Analysis
- max time kernel: 115s
- max time network: 137s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04-05-2024 11:44
- Static task: static1
- Behavioral task: behavioral1
  - Sample: LoginTools.exe
  - Resource: win7-20240221-en
General
- Target: LoginTools.exe
- Size: 1.8MB
- MD5: 1cad02b87e0166cb970aae55ed3aa068
- SHA1: 677ef6f4d58e33b7a9dfbd64e87c107786f2f59e
- SHA256: dd856974e0c69717e3aa56952f18b689c8014b3412791c67265ffcf9137aebd4
- SHA512: 3c6ac8beb8e58ca6e3649662529dfedbb51bb2cfa6716d37dd90f2abfe3c25bc592eb791118f2044bbcc1cffa3b83527302bf9badcdcaa1b04b412c2a7231533
- SSDEEP: 24576:/3vLRdVhZBK8NogWYO09dOGi933YiWdCMJ5QxmjwC/hR:/3d5ZQ1Xx3IiW0MbQxA
Malware Config
Extracted
- Family: metasploit
- Payload: windows/shell_reverse_tcp
- C2: 1.15.12.73:4567
Signatures
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: LoginTools.exe
  - Key value queried: \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation (LoginTools.exe)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Enumerates connected drives (3 TTPs, 23 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: LoginTools.exe
  - File opened (read-only) by LoginTools.exe: \??\Q:, \??\S:, \??\G:, \??\K:, \??\L:, \??\M:, \??\O:, \??\V:, \??\R:, \??\U:, \??\Z:, \??\I:, \??\J:, \??\N:, \??\H:, \??\P:, \??\T:, \??\W:, \??\X:, \??\A:, \??\B:, \??\E:, \??\Y:
- Drops file in System32 directory (1 IoC)
  Processes: LoginTools.exe
  - File opened for modification: C:\Windows\SysWOW64\ (LoginTools.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry class (1 IoC)
  Processes: LoginTools.exe
  - Key created: \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings (LoginTools.exe)
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes: LoginTools.exe (PID 3092), LoginTools.exe (PID 2364)
  - Token: SeDebugPrivilege, PID 3092, LoginTools.exe
  - Token: SeDebugPrivilege, PID 3092, LoginTools.exe
  - Token: SeDebugPrivilege, PID 2364, LoginTools.exe
  - Token: SeDebugPrivilege, PID 2364, LoginTools.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: LoginTools.exe
  - PID 3092 wrote to memory of 2364 (LoginTools.exe -> LoginTools.exe)
  - PID 3092 wrote to memory of 2364 (LoginTools.exe -> LoginTools.exe)
  - PID 3092 wrote to memory of 2364 (LoginTools.exe -> LoginTools.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\LoginTools.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\LoginTools.exe"
  PID: 3092
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Child: C:\Users\Admin\AppData\Local\Temp\LoginTools.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\LoginTools.exe" Admin
    PID: 2364
    - Enumerates connected drives
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 868
Network
MITRE ATT&CK Enterprise v15
Downloads
- memory/2364-6-0x0000000002430000-0x0000000002431000-memory.dmp (4KB)
- memory/2364-7-0x0000000000400000-0x00000000005E5000-memory.dmp (1.9MB)
- memory/2364-9-0x0000000000400000-0x00000000005E5000-memory.dmp (1.9MB)
- memory/3092-0-0x0000000000750000-0x0000000000751000-memory.dmp (4KB)
- memory/3092-1-0x0000000000750000-0x0000000000751000-memory.dmp (4KB)
- memory/3092-2-0x0000000002630000-0x0000000002631000-memory.dmp (4KB)
- memory/3092-4-0x0000000000400000-0x00000000005E5000-memory.dmp (1.9MB)