Analysis
- max time kernel: 141s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 01/06/2024, 12:09
Static task: static1
Behavioral task: behavioral1
- Sample: 1.exe
- Resource: win7-20240508-en
Behavioral task: behavioral2
- Sample: 1.exe
- Resource: win10v2004-20240508-en
General
- Target: 1.exe
- Size: 154KB
- MD5: f25b7e3d8113bfe04637132dc77e2495
- SHA1: 8912c9a543a4d1a617bd59f7c80b69ed17a6e04b
- SHA256: 242162265a598cf3c4c0d04a999cdd5b63a9759a44787aab0d9dd8748c0525ec
- SHA512: 08a8ac8159f3b8cd573042a5bdc70fc408c079a80f1962cdfb59bcb87888cb307a16e0b42c1ed7d6a6819835452480df842a9bff1fbbf3fbb7a2c9dcf3fa0aa9
- SSDEEP: 3072:TFj1dkqdNVwl28KihHci+HXgaEAKZLX/lZ0WXH1GjerTmJgND0EHiHyhx:9ktU8KsHciigLbZbXpXHRyJgkS
Malware Config
Signatures
- Deletes itself (1 IoC)
  pid | Process
  2896 | av.exe
- Executes dropped EXE (1 IoC)
  pid | Process
  2896 | av.exe
- Loads dropped DLL (2 IoCs)
  pid | Process
  2060 | 1.exe
  2060 | 1.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Modifies registry class (36 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\secfile\shell\runas\command\IsolatedCommand = "\"%1\" %*" | av.exe
  Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\.exe\shell | av.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\av.exe\" /START \"%1\" %*" | av.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*" | av.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\secfile\DefaultIcon\ = "%1" | av.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\secfile\shell\runas\command\ = "\"%1\" %*" | av.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\.exe\DefaultIcon\ = "%1" | av.exe
  Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\.exe\shell\start\command | av.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\secfile\shell\open\command\IsolatedCommand = "\"%1\" %*" | av.exe
  Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\secfile\shell\runas\command | av.exe
  Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\secfile\shell\start\command | av.exe
  Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\.exe\shell\runas | av.exe
  Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\.exe\shell\start | av.exe
  Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\.exe\shell\runas\command | av.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\.exe\shell\start\command\IsolatedCommand = "\"%1\" %*" | av.exe
  Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\secfile\shell\open | av.exe
  Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\secfile\shell\open\command | av.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\secfile\shell\start\command\ = "\"%1\" %*" | av.exe
  Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\.exe\shell\open\command | av.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\.exe\shell\open\command\IsolatedCommand = "\"%1\" %*" | av.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\secfile\shell\start\command\IsolatedCommand = "\"%1\" %*" | av.exe
  Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\.exe | av.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\.exe\Content Type = "application/x-msdownload" | av.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\.exe\shell\runas\command\ = "\"%1\" %*" | av.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\secfile\ = "Application" | av.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\secfile\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\av.exe\" /START \"%1\" %*" | av.exe
  Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\secfile\shell | av.exe
  Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\secfile\shell\runas | av.exe
  Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\secfile\shell\start | av.exe
  Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\.exe\DefaultIcon | av.exe
  Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\.exe\shell\open | av.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\.exe\shell\start\command\ = "\"%1\" %*" | av.exe
  Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\secfile | av.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\secfile\Content Type = "application/x-msdownload" | av.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\.exe\ = "secfile" | av.exe
  Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\secfile\DefaultIcon | av.exe
- Suspicious use of FindShellTrayWindow (3 IoCs)
  pid | Process
  2896 | av.exe
  2896 | av.exe
  2896 | av.exe
- Suspicious use of SendNotifyMessage (3 IoCs)
  pid | Process
  2896 | av.exe
  2896 | av.exe
  2896 | av.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | Process | procid_target
  PID 2060 wrote to memory of 2896 | 2060 | 1.exe | 28
  PID 2060 wrote to memory of 2896 | 2060 | 1.exe | 28
  PID 2060 wrote to memory of 2896 | 2060 | 1.exe | 28
  PID 2060 wrote to memory of 2896 | 2060 | 1.exe | 28
Processes
- C:\Users\Admin\AppData\Local\Temp\1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1.exe"
  PID: 2060
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\av.exe
    Command line: "C:\Users\Admin\AppData\Local\av.exe" /GAV C:\Users\Admin\AppData\Local\Temp\1.exe
    PID: 2896
    - Deletes itself
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 154KB
- MD5: f25b7e3d8113bfe04637132dc77e2495
- SHA1: 8912c9a543a4d1a617bd59f7c80b69ed17a6e04b
- SHA256: 242162265a598cf3c4c0d04a999cdd5b63a9759a44787aab0d9dd8748c0525ec
- SHA512: 08a8ac8159f3b8cd573042a5bdc70fc408c079a80f1962cdfb59bcb87888cb307a16e0b42c1ed7d6a6819835452480df842a9bff1fbbf3fbb7a2c9dcf3fa0aa9