Analysis
-
max time kernel
62s -
max time network
67s -
platform
windows11-21h2_x64 -
resource
win11-20240426-en -
resource tags
-
submitted
08-06-2024 13:34
General
-
Target
ConsoleApplication2.exe
-
Size
4.4MB
-
MD5
a0f170a09dcc8f9161efe47a518d5a01
-
SHA1
3fefa661fb68a1dd43ddff16202650e0b26ecb20
-
SHA256
06ab5377341cf38c3a3c6628b5bf91d545b7dcd153c629d5025582274a371f43
-
SHA512
eaefca62badab468db04dd77812318d50fab36fbc2ce7f2c08163dbda08207c2734a0829793fdacf5c2ac4c3de5d96c6f53f6d0555e5e6f6f145cef810257c44
-
SSDEEP
49152:M9v90k5HkzhwSUiUCAOygB+fEjGDYG12089DZujZGUOutEdNkzRvP61crzPBdWzc:M9v90kOnU7OyYjQsuhVPtd
Malware Config
Signatures
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs
-
Looks up external IP address via web service 10 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
-
Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.
-
Enumerates processes with tasklist 1 TTPs 1 IoCs
-
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\ConsoleApplication2.exe"C:\Users\Admin\AppData\Local\Temp\ConsoleApplication2.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 1 1.1.1.12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping -n 1 1.1.1.13⤵
- Runs ping.exe
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c wmic csproduct get uuid2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic csproduct get uuid3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell Get-ItemPropertyValue -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c wmic path win32_VideoController get name2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic path win32_VideoController get name3⤵
- Detects videocard installed
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c wmic cpu get name2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic cpu get name3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c wmic os get Caption /value2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic os get Caption /value3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c wmic path win32_VideoController get currentrefreshrate2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic path win32_VideoController get currentrefreshrate3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell Get-Content (Get-PSReadlineOption).HistorySavePath2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell Get-Content (Get-PSReadlineOption).HistorySavePath3⤵
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tasklist2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\tasklist.exetasklist3⤵
- Enumerates processes with tasklist
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c systeminfo2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\systeminfo.exesysteminfo3⤵
- Gathers system information
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh wlan show profile2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exenetsh wlan show profile3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get /value2⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get /value3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe -Command "Get-ItemProperty HKLM:\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate, InstallLocation"2⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe -Command "Get-ItemProperty HKLM:\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate, InstallLocation"3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c wmic os get Caption /value2⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic os get Caption /value3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c wmic csproduct get uuid2⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic csproduct get uuid3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c wmic os get Caption /value2⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic os get Caption /value3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c wmic os get Caption /value2⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic os get Caption /value3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c wmic csproduct get uuid2⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic csproduct get uuid3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c wmic os get Caption /value2⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic os get Caption /value3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c wmic os get Caption /value2⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic os get Caption /value3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c wmic csproduct get uuid2⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic csproduct get uuid3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c wmic os get Caption /value2⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic os get Caption /value3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c wmic os get Caption /value2⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic os get Caption /value3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c wmic csproduct get uuid2⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic csproduct get uuid3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c wmic os get Caption /value2⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic os get Caption /value3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c wmic os get Caption /value2⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic os get Caption /value3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c wmic csproduct get uuid2⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic csproduct get uuid3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c wmic os get Caption /value2⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic os get Caption /value3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c wmic os get Caption /value2⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic os get Caption /value3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c wmic csproduct get uuid2⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic csproduct get uuid3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c wmic os get Caption /value2⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic os get Caption /value3⤵
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5e080d58e6387c9fd87434a502e1a902e
SHA1ae76ce6a2a39d79226c343cfe4745d48c7c1a91a
SHA2566fc482e46f6843f31d770708aa936de4cc32fec8141154f325438994380ff425
SHA5126c112200ef09e724f2b8ab7689a629a09d74db2dcb4dd83157dd048cbe74a7ce5d139188257efc79a137ffebde0e3b61e0e147df789508675fedfd11fcad9ede
-
Filesize
18KB
MD585036561421ae49479d1b358c766ea67
SHA1cb395ef875dbbadb320eebb99c14035c5896c96d
SHA2568365b3b8650502ecc62be011ead8b92c6728081fc6a709153c4de9eff0475ddc
SHA51243f1808d425bcc65531ef79aaf589d136da0b0a093d6075bcfb0fb4936271d91fb71d4b3b4965440f8fa71fd1a18b54fce50215a39f27c7e7e36ee841196e4f6
-
Filesize
18KB
MD59e1ebcde1c5f1cce79cf8e9dce888f69
SHA134e096ca42a2395148e81849dd95fb5e95423621
SHA25621654195087df0c314773151bf2db21e486b98a7f3b5c252c877803269be3a19
SHA512567080314314b1449f6c4a525afd73b552c9f0cf60f1d178e45eba895790f0e6ba17c3eb828e5599c3ddef8b66f203ae668b6f261d3dc921c4dfcc2b60a1ba6a
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
195KB
MD5616905862bcb7dddf4e71c5390046e30
SHA13ece26d7954604ecc5086e5813a727e553c9b1d8
SHA2560b0df3e7d4c3a8dff3261e3a798874935b9b3858edb72b247dd1f195bf6ba172
SHA51204eeace18d0753de44e5666da4c7ade18a9993733917e5180be6294e44d6dd2865a72262069098781f3ae84299b914c513def3680faf222bada92edf05119554
-
Filesize
6.5MB
-
Filesize
304KB
-
Filesize
3.3MB
-
Filesize
600KB
-
Filesize
408KB
-
Filesize
120KB
-
Filesize
304KB
-
Filesize
4KB
-
Filesize
104KB
-
Filesize
136KB
-
Filesize
5.6MB
-
Filesize
7.7MB
-
Filesize
3.3MB
-
Filesize
216KB
-
Filesize
408KB
-
Filesize
6.2MB
-
Filesize
7.7MB
-
Filesize
136KB
-
Filesize
7.7MB
-
Filesize
280KB
-
Filesize
304KB
-
Filesize
3.3MB