Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    21-05-2024 19:41

General

  • Target

    479d30cd484920e686388641718edc53.exe

  • Size

    120KB

  • MD5

    479d30cd484920e686388641718edc53

  • SHA1

    c7040a1893168c204c759280d9671b0b58890c8c

  • SHA256

    e4385e5feb8e6148b8bd24b5d3f86c9fb5f45c5520bbe7c08c01a8befd1c8601

  • SHA512

    e499941a4f0f0764ab7493f3f7aa588473409881aa4564a9939cfd60232bd1de672ecfc099d6712fa1eb4da272855f92c95fdf610f688c81894a6258cd3dd51d

  • SSDEEP

    1536:2Wzd3+6aUp+3aTvjgFnbF/nt6z9b1Caom02vrDxcHtcV/erWEUzny94BgJad:z3av3aTvjv9b1Ch30rDxcHtcV/SquI

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Delays execution with timeout.exe 1 IoCs
  • Modifies system certificate store 2 TTPs 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\479d30cd484920e686388641718edc53.exe
    "C:\Users\Admin\AppData\Local\Temp\479d30cd484920e686388641718edc53.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2244
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C chcp 65001 && timeout /t 3 > NUL && schtasks /create /tn "479d30cd484920e686388641718edc53" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\RobloxSecurity\479d30cd484920e686388641718edc53.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\479d30cd484920e686388641718edc53.exe" &&START "" "C:\Users\Admin\AppData\Local\RobloxSecurity\479d30cd484920e686388641718edc53.exe"
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:2596
      • C:\Windows\system32\chcp.com
        chcp 65001
        3⤵
        PID:2548
      • C:\Windows\system32\timeout.exe
        timeout /t 3
        3⤵
        • Delays execution with timeout.exe
        PID:2500
      • C:\Windows\system32\schtasks.exe
        schtasks /create /tn "479d30cd484920e686388641718edc53" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\RobloxSecurity\479d30cd484920e686388641718edc53.exe" /rl HIGHEST /f
        3⤵
        • Creates scheduled task(s)
        PID:2116
      • C:\Users\Admin\AppData\Local\RobloxSecurity\479d30cd484920e686388641718edc53.exe
        "C:\Users\Admin\AppData\Local\RobloxSecurity\479d30cd484920e686388641718edc53.exe"
        3⤵
        • Executes dropped EXE
        • Accesses Microsoft Outlook profiles
        • Modifies system certificate store
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2672
        • C:\Windows\system32\cmd.exe
          "cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2392
          • C:\Windows\system32\chcp.com
            chcp 65001
            5⤵
            PID:2472
          • C:\Windows\system32\netsh.exe
            netsh wlan show profiles
            5⤵
            PID:2828
          • C:\Windows\system32\findstr.exe
            findstr /R /C:"[ ]:[ ]"
            5⤵
            PID:2824
        • C:\Windows\system32\cmd.exe
          "cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2680
          • C:\Windows\system32\chcp.com
            chcp 65001
            5⤵
            PID:1628
          • C:\Windows\system32\netsh.exe
            netsh wlan show networks mode=bssid
            5⤵
            PID:1752
          • C:\Windows\system32\findstr.exe
            findstr "SSID BSSID Signal"
            5⤵
            PID:2296
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {DB3FDC47-B7CB-4609-BEC6-14CD62D5CF60} S-1-5-21-3452737119-3959686427-228443150-1000:QGTQZTRE\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2984
    • C:\Users\Admin\AppData\Local\RobloxSecurity\479d30cd484920e686388641718edc53.exe
      C:\Users\Admin\AppData\Local\RobloxSecurity\479d30cd484920e686388641718edc53.exe
      2⤵
      • Executes dropped EXE
      • Accesses Microsoft Outlook profiles
      • Modifies system certificate store
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • outlook_office_path
      • outlook_win_path
      PID:1100
      • C:\Windows\system32\cmd.exe
        "cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2608
        • C:\Windows\system32\chcp.com
          chcp 65001
          4⤵
          PID:2496
        • C:\Windows\system32\netsh.exe
          netsh wlan show profiles
          4⤵
          PID:2380
        • C:\Windows\system32\findstr.exe
          findstr /R /C:"[ ]:[ ]"
          4⤵
          PID:2440
      • C:\Windows\system32\cmd.exe
        "cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1696
        • C:\Windows\system32\chcp.com
          chcp 65001
          4⤵
          PID:1752
        • C:\Windows\system32\netsh.exe
          netsh wlan show networks mode=bssid
          4⤵
          PID:2700
        • C:\Windows\system32\findstr.exe
          findstr "SSID BSSID Signal"
          4⤵
          PID:2684

