Analysis

max time kernel: 114s
max time network: 143s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03/04/2024, 18:56
Static task: static1
Behavioral task: behavioral1 (sample 1.exe, resource win7-20240221-en)
Behavioral task: behavioral2 (sample 1.exe, resource win10v2004-20240226-en)
General

Target: 1.exe
Size: 7.9MB
MD5: edad028afad7d751e95aa524b812fef4
SHA1: de399cbf29bd5ca367c723288c8cb55048c44446
SHA256: 577066c5dd6d992ef8879cec6c006a820706d4199406efa2ac60e7191c8ed481
SHA512: ca23721b8e896830b7b0c1fedff87fff4e5d67b3dc796a851990692a2852b0c74cc44fd6a3d5a54dbd8849efd18cff07d8c15987fcd5e7d0da4abc96b99733c8
SSDEEP: 98304:wWqqoMV8F4Tab14wQ2zLT0VbdGfNBODVG:dV4b11zdHE
Malware Config
Signatures

Executes dropped EXE (1 IoC)
  PID 4876  resource.exe

Loads dropped DLL (1 IoC)
  PID 780  1.exe

Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers commonly target it.

Reads user/profile data of web browsers (2 TTPs)
  Infostealers commonly target stored browser data, which can include saved credentials.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str)  \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\resource = "C:\\Users\\Admin\\AppData\\Local\\Temp\\resource.exe "  (resource.exe)
  The quoted value ends in a space. Trim it before comparing against this IoC, or an exact-match rule on the path will miss it.

Enumerates connected drives (3 TTPs, 1 IoC)
  Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only)  \??\F:  (1.exe)

Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 13  ip-api.com

Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID 728  schtasks.exe

Enumerates processes with tasklist (1 TTP, 1 IoC)
  PID 4776  tasklist.exe

Modifies registry class (1 IoC)
  Key created  \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1904519900-954640453-4250331663-1000\{91B6E63C-0284-43DD-BB60-48112E44023C}  (1.exe)
  Generic signature; weigh it together with the rest of the tree rather than on its own.

Suspicious behavior: EnumeratesProcesses (17 IoCs)
  PID 780  1.exe  (reported 17 times)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 4876  resource.exe

Suspicious behavior: RenamesItself (1 IoC)
  PID 780  1.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege  PID 4776  tasklist.exe
  tasklist.exe enables SeDebugPrivilege on every run, so this entry reflects the tool, not something the sample did to its own token.

Suspicious use of WriteProcessMemory (24 IoCs: 12 distinct parent-to-child writes, each recorded twice)
  PID 780 (1.exe) wrote to memory of 4584   procid_target 92
  PID 780 (1.exe) wrote to memory of 728    procid_target 94
  PID 780 (1.exe) wrote to memory of 1892   procid_target 96
  PID 1892 (cmd.exe) wrote to memory of 4776   procid_target 98
  PID 780 (1.exe) wrote to memory of 4876   procid_target 103
  PID 780 (1.exe) wrote to memory of 1812   procid_target 104
  PID 1812 (cmd.exe) wrote to memory of 4456   procid_target 106
  PID 1812 (cmd.exe) wrote to memory of 4328   procid_target 107
  PID 1812 (cmd.exe) wrote to memory of 1124   procid_target 108
  PID 780 (1.exe) wrote to memory of 3116   procid_target 109
  PID 3116 (cmd.exe) wrote to memory of 1036   procid_target 111
  PID 3116 (cmd.exe) wrote to memory of 4352   procid_target 112
  Every target listed here is a child the writer itself spawned (see the process tree), which is the pattern of a parent setting up a new process rather than of injection into an unrelated one.

Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times. The report does not attribute this signature to a specific process; it is consistent with the two schtasks.exe invocations in the process tree.
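The two persistence IoCs above (the logon-triggered task named Sandisk created with /RL HIGHEST, and the HKCU Run value named resource) can be checked on a suspect host from exported artifacts instead of by eye. The following is an added example, not part of the sandbox report: it parses the XML that `schtasks /Query /TN <name> /XML` prints and a `reg export` of the Run key, and flags the same pattern this sample left behind. The XML and .reg text are constructed here to match the report's IoCs (trailing space in the Run value included; host-specific RegistrationInfo fields and the XML declaration are left out). The user-writable path regex and the list of report basenames are my assumptions, not anything the report defines.

```python
import re
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Assumed "user-writable" locations; extend for your environment.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(AppData|Downloads|Desktop)\\|\\ProgramData\\|\\Windows\\Temp\\", re.I)
# Executable names seen in this report. A name match is a weak, easily renamed indicator.
REPORT_IOC_BASENAMES = {"1.exe", "resource.exe"}

# Constructed sample: what `schtasks /Query /TN Sandisk /XML` returns for the task the report
# shows being created. Name, trigger, run level and target path are copied from the report.
TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Sandisk</URI></RegistrationInfo>
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Principals><Principal id="Author">
    <LogonType>InteractiveToken</LogonType>
    <RunLevel>HighestAvailable</RunLevel>
  </Principal></Principals>
  <Actions Context="Author"><Exec>
    <Command>C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1.exe</Command>
  </Exec></Actions>
</Task>"""

# Constructed sample: `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg`.
# The "resource" value is the report's IoC verbatim (trailing space included, backslashes
# doubled as .reg files do); "SecurityHealth" is a constructed benign control.
REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"resource"="C:\\Users\\Admin\\AppData\\Local\\Temp\\resource.exe "
"SecurityHealth"="\"%windir%\\system32\\SecurityHealthSystray.exe\""
"""

REG_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"\s*$')


def exe_from_command(cmd: str) -> str:
    """Normalise a Run value or task command to the executable path it launches."""
    cmd = cmd.strip()  # the report's Run value carries a trailing space inside the quotes
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    # Unquoted path: take everything up to the first ".exe" followed by whitespace/end.
    m = re.match(r"(.+?\.exe)(?:\s|$)", cmd, re.I)
    return m.group(1) if m else cmd.split()[0]


def _path_reasons(exe: str) -> list:
    reasons = []
    if USER_WRITABLE.search(exe):
        reasons.append("command_in_user_writable_path")
    if exe.rsplit("\\", 1)[-1].lower() in REPORT_IOC_BASENAMES:
        reasons.append("basename_matches_report_ioc")
    return reasons


def triage_task(xml_text: str) -> dict:
    """Flag a Task Scheduler XML export that matches the Sandisk pattern."""
    root = ET.fromstring(xml_text)
    command = root.findtext("t:Actions/t:Exec/t:Command", default="", namespaces=TASK_NS)
    exe = exe_from_command(command)
    reasons = _path_reasons(exe)
    if root.find("t:Triggers/t:LogonTrigger", TASK_NS) is not None:
        reasons.append("logon_trigger")
    if root.findtext("t:Principals/t:Principal/t:RunLevel", default="", namespaces=TASK_NS) == "HighestAvailable":
        reasons.append("run_level_highest")
    name = root.findtext("t:RegistrationInfo/t:URI", default="", namespaces=TASK_NS)
    return {"name": name, "exe": exe, "reasons": reasons}


def _reg_unescape(s: str) -> str:
    return re.sub(r"\\(.)", r"\1", s)  # .reg escapes: \\ -> \  and  \" -> "


def triage_run_values(reg_text: str) -> list:
    """Return Run/RunOnce values from a .reg export whose target looks suspicious."""
    findings, key = [], ""
    for line in reg_text.splitlines():
        line = line.rstrip("\r")
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        if not re.search(r"\\CurrentVersion\\Run(Once)?$", key, re.I):
            continue
        m = REG_VALUE.match(line)
        if not m:
            continue
        name, value = _reg_unescape(m.group(1)), _reg_unescape(m.group(2))
        exe = exe_from_command(value)
        reasons = _path_reasons(exe)
        if reasons:
            findings.append({"key": key, "name": name, "exe": exe, "reasons": reasons})
    return findings


if __name__ == "__main__":
    print(triage_task(TASK_XML))
    for f in triage_run_values(REG_EXPORT):
        print(f)
```

On a live host, feed it the real exports: `schtasks /Query /TN Sandisk /XML > task.xml` and `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg`, then pass the file contents to the two functions. The basename check is only there to tie findings back to this report; the path and trigger/run-level checks are what generalise.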
Processes

C:\Users\Admin\AppData\Local\Temp\1.exe  (PID 780)
  command line: "C:\Users\Admin\AppData\Local\Temp\1.exe"
  signatures: Loads dropped DLL; Enumerates connected drives; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: RenamesItself; Suspicious use of WriteProcessMemory

  C:\Windows\system32\schtasks.exe  (PID 4584)
    command line: "schtasks" /Delete /TN Sandisk /F
    Removes any existing task named Sandisk so the /Create that follows does not fail on a duplicate name.

  C:\Windows\system32\schtasks.exe  (PID 728)
    command line: "schtasks" /Create /SC ONLOGON /TN Sandisk /TR "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1.exe" /RL HIGHEST
    signatures: Creates scheduled task(s)
    Logon-triggered task with the highest available run level. The target path points into the user's Startup folder, so a file at that path autostarts by location as well, which is the Registry Run Keys / Startup Folder technique listed under ATT&CK below.

  C:\Windows\system32\cmd.exe  (PID 1892)
    command line: "cmd" /C tasklist
    signatures: Suspicious use of WriteProcessMemory

    C:\Windows\system32\tasklist.exe  (PID 4776)
      command line: tasklist
      signatures: Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken
      Process listing of the host; the report records only the enumeration, not what the sample did with the output.

  C:\Users\Admin\AppData\Local\Temp\resource.exe  (PID 4876)
    command line: "C:\Users\Admin\AppData\Local\Temp\resource.exe"
    signatures: Executes dropped EXE; Adds Run key to start application; Suspicious behavior: GetForegroundWindowSpam
    The dropped second-stage executable; it registers itself under the HKCU Run key as the value "resource".

  C:\Windows\system32\cmd.exe  (PID 1812)
    command line: "cmd" /C "chcp 65001 && netsh wlan show profile | findstr All"
    signatures: Suspicious use of WriteProcessMemory
    chcp 65001 switches the console to UTF-8 so non-ASCII SSIDs survive capture; netsh lists the saved Wi-Fi profiles and findstr All keeps the "All User Profile : <SSID>" lines. This is the enumeration step of Wi-Fi credential collection; the report shows no per-profile query for the stored key.

    C:\Windows\system32\chcp.com  (PID 4456)
      command line: chcp 65001

    C:\Windows\system32\netsh.exe  (PID 4328)
      command line: netsh wlan show profile

    C:\Windows\system32\findstr.exe  (PID 1124)
      command line: findstr All

  C:\Windows\system32\cmd.exe  (PID 3116)
    command line: "cmd" /C "chcp 65001 && netsh wlan show networks mode=bssid"
    signatures: Suspicious use of WriteProcessMemory
    Lists access points in range with their BSSIDs, a fingerprint of the host's physical surroundings.

    C:\Windows\system32\chcp.com  (PID 1036)
      command line: chcp 65001

    C:\Windows\system32\netsh.exe  (PID 4352)
      command line: netsh wlan show networks mode=bssid

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3228)
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1292 --field-trial-handle=2588,i,4353937220825226770,7138584070663735671,262144 --variations-seed-version /prefetch:8
  Separate top-level process in the sandbox image, not a child of 1.exe.
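The process tree above is the kind of parent/child and command-line evidence that process-creation telemetry (Sysmon event 1, Security 4688) provides. The following is an added example, not part of the sandbox report: a small set of detection rules run over process events constructed to mirror this tree (PIDs, images and command lines copied from the report, parent PIDs following its nesting, plus one constructed benign control). It flags the delete-then-create of the Sandisk task, the ONLOGON/HIGHEST task pointing at a user-writable path, LOLBins spawned by a binary living under the user profile, and the netsh wlan enumeration. The LOLBin list and the user-writable path regex are my assumptions.

```python
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record in the shape of Sysmon event 1 / Security 4688."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed sample events modelled on the process tree in this report. The last event is a
# constructed benign control (an operator running tasklist from a console) that must not fire.
EVENTS = [
    ProcEvent(780, 0, r"C:\Users\Admin\AppData\Local\Temp\1.exe", r'"C:\Users\Admin\AppData\Local\Temp\1.exe"'),
    ProcEvent(4584, 780, r"C:\Windows\system32\schtasks.exe", r'"schtasks" /Delete /TN Sandisk /F'),
    ProcEvent(728, 780, r"C:\Windows\system32\schtasks.exe",
              r'"schtasks" /Create /SC ONLOGON /TN Sandisk /TR "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1.exe" /RL HIGHEST'),
    ProcEvent(1892, 780, r"C:\Windows\system32\cmd.exe", r'"cmd" /C tasklist'),
    ProcEvent(4776, 1892, r"C:\Windows\system32\tasklist.exe", "tasklist"),
    ProcEvent(4876, 780, r"C:\Users\Admin\AppData\Local\Temp\resource.exe", r'"C:\Users\Admin\AppData\Local\Temp\resource.exe"'),
    ProcEvent(1812, 780, r"C:\Windows\system32\cmd.exe", r'"cmd" /C "chcp 65001 && netsh wlan show profile | findstr All"'),
    ProcEvent(4456, 1812, r"C:\Windows\system32\chcp.com", "chcp 65001"),
    ProcEvent(4328, 1812, r"C:\Windows\system32\netsh.exe", "netsh wlan show profile"),
    ProcEvent(1124, 1812, r"C:\Windows\system32\findstr.exe", "findstr All"),
    ProcEvent(3116, 780, r"C:\Windows\system32\cmd.exe", r'"cmd" /C "chcp 65001 && netsh wlan show networks mode=bssid"'),
    ProcEvent(1036, 3116, r"C:\Windows\system32\chcp.com", "chcp 65001"),
    ProcEvent(4352, 3116, r"C:\Windows\system32\netsh.exe", "netsh wlan show networks mode=bssid"),
    ProcEvent(5000, 4000, r"C:\Windows\system32\tasklist.exe", "tasklist /svc"),  # benign control
]

# Assumed lists; tune for your environment.
LOLBINS = {"cmd.exe", "schtasks.exe", "netsh.exe", "tasklist.exe", "powershell.exe", "wscript.exe"}
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(AppData|Downloads|Desktop)\\|\\ProgramData\\|\\Windows\\Temp\\", re.I)
TR_ARG = re.compile(r'/TR\s+(?:"([^"]+)"|(\S+))', re.I)
TN_ARG = re.compile(r'/TN\s+(?:"([^"]+)"|(\S+))', re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _arg(rx, cmdline):
    m = rx.search(cmdline)
    return (m.group(1) or m.group(2)) if m else None


def run_rules(events):
    """Return sorted (rule, pid) tuples for every event that matches a rule."""
    by_pid = {e.pid: e for e in events}
    hits = set()
    deleted_by_parent = defaultdict(set)  # parent pid -> task names it deleted so far

    for e in events:  # creation order, as a log would deliver them
        name, cl = basename(e.image), e.cmdline
        parent = by_pid.get(e.ppid)

        # Rule 1: a LOLBin whose parent binary lives in a user-writable location.
        if name in LOLBINS and parent and USER_WRITABLE.search(parent.image):
            hits.add(("lolbin_from_user_writable_parent", e.pid))

        if name == "schtasks.exe":
            tn = _arg(TN_ARG, cl)
            if re.search(r"/Delete\b", cl, re.I) and tn:
                deleted_by_parent[e.ppid].add(tn.lower())
            if re.search(r"/Create\b", cl, re.I):
                tr = _arg(TR_ARG, cl)
                # Rule 2: logon trigger + highest run level + target in a user-writable path.
                if (re.search(r"/SC\s+ONLOGON", cl, re.I) and re.search(r"/RL\s+HIGHEST", cl, re.I)
                        and tr and USER_WRITABLE.search(tr)):
                    hits.add(("schtasks_onlogon_highest_user_path", e.pid))
                # Rule 3: the same parent deleted a task of this name before re-creating it.
                if tn and tn.lower() in deleted_by_parent[e.ppid]:
                    hits.add(("schtasks_delete_then_create_same_name", e.pid))

        # Rule 4: Wi-Fi profile / nearby-network enumeration via netsh. Match the verb, not
        # "key=clear": the profile listing comes first and any per-profile key query would be
        # a separate process that this rule would also catch.
        if name == "netsh.exe" and re.search(r"wlan\s+show\s+(profile|networks)", cl, re.I):
            hits.add(("netsh_wlan_enumeration", e.pid))

    return sorted(hits)


if __name__ == "__main__":
    by_pid = {e.pid: e for e in EVENTS}
    for rule, pid in run_rules(EVENTS):
        print(f"{rule:40s} pid={pid:<5} {by_pid[pid].cmdline}")
```

Rule 1 depends on the parent event being present in the same window, so run it over a batch keyed by PID (or against your EDR's parent-image field) rather than one event at a time; the control event with an unknown parent stays silent for exactly that reason.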
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001)  1
  Scheduled Task/Job (T1053)  1
Privilege Escalation
  Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001)  1
  Scheduled Task/Job (T1053)  1
Downloads

Filesize: 30KB
MD5: 568aea1ddacf0948fc623e6695796e04
SHA1: 69033dca65bbc0e4bc0ef3bddb81924871f58014
SHA256: e6134f3dca8c2d281f1af92eaf2551a737a46d88ab6eec1c09ffd7d4719a4fff
SHA512: 60cef3fec3cfb1810328dc7eb8649e96f046ce1c9c7fc933dbfe8407a8bbd96767cc5388966f28c1346e77bd613cafc5bcb87c3c5fcdbbf2a8de8de19072a63c

Filesize: 3.0MB
MD5: 398c0cabb362a8d4cc626812d3a9cec2
SHA1: 19ba4ff142f01761ff8478bbc0f2a4461072c820
SHA256: fab3200d5dbf7038d094d3c283244b212d3bb59c27da008ab26227bd642ee3cc
SHA512: f5c9bb44b9ae292e61c9bd300da2fd12fcfa0f4cce16c85df7382baa67fe633229b3bbf2d847dfb544ae13feecdf1db655403f798175b04ef1129bba5fb7bca3