Analysis

  • max time kernel
    114s
  • max time network
    143s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03/04/2024, 18:56

General

  • Target

    1.exe

  • Size

    7.9MB

  • MD5

    edad028afad7d751e95aa524b812fef4

  • SHA1

    de399cbf29bd5ca367c723288c8cb55048c44446

  • SHA256

    577066c5dd6d992ef8879cec6c006a820706d4199406efa2ac60e7191c8ed481

  • SHA512

    ca23721b8e896830b7b0c1fedff87fff4e5d67b3dc796a851990692a2852b0c74cc44fd6a3d5a54dbd8849efd18cff07d8c15987fcd5e7d0da4abc96b99733c8

  • SSDEEP

    98304:wWqqoMV8F4Tab14wQ2zLT0VbdGfNBODVG:dV4b11zdHE

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Enumerates processes with tasklist 1 TTPs 1 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 17 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\1.exe
    "C:\Users\Admin\AppData\Local\Temp\1.exe"
    1⤵
    • Loads dropped DLL
    • Enumerates connected drives
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:780
    • C:\Windows\system32\schtasks.exe
      "schtasks" /Delete /TN Sandisk /F
      2⤵
      PID:4584
    • C:\Windows\system32\schtasks.exe
      "schtasks" /Create /SC ONLOGON /TN Sandisk /TR "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1.exe" /RL HIGHEST
      2⤵
      • Creates scheduled task(s)
      PID:728
    • C:\Windows\system32\cmd.exe
      "cmd" /C tasklist
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1892
      • C:\Windows\system32\tasklist.exe
        tasklist
        3⤵
        • Enumerates processes with tasklist
        • Suspicious use of AdjustPrivilegeToken
        PID:4776
    • C:\Users\Admin\AppData\Local\Temp\resource.exe
      "C:\Users\Admin\AppData\Local\Temp\resource.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: GetForegroundWindowSpam
      PID:4876
    • C:\Windows\system32\cmd.exe
      "cmd" /C "chcp 65001 && netsh wlan show profile | findstr All"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1812
      • C:\Windows\system32\chcp.com
        chcp 65001
        3⤵
        PID:4456
      • C:\Windows\system32\netsh.exe
        netsh wlan show profile
        3⤵
        PID:4328
      • C:\Windows\system32\findstr.exe
        findstr All
        3⤵
        PID:1124
    • C:\Windows\system32\cmd.exe
      "cmd" /C "chcp 65001 && netsh wlan show networks mode=bssid"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3116
      • C:\Windows\system32\chcp.com
        chcp 65001
        3⤵
        PID:1036
      • C:\Windows\system32\netsh.exe
        netsh wlan show networks mode=bssid
        3⤵
        PID:4352
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1292 --field-trial-handle=2588,i,4353937220825226770,7138584070663735671,262144 --variations-seed-version /prefetch:8
    1⤵
    PID:3228

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\escapi.dll
    • Filesize
      30KB
    • MD5
      568aea1ddacf0948fc623e6695796e04
    • SHA1
      69033dca65bbc0e4bc0ef3bddb81924871f58014
    • SHA256
      e6134f3dca8c2d281f1af92eaf2551a737a46d88ab6eec1c09ffd7d4719a4fff
    • SHA512
      60cef3fec3cfb1810328dc7eb8649e96f046ce1c9c7fc933dbfe8407a8bbd96767cc5388966f28c1346e77bd613cafc5bcb87c3c5fcdbbf2a8de8de19072a63c

  • C:\Users\Admin\AppData\Local\Temp\resource.exe
    • Filesize
      3.0MB
    • MD5
      398c0cabb362a8d4cc626812d3a9cec2
    • SHA1
      19ba4ff142f01761ff8478bbc0f2a4461072c820
    • SHA256
      fab3200d5dbf7038d094d3c283244b212d3bb59c27da008ab26227bd642ee3cc
    • SHA512
      f5c9bb44b9ae292e61c9bd300da2fd12fcfa0f4cce16c85df7382baa67fe633229b3bbf2d847dfb544ae13feecdf1db655403f798175b04ef1129bba5fb7bca3