Analysis

  • max time kernel
    121s
  • max time network
    140s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    03/04/2024, 12:23

General

  • Target

    Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe

  • Size

    67KB

  • MD5

    ceb9e6829d00ad6e8f25b30d77aba83f

  • SHA1

    865128c3a9baee65deeab14f1fdc9a68969df6f4

  • SHA256

    664582c7357c0ea9f0f6ab524867e1cce887251b11e917ba5c9d81247e57bcb1

  • SHA512

    18703d353319cbd049dfe3d19469eef2ef26615e44101eca43d1c7da515553d2c98e8098e5d2cfbf1c32984d77846dec320223ea4b8189ca9f64d570e7ea0ca2

  • SSDEEP

    1536:j+wPW51r8EHsL71ELMt/RYKiq4vo/1oHHbwr/Ye2WcMX6F8:j+wIiEH+u4/O1HHbwse2SXE8

Score
7/10

Malware Config

Signatures

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers commonly harvest stored browser data such as saved credentials, cookies, history and bookmarks; here a Firefox bookmarks dump is written to the loot directory listed under Downloads.

  • Drops desktop.ini file(s) 4 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Looks up geolocation information via web service

    Uses a legitimate geolocation service to find the infected system's geolocation info.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies Internet Explorer settings 1 TTPs 36 IoCs
  • Modifies system certificate store 2 TTPs 6 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 37 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe
    "C:\Users\Admin\AppData\Local\Temp\Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe"
    1⤵
    • Drops desktop.ini file(s)
    • Checks processor information in registry
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2120
    • C:\Windows\system32\schtasks.exe
      "schtasks.exe" /query /TN WinTask
      2⤵
      PID:2280
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\p.html
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2776
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2776 CREDAT:275457 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:2924
    • C:\Windows\system32\schtasks.exe
      "schtasks.exe" /query /TN WinTask
      2⤵
      PID:2552
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /tn WinTask /tr C:\Users\Admin\AppData\Local\Temp\Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe /sc minute /mo 5
      2⤵
      • Creates scheduled task(s)
      PID:2488
    • C:\Windows\system32\cmd.exe
      "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1036
      • C:\Windows\system32\chcp.com
        chcp 65001
        3⤵
        PID:1772
      • C:\Windows\system32\netsh.exe
        netsh wlan show profile
        3⤵
        PID:2308
      • C:\Windows\system32\findstr.exe
        findstr All
        3⤵
        PID:2240
    • C:\Windows\system32\cmd.exe
      "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1164
      • C:\Windows\system32\chcp.com
        chcp 65001
        3⤵
        PID:1596
      • C:\Windows\system32\netsh.exe
        netsh wlan show networks mode=bssid
        3⤵
        PID:2864
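The process tree above is the whole story of this sample in five command lines: a double-extension lure (.html.exe), a decoy p.html handed to Internet Explorer, two `schtasks /query` probes for an existing WinTask followed by `schtasks /create` re-running the sample from %TEMP% every 5 minutes, and `netsh wlan` enumerating saved Wi-Fi profiles (on an en-US system `findstr All` keeps the "All User Profile" lines, i.e. the profile names) and nearby networks. The `chcp 65001 &&` prefix is the tell of a program capturing tool output rather than a user typing. The following Python triage is an added example, not code from the report or from the sample: it parses process-creation events constructed from the command lines above and flags those behaviours. The EVENTS list, the user-writable-directory and double-extension patterns, the browser allow-list and the 15-minute threshold are this example's assumptions.

```python
"""Triage of the process tree above. Added example, not code from the report or the
sample: it parses the recorded command lines and flags the behaviours that matter
(double-extension lure, decoy HTML, schtasks persistence, Wi-Fi recon)."""
import re

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe"

# Constructed from the tree above as (pid, ppid, command line). The sample's own parent
# is not shown in the report, so ppid 0 is a placeholder.
EVENTS = [
    (2120, 0,    f'"{SAMPLE}"'),
    (2280, 2120, '"schtasks.exe" /query /TN WinTask'),
    (2776, 2120, r'"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\p.html'),
    (2552, 2120, '"schtasks.exe" /query /TN WinTask'),
    (2488, 2120, f'"C:\\Windows\\System32\\schtasks.exe" /create /tn WinTask /tr {SAMPLE} /sc minute /mo 5'),
    (1036, 2120, '"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All'),
    (2308, 1036, 'netsh wlan show profile'),
    (1164, 2120, '"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid'),
    (2864, 1164, 'netsh wlan show networks mode=bssid'),
]

# Assumptions of this example: directories an unprivileged user can write to, the
# "document.exe" extension pairs treated as lures, and the parents allowed to spawn iexplore.
USER_WRITABLE = re.compile(r'\\users\\[^\\]+\\appdata\\|\\users\\public\\|\\programdata\\|\\windows\\temp\\')
DOUBLE_EXT = re.compile(r'\.(html?|pdf|docx?|xlsx?|jpe?g|png|txt)\.(exe|scr|com|bat|cmd|ps1)$')
BROWSERS = {'explorer.exe', 'iexplore.exe', 'chrome.exe', 'firefox.exe', 'msedge.exe'}


def split_cmdline(cmdline):
    """Return (exe, tail, switches). A switch value runs until the next '/switch', so the
    unquoted /tr path with spaces above is kept whole instead of being cut at the first space."""
    m = re.match(r'^\s*(?:"([^"]*)"|(\S+))\s*(.*)$', cmdline)
    exe, tail = (m.group(1) or m.group(2)).lower(), m.group(3)
    switches = {}
    for tok in re.split(r'\s+(?=/[A-Za-z]+(?:\s|$))', tail):
        if tok.startswith('/'):
            name, _, value = tok[1:].partition(' ')
            switches[name.lower()] = value.strip()
    return exe, tail, switches


def image_name(exe):
    """Basename of an image path; 'netsh' (logged without extension above) becomes 'netsh.exe'."""
    name = exe.rsplit('\\', 1)[-1]
    return name if '.' in name else name + '.exe'


def interval_minutes(sc, mo):
    """Trigger period for /sc MINUTE|HOURLY|DAILY with modifier /mo; None for other schedules."""
    unit = {'minute': 1, 'hourly': 60, 'daily': 1440}.get(sc.lower())
    return unit * int(mo or 1) if unit else None


def check_task_create(sw):
    """Findings for a 'schtasks /create' switch map as (category, message)."""
    out, task, action = [], sw.get('tn', '?'), sw.get('tr', '')
    if USER_WRITABLE.search(action.strip('"').lower()):
        out.append(('persistence', f"task {task} runs {action!r} from a user-writable path"))
    period = interval_minutes(sw.get('sc', ''), sw.get('mo', ''))
    if period is not None and period <= 15:
        out.append(('persistence', f"task {task} re-runs every {period} min"))
    if ' ' in action and not action.startswith('"'):
        out.append(('caveat', f"task {task} action contains spaces but is unquoted; the report does not show "
                              f"whether schtasks accepted it, confirm with 'schtasks /query /tn {task} /v' on the host"))
    return out


def root_of(pid, by_pid):
    """Walk ppid links up to the topmost process present in the event set."""
    while by_pid.get(pid, (None,))[0] in by_pid:
        pid = by_pid[pid][0]
    return pid


def triage(events):
    """Run every check over (pid, ppid, cmdline) events; returns (pid, root_pid, category, message)."""
    by_pid = {pid: (ppid, cmd) for pid, ppid, cmd in events}
    findings = []
    for pid, ppid, cmd in events:
        exe, tail, sw = split_cmdline(cmd)
        name, low = image_name(exe), tail.lower()
        parent = image_name(split_cmdline(by_pid[ppid][1])[0]) if ppid in by_pid else '<unknown>'
        hits = []
        m = DOUBLE_EXT.search(name)
        if m:
            hits.append(('lure', f"image name ends in {m.group(0)!r} (double extension)"))
        if name == 'schtasks.exe' and 'create' in sw:
            hits += check_task_create(sw)
        if name == 'iexplore.exe' and low.endswith('.html') and USER_WRITABLE.search(low) and parent not in BROWSERS:
            hits.append(('decoy', f"{parent} opened local page {tail!r} in Internet Explorer"))
        if name == 'cmd.exe' and 'chcp 65001' in low and '&&' in low:
            hits.append(('recon', "cmd sets the UTF-8 code page then runs a tool: output is being captured by a program"))
        if name == 'netsh.exe' and 'wlan show profile' in low:
            hits.append(('recon', "enumerates saved Wi-Fi profiles"))
        if name == 'netsh.exe' and 'wlan show networks' in low:
            hits.append(('recon', "enumerates nearby Wi-Fi networks (BSSIDs)"))
        findings += [(pid, root_of(pid, by_pid), cat, msg) for cat, msg in hits]
    return findings


if __name__ == '__main__':
    for pid, root, cat, msg in triage(EVENTS):
        print(f"pid {pid} (root {root}) [{cat}] {msg}")
```

Every finding chains back to PID 2120, which is the point of the root attribution: on real telemetry (Sysmon event 1 or 4688 command lines fed into `triage`) the netsh and schtasks children are what you see first, and the parent walk gets you to the dropped .html.exe. The unquoted `/tr` path is worth checking on an infected host rather than assumed to work; the report records the `schtasks /create` command line, not whether the task was registered with the full path.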

Network

MITRE ATT&CK Enterprise v15

Downloads

                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

                        Filesize

                        68KB

                        MD5

                        29f65ba8e88c063813cc50a4ea544e93

                        SHA1

                        05a7040d5c127e68c25d81cc51271ffb8bef3568

                        SHA256

                        1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

                        SHA512

                        e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                        Filesize

                        344B

                        MD5

                        d6f62a3a55b5ebeeeaf95ced6d18bb4b

                        SHA1

                        b9e5aa709282ffe2449e9af6f5d2d9ce4647ac07

                        SHA256

                        519c9c878a95fc08624cf3021c60b0d35c023e3cc6f4e7fcd4bc74eb9d00ad3a

                        SHA512

                        56ddf41c3878e6225d23c139f5bfb1c8b33dfe2940ffa9a5afa5cfeeae5fab2a6371600afb4a1f4f1a4114c31f2a06817a98cf7b1783c09db693ccd5a2f289c5

                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                        Filesize

                        344B

                        MD5

                        203ed968e54727a998efbd47ff6132bd

                        SHA1

                        0d5bd57ef0fb3fe7b8c86ce1ec883a4c1655f3de

                        SHA256

                        4d424f5e6a76c61125d5f82a543ab94aa8f3b6fd3d3817a01ff795ac673aaaeb

                        SHA512

                        7b354da1c32ccae1e0666be643c1d5004a92c9a2e17a1c72ab4984b3f1f116727f0f33ab114f353f15bce78318374d8243906d30986aa82b50ee94457c2caa6b

                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                        Filesize

                        344B

                        MD5

                        0255ad40ac907ab578772e67070715f0

                        SHA1

                        02fa7244139392bd779578f9b2df7b136b8b540e

                        SHA256

                        fe25190c82f99f746688d79b0a9f9c0b9e46b06d764b4e8d7f40f5d373cf6331

                        SHA512

                        9fa8303db8fe6235764aefebd2dbf79dbfae27f4b8d167c73e170379bb17110eeb1e0f3a6adc27b25e14af74fd682d77ada3b91dbce206821bce3b3e370937e0

                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                        Filesize

                        344B

                        MD5

                        a817b3818c9f39865cb637d7e77885ad

                        SHA1

                        434fd76b408f9bd860c5bb3704afe595ca46ec4e

                        SHA256

                        b029faf0aaccb16205b2c5ea736e6da38185a4749b6218c2432099f2a80d752d

                        SHA512

                        8ef6d26cebe20a55c3964041f741de53210bed133dd3e531e6eed9f0880b5c5f1ac4a4f3d851da7e3fa38b83e2c23c05f4393a4259a096e6073cb223a801eb88

                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                        Filesize

                        344B

                        MD5

                        9adde5134e95231438986213afb6f46d

                        SHA1

                        46978163c31bb7a702e53b323d64e1db92886574

                        SHA256

                        80aa1620f48c541750723d1526fcb473569f4a177f33a5a571fccfed0271e5d1

                        SHA512

                        93d1bd7c5a85d02c7dde19d2fca78d1aae92f37973998a729fd75c8619bab84a08c765f08d04e2c39c04f8b2df989a7988769cbc457aa89733645227eaa1354b

                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                        Filesize

                        344B

                        MD5

                        549c9d27191f1c32a6f6d34f1a22cc6f

                        SHA1

                        c8471b784826e7c1036ef9646ff0e8b6ce5cfb19

                        SHA256

                        c14df1b5e30c605a21a141a742326fe84b8f4f4322d3d079bea510605cb9c8b3

                        SHA512

                        e6e73cc71aeb51ef2aad52be17ca73bbd95e097f11a92f2f1a14db0ebf05d2df75b7b087cbb292c3adf02dcd6ccbe14d845186e4faf7d42e2ac43a7a0738e479

                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                        Filesize

                        344B

                        MD5

                        7bb227591a4e1d2ce2f78bf3bcc19322

                        SHA1

                        74ea9db5f29d3c78fca3966f5d2a2dc03147bf0c

                        SHA256

                        0f707adb5e9873c90693639847367739a2a8ad5009d9f366330ebb5e0a14bcd8

                        SHA512

                        a1f066451171310cfd341f321d8f9ef094a65be312da342512fb4290d85e99f7f9cb4b66b743acefdc1415a235916a4eaa20016744a6d308dc5dbc9d89903010

                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                        Filesize

                        344B

                        MD5

                        2aaaa9c738c6dd16b7c88ab9813472ee

                        SHA1

                        bd20775dc7ed0befd464d8c6cc540f68821f8c89

                        SHA256

                        a96da63184c63ee2ca42d14427cdc62f534999b57d4e63caaacd6c048f8f07df

                        SHA512

                        0ee3aabb3699c562e7db60be1e69f0022d40645cb6b6a2d0a34ec40a4ad87fd607434c86184d581806cf95af1bd0a1f5f0e57fae1fcd0c8cf0390101d34eac08

                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                        Filesize

                        344B

                        MD5

                        a3f23bea379229746ee975c59ce0f170

                        SHA1

                        7a50252b6a25f13466c4ee49c8ea698d9f0598c1

                        SHA256

                        c0dba06cfa6ab4782d939f97d13bb7cccff9db74e8d0458eb2a0f88094f79f1d

                        SHA512

                        6ebe8a35eadab269116810a54e565d234b475a5ac6b60dabbdf850499ab686466c989aa20a84cba1b5088bdd13e348fc7b7d2167ef4c0c77691cd1a46b8e439a

                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                        Filesize

                        344B

                        MD5

                        770c2796f7c85990ecd78663979b14ee

                        SHA1

                        65816782d02c2ff38b0d3af24cbf48cc8faef4b6

                        SHA256

                        e660eb2983de0f736d905e04c00f1d3e92610b4331de043c565f9cb205551d11

                        SHA512

                        773afba40447630e532f1f034e0241ce823f71835af3d7c087be648ed9474116f19fa9773a87d211fc757f9300476e6ca502b37aa2b909648eaa20fa3c4a9b6d

                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                        Filesize

                        344B

                        MD5

                        5d898fdacd7215eb68358ffc51ca7dd8

                        SHA1

                        eda997e56ce8edb922b1439134d7b59016316d2e

                        SHA256

                        76d3a0f3739c0147c6d169aeb2f0e3ef5d70e557acd82a92a6f6e2f03861dc30

                        SHA512

                        8bd7d97b87cce933027965fffa62b1c33b76a687aae7c54eda171b8b9adfcf11b6f577265a48d1c4f7fd584acb778d40693cd533bcf0b159973482da710a9415

                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                        Filesize

                        344B

                        MD5

                        3adb47b1aa80661c8cdceeb6363c965f

                        SHA1

                        27e3687c6522c6b39ec65cc776e99135f8cba6e4

                        SHA256

                        81fa41826afb4303517ce79f5b696dceb90f0e6361ebadac0f0339266b94ed6f

                        SHA512

                        0f3871f55875e4622bdbf8181ed133f098cd28ab1d1256f088ddf03e3049366a3ad0a247b24cc75a6944bdebdc7006359422723104dfc6a85d60fb50bdf1af5a

                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                        Filesize

                        344B

                        MD5

                        41edf74f2e196a5b23ca4c112779ff77

                        SHA1

                        567c7039a4aa2658ca0d85aa22b1c4b71454505e

                        SHA256

                        a8812909a54022cff9ddfb0d45205f3a17b06e800c9ccc3ccfd2d9b61b985b98

                        SHA512

                        e79c2c3c978ddc908abb765a523f7cb57197faff413f2ee857e42380865f686e6e8b91a84662473bef2304d4b345b82a708453997361e081e082e2a54f8ea242

                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                        Filesize

                        344B

                        MD5

                        19495cad195480681e6ed240822b9d0d

                        SHA1

                        4efb5abde4fc57ee1fcafed54e5509a1a7e6623e

                        SHA256

                        66f626941c433dbb99bdc77482e19944391d999fc4482910fec55929e9470fee

                        SHA512

                        7aa48a739e35dc1b94f22b55e3b646dc634f8b5d23708376fffe95fd0106a21bdcd6316ed77f021aabc82f5cf407be2e11657113a259e0503bc48b76b3554433

                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                        Filesize

                        344B

                        MD5

                        95d7143e34b27b5f895bf668ac8527f2

                        SHA1

                        a7ba0c66474183ec50d92e34d089dc9465750fea

                        SHA256

                        9cd61612e871f14aadde8d5113c8f89e49033febdfc42496ee2b7e8f3899361f

                        SHA512

                        8b677d0056ee8f71fc9abb0501a376d4e2633ccf4582cf2732c5e4575dae02e61d7ff0e401f21e9179dbfba6b83683290bd410f028602cbefaf128e0803df9a2

                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                        Filesize

                        344B

                        MD5

                        383464e6c55401166e256f6eae1c37dd

                        SHA1

                        2d60ff2c112cfa9e275a3f385ad30e33b98bb5ac

                        SHA256

                        dd245490ef1f6cf305f3d067f06a5eb6888d53958ebf6858a69c23b24bab2f36

                        SHA512

                        b9ffc8b81d97c631b047d5de1f7ef6309afd3886a54f76acfc61fb43b3e612440e9a5d187ffe160b788a23cba93c8e4925e7e23df6668982b89af1ecd1d24a30

                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                        Filesize

                        344B

                        MD5

                        2b7647896d9c8d7916b8da13a0e04c80

                        SHA1

                        d150d9c0de2b10b41cc7ba46e8d03a805abfe178

                        SHA256

                        1ab72677fa6cbc1fd13faa6b6726654d741d28e8c3261027326fde238f8f77a0

                        SHA512

                        ad19f13d1a74a8419e1bde6fd84525b39b45627930f4d2321f4b5649124951dd4dba200b0710bb52f852beef0498f8bad3a0cd651379c294f1b534c681035c70

                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                        Filesize

                        344B

                        MD5

                        103601c828b3443e5f1b0ba7de0ead77

                        SHA1

                        71e3caf4fd380661a6825b0de4c05e5a9c9aa89b

                        SHA256

                        e4ad91e8a808a156a5a7c39d828480be641973c976527448c2086c6c182528be

                        SHA512

                        50b9144e5627e5670b7eceff93ce4e44db410728532fb40de435ea66aec2736a2b7ffef2b73531677f53c5afe072b207da9a5ca154f5ed7a9062afffb225c2e9

                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                        Filesize

                        344B

                        MD5

                        a41211d403cf63e53180c8981739c112

                        SHA1

                        1f5b04fb4b0b0d468854b3b1d7fb8d89823662d1

                        SHA256

                        0effe26d35c67f4d7c9ce2d8361722673c089b534350d624780c573036c2c1b8

                        SHA512

                        ec83fb32e14b5f48cb9c8caf6fb6700d442d21811fa86d0fe96575539b08af0bb35de234ccbe75f84820af51d4ca99887dd3e4155646d02a407459d27e9836c0

                      • C:\Users\Admin\AppData\Local\Temp\Cab958C.tmp

                        Filesize

                        65KB

                        MD5

                        ac05d27423a85adc1622c714f2cb6184

                        SHA1

                        b0fe2b1abddb97837ea0195be70ab2ff14d43198

                        SHA256

                        c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

                        SHA512

                        6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

                      • C:\Users\Admin\AppData\Local\Temp\Tar968F.tmp

                        Filesize

                        177KB

                        MD5

                        435a9ac180383f9fa094131b173a2f7b

                        SHA1

                        76944ea657a9db94f9a4bef38f88c46ed4166983

                        SHA256

                        67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

                        SHA512

                        1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

                      • C:\Users\Admin\AppData\Local\Temp\p.html

                        Filesize

                        23KB

                        MD5

                        4e4349147d3cbbd440f7f3fac5866fa6

                        SHA1

                        563cf45b4395e64993a84665efcb49b3775505b1

                        SHA256

                        732efd30bfed7196474ada4a5ffabc01f116bb2b3c68c099991f291ab0c6e325

                        SHA512

                        7f2e285507d699b1362babcff71b56e1ddd56fb819a27007f492b2276a10648aef6e5880306a60e2d0265b57b999dfabfae0cb7909a64cf9eebc21f8fcb1a440

                      • C:\Users\Admin\AppData\Local\a28d98c875343736574c904932f9ec23\Admin@IKJSPGIM_en-US\Browsers\Firefox\Bookmarks.txt

                        Filesize

                        105B

                        MD5

                        2e9d094dda5cdc3ce6519f75943a4ff4

                        SHA1

                        5d989b4ac8b699781681fe75ed9ef98191a5096c

                        SHA256

                        c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

                        SHA512

                        d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

                      • C:\Users\Admin\AppData\Local\a28d98c875343736574c904932f9ec23\Admin@IKJSPGIM_en-US\System\Process.txt

                        Filesize

                        1KB

                        MD5

                        c8ebdf62cb27649e98698e75c49e3cfa

                        SHA1

                        09eae9b9482edec7ddbe0ce9f8c005c1d45be918

                        SHA256

                        bd7b68187d79249365d02c5934eaecf7a4e20070627dda7ba9cf5b376f0cee5a

                        SHA512

                        faf7eaea3ee9d3fdea43bcdef2531ae1b4d1707cc8ceeef03c6c66b8eae2d9c13eb5c02638653f0666c2000cb3902e9e93bf2d88fb27e330b3b7ff2714a31ea7

                      • C:\Users\Admin\AppData\Local\a28d98c875343736574c904932f9ec23\Admin@IKJSPGIM_en-US\System\Process.txt

                        Filesize

                        1KB

                        MD5

                        c738ea0e48edf8ba3e3fd8b518fbc23a

                        SHA1

                        73435ef5e933ade3496f1dbe2166552afe0c9a63

                        SHA256

                        c6ed8ace309f8c8f93dc9e4356f5d109d5104bb5405258de2bb420d7d2be04ae

                        SHA512

                        6e3c39d925dbbbeee579cdcf9956261ef1826617d34cb88eb55b34feca6caefa508e6d9fe59dde70699d2467cc7164e96f78869c73fed0f1af401cb2ccc50531

                      • memory/2120-11-0x0000000002540000-0x0000000002546000-memory.dmp

                        Filesize

                        24KB

                      • memory/2120-668-0x000007FEF55B0000-0x000007FEF5F9C000-memory.dmp

                        Filesize

                        9.9MB

                      • memory/2120-0-0x000000013FE90000-0x000000013FEA4000-memory.dmp

                        Filesize

                        80KB

                      • memory/2120-1-0x000007FEF55B0000-0x000007FEF5F9C000-memory.dmp

                        Filesize

                        9.9MB

                      • memory/2120-567-0x000007FEF55B0000-0x000007FEF5F9C000-memory.dmp

                        Filesize

                        9.9MB

                      • memory/2120-2-0x000000001BC90000-0x000000001BD10000-memory.dmp

                        Filesize

                        512KB

                      • memory/2120-9-0x000000001BB10000-0x000000001BB52000-memory.dmp

                        Filesize

                        264KB

                      • memory/2120-10-0x000000001BBE0000-0x000000001BC46000-memory.dmp

                        Filesize

                        408KB

                      • memory/2120-90-0x000000001BC90000-0x000000001BD10000-memory.dmp

                        Filesize

                        512KB
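Two of the Downloads entries above are the sample's own loot, not browser cache: `Browsers\Firefox\Bookmarks.txt` and `System\Process.txt` written under `C:\Users\Admin\AppData\Local\a28d98c875343736574c904932f9ec23\Admin@IKJSPGIM_en-US\`, that is a 32-hex-character directory holding a `<user>@<host>_<locale>` folder with per-category subfolders. The following Python hunt is an added example, not part of the report: it walks a directory tree and reports directories with that layout and the files collected beneath them. Generalising the layout from the two paths shown is an assumption, as are the regular expressions and the `Browsers`/`System` subfolder names; the tree is constructed in a temporary folder with placeholder file contents so the check runs offline on any OS.

```python
"""Hunt for the stealer staging layout seen in the Downloads list above:
<AppData\Local>\<32 hex chars>\<user>@<host>_<locale>\{Browsers,System}\...
Added example, not part of the report; the layout is generalised from the two
paths the report shows (an assumption)."""
import re
import tempfile
from pathlib import Path

HEX32 = re.compile(r'^[0-9a-f]{32}$', re.I)
USER_AT_HOST = re.compile(r'^[^@\\]+@[^_\\]+_[a-z]{2}-[A-Z]{2}$')   # e.g. Admin@IKJSPGIM_en-US
LOOT_DIRS = {'browsers', 'system'}                                  # subfolders seen in the report


def find_staging_dirs(root: Path) -> dict:
    """Map each staging directory (Windows-style path relative to root) to the files under it.
    A hit needs: AppData\Local parent, 32-hex directory, <user>@<host>_<locale> child and at
    least one of the loot subfolders, which keeps ordinary hex-named caches out of the results."""
    hits = {}
    for d in sorted(p for p in root.rglob('*') if p.is_dir()):
        rel = d.relative_to(root).parts
        if len(rel) < 4 or not (HEX32.match(rel[-2]) and USER_AT_HOST.match(rel[-1])):
            continue
        if rel[-4].lower() != 'appdata' or rel[-3].lower() != 'local':
            continue
        if not any(c.is_dir() and c.name.lower() in LOOT_DIRS for c in d.iterdir()):
            continue
        files = sorted('\\'.join(f.relative_to(d).parts) for f in d.rglob('*') if f.is_file())
        hits['\\'.join(rel)] = files
    return hits


def build_sample_tree(base: Path) -> None:
    """Constructed tree: the two loot files from the report plus two benign look-alikes.
    File contents are placeholders; the report does not show what the real files contain."""
    local = base / 'Users' / 'Admin' / 'AppData' / 'Local'
    loot = local / 'a28d98c875343736574c904932f9ec23' / 'Admin@IKJSPGIM_en-US'
    for path, text in {
        loot / 'Browsers' / 'Firefox' / 'Bookmarks.txt': 'constructed placeholder\n',
        loot / 'System' / 'Process.txt': 'constructed placeholder\n',
        local / 'Microsoft' / 'Windows' / 'INetCache' / 'index.dat': '',      # normal Windows data
        local / '0123456789abcdef0123456789abcdef' / 'cache.bin': '',         # hex dir, no user@host layer
    }.items():
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(text)


def demo() -> dict:
    """Build the constructed tree in a temp folder and run the hunt over it."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        build_sample_tree(base)
        return find_staging_dirs(base)


if __name__ == '__main__':
    for staging, files in demo().items():
        print(staging)
        for f in files:
            print('    ' + f)
```

On a live host the call is `find_staging_dirs(Path(r'C:\Users'))`; the hex directory and the `user@host_locale` name will differ per victim, so treat a match as a lead to triage (what was collected, and whether the `Process.txt`-style inventory names your security tooling) rather than as proof on its own.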