Analysis

max time kernel: 149s
max time network: 176s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 10-04-2024 14:47

Static task: static1
Behavioral task: behavioral1
  Sample: ec8868287e3f0f851ff7a2b0e7352055b591a2b2cb1c2a76c53885dee66562dc.exe
  Resource: win7-20240221-en
General

Target: ec8868287e3f0f851ff7a2b0e7352055b591a2b2cb1c2a76c53885dee66562dc.exe
Size: 2.2MB
MD5: b69de5d4550ed214bcc8ad2f839735d8
SHA1: f7806011d03923ffe4f4eb92891289efdeb003e8
SHA256: ec8868287e3f0f851ff7a2b0e7352055b591a2b2cb1c2a76c53885dee66562dc
SHA512: 7e8e139d3f82d091c10a8064a855a7fbb237db05c4f5142f5551024ad7e6408ad1ff8578ab8410899cf515be9da6ef0d73b03345bca14777d8656403dc14b80a
SSDEEP: 49152:Ay9iPrDpnwGFdQD9OAjkx6KS/RNvfi4A2400000000000000000000000000000l:nujFMOAjkgKib200000000000000000F
Malware Config
Signatures
Obfuscated with Agile.Net obfuscator (1 IoC)
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  resource: behavioral1/memory/2116-3-0x00000000006E0000-0x00000000006F0000-memory.dmp
  yara_rule: agile_net
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  description: File opened (read-only)
  Process: AddInProcess32.exe
  ioc: \??\a: \??\b: \??\e: \??\g: \??\h: \??\i: \??\j: \??\k: \??\l: \??\m: \??\n: \??\o: \??\p: \??\q: \??\r: \??\s: \??\t: \??\u: \??\v: \??\w: \??\x: \??\y: \??\z:
  (every drive letter from a: to z: except c:, d: and f:)
AutoIT Executable (16 IoCs)
AutoIT scripts compiled to PE executables.
  yara_rule: autoit_exe
  resource: behavioral1/memory/2104-N-0x0000000000400000-0x00000000004E2000-memory.dmp
  for N in 4, 7, 8, 9, 11, 15, 23, 27, 31, 39, 43, 47, 51, 59, 63, 77
  (16 dumps of the same image region 0x400000-0x4E2000 in PID 2104, the AddInProcess32.exe process)
Suspicious use of SetThreadContext (1 IoC)
  description: set thread context
  pid: 2116  Process: ec8868287e3f0f851ff7a2b0e7352055b591a2b2cb1c2a76c53885dee66562dc.exe  target pid: 2104  procid_target: 27

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description: Token: SeDebugPrivilege
  pid: 2116  Process: ec8868287e3f0f851ff7a2b0e7352055b591a2b2cb1c2a76c53885dee66562dc.exe

Suspicious use of WriteProcessMemory (64 IoCs)
  description: wrote to memory of
  pid 2116 (ec8868287e3f0f851ff7a2b0e7352055b591a2b2cb1c2a76c53885dee66562dc.exe) -> 2104 (procid_target 27): 11 entries
  pid 2104 (AddInProcess32.exe) -> 2864 (procid_target 28): 4 entries
  pid 2104 (AddInProcess32.exe) -> 2628 (procid_target 30): 4 entries
  pid 2104 (AddInProcess32.exe) -> 2432 (procid_target 32): 4 entries
  pid 2104 (AddInProcess32.exe) -> 2452 (procid_target 34): 4 entries
  pid 2104 (AddInProcess32.exe) -> 2436 (procid_target 36): 4 entries
  pid 2104 (AddInProcess32.exe) -> 2456 (procid_target 38): 4 entries
  pid 2104 (AddInProcess32.exe) -> 1636 (procid_target 40): 4 entries
  pid 2104 (AddInProcess32.exe) -> 2736 (procid_target 42): 4 entries
  pid 2104 (AddInProcess32.exe) -> 2824 (procid_target 44): 4 entries
  pid 2104 (AddInProcess32.exe) -> 2288 (procid_target 46): 4 entries
  pid 2104 (AddInProcess32.exe) -> 840 (procid_target 48): 4 entries
  pid 2104 (AddInProcess32.exe) -> 2672 (procid_target 50): 4 entries
  pid 2104 (AddInProcess32.exe) -> 864 (procid_target 52): 4 entries
  pid 2104 (AddInProcess32.exe) -> 240 (procid_target 54): 1 entry
  (the list stops at 64 entries: 11 + 13 x 4 + 1; writes to the later cmd.exe children 2932, 836 and 2020 are not listed)
Processes

[1] C:\Users\Admin\AppData\Local\Temp\ec8868287e3f0f851ff7a2b0e7352055b591a2b2cb1c2a76c53885dee66562dc.exe  (PID 2116)
    command line: "C:\Users\Admin\AppData\Local\Temp\ec8868287e3f0f851ff7a2b0e7352055b591a2b2cb1c2a76c53885dee66562dc.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe  (PID 2104)
      command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      - Enumerates connected drives
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\cmd.exe  (PID 2864)
        C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.doc" /S /B /A
    [3] C:\Windows\SysWOW64\cmd.exe  (PID 2628)
        C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pdf" /S /B /A
    [3] C:\Windows\SysWOW64\cmd.exe  (PID 2432)
        C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.ppt" /S /B /A
    [3] C:\Windows\SysWOW64\cmd.exe  (PID 2452)
        C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.dot" /S /B /A
    [3] C:\Windows\SysWOW64\cmd.exe  (PID 2436)
        C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.xl" /S /B /A
    [3] C:\Windows\SysWOW64\cmd.exe  (PID 2456)
        C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.csv" /S /B /A
    [3] C:\Windows\SysWOW64\cmd.exe  (PID 1636)
        C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.rtf" /S /B /A
    [3] C:\Windows\SysWOW64\cmd.exe  (PID 2736)
        C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.dot" /S /B /A
    [3] C:\Windows\SysWOW64\cmd.exe  (PID 2824)
        C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.mdb" /S /B /A
    [3] C:\Windows\SysWOW64\cmd.exe  (PID 2288)
        C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.accdb" /S /B /A
    [3] C:\Windows\SysWOW64\cmd.exe  (PID 840)
        C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pot" /S /B /A
    [3] C:\Windows\SysWOW64\cmd.exe  (PID 2672)
        C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pps" /S /B /A
    [3] C:\Windows\SysWOW64\cmd.exe  (PID 864)
        C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.ppa" /S /B /A
    [3] C:\Windows\SysWOW64\cmd.exe  (PID 240)
        C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.rar" /S /B /A
    [3] C:\Windows\SysWOW64\cmd.exe  (PID 2932)
        C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.zip" /S /B /A
    [3] C:\Windows\SysWOW64\cmd.exe  (PID 836)
        C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.tar" /S /B /A
    [3] C:\Windows\SysWOW64\cmd.exe  (PID 2020)
        C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.7z" /S /B /A
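Two behaviours in this report are worth turning into detection logic: the sample (PID 2116) writes into AddInProcess32.exe (PID 2104) eleven times and then calls SetThreadContext on it, after which the AutoIT YARA rule fires on the 0x400000-0x4E2000 image region of that process, i.e. the legitimate .NET Framework host binary has had its image replaced; and the hollowed process then launches seventeen cmd.exe children, each running a recursive `DIR ... /S /B /A` for one document or archive extension under the user profile (`/U` makes cmd.exe emit Unicode when its output goes to a pipe or file, `/B` gives bare paths, `/A` includes hidden and system files). The script below is an added example, not the sandbox's signature code. It runs both heuristics over constructed Sysmon-style process and API records whose PIDs and command lines are copied from the report; the `ProcEvent`/`ApiEvent` field names, the `DOC_EXTS` list and the `min_exts` threshold are assumptions for the example.

```python
"""
Two detections derived from the report above (added example, constructed data):
  1. hollowing: one process both writes into a remote child and calls
     SetThreadContext on it, and the child is a .NET Framework host binary;
  2. bulk file discovery: one parent spawns many `cmd.exe /C DIR ... /S`
     children, each searching \\Users for a different document extension.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:          # one process-creation record (Sysmon-style fields, assumed)
    parent_pid: int
    parent_image: str
    pid: int
    image: str
    cmdline: str


@dataclass(frozen=True)
class ApiEvent:           # one cross-process API call record
    api: str              # "WriteProcessMemory" or "SetThreadContext"
    src_pid: int
    dst_pid: int


# Extensions searched for in the report plus a few common siblings (assumed list).
DOC_EXTS = {"doc", "docx", "dot", "pdf", "ppt", "pot", "pps", "ppa", "xl", "xls",
            "xlsx", "csv", "rtf", "mdb", "accdb", "rar", "zip", "tar", "7z"}
FRAMEWORK_HOSTS = ("\\microsoft.net\\framework\\", "\\microsoft.net\\framework64\\")

# cmd.exe /U /C DIR "\Users\Admin\*.doc" /S /B /A  ->  (root, ext, switches)
DIR_RE = re.compile(r'\bDIR\s+"?([^"]+?)\\\*\.(\w+)"?((?:\s+/\w)*)', re.IGNORECASE)


def parse_dir_search(cmdline):
    """Return (root, ext, switches) for a recursive DIR wildcard search, else None."""
    m = DIR_RE.search(cmdline)
    if not m:
        return None
    switches = {s.upper() for s in m.group(3).split()}
    if "/S" not in switches:          # not recursive: ordinary interactive use
        return None
    return m.group(1), m.group(2).lower(), switches


def find_bulk_discovery(proc_events, min_exts=5):
    """Parent PID -> sorted extensions, for parents that ran at least min_exts
    distinct recursive document searches somewhere under \\Users."""
    per_parent = defaultdict(set)
    for e in proc_events:
        if not e.image.lower().endswith("\\cmd.exe"):
            continue
        parsed = parse_dir_search(e.cmdline)
        if parsed and parsed[1] in DOC_EXTS and "\\users\\" in parsed[0].lower():
            per_parent[e.parent_pid].add(parsed[1])
    return {p: sorted(x) for p, x in per_parent.items() if len(x) >= min_exts}


def find_hollowing(api_events, proc_events):
    """(src_pid, dst_pid, target_is_framework_host) for every remote process that
    the same source both wrote to and set a thread context on. WriteProcessMemory
    alone is not alerted on: the report logs four writes per cmd.exe child too."""
    images = {e.pid: e.image.lower() for e in proc_events}
    writes = {(e.src_pid, e.dst_pid) for e in api_events if e.api == "WriteProcessMemory"}
    ctx = {(e.src_pid, e.dst_pid) for e in api_events if e.api == "SetThreadContext"}
    hits = []
    for src, dst in writes & ctx:
        if src != dst:
            target = images.get(dst, "")
            hits.append((src, dst, any(h in target for h in FRAMEWORK_HOSTS)))
    return sorted(hits)


# --- constructed sample data mirroring the report's PIDs and command lines ---
SAMPLE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ec8868287e3f0f851ff7a2b0e7352055b591a2b2cb1c2a76c53885dee66562dc.exe"
ADDIN = "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AddInProcess32.exe"
CMD = "C:\\Windows\\SysWOW64\\cmd.exe"
_EXTS = ["doc", "pdf", "ppt", "dot", "xl", "csv", "rtf", "dot", "mdb",
         "accdb", "pot", "pps", "ppa", "rar", "zip", "tar", "7z"]
_PIDS = [2864, 2628, 2432, 2452, 2436, 2456, 1636, 2736, 2824,
         2288, 840, 2672, 864, 240, 2932, 836, 2020]

SAMPLE_PROCS = [
    ProcEvent(1500, "C:\\Windows\\explorer.exe", 2116, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(2116, SAMPLE, 2104, ADDIN, ADDIN),
    # benign control (constructed): non-recursive DIR from a shell, must not count
    ProcEvent(1500, "C:\\Windows\\explorer.exe", 3000, CMD,
              'C:\\Windows\\system32\\cmd.exe /C DIR "C:\\Users\\Admin\\*.docx" /B'),
] + [
    ProcEvent(2104, ADDIN, pid, CMD,
              f'C:\\Windows\\system32\\cmd.exe /U /C DIR "\\Users\\Admin\\*.{ext}" /S /B /A')
    for pid, ext in zip(_PIDS, _EXTS)
]
SAMPLE_API = (
    [ApiEvent("WriteProcessMemory", 2116, 2104)] * 11
    + [ApiEvent("SetThreadContext", 2116, 2104)]
    + [ApiEvent("WriteProcessMemory", 2104, p) for p in _PIDS for _ in range(4)]
)

if __name__ == "__main__":
    print("hollowing:", find_hollowing(SAMPLE_API, SAMPLE_PROCS))
    print("bulk discovery:", find_bulk_discovery(SAMPLE_PROCS))
```

On the report's data this yields one hollowing hit, 2116 -> 2104 with the target flagged as a framework host, and one discovery hit, PID 2104 with 16 distinct extensions (`.dot` is searched twice). The benign control shell is ignored because its DIR is not recursive. When porting this to real telemetry, key the discovery count on parent PID plus a short time window, and treat the framework-host flag as a priority booster rather than a requirement: the same write-plus-SetThreadContext pair against any freshly created child is the hollowing signal.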