Analysis

  • max time kernel
    297s
  • max time network
    301s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags

    arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
  • submitted
    03-06-2024 05:40

General

  • Target

    85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe

  • Size

    119KB

  • MD5

    b37058a1a6fa72cf11d4bda54e15790a

  • SHA1

    b8663b93cac0b88168d207fd648da5c2f9b775de

  • SHA256

    85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0

  • SHA512

    4848057ad580943a96e57713ca721ad3052001e8fd428651b08034592596f14e9396d0de970bdbffc552e104189aa81dfe7723bd13003637659198ec38fed818

  • SSDEEP

    3072:taz/aDPGTGEFCgfOUs9b1sYbj9udwbtkJjT17WfCSL:ttyfOUs9b1jEE

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Delays execution with timeout.exe 1 IoCs
  • Modifies system certificate store 2 TTPs 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe
    "C:\Users\Admin\AppData\Local\Temp\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2412
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C chcp 65001 && timeout /t 3 > NUL && schtasks /create /tn "85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe" &&START "" "C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe"
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:2680
      • C:\Windows\system32\chcp.com
        chcp 65001
        3⤵
          PID:2880
        • C:\Windows\system32\timeout.exe
          timeout /t 3
          3⤵
          • Delays execution with timeout.exe
          PID:2684
        • C:\Windows\system32\schtasks.exe
          schtasks /create /tn "85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe" /rl HIGHEST /f
          3⤵
          • Creates scheduled task(s)
          PID:2756
        • C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe
          "C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe"
          3⤵
          • Executes dropped EXE
          • Accesses Microsoft Outlook profiles
          • Modifies system certificate store
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2224
          • C:\Windows\system32\cmd.exe
            "cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2896
            • C:\Windows\system32\chcp.com
              chcp 65001
              5⤵
                PID:2232
              • C:\Windows\system32\netsh.exe
                netsh wlan show profiles
                5⤵
                  PID:332
                • C:\Windows\system32\findstr.exe
                  findstr /R /C:"[ ]:[ ]"
                  5⤵
                    PID:700
                • C:\Windows\system32\cmd.exe
                  "cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal"
                  4⤵
                  • Suspicious use of WriteProcessMemory
                  PID:1340
                  • C:\Windows\system32\chcp.com
                    chcp 65001
                    5⤵
                      PID:1152
                    • C:\Windows\system32\netsh.exe
                      netsh wlan show networks mode=bssid
                      5⤵
                        PID:2304
                      • C:\Windows\system32\findstr.exe
                        findstr "SSID BSSID Signal"
                        5⤵
                          PID:2108
                • C:\Windows\system32\taskeng.exe
                  taskeng.exe {8B35FAEC-F54F-435F-947B-38563E901DAA} S-1-5-21-481678230-3773327859-3495911762-1000:UIBNQNMA\Admin:Interactive:[1]
                  1⤵
                  • Suspicious use of WriteProcessMemory
                  PID:2088
                  • C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe
                    C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe
                    2⤵
                    • Executes dropped EXE
                    • Accesses Microsoft Outlook profiles
                    • Modifies system certificate store
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    • outlook_office_path
                    • outlook_win_path
                    PID:568
                    • C:\Windows\system32\cmd.exe
                      "cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]"
                      3⤵
                      • Suspicious use of WriteProcessMemory
                      PID:804
                      • C:\Windows\system32\chcp.com
                        chcp 65001
                        4⤵
                          PID:660
                        • C:\Windows\system32\netsh.exe
                          netsh wlan show profiles
                          4⤵
                            PID:1052
                          • C:\Windows\system32\findstr.exe
                            findstr /R /C:"[ ]:[ ]"
                            4⤵
                              PID:748
                          • C:\Windows\system32\cmd.exe
                            "cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal"
                            3⤵
                            • Suspicious use of WriteProcessMemory
                            PID:2044
                            • C:\Windows\system32\chcp.com
                              chcp 65001
                              4⤵
                                PID:2380
                              • C:\Windows\system32\netsh.exe
                                netsh wlan show networks mode=bssid
                                4⤵
                                  PID:2280
                                • C:\Windows\system32\findstr.exe
                                  findstr "SSID BSSID Signal"
                                  4⤵
                                    PID:1760

                            Network

                            MITRE ATT&CK Enterprise v15

                            Replay Monitor

                            Loading Replay Monitor...

                            Downloads

                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

                              Filesize

                              70KB

                              MD5

                              49aebf8cbd62d92ac215b2923fb1b9f5

                              SHA1

                              1723be06719828dda65ad804298d0431f6aff976

                              SHA256

                              b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

                              SHA512

                              bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                              Filesize

                              342B

                              MD5

                              00d6dfbb96bd00bb7d725f0b73ed1669

                              SHA1

                              87022defc02b654986f886350d58a2d96678ba3f

                              SHA256

                              2c7e7b9e733203f406ff51f3fba968df09dfc08c9744a80ba815a8f151b89e08

                              SHA512

                              1d3c8788c855c29354ca16dc5e734b295f1ce7252ff7e087a855791bfdf869e78eb8c84c71b088f4130ad309fc23ee472341f10d06e2de1910e3339f32f7b9b2

                            • C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe

                              Filesize

                              119KB

                              MD5

                              b37058a1a6fa72cf11d4bda54e15790a

                              SHA1

                              b8663b93cac0b88168d207fd648da5c2f9b775de

                              SHA256

                              85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0

                              SHA512

                              4848057ad580943a96e57713ca721ad3052001e8fd428651b08034592596f14e9396d0de970bdbffc552e104189aa81dfe7723bd13003637659198ec38fed818

                            • C:\Users\Admin\AppData\Local\Temp\Tar309A.tmp

                              Filesize

                              181KB

                              MD5

                              4ea6026cf93ec6338144661bf1202cd1

                              SHA1

                              a1dec9044f750ad887935a01430bf49322fbdcb7

                              SHA256

                              8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

                              SHA512

                              6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

                            • C:\Users\Admin\AppData\Local\zxqaiiy6en\p.dat

                              Filesize

                              4B

                              MD5

                              543e83748234f7cbab21aa0ade66565f

                              SHA1

                              d09127a8d4c0c1e347fb707bd7bc7db0f3e98bd3

                              SHA256

                              966243b9a39f6ddeb9f55a905ff4b0b696423d6cae0a37eb07e090bae6d8d570

                              SHA512

                              b6e3a430add4705d2d5e51dca7ac35b43364ca4fb386e0b3da15fdb926289054640d0209666d5ae7d5e3d6528852163dcb330551c8145dd228ea5d1c1adc3d91

                            • memory/2224-9-0x0000000001190000-0x00000000011B4000-memory.dmp

                              Filesize

                              144KB

                            • memory/2412-0-0x000007FEF55F3000-0x000007FEF55F4000-memory.dmp

                              Filesize

                              4KB

                            • memory/2412-1-0x0000000000910000-0x0000000000934000-memory.dmp

                              Filesize

                              144KB

                            • memory/2412-2-0x000007FEF55F0000-0x000007FEF5FDC000-memory.dmp

                              Filesize

                              9.9MB

                            • memory/2412-5-0x000007FEF55F0000-0x000007FEF5FDC000-memory.dmp

                              Filesize

                              9.9MB