Analysis
- max time kernel: 30s
- max time network: 30s
- platform: windows11-21h2_x64
- resource: win11-20240508-en
- resource tags: arch:x64, arch:x86, image:win11-20240508-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 28-05-2024 22:33
General
- Target: Insidious.exe
- Size: 303KB
- MD5: 35cdf56ee1f012a2f44a0812c2a56105
- SHA1: bf3475fa2d1709a731e87c02427ff4c0f04e1448
- SHA256: 7a5f3666857fbcb8e1118d1a4366614c8c38d57bd2b8c699c0ab4ab2a89d390c
- SHA512: 121694ad85f7ff5ba3c2f14382c3f5d339f3ffdc4de1c62fde3801a1e20d59735387c376c28acd14f6821e6bd28835f77e697c83653839d6977760ef220198e7
- SSDEEP: 6144:GfcT6MDdbICydeBO0wkGV6/dJLRF6LmA1D0WFX:GfKkkGV6jLDw1DzX
Malware Config
- Extracted family: 44caliber
- Discord webhook (the extracted 44caliber configuration):
  https://discord.com/api/webhooks/1244019870862020659/tVxVfR9TpY0IyzuyrjO17JbdHh2NjTS8KiM8KzKmHrEAjcnkS2I3rTkkVdlqcBGrIYFZ
  The URL embeds the webhook token, and anyone holding it can POST to, GET (read metadata of) or DELETE the webhook without further authentication. Treat the full URL as a secret-bearing IoC: report it for takedown rather than probing it from an attributable host.
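How a webhook like the one above is recovered from a sample and dated, as an added example (this is not code from the sandbox or from 44caliber): the script scans raw bytes for Discord webhook URLs in both ASCII and UTF-16LE (the encoding .NET uses for string literals, which a plain `strings` pass misses) and converts the webhook ID, a Discord snowflake, into its creation time. The input blob is constructed and only embeds the URL from this report's config; the ID and token length bounds in the regex are assumptions.

```python
"""Pull Discord webhook URLs out of raw bytes and date them from the webhook ID.

Added example for this report, not code from the sandbox or from 44caliber.
SAMPLE_BLOB is constructed: it wraps the webhook URL from the Malware Config
section in filler bytes, once as ASCII and once as UTF-16LE (.NET keeps string
literals in UTF-16LE, so an ASCII-only strings pass misses them).
"""
from __future__ import annotations

import re
from datetime import datetime, timezone

DISCORD_EPOCH_MS = 1_420_070_400_000  # 2015-01-01T00:00:00Z, the snowflake epoch

# Assumed bounds: webhook IDs are 17-20 digit snowflakes, tokens 60-80 url-safe chars.
WEBHOOK_RE = re.compile(
    r"https://(?:ptb\.|canary\.)?discord(?:app)?\.com/api/webhooks/(\d{17,20})/([A-Za-z0-9_-]{60,80})"
)


def snowflake_to_unix_ms(snowflake: int) -> int:
    """The upper 42 bits of a snowflake are milliseconds since the Discord epoch."""
    return (snowflake >> 22) + DISCORD_EPOCH_MS


def snowflake_to_iso(snowflake: int) -> str:
    """Creation time of the object the snowflake identifies, as an ISO-8601 UTC string."""
    secs = snowflake_to_unix_ms(snowflake) // 1000
    return datetime.fromtimestamp(secs, tz=timezone.utc).isoformat(timespec="seconds")


def _text_views(data: bytes):
    """Yield the blob as ASCII and as UTF-16LE at both byte alignments.

    A UTF-16LE string that starts at an odd offset only decodes cleanly from
    data[1:], so both alignments are tried; undecodable bytes are dropped."""
    yield "ascii", data.decode("latin-1")
    for off in (0, 1):
        yield f"utf16le+{off}", data[off:].decode("utf-16-le", errors="ignore")


def extract_webhooks(data: bytes) -> list[dict]:
    """Return unique webhooks found in data with id, token, url, creation time and where they were seen."""
    found: dict[str, dict] = {}
    for encoding, text in _text_views(data):
        for m in WEBHOOK_RE.finditer(text):
            wid, token = m.group(1), m.group(2)
            if wid not in found:
                found[wid] = {
                    "webhook_id": wid,
                    "token": token,
                    "url": m.group(0),
                    "created_at": snowflake_to_iso(int(wid)),
                    "encodings": [],
                }
            found[wid]["encodings"].append(encoding)
    return list(found.values())


REPORT_WEBHOOK = ("https://discord.com/api/webhooks/1244019870862020659/"
                  "tVxVfR9TpY0IyzuyrjO17JbdHh2NjTS8KiM8KzKmHrEAjcnkS2I3rTkkVdlqcBGrIYFZ")

# Constructed stand-in for a binary: filler, the URL as ASCII, odd-length filler,
# the URL as UTF-16LE (so it lands at an odd offset), then a too-short decoy.
SAMPLE_BLOB = (
    b"MZ\x90\x00" + b"\x00" * 32
    + REPORT_WEBHOOK.encode("ascii") + b"\x00"
    + b"\xcc\xcc\xcc"
    + REPORT_WEBHOOK.encode("utf-16-le") + b"\x00\x00"
    + b"https://discord.com/api/webhooks/12345/short\x00"  # must not match
)

if __name__ == "__main__":
    for hook in extract_webhooks(SAMPLE_BLOB):
        print(hook["webhook_id"], hook["created_at"], hook["encodings"])
```

For this report's webhook the ID decodes to 2024-05-25T20:10:49Z, three days before the sample was submitted, which is the kind of freshness signal worth recording next to the hash IoCs.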
Signatures
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials, cookies and session tokens.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 1: freegeoip.app
  flow 2: freegeoip.app
- Drops file in Windows directory (4 IoCs)
  UserOOBEBroker.exe: File opened for modification C:\Windows\Panther\UnattendGC\setupact.log
  UserOOBEBroker.exe: File opened for modification C:\Windows\Panther\UnattendGC\setuperr.log
  UserOOBEBroker.exe: File opened for modification C:\Windows\Panther\UnattendGC\diagerr.xml
  UserOOBEBroker.exe: File opened for modification C:\Windows\Panther\UnattendGC\diagwrn.xml
  All four writes belong to UserOOBEBroker.exe, a Windows OOBE component writing its own setup logs; none is attributed to Insidious.exe.
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid 4852 Insidious.exe (3 events)
- Suspicious behavior: LoadsDriver (6 IoCs)
  pid 4 (5 events), pid 656 (1 event). PID 4 is the Windows System process; none of these loads is attributed to PID 4852.
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, pid 4852 Insidious.exe
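Detection logic for the three host-side behaviours attributed to PID 4852 above (SeDebugPrivilege enabled from a user-writable path, an IP-echo DNS lookup, and a non-browser process reading a browser credential store), as an added example that is not sandbox-vendor code. It correlates per-process records shaped like Windows Security 4703 (token right adjusted), Security 4663 (object access) and Sysmon event 22 (DNS query). The events are constructed; the path, PID and freegeoip.app come from this report, the field names are flattened stand-ins for the real XML schema, and the extra IP-lookup domains are assumptions.

```python
"""Per-process correlation of the behaviours flagged in this report.

Added example, not sandbox-vendor code. Events are constructed dicts whose
fields mirror Windows Security 4703 (EnabledPrivilegeList -> enabled_privileges),
Security 4663 (ObjectName -> object) and Sysmon event 22 (QueryName -> query).
"""
from __future__ import annotations

from collections import defaultdict

# freegeoip.app is the service seen in this report; the others are assumed IP-echo services.
IP_LOOKUP_DOMAINS = {"freegeoip.app", "api.ipify.org", "ip-api.com", "ipinfo.io", "icanhazip.com"}
# Locations a standard user can write to; a binary enabling SeDebugPrivilege from here is unusual.
USER_WRITABLE_HINTS = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\downloads\\", "\\users\\public\\")
# Chromium and Firefox credential/cookie stores.
BROWSER_STORE_HINTS = ("\\login data", "\\local state", "\\cookies", "\\web data", "\\logins.json", "\\key4.db")
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "opera.exe"}

FLAG_SEDEBUG = "sedebug_from_user_writable_path"
FLAG_IPLOOKUP = "external_ip_lookup"
FLAG_BROWSER = "browser_store_read_by_non_browser"


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (forward slashes tolerated)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(events: list[dict]) -> dict[int, dict]:
    """Group events by pid and attach the behaviour flags each process earned."""
    per_pid: dict[int, dict] = defaultdict(lambda: {"image": "", "flags": set()})
    for ev in events:
        rec = per_pid[ev["pid"]]
        rec["image"] = ev["image"]
        image_lc = ev["image"].lower()
        if ev["event_id"] == 4703:
            if "SeDebugPrivilege" in ev.get("enabled_privileges", ()) and any(
                hint in image_lc for hint in USER_WRITABLE_HINTS
            ):
                rec["flags"].add(FLAG_SEDEBUG)
        elif ev["event_id"] == 22:
            if ev.get("query", "").lower().rstrip(".") in IP_LOOKUP_DOMAINS:
                rec["flags"].add(FLAG_IPLOOKUP)
        elif ev["event_id"] == 4663:
            obj = ev.get("object", "").lower()
            if any(hint in obj for hint in BROWSER_STORE_HINTS) and basename(ev["image"]) not in BROWSER_IMAGES:
                rec["flags"].add(FLAG_BROWSER)
    return dict(per_pid)


def suspects(events: list[dict], min_flags: int = 2) -> dict[int, dict]:
    """Processes that hit at least min_flags distinct behaviours; any single one is noisy on its own."""
    return {pid: rec for pid, rec in triage(events).items() if len(rec["flags"]) >= min_flags}


SAMPLE_PATH = r"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"  # path from the report

# Constructed telemetry: PID 4852, the path and freegeoip.app match the report, the rest is invented.
SAMPLE_EVENTS = [
    {"event_id": 4703, "pid": 4852, "image": SAMPLE_PATH, "enabled_privileges": ["SeDebugPrivilege"]},
    {"event_id": 22, "pid": 4852, "image": SAMPLE_PATH, "query": "freegeoip.app"},
    {"event_id": 4663, "pid": 4852, "image": SAMPLE_PATH,
     "object": r"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    # Benign look-alikes: a browser reading its own store, a service resolving a Microsoft host,
    # and a System32 binary enabling SeDebugPrivilege (common for legitimate services).
    {"event_id": 4663, "pid": 3120, "image": r"C:\Program Files\Microsoft\Edge\Application\msedge.exe",
     "object": r"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Login Data"},
    {"event_id": 22, "pid": 1208, "image": r"C:\Windows\System32\svchost.exe", "query": "www.msftconnecttest.com"},
    {"event_id": 4703, "pid": 1208, "image": r"C:\Windows\System32\svchost.exe", "enabled_privileges": ["SeDebugPrivilege"]},
]

if __name__ == "__main__":
    for pid, rec in suspects(SAMPLE_EVENTS).items():
        print(pid, rec["image"], sorted(rec["flags"]))
```

Each source needs its audit switched on before this yields anything: 4703 requires the "Audit Token Right Adjusted" subcategory, 4663 requires a SACL on the browser profile directory (or equivalent EDR file-read telemetry), and Sysmon 22 requires DnsQuery in the Sysmon config. The two-flag threshold is a starting point; SeDebugPrivilege alone fires on plenty of legitimate tooling.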
Processes
No parent/child relationship is recorded between Insidious.exe and the other entries; all six are listed at the same tree depth. The svchost.exe, UserOOBEBroker.exe and FileCoAuth.exe entries are Windows and OneDrive components that ran during the capture window.
- C:\Users\Admin\AppData\Local\Temp\Insidious.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
  Flagged: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
- C:\Windows\System32\oobe\UserOOBEBroker.exe
  Command line: C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
  Flagged: Drops file in Windows directory
- C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
  Command line: C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k DevicesFlow -s DevicesFlowUserSvc
- C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe (second instance)
  Command line: C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
Only the memory dumps carry the sample's PID (4852). The .odl file is a OneDrive diagnostic log written by FileCoAuth.exe during the run, not an artifact of Insidious.exe.
- C:\Users\Admin\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2024-5-28.2234.2888.1.odl
  Filesize: 706B
  MD5: f18fc797ead237c268c937887532f835
  SHA1: 862aa51f899727e6cdec45a275079f98c3de9ae7
  SHA256: ae44aa4c2841ede8ebe51d8db451853709eb3fe18dfba2ec5cc5ff6a00246baf
  SHA512: e9f94eea2828ae984d48c59afff3969faee99c890a3fe0bb225877299f2f6c3482ed3f54b5a03139c4c925726b0438e620354db366648f290496c6a6f4ba47ce
- memory/4852-0-0x00007FF991AE3000-0x00007FF991AE5000-memory.dmp
  Filesize: 8KB
- memory/4852-1-0x0000016B6E8F0000-0x0000016B6E942000-memory.dmp
  Filesize: 328KB
- memory/4852-31-0x00007FF991AE0000-0x00007FF9925A2000-memory.dmp
  Filesize: 10.8MB
- memory/4852-32-0x00007FF991AE0000-0x00007FF9925A2000-memory.dmp
  Filesize: 10.8MB