Analysis
- max time kernel: 130s
- max time network: 143s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29/05/2024, 10:53
Static task: static1
Behavioral task: behavioral1
- Sample: 873546478ec547e4e82af18fa5004c67794141d9cb98e79a4ff84c86a6c6aeb8.exe
- Resource: win7-20240419-en
Behavioral task: behavioral2
- Sample: 873546478ec547e4e82af18fa5004c67794141d9cb98e79a4ff84c86a6c6aeb8.exe
- Resource: win10v2004-20240426-en
General
- Target: 873546478ec547e4e82af18fa5004c67794141d9cb98e79a4ff84c86a6c6aeb8.exe
- Size: 551KB
- MD5: 19a473d54f8b4f91ed944773bb4c02ef
- SHA1: 9d5fab1d5b65096390a01f5d1fa7873a97967e81
- SHA256: 873546478ec547e4e82af18fa5004c67794141d9cb98e79a4ff84c86a6c6aeb8
- SHA512: 1ebc93e0a482a48b70ccb26a57707de3585a6d1252aa3defe81884111026dade14d48e2bfa2ec6ea0c39a702c5e05834f9c536e100d433a13eb7f6ff0990c8bc
- SSDEEP: 6144:4+BWmtpZQYS2PjCLfjSCpkALDUbr0tJ0nzbWLNq4MqTJv9U:LPw2PjCLe3a6Q70zbp/sw
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence check.
  Key value queried: \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation (process: 873546478ec547e4e82af18fa5004c67794141d9cb98e79a4ff84c86a6c6aeb8.exe)
- Executes dropped EXE (1 IoC)
  PID 4844: Zip.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Key opened: \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: 873546478ec547e4e82af18fa5004c67794141d9cb98e79a4ff84c86a6c6aeb8.exe)
  Key opened: \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: 873546478ec547e4e82af18fa5004c67794141d9cb98e79a4ff84c86a6c6aeb8.exe)
  Key opened: \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: 873546478ec547e4e82af18fa5004c67794141d9cb98e79a4ff84c86a6c6aeb8.exe)
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Defender Updater = "C:\\Users\\Admin\\AppData\\Local\\Temp\\update_242910.exe / start" (process: 873546478ec547e4e82af18fa5004c67794141d9cb98e79a4ff84c86a6c6aeb8.exe)
  The value name imitates Windows Defender, but the autorun target lives in the user's Temp directory and is launched with a "/ start" argument; a per-user Run value pointing into AppData\Local\Temp is a strong persistence indicator on its own.
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Drops desktop.ini file(s) (2 IoCs)
  File created: C:\Users\Admin\AppData\Local\Temp\GB_BFEBFBFF00090672Llxdhewc\Files\desktop.ini (process: 873546478ec547e4e82af18fa5004c67794141d9cb98e79a4ff84c86a6c6aeb8.exe)
  File opened for modification: C:\Users\Admin\AppData\Local\Temp\GB_BFEBFBFF00090672Llxdhewc\Files\desktop.ini (process: 873546478ec547e4e82af18fa5004c67794141d9cb98e79a4ff84c86a6c6aeb8.exe)
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Flow 4: ip-api.com
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  PID 1348: 873546478ec547e4e82af18fa5004c67794141d9cb98e79a4ff84c86a6c6aeb8.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 1348: 873546478ec547e4e82af18fa5004c67794141d9cb98e79a4ff84c86a6c6aeb8.exe
- Suspicious behavior: RenamesItself (1 IoC)
  PID 1348: 873546478ec547e4e82af18fa5004c67794141d9cb98e79a4ff84c86a6c6aeb8.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, PID 1348 (873546478ec547e4e82af18fa5004c67794141d9cb98e79a4ff84c86a6c6aeb8.exe)
  Token: SeDebugPrivilege, PID 4844 (Zip.exe)
- Suspicious use of WriteProcessMemory (2 IoCs)
  PID 1348 (873546478ec547e4e82af18fa5004c67794141d9cb98e79a4ff84c86a6c6aeb8.exe) wrote to memory of PID 4844 (procid_target 89); recorded twice.
  Taken together with the process tree, this is the sample enabling SeDebugPrivilege and writing into the address space of the Zip.exe it dropped and launched, which is how a parent typically stages code in a child it controls.
