Analysis
- max time kernel: 119s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 04-05-2024 11:55
Static task: static1
Behavioral task: behavioral1
  Sample: LoginTools.exe
  Resource: win7-20240221-en
General
- Target: LoginTools.exe
- Size: 1.8MB
- MD5: 1cad02b87e0166cb970aae55ed3aa068
- SHA1: 677ef6f4d58e33b7a9dfbd64e87c107786f2f59e
- SHA256: dd856974e0c69717e3aa56952f18b689c8014b3412791c67265ffcf9137aebd4
- SHA512: 3c6ac8beb8e58ca6e3649662529dfedbb51bb2cfa6716d37dd90f2abfe3c25bc592eb791118f2044bbcc1cffa3b83527302bf9badcdcaa1b04b412c2a7231533
- SSDEEP: 24576:/3vLRdVhZBK8NogWYO09dOGi933YiWdCMJ5QxmjwC/hR:/3d5ZQ1Xx3IiW0MbQxA
Malware Config
Extracted
- Family: metasploit
- Payload: windows/shell_reverse_tcp
- C2: 1.15.12.73:4567
Signatures
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Enumerates connected drives (3 TTPs, 23 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes:
    description              ioc     process
    File opened (read-only)  \??\T:  LoginTools.exe
    File opened (read-only)  \??\V:  LoginTools.exe
    File opened (read-only)  \??\G:  LoginTools.exe
    File opened (read-only)  \??\I:  LoginTools.exe
    File opened (read-only)  \??\L:  LoginTools.exe
    File opened (read-only)  \??\N:  LoginTools.exe
    File opened (read-only)  \??\O:  LoginTools.exe
    File opened (read-only)  \??\Q:  LoginTools.exe
    File opened (read-only)  \??\Z:  LoginTools.exe
    File opened (read-only)  \??\A:  LoginTools.exe
    File opened (read-only)  \??\J:  LoginTools.exe
    File opened (read-only)  \??\M:  LoginTools.exe
    File opened (read-only)  \??\S:  LoginTools.exe
    File opened (read-only)  \??\U:  LoginTools.exe
    File opened (read-only)  \??\Y:  LoginTools.exe
    File opened (read-only)  \??\H:  LoginTools.exe
    File opened (read-only)  \??\K:  LoginTools.exe
    File opened (read-only)  \??\P:  LoginTools.exe
    File opened (read-only)  \??\W:  LoginTools.exe
    File opened (read-only)  \??\X:  LoginTools.exe
    File opened (read-only)  \??\B:  LoginTools.exe
    File opened (read-only)  \??\E:  LoginTools.exe
    File opened (read-only)  \??\R:  LoginTools.exe
- Drops file in System32 directory (1 IoC)
  Processes:
    description                   ioc                   process
    File opened for modification  C:\Windows\SysWOW64\  LoginTools.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes:
    description              pid   process
    Token: SeDebugPrivilege  2112  LoginTools.exe
    Token: SeDebugPrivilege  2112  LoginTools.exe
    Token: SeDebugPrivilege  1724  LoginTools.exe
    Token: SeDebugPrivilege  1724  LoginTools.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
    description                       pid   process         target process
    PID 2112 wrote to memory of 1724  2112  LoginTools.exe  LoginTools.exe
    PID 2112 wrote to memory of 1724  2112  LoginTools.exe  LoginTools.exe
    PID 2112 wrote to memory of 1724  2112  LoginTools.exe  LoginTools.exe
    PID 2112 wrote to memory of 1724  2112  LoginTools.exe  LoginTools.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\LoginTools.exe (PID: 2112)
  Command line: "C:\Users\Admin\AppData\Local\Temp\LoginTools.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Child: C:\Users\Admin\AppData\Local\Temp\LoginTools.exe (PID: 1724)
    Command line: "C:\Users\Admin\AppData\Local\Temp\LoginTools.exe" Admin
    - Enumerates connected drives
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- memory/1724-6-0x0000000000270000-0x0000000000271000-memory.dmp (Filesize: 4KB)
- memory/1724-7-0x0000000000400000-0x00000000005E5000-memory.dmp (Filesize: 1.9MB)
- memory/1724-9-0x0000000000400000-0x00000000005E5000-memory.dmp (Filesize: 1.9MB)
- memory/2112-0-0x0000000000220000-0x0000000000221000-memory.dmp (Filesize: 4KB)
- memory/2112-1-0x0000000000220000-0x0000000000221000-memory.dmp (Filesize: 4KB)
- memory/2112-2-0x0000000000270000-0x0000000000271000-memory.dmp (Filesize: 4KB)
- memory/2112-4-0x0000000000400000-0x00000000005E5000-memory.dmp (Filesize: 1.9MB)