Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    04-06-2024 01:36

General

  • Target

    85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe

  • Size

    119KB

  • MD5

    b37058a1a6fa72cf11d4bda54e15790a

  • SHA1

    b8663b93cac0b88168d207fd648da5c2f9b775de

  • SHA256

    85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0

  • SHA512

    4848057ad580943a96e57713ca721ad3052001e8fd428651b08034592596f14e9396d0de970bdbffc552e104189aa81dfe7723bd13003637659198ec38fed818

  • SSDEEP

    3072:taz/aDPGTGEFCgfOUs9b1sYbj9udwbtkJjT17WfCSL:ttyfOUs9b1jEE

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Delays execution with timeout.exe 1 IoCs
  • Modifies system certificate store 2 TTPs 6 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe
    "C:\Users\Admin\AppData\Local\Temp\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2128
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C chcp 65001 && timeout /t 3 > NUL && schtasks /create /tn "85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe" &&START "" "C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe"
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:2696
      • C:\Windows\system32\chcp.com
        chcp 65001
        3⤵
          PID:2680
        • C:\Windows\system32\timeout.exe
          timeout /t 3
          3⤵
          • Delays execution with timeout.exe
          PID:2596
        • C:\Windows\system32\schtasks.exe
          schtasks /create /tn "85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe" /rl HIGHEST /f
          3⤵
          • Creates scheduled task(s)
          PID:2748
        • C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe
          "C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe"
          3⤵
          • Executes dropped EXE
          • Accesses Microsoft Outlook profiles
          • Modifies system certificate store
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2600
          • C:\Windows\system32\cmd.exe
            "cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:3048
            • C:\Windows\system32\chcp.com
              chcp 65001
              5⤵
                PID:1740
              • C:\Windows\system32\netsh.exe
                netsh wlan show profiles
                5⤵
                  PID:592
                • C:\Windows\system32\findstr.exe
                  findstr /R /C:"[ ]:[ ]"
                  5⤵
                    PID:1144
                • C:\Windows\system32\cmd.exe
                  "cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal"
                  4⤵
                  • Suspicious use of WriteProcessMemory
                  PID:2924
                  • C:\Windows\system32\chcp.com
                    chcp 65001
                    5⤵
                      PID:2396
                    • C:\Windows\system32\netsh.exe
                      netsh wlan show networks mode=bssid
                      5⤵
                        PID:1500
                      • C:\Windows\system32\findstr.exe
                        findstr "SSID BSSID Signal"
                        5⤵
                          PID:1016
                • C:\Windows\system32\taskeng.exe
                  taskeng.exe {516A6D92-DB09-48B2-903D-A145346237E1} S-1-5-21-1298544033-3225604241-2703760938-1000:IZKCKOTP\Admin:Interactive:[1]
                  1⤵
                  • Suspicious use of WriteProcessMemory
                  PID:1396
                  • C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe
                    C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe
                    2⤵
                    • Executes dropped EXE
                    • Accesses Microsoft Outlook profiles
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    • outlook_office_path
                    • outlook_win_path
                    PID:1876
                    • C:\Windows\system32\cmd.exe
                      "cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]"
                      3⤵
                      • Suspicious use of WriteProcessMemory
                      PID:3060
                      • C:\Windows\system32\chcp.com
                        chcp 65001
                        4⤵
                          PID:1696
                        • C:\Windows\system32\netsh.exe
                          netsh wlan show profiles
                          4⤵
                            PID:2508
                          • C:\Windows\system32\findstr.exe
                            findstr /R /C:"[ ]:[ ]"
                            4⤵
                              PID:2620
                          • C:\Windows\system32\cmd.exe
                            "cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal"
                            3⤵
                            • Suspicious use of WriteProcessMemory
                            PID:2980
                            • C:\Windows\system32\chcp.com
                              chcp 65001
                              4⤵
                                PID:2788
                              • C:\Windows\system32\netsh.exe
                                netsh wlan show networks mode=bssid
                                4⤵
                                  PID:2644
                                • C:\Windows\system32\findstr.exe
                                  findstr "SSID BSSID Signal"
                                  4⤵
                                    PID:2776

                            Network

                            MITRE ATT&CK Enterprise v15

                            Replay Monitor

                            Loading Replay Monitor...

