395812d6a909ca478a73560bb2a1dfde02c71abc84775

              SHA512

              1b9eed011650fb1abc60f77a1d864b18662d44ded998d024603b5cf1e924da4ca8b94f233a13bbda037d46fbc69bc08e6090bab6a8def5e5650210051cec4b11

            • memory/1008-160-0x0000000000400000-0x000000000041A000-memory.dmp

              Filesize

              104KB

            • memory/1008-208-0x0000000000400000-0x000000000041A000-memory.dmp

              Filesize

              104KB

            • memory/2760-12-0x0000000000400000-0x000000000041A000-memory.dmp

              Filesize

              104KB

            • memory/2760-11-0x0000000000400000-0x000000000041A000-memory.dmp

              Filesize

              104KB

            • memory/2760-8-0x0000000000400000-0x000000000041A000-memory.dmp

              Filesize

              104KB

            • memory/2760-69-0x0000000000400000-0x000000000041A000-memory.dmp

              Filesize

              104KB

            • memory/3564-2-0x0000000077281000-0x00000000773A1000-memory.dmp

              Filesize

              1.1MB

            • memory/3860-145-0x0000000000400000-0x000000000041A000-memory.dmp

              Filesize

              104KB

            • memory/3860-91-0x0000000000400000-0x000000000041A000-memory.dmp

              Filesize

              104KB

            • memory/3860-90-0x0000000000400000-0x000000000041A000-memory.dmp

              Filesize

              104KB
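Two details of the Downloads list matter for hunting: the dropped C:\ProgramData\Kip1.exe has the same size as the submitted sample (768KB) but a different SHA256, so a sweep keyed on the submitted hash alone would miss the persisted copy; and most entries (CryptnetUrlCache, INetCache error pages, memory dumps) are runtime noise rather than indicators. The following is an added example, not part of the report or of the sandbox's tooling: it parses the report's "path / Filesize / MD5 / SHA1 / SHA256 / SHA512" blocks, keeps only the executables, adds the submitted sample's hash, and sweeps a directory for matches. REPORT_EXCERPT is a trimmed, hand-copied subset of the list above (some hash fields omitted), and the classification rules, size cap and helper names are assumptions.

```python
r"""Parse the report's Downloads list into IOC records and sweep a directory
for files whose SHA256 matches a dropped executable. Added example; the
excerpt below is copied by hand from the report and trimmed."""
import hashlib
import os

SUBMITTED_SHA256 = "4e87a0794bf73d06ac1ce4a37e33eb832ff4c89fb9e4266490c7cef9229d27a7"

REPORT_EXCERPT = """
• C:\\ProgramData\\Kip1.exe

  Filesize

  768KB

  MD5

  b211348f8784ea450e1364c053046a6c

  SHA256

  ca11b8ffbc782df697f34a26df930970b1ced2efbf89a34c506ae80a1cdc43bf

• C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

  Filesize

  1KB

  SHA256

  0a80c0abbfed56bbe08856d78f27cb0065c6c2c4d245468d163456aa807ca69b

• memory/2760-8-0x0000000000400000-0x000000000041A000-memory.dmp

  Filesize

  104KB
"""

FIELDS = {"Filesize": "size", "MD5": "md5", "SHA1": "sha1", "SHA256": "sha256", "SHA512": "sha512"}


def parse_downloads(text: str) -> list[dict]:
    """Each '• path' line opens a record; a label line sets the key for the
    next non-empty line. Blank lines are layout and are skipped."""
    records, pending = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("• "):
            records.append({"path": line[2:]})
            pending = None
        elif line in FIELDS:
            pending = FIELDS[line]
        elif pending and records:
            records[-1][pending] = line
            pending = None
    return records


def classify(path: str) -> str:
    """Separate indicators from sandbox noise (rules are an assumption)."""
    low = path.lower()
    if low.startswith("memory/"):
        return "memory-dump"
    if "\\inetcache\\" in low or "\\cryptneturlcache\\" in low:
        return "browser-cache"
    if low.endswith((".exe", ".dll", ".scr")):
        return "dropped-exe"
    return "other"


def executable_iocs(records, extra=None) -> dict:
    """{sha256: label} for dropped executables plus any extra hashes."""
    iocs = {r["sha256"]: r["path"] for r in records
            if classify(r["path"]) == "dropped-exe" and "sha256" in r}
    iocs.update(extra or {})
    return iocs


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root: str, iocs: dict, max_size: int = 16 << 20) -> dict:
    """Walk root and return {path: label} for matching files. Files above
    max_size are skipped (the sample is 768KB) and unreadable ones ignored."""
    hits = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = os.path.join(dirpath, name)
            try:
                if os.path.getsize(p) > max_size:
                    continue
                digest = sha256_file(p)
            except OSError:
                continue
            if digest in iocs:
                hits[p] = iocs[digest]
    return hits


if __name__ == "__main__":
    iocs = executable_iocs(parse_downloads(REPORT_EXCERPT), {SUBMITTED_SHA256: "submitted sample"})
    print(sweep(os.environ.get("PROGRAMDATA", "."), iocs))
```

The hash set is a weak indicator on its own: a sample that rewrites itself on drop (as the differing Kip1.exe hash suggests) will not match on the next host. Pair it with the durable artifacts from the process tree, the task name "Eburin" and the C:\ProgramData\Kip1.exe path.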