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
    Filesize: 68KB
    MD5: 29f65ba8e88c063813cc50a4ea544e93
    SHA1: 05a7040d5c127e68c25d81cc51271ffb8bef3568
    SHA256: 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
    SHA512: e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize: 344B
    MD5: e0d4d5320bcdc25fe0d263809834fd03
    SHA1: 0284f81b09c52ed1b8919197a597391ca87d2060
    SHA256: c2b16778aaf201e16745a7eff82d0410fbd3d5907cc3ba3de206fb0f8d93109e
    SHA512: cf3c226cf75bc4f7154b71371a8391a52ed1e54f8e64392a274ce4b08fbcf4a3dcc78e4be6aa7c9d56e3106a18bd258bd2e9bc876a4daf88593914d812149369

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize: 344B
    MD5: 41021b32f9e569e62cdabd5af050aa4f
    SHA1: 1754e59308f3cacbb19ac5a3d4b34f45137ae840
    SHA256: 8d1160f5eb5a407ea109bfd0b420b6f928dcb79d6ebe0afc790ca3b40879d222
    SHA512: e10eb2055c19d40c4826cf7d70aaa4adc68af0638a78bbda27ca777b321345314e02a6172e80833c8b0ffc4443f3269b90d5e46a203dd2316c53f526af13b5de

  • C:\Users\Admin\AppData\Local\RobloxSecurity\479d30cd484920e686388641718edc53.exe
    Filesize: 120KB
    MD5: 479d30cd484920e686388641718edc53
    SHA1: c7040a1893168c204c759280d9671b0b58890c8c
    SHA256: e4385e5feb8e6148b8bd24b5d3f86c9fb5f45c5520bbe7c08c01a8befd1c8601
    SHA512: e499941a4f0f0764ab7493f3f7aa588473409881aa4564a9939cfd60232bd1de672ecfc099d6712fa1eb4da272855f92c95fdf610f688c81894a6258cd3dd51d

  • C:\Users\Admin\AppData\Local\Temp\Tar3C7B.tmp
    Filesize: 177KB
    MD5: 435a9ac180383f9fa094131b173a2f7b
    SHA1: 76944ea657a9db94f9a4bef38f88c46ed4166983
    SHA256: 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
    SHA512: 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

  • C:\Users\Admin\AppData\Local\lbdd1brp2p\p.dat
    Filesize: 4B
    MD5: 5487e79fa0ccd0b79e5d4a4c8ced005d
    SHA1: 9b167f20d855b3d33fa8877a17dea0898be590e1
    SHA256: c30d2c58c630f9e4e5a303cfe36cf2d7fd66a1189a5e45daba5a62fc65902580
    SHA512: ea090c610f876f7345081f8dd2265df7f5dfd185ada14f5560b259fe4a15302845fe9260044a86d1dabe9b932c1a0d352100650151250bc554f243f52a7774d2

  • memory/2244-0-0x000007FEF6033000-0x000007FEF6034000-memory.dmp
    Filesize: 4KB

  • memory/2244-1-0x0000000000E20000-0x0000000000E44000-memory.dmp
    Filesize: 144KB

  • memory/2244-2-0x000007FEF6030000-0x000007FEF6A1C000-memory.dmp
    Filesize: 9.9MB

  • memory/2244-5-0x000007FEF6030000-0x000007FEF6A1C000-memory.dmp
    Filesize: 9.9MB

  • memory/2672-9-0x0000000000D00000-0x0000000000D24000-memory.dmp
    Filesize: 144KB