Analysis
-
max time kernel
147s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
22-05-2024 14:30
Static task
static1
Behavioral task
behavioral1
Sample
a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral3
Sample
$PLUGINSDIR/System.dll
Resource
win7-20240508-en
Behavioral task
behavioral4
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20240508-en
General
-
Target
a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe
-
Size
652KB
-
MD5
3783014e89435e8f979155435933d4f0
-
SHA1
c711fb0d97d5d363e241ed5532c6331e0fe8aa57
-
SHA256
a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f
-
SHA512
611452baa7692ffd4a5f3fb73d60a0e1b4ecc8a77d1d94021c87e369909c8d9d583c5e2ae575fd7ebb95b5a3e70fb670fa4d97a4594644b74d1bb1adc9c75010
-
SSDEEP
12288:NgeDYSnG4nSUWbjU0WHUMTJRewXLvWkgTkVj:tDYSnG4n2bjmHUMhvKI
Malware Config
Signatures
-
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
-
NirSoft MailPassView 3 IoCs
Password recovery tool for various email clients
Processes:
resource yara_rule behavioral2/memory/5004-334-0x0000000000400000-0x0000000000462000-memory.dmp MailPassView behavioral2/memory/5004-330-0x0000000000400000-0x0000000000462000-memory.dmp MailPassView behavioral2/memory/2516-350-0x00000000004B0000-0x0000000001704000-memory.dmp MailPassView -
NirSoft WebBrowserPassView 2 IoCs
Password recovery tool for various web browsers
Processes:
resource yara_rule behavioral2/memory/988-327-0x0000000000400000-0x0000000000478000-memory.dmp WebBrowserPassView behavioral2/memory/988-352-0x0000000000400000-0x0000000000478000-memory.dmp WebBrowserPassView -
Nirsoft 7 IoCs
Processes:
resource yara_rule behavioral2/memory/988-327-0x0000000000400000-0x0000000000478000-memory.dmp Nirsoft behavioral2/memory/3396-339-0x0000000000400000-0x0000000000424000-memory.dmp Nirsoft behavioral2/memory/3396-338-0x0000000000400000-0x0000000000424000-memory.dmp Nirsoft behavioral2/memory/5004-334-0x0000000000400000-0x0000000000462000-memory.dmp Nirsoft behavioral2/memory/5004-330-0x0000000000400000-0x0000000000462000-memory.dmp Nirsoft behavioral2/memory/2516-350-0x00000000004B0000-0x0000000001704000-memory.dmp Nirsoft behavioral2/memory/988-352-0x0000000000400000-0x0000000000478000-memory.dmp Nirsoft -
Loads dropped DLL 1 IoCs
Processes:
a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exepid process 1056 a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
Processes:
a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Tjenestetiders = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Moonblind\\Chokoladecigarerne.exe" a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe -
Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs
Processes:
a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exepid process 2516 a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe 2516 a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
Processes:
a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exea7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exepid process 1056 a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe 2516 a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe -
Suspicious use of SetThreadContext 4 IoCs
Processes:
a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exea7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exedescription pid process target process PID 1056 set thread context of 2516 1056 a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe PID 2516 set thread context of 988 2516 a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe PID 2516 set thread context of 5004 2516 a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe PID 2516 set thread context of 3396 2516 a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exea7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exepid process 988 a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe 988 a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe 3396 a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe 3396 a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe 988 a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe 988 a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe -
Suspicious behavior: MapViewOfSection 4 IoCs
Processes:
a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exea7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exepid process 1056 a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe 2516 a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe 2516 a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe 2516 a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exedescription pid process Token: SeDebugPrivilege 3396 a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exepid process 2516 a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe -
Suspicious use of WriteProcessMemory 14 IoCs
Processes:
a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exea7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exedescription pid process target process PID 1056 wrote to memory of 2516 1056 a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe PID 1056 wrote to memory of 2516 1056 a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe PID 1056 wrote to memory of 2516 1056 a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe PID 1056 wrote to memory of 2516 1056 a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe PID 1056 wrote to memory of 2516 1056 a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe PID 2516 wrote to memory of 988 2516 a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe PID 2516 wrote to memory of 988 2516 a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe PID 2516 wrote to memory of 988 2516 a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe PID 2516 wrote to memory of 5004 2516 a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe PID 2516 wrote to memory of 5004 2516 a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe PID 2516 wrote to memory of 5004 2516 a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe PID 2516 wrote to memory of 3396 2516 a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe PID 2516 wrote to memory of 3396 2516 a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe PID 2516 wrote to memory of 3396 2516 a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe"C:\Users\Admin\AppData\Local\Temp\a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe"1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1056 -
C:\Users\Admin\AppData\Local\Temp\a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe"C:\Users\Admin\AppData\Local\Temp\a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe"2⤵
- Adds Run key to start application
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2516 -
C:\Users\Admin\AppData\Local\Temp\a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exeC:\Users\Admin\AppData\Local\Temp\a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe /stext "C:\Users\Admin\AppData\Local\Temp\civfegacpvnkrdyckf"3⤵
- Suspicious behavior: EnumeratesProcesses
PID:988 -
C:\Users\Admin\AppData\Local\Temp\a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exeC:\Users\Admin\AppData\Local\Temp\a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe /stext "C:\Users\Admin\AppData\Local\Temp\mciyfyldddfxurmgtpremf"3⤵
- Accesses Microsoft Outlook accounts
PID:5004 -
C:\Users\Admin\AppData\Local\Temp\a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exeC:\Users\Admin\AppData\Local\Temp\a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe /stext "C:\Users\Admin\AppData\Local\Temp\wenrgrwxrlxcexiklalypsxpv"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3396
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4124,i,5711962389779687290,1245653010537220991,262144 --variations-seed-version --mojo-platform-channel-handle=3836 /prefetch:81⤵PID:4172
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
MD591227a2f05c7f74f6ebd1535a3f05b7b
SHA11ce317a272d67e3ac284948e49e6bc0acaee2e6d
SHA2562967c8bcad47ab6cb88bf5b60a3a75b49f471a943d33c9b69aa7bfe1b763cfd2
SHA5129ff9f6d2fb2880812fce42b91388e8b825483bb2df0976b9c630c397fed68f3625f4ba32d65933de0018b6e18554315152a1df00c98313d19612403076079a40
-
Filesize
11KB
MD5fc3772787eb239ef4d0399680dcc4343
SHA1db2fa99ec967178cd8057a14a428a8439a961a73
SHA2569b93c61c9d63ef8ec80892cc0e4a0877966dca9b0c3eb85555cebd2ddf4d6eed
SHA51279e491ca4591a5da70116114b7fbb66ee15a0532386035e980c9dfe7afb59b1f9d9c758891e25bfb45c36b07afd3e171bac37a86c887387ef0e80b1eaf296c89
-
Filesize
1KB
MD574b4f5007ca19ebbad58c8ae7fadaef9
SHA1f4622459a6dffb685a2bab7583fdb2054be47c12
SHA256a0ef460996ac6521bb345950436edec397db28947224415effebb8f86861f1f6
SHA512ec9c6f3dda2e9fcc1f725b51dc19a93215cd2ea11b5b92bf2832ab57369ae5ba4d2ae623ad8ff62b8ae006482eea288186844e6b0dd80b8546efbc3277f61efc