Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08-04-2024 01:25
Static task: static1
Behavioral task: behavioral1
  Sample: c94b04f2c1bffdfc3052c8cde5feb96005ca25cf55ea4d30253bf966020f6cdb.exe
  Resource: win7-20240215-en
Behavioral task: behavioral2
  Sample: c94b04f2c1bffdfc3052c8cde5feb96005ca25cf55ea4d30253bf966020f6cdb.exe
  Resource: win10v2004-20240226-en
(The signatures and process tree below come from behavioral2, the win10v2004 run; the memory dump referenced in the YARA match is prefixed behavioral2/.)
General
Target: c94b04f2c1bffdfc3052c8cde5feb96005ca25cf55ea4d30253bf966020f6cdb.exe
Size: 45KB
MD5: 8ac70aaa6dc9e8b2aa5c43be0f8ba5f2
SHA1: a35ae4ce799229d4fb3956512d1eba0b543dc8bf
SHA256: c94b04f2c1bffdfc3052c8cde5feb96005ca25cf55ea4d30253bf966020f6cdb
SHA512: c0e86cd036e93d3435340f4f980f6c19a3111b5521579b675de1af410438bed0e2fe2b44216daa8a6ce4f23f2f8ea1d7d0b815b66d3e1736b30584e5fdcacd96
SSDEEP: 768:gcB0KsewZ7UFRZa9R0wHuOvieuXXgyTXx7xTDkh6W0rt5fLB8J6aL0vBYHiSG0TV:CSEuXXgyzxNS6W0rtdB8JruBYHNG0x
Malware Config
Signatures
Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. (1 IoC)
  YARA rule: INDICATOR_SUSPICIOUS_Binary_References_Browsers
  Matched on: behavioral2/memory/2664-0-0x000002244AEC0000-0x000002244AED2000-memory.dmp (in-memory image of the sample, PID 2664)

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check.
  Process: c94b04f2c1bffdfc3052c8cde5feb96005ca25cf55ea4d30253bf966020f6cdb.exe (PID 2664)
  Key value queried: \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation

Executes dropped EXE (1 IoC)
  Process: NFbMAPE.exe (PID 4536)

Reads user/profile data of web browsers (2 TTPs)
Infostealers commonly target stored browser data, which can include saved credentials.

Adds Run key to start application (2 TTPs, 1 IoC)
  Process: c94b04f2c1bffdfc3052c8cde5feb96005ca25cf55ea4d30253bf966020f6cdb.exe (PID 2664)
  Set value (str): \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Anti-Malware = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\NFbMAPE.exe"
  The value name masquerades as a security product and the target is the dropped NFbMAPE.exe in the user's Temp directory. The report renders the string with escaped backslashes, so the stored path is C:\Users\Admin\AppData\Local\Temp\\NFbMAPE.exe; the doubled separator before the file name is collapsed by Win32 path normalization and does not stop the entry from launching.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Process: c94b04f2c1bffdfc3052c8cde5feb96005ca25cf55ea4d30253bf966020f6cdb.exe (PID 2664)
  Token privilege enabled: SeDebugPrivilege

Suspicious use of WriteProcessMemory (6 IoCs)
  Source PID  Source process                                                          Target PID  Target process  procid_target  Events
  2664        c94b04f2c1bffdfc3052c8cde5feb96005ca25cf55ea4d30253bf966020f6cdb.exe    2696        csc.exe         88             2
  2696        csc.exe                                                                 4888        cvtres.exe      90             2
  2664        c94b04f2c1bffdfc3052c8cde5feb96005ca25cf55ea4d30253bf966020f6cdb.exe    4536        NFbMAPE.exe     93             2
  Each pair lines up with a parent-child edge in the process tree below. A parent writing into a child it has just created is also what an ordinary CreateProcess looks like to a sandbox hook (the parent populates the child's process parameters), so these entries on their own do not establish code injection; the memory regions written are not listed.
Processes
1. C:\Users\Admin\AppData\Local\Temp\c94b04f2c1bffdfc3052c8cde5feb96005ca25cf55ea4d30253bf966020f6cdb.exe (PID 2664)
   Command line: "C:\Users\Admin\AppData\Local\Temp\c94b04f2c1bffdfc3052c8cde5feb96005ca25cf55ea4d30253bf966020f6cdb.exe"
   - Checks computer location settings
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe (PID 2696, child of 2664)
      Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3qikdzx2\3qikdzx2.cmdline"
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe (PID 4888, child of 2696)
         Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES53FC.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC2BCFFBB8FC3142A3A467CF60D98B8E47.TMP"

   2. C:\Users\Admin\AppData\Local\Temp\NFbMAPE.exe (PID 4536, child of 2664)
      Command line: "C:\Users\Admin\AppData\Local\Temp\NFbMAPE.exe"
      - Executes dropped EXE

The csc.exe / cvtres.exe pair, driven by a random-named .cmdline response file under %TEMP% with RES*.tmp and CSC*.TMP intermediates, is the footprint of .NET runtime compilation (System.CodeDom / CSharpCodeProvider): the 45KB sample hands C# source to the framework compiler at run time instead of shipping that code in the submitted file. The report does not tie the compiler output to NFbMAPE.exe, so treat the dropped file's origin as unconfirmed.
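As an added example, not part of the sandbox report or the sample's code, the rules below turn the report's IoCs into hunt logic (Run value pointing into %TEMP%, Geo\Nation lookup, csc.exe compiling a .cmdline out of %TEMP% for a non-build-tool parent, execution from %TEMP%, SeDebugPrivilege) and run it over hand-constructed Sysmon-style events that mirror the entries above. The event field names, the build-tool allow-list and the Temp-only path pattern are assumptions, and the events are constructed, not captured telemetry.

```python
"""Hunt rules distilled from the report's behaviours, exercised over constructed
Sysmon-style events.  Added example: not the sandbox's code.  EVENTS is written
to mirror the report's IoCs and is not real telemetry; the field names
(type/pid/ppid/image/key/value/cmdline) are an assumed log schema."""
import re

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\c94b04f2c1bffdfc3052c8cde5feb96005ca25cf55ea4d30253bf966020f6cdb.exe"
SID = "S-1-5-21-566096764-1992588923-1249862864-1000"

# Assumption: only %LOCALAPPDATA%\Temp is treated as a user-writable drop dir.
USER_TEMP = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\", re.I)
GEO_KEY = re.compile(r"\\control panel\\international\\geo\\nation$", re.I)
# Assumed allow-list of parents that legitimately drive csc.exe.
BUILD_TOOLS = {"msbuild.exe", "devenv.exe", "dotnet.exe", "vbcscompiler.exe"}

EVENTS = [  # constructed to match the report, in report order
    {"type": "RegQuery", "pid": 2664, "image": SAMPLE,
     "key": "HKU\\" + SID + r"\Control Panel\International\Geo\Nation"},
    {"type": "RegSet", "pid": 2664, "image": SAMPLE,
     "key": "HKU\\" + SID + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Anti-Malware",
     # doubled separator reproduced from the report's escaped string
     "value": r"C:\Users\Admin\AppData\Local\Temp\\NFbMAPE.exe"},
    {"type": "ProcessCreate", "pid": 2696, "ppid": 2664, "parent_image": SAMPLE,
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3qikdzx2\3qikdzx2.cmdline"'},
    {"type": "ProcessCreate", "pid": 4536, "ppid": 2664, "parent_image": SAMPLE,
     "image": r"C:\Users\Admin\AppData\Local\Temp\NFbMAPE.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\NFbMAPE.exe"'},
    {"type": "Privilege", "pid": 2664, "image": SAMPLE, "privilege": "SeDebugPrivilege"},
]

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def normalize_path(value):
    """Strip quotes and collapse repeated separators, as Win32 does when it
    opens the path (so the doubled backslash in the Run value is harmless)."""
    return re.sub(r"\\{2,}", r"\\", value.strip().strip('"'))

def rule_run_key_to_temp(ev):
    """Persistence: a ...\\CurrentVersion\\Run value whose target is in %TEMP%."""
    if ev["type"] != "RegSet" or not RUN_KEY.search(ev["key"]):
        return None
    target = normalize_path(ev["value"])
    if not USER_TEMP.match(target):
        return None
    name = ev["key"].rsplit("\\", 1)[-1]
    return f"persistence: Run value {name!r} -> {target}"

def rule_geofence(ev):
    """Geofence: read of the configured country code."""
    if ev["type"] == "RegQuery" and GEO_KEY.search(ev["key"]):
        return f"geofence: pid {ev['pid']} queried Geo\\Nation"
    return None

def rule_runtime_compile(ev):
    """csc.exe started by a non-build-tool parent on a .cmdline under %TEMP%
    (the System.CodeDom footprint seen in the process tree)."""
    if ev["type"] != "ProcessCreate" or basename(ev["image"]) != "csc.exe":
        return None
    parent = basename(ev["parent_image"])
    if parent in BUILD_TOOLS:
        return None
    m = re.search(r'@"?([^"\s]+\.cmdline)', ev["cmdline"], re.I)
    if not m or not USER_TEMP.match(m.group(1)):
        return None
    return f"runtime compile: {parent} -> csc.exe {m.group(1)}"

def rule_exec_from_temp(ev):
    """Child whose image lives in %TEMP% (dropped payload).  Caveat: in the
    sandbox the submitted sample itself runs from Temp, so on real hosts pair
    this with the parent's location or a prevalence check."""
    if ev["type"] == "ProcessCreate" and USER_TEMP.match(ev["image"]):
        return f"dropped exe: {basename(ev['parent_image'])} launched {ev['image']}"
    return None

def rule_debug_priv(ev):
    if ev["type"] == "Privilege" and ev["privilege"] == "SeDebugPrivilege":
        return f"token: pid {ev['pid']} enabled SeDebugPrivilege"
    return None

RULES = (rule_run_key_to_temp, rule_geofence, rule_runtime_compile,
         rule_exec_from_temp, rule_debug_priv)

def triage(events):
    """One finding string per (event, rule) hit, in event order."""
    return [hit for ev in events for rule in RULES if (hit := rule(ev))]

def score_by_pid(events):
    """Attribute hits to the acting process (the parent for ProcessCreate) so a
    single pid stacking several behaviours stands out; {pid: sorted rule names}."""
    hits = {}
    for ev in events:
        owner = ev["ppid"] if ev["type"] == "ProcessCreate" else ev["pid"]
        for rule in RULES:
            if rule(ev):
                hits.setdefault(owner, set()).add(rule.__name__)
    return {pid: sorted(names) for pid, names in hits.items()}

if __name__ == "__main__":
    for line in triage(EVENTS):
        print(line)
    print(score_by_pid(EVENTS))
```

Run against the constructed events, all five rules fire and score_by_pid attributes every hit to PID 2664, which is the point of folding child spawns back onto the parent: the compiler and the dropped binary are both the sample's doing, not independent activity.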
Network
MITRE ATT&CK Enterprise v15
Downloads
File 1
  Filesize: 9KB
  MD5: 1199030d12ea13d836edfbbebacf706d
  SHA1: 83afec6e941dc1c9392a773c7df0ee5f1d2eac08
  SHA256: 878b00faccdbda0e5ead3bff8d5b9cc5fbf79d2c5a3715bd03590136af31f2b4
  SHA512: 649d13f7dab2efdec896ed88a9f2e4853af8ba8ca471b982c8fdabf3a21c38f83d6cadd6a782d2fabc4f41103e8b0f70245ff4b0129353418301f85c083a2f9c

File 2
  Filesize: 1KB
  MD5: a276b49e0d474d209ccb136a5bd6f2f6
  SHA1: 0b303885c85f08c7f19e66ce91eb415169486530
  SHA256: ad943516fd410f67076216d69aff9cbb9d0abc6cfa7fbad18278619e87d65c53
  SHA512: ba2a6735a7b06dcc1865a454fda40217bc76b1c1e602d5ee9cbef8f93f3599eb3dd335d3ca447917f54d4b3e866ee088a832bdf1c40e25d561c570311ba302b9

File 3
  Filesize: 7KB
  MD5: f7ce09127bf57f3ca232ce17f9dafe2d
  SHA1: 2ffc33a27685b83269b4285d744f565e037e5413
  SHA256: 975d9eebca817984e2882fb2b72318d526741b417b05b4dc74a3fca616d652ad
  SHA512: af637364a3a0032320d434ec32fc8a50ae45f5dffaae9783d33ec7039c72c232276737a8bf40f39c30d52970100f69215a48984fa8ff68b03d69abf7e650d368

File 4
  Filesize: 210B
  MD5: 55187dac39a0e400efb81b7f21c3e065
  SHA1: ba9a0c995b25047c5be9ad13cfc85bc2935aaba4
  SHA256: b0684f1f89322298763ea0a848146e4261948eeef2e26fe16f769aa0bf20a43e
  SHA512: 161afb473553553ff6f91494a32282999bcef14c5428c6960ae2f8a9cd87059f6032f3d15328f1d954247b349ca9a2cc3bf0fc3fd75f689e37bde055e4db724b

File 5
  Filesize: 1KB
  MD5: 201b358b9eba7b67c454b4670fc37bf8
  SHA1: 620fb9bced83450e6f27511b8daa914e6287a427
  SHA256: 173f4b47b48f167c71bd61a75302f144e6ddc1a2e57471ef0883fa2e7352db86
  SHA512: 5c4efef4776125e3c542b22c321f08a7cb17b3a3cf067e595366cd75cce3839643648042f6c6f2dc2a82efadbbb78ddfceb934a24da64d7e6b0d2263146ba010

File paths are not included in this extract; the hashes are the only identifiers the report provides for these files.