Analysis
-
max time kernel
150s -
max time network
154s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
02/06/2024, 17:47
General
-
Target
6f8e28de8a556a784361870ad03cbcfcd664072ce2be4f2d42cd3b19158238c6.exe
-
Size
1.5MB
-
MD5
2f9e962a158e693ca6a80fbfa838a398
-
SHA1
3af4f9c301ee4a3909eb1c0e1a560d4737911861
-
SHA256
6f8e28de8a556a784361870ad03cbcfcd664072ce2be4f2d42cd3b19158238c6
-
SHA512
02fb6471665c2919377e33df1d619a2fb82b66daffeb064030dfbde49a537a254660ee598b08bbfa1ba7a4eb9eaa452c27d69d42e834bec78dd5234d786fe9d3
-
SSDEEP
49152:II7+pxQKbNfnODWE1y0W7eO4JZ4HNW9EYEkfX:II7+pxnx8wFP4J4WWYEWX
Malware Config
Signatures
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
.NET Reactor proctector 3 IoCs
Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\6f8e28de8a556a784361870ad03cbcfcd664072ce2be4f2d42cd3b19158238c6.exe"C:\Users\Admin\AppData\Local\Temp\6f8e28de8a556a784361870ad03cbcfcd664072ce2be4f2d42cd3b19158238c6.exe"1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Accounts.ControlRCP_ruzxpnew4af\6f8e28de8a556a784361870ad03cbcfcd664072ce2be4f2d42cd3b19158238c6.exe"C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Accounts.ControlRCP_ruzxpnew4af\6f8e28de8a556a784361870ad03cbcfcd664072ce2be4f2d42cd3b19158238c6.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Accounts.ControlRCP_ruzxpnew4af\6f8e28de8a556a784361870ad03cbcfcd664072ce2be4f2d42cd3b19158238c6.exe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Accounts.ControlRCP_ruzxpnew4af\6f8e28de8a556a784361870ad03cbcfcd664072ce2be4f2d42cd3b19158238c6.exe"4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
269B
MD549a664e7abae4fe62986418255a80b22
SHA1a3f28d1ecda62ebd740e198afaa1b240d9aaa3a7
SHA256faec90d15ebefaed1139a98269907348567994807e891faf2a3002da58a7fc24
SHA512fc7496bc251eb5cff3301717d2a1ccf28cb0c5c3ea3065c643a465011cc2dd31825895079af73a9a0a84feb55d49c9ae75e852ab66cc11013bfa5a57b2723fdb
-
Filesize
1.5MB
MD52f9e962a158e693ca6a80fbfa838a398
SHA13af4f9c301ee4a3909eb1c0e1a560d4737911861
SHA2566f8e28de8a556a784361870ad03cbcfcd664072ce2be4f2d42cd3b19158238c6
SHA51202fb6471665c2919377e33df1d619a2fb82b66daffeb064030dfbde49a537a254660ee598b08bbfa1ba7a4eb9eaa452c27d69d42e834bec78dd5234d786fe9d3
-
Filesize
1.5MB
-
Filesize
6.9MB
-
Filesize
6.9MB
-
Filesize
1.0MB
-
Filesize
712KB
-
Filesize
104KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
6.9MB
-
Filesize
6.9MB
-
Filesize
6.9MB
-
Filesize
352KB
-
Filesize
6.9MB
-
Filesize
1.5MB