                            Downloads

                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

                              Filesize

                              70KB

                              MD5

                              49aebf8cbd62d92ac215b2923fb1b9f5

                              SHA1

                              1723be06719828dda65ad804298d0431f6aff976

                              SHA256

                              b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

                              SHA512

                              bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                              Filesize

                              342B

                              MD5

                              44a8741dcef750c56dc9f1560a8327fa

                              SHA1

                              cdbee3cdc4482b83302196b053a9622b01159088

                              SHA256

                              b0870b084f4c4ceb70006e07cef55a57983d7b506de9608409965f559bc0d759

                              SHA512

                              b971dfed9f112a8e2cda21312985fce8e722aec5274e1bdf47457cc235de9d89b14e03ab45508ef9af2b02e59203e9bc7d505729f68b47aecc14eb3adc5f341f

                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                              Filesize

                              342B

                              MD5

                              f987b544aa889cf6df8a1adf50c9ca41

                              SHA1

                              e531e4778ffc5d8ddce4fbdafb0a8e4009f543b8

                              SHA256

                              b88378a066c4dfc9f318efdae040171a7a4a3ec10c1efcf7c3b5853466da8bac

                              SHA512

                              8b054b5dd06930acede75d18a521ae4be8ec015fa279ac51276785257af4d50c0e932de7334429556f656980a0d219de89537a65bef214b3b6af86af59430505

                            • C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe

                              Filesize

                              119KB

                              MD5

                              b37058a1a6fa72cf11d4bda54e15790a

                              SHA1

                              b8663b93cac0b88168d207fd648da5c2f9b775de

                              SHA256

                              85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0

                              SHA512

                              4848057ad580943a96e57713ca721ad3052001e8fd428651b08034592596f14e9396d0de970bdbffc552e104189aa81dfe7723bd13003637659198ec38fed818

                            • C:\Users\Admin\AppData\Local\Temp\Tar441A.tmp

                              Filesize

                              181KB

                              MD5

                              4ea6026cf93ec6338144661bf1202cd1

                              SHA1

                              a1dec9044f750ad887935a01430bf49322fbdcb7

                              SHA256

                              8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

                              SHA512

                              6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

                            • C:\Users\Admin\AppData\Local\zxqaiiy6en\p.dat

                              Filesize

                              4B

                              MD5

                              fea9c11c4ad9a395a636ed944a28b51a

                              SHA1

                              0ad0144e12526132b8bd147b23f0b12e971796f6

                              SHA256

                              153ebeeacf6b8a97825becc9658657e044db07ed9b9db6c4b997ef9c44c2e021

                              SHA512

                              0219b7c9eece7a84ba17c1efc52d4d911040962b9c3e300f56129e477b8b3c7fb4ba92825b5565062a6db776b23d3cabb7cd76313846833c347e8a7dd08f786b

                            • memory/2128-0-0x000007FEF5433000-0x000007FEF5434000-memory.dmp

                              Filesize

                              4KB

                            • memory/2128-1-0x00000000008D0000-0x00000000008F4000-memory.dmp

                              Filesize

                              144KB

                            • memory/2128-2-0x000007FEF5430000-0x000007FEF5E1C000-memory.dmp

                              Filesize

                              9.9MB

                            • memory/2128-5-0x000007FEF5430000-0x000007FEF5E1C000-memory.dmp

                              Filesize

                              9.9MB

                            • memory/2600-9-0x0000000001390000-0x00000000013B4000-memory.dmp

                              Filesize

                              144KB