Analysis
max time kernel: 12s
max time network: 12s
platform: windows10-2004_x64
resource: win10v2004-20240412-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13/04/2024, 13:21
Static task: static1
General
Target: aimware.exe
Size: 1.0MB
MD5: f0aa774656a99e218a7e2fc2c82cd2f3
SHA1: 68043818157f185f44cf1ee5b1096eaa65523f11
SHA256: ac4480726395424221a325673e03466a459dac2f3168a8f15f6bf2edfb5ecf0e
SHA512: 20bc54f6870cf3973a5d33ce1e4377e2bb84a05b2ea525da6a325cdd3140ee57490f79ca3e6871ac70d45c66e038bccda93ca34878494f285ca6c6a149c2a8c4
SSDEEP: 24576:jBkVdlYAKfUYd3/4+FjrKgF5nmsQEf21ucm:FsvHYS+FXPnyO2Icm
Malware Config
Extracted
44caliber
https://discordapp.com/api/webhooks/1223534684466712578/OJzM_W-KXB6Dm5WRjG1g7FlWhDxGAwBV4ZXWD3CYjtrvY6z0qkodyZAKKulSwJIUxlGT
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation
  Process: aimware.exe

Executes dropped EXE (3 IoCs)
  pid 1160  loader.exe
  pid 652   Insidious.exe
  pid 2760  1234.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 40  freegeoip.app
  flow 41  freegeoip.app

Suspicious use of NtCreateThreadExHideFromDebugger (1 IoC)
  pid 1160  loader.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid 652  Insidious.exe (3 events)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description: Token: SeDebugPrivilege
  pid 652  Insidious.exe

Suspicious use of WriteProcessMemory (7 IoCs)
  PID 396 (aimware.exe) wrote to memory of 1160, procid_target 84 (2 events)
  PID 396 (aimware.exe) wrote to memory of 652, procid_target 97 (2 events)
  PID 396 (aimware.exe) wrote to memory of 2760, procid_target 100 (3 events)
Processes

C:\Users\Admin\AppData\Local\Temp\aimware.exe (PID: 396)
  command line: "C:\Users\Admin\AppData\Local\Temp\aimware.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\RarSFX0\loader.exe (PID: 1160)
      command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\loader.exe"
      - Executes dropped EXE
      - Suspicious use of NtCreateThreadExHideFromDebugger

    C:\Users\Admin\AppData\Local\Temp\RarSFX0\Insidious.exe (PID: 652)
      command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Insidious.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Local\Temp\RarSFX0\1234.exe (PID: 2760)
      command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\1234.exe"
      - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 93KB
MD5: 47c672a1e8988431f000e8b68e9767cb
SHA1: 86ae6bb62c518b082f8559547a31dd0968279af2
SHA256: 9db195f3403d8ed5d3586133af733056736a45bf98d5f25c6c6eea5af1f93e2f
SHA512: cce818a43cda08c009735dc40a6ea7d9051260a6be52bf2baf55a5e5c7b3a327624b05443e204c40119a9177a0abfe7678e2a1f4764f7262553bf94092d0b6a5

Filesize: 303KB
MD5: b274291ce2e012a004833bb57574729c
SHA1: 65de247ae9cc760cd946d746327ab5fc5968dbd5
SHA256: fa94cc9b8728deaa172b9e2203e93395d70fdf4020b88d2b06d064f5bbf88904
SHA512: 14c1a169c5025e3de79fcd60060a6b7c4d751ed0438af8ea161d1b578f8e5a486ac394b3cedab920228539df842e88086e93d516e459e87f9c56772bbf69732f

Filesize: 1.2MB
MD5: f7b1faf469ff40c92262042f6a2aee97
SHA1: eb8a41922518076b187cea63799876cc7fb6f3c3
SHA256: fc3f91250c78ff408ab86940b0334560d07b2f61edba9ce61abeba9a96df935e
SHA512: fe4dd456a6d2be4ba18ed435873ee3f35cd7fed912fd8de5267df78838c2ebaf6b6bc379f910f8d4cbcf6819c88d74de1a3714107d2d89e7669d712cc3c50631