Analysis
- max time kernel: 91s
- max time network: 141s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01/06/2024, 01:49
Static task: static1
Behavioral task: behavioral1
  Sample: c558e126c64a89887115a45276d5a8751f90c399eb32ca103f6e50901abc7abd.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: c558e126c64a89887115a45276d5a8751f90c399eb32ca103f6e50901abc7abd.exe
  Resource: win10v2004-20240426-en
General
- Target: c558e126c64a89887115a45276d5a8751f90c399eb32ca103f6e50901abc7abd.exe
- Size: 1.6MB
- MD5: 19b9de641a480be1236dd9712d9ccc10
- SHA1: a3cbbd66a0a3fbb2618c9283d44a0855059e9e6a
- SHA256: c558e126c64a89887115a45276d5a8751f90c399eb32ca103f6e50901abc7abd
- SHA512: 7c86fa655d20e23bb67761367b8dd0512902c0f2d3c0801f480a63bd7d8287f16e8314f43de7a202495b17aab52f7ae2b4bc71b3f0973b4e3810c4ade4462010
- SSDEEP: 49152:LzL+zEqvftsAyChHQTTu7XIP+WQ55KGRK04TYS:LzLYVdiCh6Cdb7RD4T
Malware Config
Signatures
Modifies Windows Defender Real-time Protection settings
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" [RegAsm.exe]
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1" [RegAsm.exe]
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection [RegAsm.exe]
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" [RegAsm.exe]
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" [RegAsm.exe]
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" [RegAsm.exe]
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" [RegAsm.exe]
Detects executables packed with ConfuserEx Mod 2 IoCs
- behavioral2/memory/3684-1-0x0000000000400000-0x000000000069E000-memory.dmp: INDICATOR_EXE_Packed_ConfuserEx
- behavioral2/memory/3684-6-0x0000000000400000-0x000000000069E000-memory.dmp: INDICATOR_EXE_Packed_ConfuserEx
Drops startup file 1 IoCs
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster2663.lnk [RegAsm.exe]
Loads dropped DLL 1 IoCs
- PID 3684 [RegAsm.exe]
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features [RegAsm.exe]
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" [RegAsm.exe]
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
- Key opened: \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 [RegAsm.exe]
- Key opened: \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 [RegAsm.exe]
- Key opened: \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 [RegAsm.exe]
Adds Run key to start application 2 TTPs 1 IoCs
- Set value (str): \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest2663 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest2663\\MaxLoonaFest2663.exe" [RegAsm.exe]
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
- flow 18: ipinfo.io
- flow 17: ipinfo.io
Suspicious use of SetThreadContext 1 IoCs
- PID 4360 set thread context of 3684 [c558e126c64a89887115a45276d5a8751f90c399eb32ca103f6e50901abc7abd.exe, procid_target 88]
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Program crash 1 IoCs
- PID 5108, pid_target 3684 [WerFault.exe, procid_target 88]
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
- PID 1748 [schtasks.exe]
- PID 5020 [schtasks.exe]
Suspicious behavior: EnumeratesProcesses 3 IoCs
- PID 4404 [powershell.exe]
- PID 4404 [powershell.exe]
- PID 3684 [RegAsm.exe]
Suspicious use of AdjustPrivilegeToken 2 IoCs
- Token: SeDebugPrivilege, PID 3684 [RegAsm.exe]
- Token: SeDebugPrivilege, PID 4404 [powershell.exe]
Suspicious use of WriteProcessMemory 29 IoCs
(identical events collapsed; the count in parentheses is the number of times each event is listed)
- PID 4360 wrote to memory of 4604 (3) [c558e126c64a89887115a45276d5a8751f90c399eb32ca103f6e50901abc7abd.exe, procid_target 87]
- PID 4360 wrote to memory of 3684 (11) [c558e126c64a89887115a45276d5a8751f90c399eb32ca103f6e50901abc7abd.exe, procid_target 88]
- PID 3684 wrote to memory of 4404 (3) [RegAsm.exe, procid_target 92]
- PID 3684 wrote to memory of 4572 (3) [RegAsm.exe, procid_target 97]
- PID 4572 wrote to memory of 1748 (3) [cmd.exe, procid_target 98]
- PID 3684 wrote to memory of 3000 (3) [RegAsm.exe, procid_target 99]
- PID 3000 wrote to memory of 5020 (3) [cmd.exe, procid_target 100]
outlook_office_path 1 IoCs
- Key opened: \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 [RegAsm.exe]
outlook_win_path 1 IoCs
- Key opened: \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 [RegAsm.exe]
Processes
(process tree; indentation shows parent/child depth, signature hits are listed under each process)

C:\Users\Admin\AppData\Local\Temp\c558e126c64a89887115a45276d5a8751f90c399eb32ca103f6e50901abc7abd.exe (PID 4360)
  Command line: "C:\Users\Admin\AppData\Local\Temp\c558e126c64a89887115a45276d5a8751f90c399eb32ca103f6e50901abc7abd.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (PID 4604)
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (PID 3684)
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      - Modifies Windows Defender Real-time Protection settings
      - Drops startup file
      - Loads dropped DLL
      - Windows security modification
      - Accesses Microsoft Outlook profiles
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - outlook_office_path
      - outlook_win_path

        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 4404)
          Command line: "powershell" Get-MpPreference -verbose
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

        C:\Windows\SysWOW64\cmd.exe (PID 4572)
          Command line: "cmd.exe" /c schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP2663\OfficeTrackerNMP2663.exe" /tn "OfficeTrackerNMP2663 HR" /sc HOURLY /rl HIGHEST
          - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\schtasks.exe (PID 1748)
              Command line: schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP2663\OfficeTrackerNMP2663.exe" /tn "OfficeTrackerNMP2663 HR" /sc HOURLY /rl HIGHEST
              - Creates scheduled task(s)

        C:\Windows\SysWOW64\cmd.exe (PID 3000)
          Command line: "cmd.exe" /c schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP2663\OfficeTrackerNMP2663.exe" /tn "OfficeTrackerNMP2663 LG" /sc ONLOGON /rl HIGHEST
          - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\schtasks.exe (PID 5020)
              Command line: schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP2663\OfficeTrackerNMP2663.exe" /tn "OfficeTrackerNMP2663 LG" /sc ONLOGON /rl HIGHEST
              - Creates scheduled task(s)

        C:\Windows\SysWOW64\WerFault.exe (PID 5108)
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3684 -s 3060
          - Program crash

C:\Windows\SysWOW64\WerFault.exe (PID 3812)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 3684 -ip 3684
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution: 1
  - Registry Run Keys / Startup Folder: 1
- Create or Modify System Process: 1
  - Windows Service: 1
- Scheduled Task/Job: 1
Downloads