Analysis
-
max time kernel
279s -
max time network
304s -
platform
windows10-2004_x64 -
resource
win10v2004-20240419-en -
resource tags
-
submitted
04-05-2024 15:15
General
-
Target
server.exe
-
Size
550KB
-
MD5
6cb512426a10237538b506679437b187
-
SHA1
281a423f138f9793ecaa9485457c2c01f35e8955
-
SHA256
ce1d57e8980fbdc500dc1baa64d4fcf2e3bc30a61c11ccad452cbc8bbe1f49fd
-
SHA512
ccfcb46cac5fcec1574310325cfe7d19661e30dd7f2638196e7ad21eadfd7d98f1a38bc65c44dcc52d322828a4243802394136f0eeea52cf1c39f81851a90cb4
-
SSDEEP
6144:s+BWmtpZQYS2PjCLfjSCpkALDUbr0tJ0nzbWYhJ6usHJdJUQ:XPw2PjCLe3a6Q70zbpJOHiQ
Malware Config
Signatures
-
PredatorStealer
Predator is a modular stealer written in C#.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops desktop.ini file(s) 2 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious behavior: RenamesItself 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 2 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"1⤵
- Checks computer location settings
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
-
C:\Users\Admin\AppData\Local\Temp\Zip.exe"C:\Users\Admin\AppData\Local\Temp\Zip.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
430KB
MD53f17f5c93702227d29559f413cc6be0c
SHA138af40141ec15144b6cd3a6cdd32f52ea44a1b15
SHA25600dc8ebe29063814f906df75609e71506401008fbfbce26b2d21ab30264847fd
SHA512dd45813d0d478fa64f16657375f0f72ae615675b537f42c4bf0bc8bc0a9efdeb7df89d57e7624b08680356439e479d1a8fd8d133675c142d00bbdf09c6b51914
-
Filesize
282B
MD59e36cc3537ee9ee1e3b10fa4e761045b
SHA17726f55012e1e26cc762c9982e7c6c54ca7bb303
SHA2564b9d687ac625690fd026ed4b236dad1cac90ef69e7ad256cc42766a065b50026
SHA5125f92493c533d3add10b4ce2a364624817ebd10e32daa45ee16593e913073602db5e339430a3f7d2c44abf250e96ca4e679f1f09f8ca807d58a47cf3d5c9c3790
-
Filesize
3KB
MD5b38fe8996cea2e37ae861c6f04253b1a
SHA17d3f85ab327cacbde9627123115ea7136191cc95
SHA25695cc723fc33a36ec829eee2716b44d6a348e5cdcd60ea9926fdb60ddc4e107e0
SHA512e2dcfc9ac40fc862c88771f0e1258b15409d4181580b5bbcdffe45ae569238363bdbec7e6a8c91f6b5e41a5b9d8552218a2a4616ef1d47f6cf8b336b8943654e
-
Filesize
1KB
MD51753556c16c2e27b8b386876ff7b8a55
SHA147d5f0618c1ad171f1da4b0e7a32f7f12d176758
SHA25686220903e11aeb0259b5e83c15056abe15e5efaee40fde2b5ded59ba3d193ed4
SHA51216f7da960bf23d1d3d806186f31a97e8476ffe9840263f9b8748cbb14f7ca8f0f48ee73f366f26a1d957387685f179f406df98123a02a6c55f7c2c432ce97fff
-
Filesize
431KB
MD568383bda16f8b17aa72989ada4caca41
SHA1584741c001c054220d98a9e8ea112ad24c9d6cbb
SHA2562c607720050f37305691c323e02c34b0ad2f81e0a1c8c825e4da406170f3c40a
SHA512a57845b4a109024fc9c458bceef9b1e0dfef66833bae3908196fc7e28347f1ebfe8577e6d5bf417111c9ee94905b90aacf586d88409537b01b6a36c49ceb3e4f
-
Filesize
315B
MD52ad880ff7ae7ccf5221b22c4d182b5ef
SHA16534f4a737e090d9219357cecb44faa5d9a2640c
SHA256b16c4a30e1d6a257e2eb602bdd55603f27f6f5529107fe797a4f972d8e60255d
SHA5122ff32f5f42590e507140c973f64743c4134020dc4bdfcac4e304f28010c1100648c33f01f4e66fbbfe6d45dc811c8196f3163dae2ba77f860044d118de39436d
-
Filesize
31KB
MD53afd64484a2a34fc34d1155747dd3847
SHA1451e1d878179f6fcfbaf9fa79d9ee8207489748f
SHA256bf78263914c6d3f84f825504536338fadd15868d788bf30d30613ca27abeb7a9
SHA512d21a519c8867d569e56ac5c93ce861a72f6853e3a959467bf8e8779664f99b5e8be76ad27e078935191c798aea05891960e01d9a0d52e2a33d34ec5a58c00448
-
Filesize
10.8MB
-
Filesize
8KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
576KB
-
Filesize
10.8MB
-
Filesize
8KB
-
Filesize
10.8MB
-
Filesize
5.2MB
-
Filesize
10.8MB
-
Filesize
1.8MB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
72KB
-
Filesize
40KB
-
Filesize
10.8MB
-
Filesize
10.8MB