- outlook_office_path (1 IoC)
  Key opened: \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: 873546478ec547e4e82af18fa5004c67794141d9cb98e79a4ff84c86a6c6aeb8.exe)
- outlook_win_path (1 IoC)
  Key opened: \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: 873546478ec547e4e82af18fa5004c67794141d9cb98e79a4ff84c86a6c6aeb8.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\873546478ec547e4e82af18fa5004c67794141d9cb98e79a4ff84c86a6c6aeb8.exe (PID 1348)
  Command line: "C:\Users\Admin\AppData\Local\Temp\873546478ec547e4e82af18fa5004c67794141d9cb98e79a4ff84c86a6c6aeb8.exe"
  - Checks computer location settings
  - Accesses Microsoft Outlook profiles
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - outlook_office_path
  - outlook_win_path
  - C:\Users\Admin\AppData\Local\Temp\Zip.exe (PID 4844, child of PID 1348)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Zip.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 433KB
  MD5: 07412bb084a27943a7eb571f0c95a217
  SHA1: 3597d050f4b0b8aebf7a0cdba06cd4a9e4e6a064
  SHA256: f686c09c70b232f6be9193bd1ce3bd0f7e4331a3bd4cfda938f618b7d7dab2a6
  SHA512: ec7ee6f00bccbb11ab2bf8023fb9383fdcfcb370ffb12b16c019ad1bacb0848582da30041f0011a6554cf8c9daf5d7a73f74caf3a61a35e21ad8c6fc7273aece
- Filesize: 282B
  MD5: 9e36cc3537ee9ee1e3b10fa4e761045b
  SHA1: 7726f55012e1e26cc762c9982e7c6c54ca7bb303
  SHA256: 4b9d687ac625690fd026ed4b236dad1cac90ef69e7ad256cc42766a065b50026
  SHA512: 5f92493c533d3add10b4ce2a364624817ebd10e32daa45ee16593e913073602db5e339430a3f7d2c44abf250e96ca4e679f1f09f8ca807d58a47cf3d5c9c3790
- Filesize: 3KB
  MD5: db688fb8707737b3179a33fdc1e85951
  SHA1: c25c9d25afe2222324c5bc1581f9d275efc70b8a
  SHA256: 533e12e2d8cc7c43c4c9bc2ab2428a8dbfdcb4f18126d6f63dfa33f4452ea56f
  SHA512: da2d85750c45a22ba2d7124bb7f39f62fea0d0d7902ebe5114ca82d8e4c50499a8e2335cec18072ca17f437294981a0041bbf5672a129e16efea769c55906268
- Filesize: 1KB
  MD5: 29b06b9762c40f46d16f9e956c14fed0
  SHA1: de9ad5c8fc1aa37f772c91d4343213017689766b
  SHA256: 49a41f09b29b70c0158d5b7a4b7fdf30e0af77299e79f759383e62d52269bfd4
  SHA512: 285d3d707f937e97794ebc45cc4d09c5a835f29dcefb2b6123aa9614edc8471dba918135b6ec1e644b593d2729db8834fe2423328b9a55e09a7af768c9751cdd
- Filesize: 433KB
  MD5: cad72a45e1c8238d60da101f2fa61420
  SHA1: 7524919cbabe754fdb9b3206c6118dd78be858f8
  SHA256: f4ae28694f596494077dbba9c35d4dee32f1dfbda6b7bf839931ab5a396f1af3
  SHA512: 48059463baf75943621f12a74bc0ac63233e9b911393db91e9a8e646a5cedc414eb112c5fc9f480a08ce5a2df3fb2b74dcde8ec31c4a7a9b4d4f0276dc86eaa3
- Filesize: 315B
  MD5: 8c08c25128b0098c9487242910e002df
  SHA1: f0fa6674ea59e21f294d420e058298ac417e7905
  SHA256: 7915838fe8a36cc6f1d2349e6c9a6e1471f59c55dc5c26e0a07a794efbdfaea9
  SHA512: 982ab148de76f6e4fa450c379a74de25fc910469623491b8ffc8bb7ca74607fd2c1504b2b215f499cf97a4e4ee87766ef851f11d23edcac11473f26f0b9d5e91
- Filesize: 32KB
  MD5: 3331f4e716921b0a3710ef0291958254
  SHA1: e5661e224e52476e0c463fae38e1c40fd3a40c16
  SHA256: 41bb07763250248ddd7273e9c2be51f095a4ad6cadb513bf186c92e5804e4d82
  SHA512: d50b307ba97b432288291ca22dbaed0b72053cc1a3a907111eb2ac5c6b2679d3b9b15e93c86bacd02d9d3c2d5945d5e73daa1f2a92b14db27840d7658fa9c244