Analysis
max time kernel: 118s
max time network: 120s
platform: windows7_x64
resource: win7-20240215-en
resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
submitted: 08-04-2024 01:25
Static task: static1
Behavioral task: behavioral1
  Sample: c94b04f2c1bffdfc3052c8cde5feb96005ca25cf55ea4d30253bf966020f6cdb.exe
  Resource: win7-20240215-en
Behavioral task: behavioral2
  Sample: c94b04f2c1bffdfc3052c8cde5feb96005ca25cf55ea4d30253bf966020f6cdb.exe
  Resource: win10v2004-20240226-en
General
Target: c94b04f2c1bffdfc3052c8cde5feb96005ca25cf55ea4d30253bf966020f6cdb.exe
Size: 45KB
MD5: 8ac70aaa6dc9e8b2aa5c43be0f8ba5f2
SHA1: a35ae4ce799229d4fb3956512d1eba0b543dc8bf
SHA256: c94b04f2c1bffdfc3052c8cde5feb96005ca25cf55ea4d30253bf966020f6cdb
SHA512: c0e86cd036e93d3435340f4f980f6c19a3111b5521579b675de1af410438bed0e2fe2b44216daa8a6ce4f23f2f8ea1d7d0b815b66d3e1736b30584e5fdcacd96
SSDEEP: 768:gcB0KsewZ7UFRZa9R0wHuOvieuXXgyTXx7xTDkh6W0rt5fLB8J6aL0vBYHiSG0TV:CSEuXXgyzxNS6W0rtdB8JruBYHNG0x
Malware Config
Signatures

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 1 IoCs
Processes:
  resource: behavioral1/memory/2980-0-0x0000000000FB0000-0x0000000000FC2000-memory.dmp
  yara_rule: INDICATOR_SUSPICIOUS_Binary_References_Browsers

Executes dropped EXE 1 IoCs
Processes:
  pid: 2440
  Process: NFbMAPE.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application 2 TTPs 1 IoCs
Processes:
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Anti-Malware = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\NFbMAPE.exe"
  Process: c94b04f2c1bffdfc3052c8cde5feb96005ca25cf55ea4d30253bf966020f6cdb.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
  description: Token: SeDebugPrivilege
  pid: 2980
  Process: c94b04f2c1bffdfc3052c8cde5feb96005ca25cf55ea4d30253bf966020f6cdb.exe

Suspicious use of WriteProcessMemory 9 IoCs
Processes (description | pid | Process | procid_target):
  PID 2980 wrote to memory of 2596 | 2980 | c94b04f2c1bffdfc3052c8cde5feb96005ca25cf55ea4d30253bf966020f6cdb.exe | 29
  PID 2980 wrote to memory of 2596 | 2980 | c94b04f2c1bffdfc3052c8cde5feb96005ca25cf55ea4d30253bf966020f6cdb.exe | 29
  PID 2980 wrote to memory of 2596 | 2980 | c94b04f2c1bffdfc3052c8cde5feb96005ca25cf55ea4d30253bf966020f6cdb.exe | 29
  PID 2596 wrote to memory of 2572 | 2596 | csc.exe | 31
  PID 2596 wrote to memory of 2572 | 2596 | csc.exe | 31
  PID 2596 wrote to memory of 2572 | 2596 | csc.exe | 31
  PID 2980 wrote to memory of 2440 | 2980 | c94b04f2c1bffdfc3052c8cde5feb96005ca25cf55ea4d30253bf966020f6cdb.exe | 32
  PID 2980 wrote to memory of 2440 | 2980 | c94b04f2c1bffdfc3052c8cde5feb96005ca25cf55ea4d30253bf966020f6cdb.exe | 32
  PID 2980 wrote to memory of 2440 | 2980 | c94b04f2c1bffdfc3052c8cde5feb96005ca25cf55ea4d30253bf966020f6cdb.exe | 32
Processes

C:\Users\Admin\AppData\Local\Temp\c94b04f2c1bffdfc3052c8cde5feb96005ca25cf55ea4d30253bf966020f6cdb.exe (PID 2980)
  Command line: "C:\Users\Admin\AppData\Local\Temp\c94b04f2c1bffdfc3052c8cde5feb96005ca25cf55ea4d30253bf966020f6cdb.exe"
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe (PID 2596, child of 2980)
    Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2yf4yukc\2yf4yukc.cmdline"
    - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe (PID 2572, child of 2596)
      Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1B6D.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC44A9FDFF959F4A35A98391B3AA3E7F5A.TMP"

  C:\Users\Admin\AppData\Local\Temp\NFbMAPE.exe (PID 2440, child of 2980)
    Command line: "C:\Users\Admin\AppData\Local\Temp\NFbMAPE.exe"
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads