Overview

overview

10

Static

static

10

ConsoleApp...n2.exe

windows10-2004-x64

7

ConsoleApp...n2.exe

windows11-21h2-x64

7

Analysis

  • max time kernel
    142s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08/06/2024, 13:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ConsoleApplication2.exe

  • Size

    4.4MB

  • MD5

    72f73734bb6dbf6381815d85d680fb8e

  • SHA1

    2a7c3855fc0e4a0813631946684a4173c425a266

  • SHA256

    8045c954475f76556ef8c7b3305af51f5c7c8359a527404266c9e980527c4396

  • SHA512

    96c3e0bef2224d5f5ebfe1d3880ecec1e120cfc56d6d978b91916332313e70c9167ed38204486640937912dff591e3e6faa72737e5e7a0441069087679e5b6f3

  • SSDEEP

    49152:d9vRNVGsS21WaeQc+4Vg/95kVM04UwF7mwY/yg57/7AxcH7snP3kPOxrKPG+OzX2:d9vRNVVtpvagb0kqIcPM+H

Score
7/10
discoveryexecutionspywarestealer

Malware Config

Signatures

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 5 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • Detects videocard installed 1 TTPs 1 IoCs

    Uses WMIC.exe to determine videocard installed.

  • Enumerates processes with tasklist 1 TTPs 1 IoCs
  • Gathers system information 1 TTPs 1 IoCs

    Runs systeminfo.exe.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ConsoleApplication2.exe
    "C:\Users\Admin\AppData\Local\Temp\ConsoleApplication2.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:5076
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ping -n 1 1.1.1.1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1356
      • C:\Windows\SysWOW64\PING.EXE
        ping -n 1 1.1.1.1
        3⤵
        • Runs ping.exe
        PID:3372
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c wmic csproduct get uuid
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1008
      • C:\Windows\SysWOW64\Wbem\WMIC.exe
        wmic csproduct get uuid
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:4084
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell Get-ItemPropertyValue -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4864
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell Get-ItemPropertyValue -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4788
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c wmic path win32_VideoController get name
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1124
      • C:\Windows\SysWOW64\Wbem\WMIC.exe
        wmic path win32_VideoController get name
        3⤵
        • Detects videocard installed
        • Suspicious use of AdjustPrivilegeToken
        PID:2076
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c wmic cpu get name
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1768
      • C:\Windows\SysWOW64\Wbem\WMIC.exe
        wmic cpu get name
        3⤵
          PID:3076
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c wmic os get Caption /value
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2660
        • C:\Windows\SysWOW64\Wbem\WMIC.exe
          wmic os get Caption /value
          3⤵
            PID:4752
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c wmic path win32_VideoController get currentrefreshrate
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:952
          • C:\Windows\SysWOW64\Wbem\WMIC.exe
            wmic path win32_VideoController get currentrefreshrate
            3⤵
              PID:3064
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c powershell Get-Content (Get-PSReadlineOption).HistorySavePath
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:4440
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              powershell Get-Content (Get-PSReadlineOption).HistorySavePath
              3⤵
              • Suspicious behavior: EnumeratesProcesses
              PID:4216
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c tasklist
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:3580
            • C:\Windows\SysWOW64\tasklist.exe
              tasklist
              3⤵
              • Enumerates processes with tasklist
              PID:2012
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c systeminfo
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:3440
            • C:\Windows\SysWOW64\systeminfo.exe
              systeminfo
              3⤵
              • Gathers system information
              PID:224
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c netsh wlan show profile
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:1668
            • C:\Windows\SysWOW64\netsh.exe
              netsh wlan show profile
              3⤵
                PID:552
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get /value
              2⤵
                PID:3392
                • C:\Windows\SysWOW64\Wbem\WMIC.exe
                  wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get /value
                  3⤵
                    PID:3124
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c powershell.exe -Command "Get-ItemProperty HKLM:\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate, InstallLocation"
                  2⤵
                    PID:1124
                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      powershell.exe -Command "Get-ItemProperty HKLM:\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate, InstallLocation"
                      3⤵
                      • Command and Scripting Interpreter: PowerShell
                      • Suspicious behavior: EnumeratesProcesses
                      PID:3264
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c wmic os get Caption /value
                    2⤵
                      PID:984
                      • C:\Windows\SysWOW64\Wbem\WMIC.exe
                        wmic os get Caption /value
                        3⤵
                          PID:3776
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c wmic csproduct get uuid
                        2⤵
                          PID:832
                          • C:\Windows\SysWOW64\Wbem\WMIC.exe
                            wmic csproduct get uuid
                            3⤵
                              PID:5104
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c wmic os get Caption /value
                            2⤵
                              PID:2228
                              • C:\Windows\SysWOW64\Wbem\WMIC.exe
                                wmic os get Caption /value
                                3⤵
                                  PID:4376
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4048 --field-trial-handle=3060,i,1774866140584649235,8085848018931772189,262144 --variations-seed-version /prefetch:8
                              1⤵
                                PID:4480

                              Network

                              MITRE ATT&CK Enterprise v15

                              Replay Monitor

                              Loading Replay Monitor...

                              Downloads

                              • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
                                Filesize

                                1KB

                                MD5

                                def65711d78669d7f8e69313be4acf2e

                                SHA1

                                6522ebf1de09eeb981e270bd95114bc69a49cda6

                                SHA256

                                aa1c97cdbce9a848f1db2ad483f19caa535b55a3a1ef2ad1260e0437002bc82c

                                SHA512

                                05b2f9cd9bc3b46f52fded320b68e05f79b2b3ceaeb13e5d87ae9f8cd8e6c90bbb4ffa4da8192c2bfe0f58826cabff2e99e7c5cc8dd47037d4eb7bfc6f2710a7

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                Filesize

                                18KB

                                MD5

                                376a29e9545dfe09d988d14374ccf899

                                SHA1

                                61ff8905a29cce1c97652fd3f81db8662e20de0a

                                SHA256

                                41bce43c07952d9b920ba1646193c69eca454f20724bb69f118a271bb856cdf3

                                SHA512

                                e563f063f6e2df293ea6768d9fc6cde170dda65ccfb9df4598c2c09b00a19a0f3e7770af8cdd90338d6a169553006a1b929173c214ccefe8ba14c03f3b693643

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                Filesize

                                20KB

                                MD5

                                8c71d523605846544fa995d46ab0ff8b

                                SHA1

                                140ef9e3a21b28b128de6a29f2710bd31e20459f

                                SHA256

                                4b0b955009f1afcb4af5c8d141dfccb8bc298c837201a9902f5e9255d1329e57

                                SHA512

                                3bcfc06ec08590877a391130a5741ee3fd524e4c4b6133d35cb6f9fb41b7415eaa641626a4f3d68e14f62ead98125044c070774e23455b0217e6dc5b2219c7e9

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1ffmhkbe.1oi.ps1
                                Filesize

                                60B

                                MD5

                                d17fe0a3f47be24a6453e9ef58c94641

                                SHA1

                                6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                SHA256

                                96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                SHA512

                                5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Temp\kBHe2o6VAt469L69\Nagogy-Grabber (Admin).zip
                                Filesize

                                194KB

                                MD5

                                366b68313aa9534997a271a9d2e2c260

                                SHA1

                                8ba37a9064967babe7df301ae423f49f84e4d816

                                SHA256

                                a933ec16ad23a8a0863e545795dd38a7206f89d5a177954b0b8fd3ebf5315c9a

                                SHA512

                                b936d8bc6fc869365902ae35cac31897d82f59d396f85776278dfa3266bb236e172bb4666493d0dd6b0abdb8afd12fa6451125f1c36386f20a4ba6318fabedfe

                                Download Submit

                              • memory/3264-68-0x0000000006610000-0x000000000665C000-memory.dmp

                                Filesize

                                304KB

                                Download

                              • memory/3264-66-0x0000000005E90000-0x00000000061E4000-memory.dmp

                                Filesize

                                3.3MB

                                Download

                              • memory/4216-44-0x0000000007690000-0x0000000007D0A000-memory.dmp

                                Filesize

                                6.5MB

                                Download

                              • memory/4216-43-0x0000000006F90000-0x0000000007006000-memory.dmp

                                Filesize

                                472KB

                                Download

                              • memory/4216-42-0x0000000006100000-0x0000000006144000-memory.dmp

                                Filesize

                                272KB

                                Download

                              • memory/4216-41-0x0000000005D30000-0x0000000005D7C000-memory.dmp

                                Filesize

                                304KB

                                Download

                              • memory/4216-39-0x00000000056A0000-0x00000000059F4000-memory.dmp

                                Filesize

                                3.3MB

                                Download

                              • memory/4788-7-0x0000000005E80000-0x0000000005EE6000-memory.dmp

                                Filesize

                                408KB

                                Download

                              • memory/4788-13-0x0000000005F70000-0x00000000062C4000-memory.dmp

                                Filesize

                                3.3MB

                                Download

                              • memory/4788-22-0x0000000006A40000-0x0000000006A5A000-memory.dmp

                                Filesize

                                104KB

                                Download

                              • memory/4788-23-0x0000000006AB0000-0x0000000006AD2000-memory.dmp

                                Filesize

                                136KB

                                Download

                              • memory/4788-24-0x0000000007E30000-0x00000000083D4000-memory.dmp

                                Filesize

                                5.6MB

                                Download

                              • memory/4788-27-0x0000000074C10000-0x00000000753C0000-memory.dmp

                                Filesize

                                7.7MB

                                Download

                              • memory/4788-20-0x0000000074C10000-0x00000000753C0000-memory.dmp

                                Filesize

                                7.7MB

                                Download

                              • memory/4788-19-0x0000000006690000-0x00000000066DC000-memory.dmp

                                Filesize

                                304KB

                                Download

                              • memory/4788-18-0x0000000006440000-0x000000000645E000-memory.dmp

                                Filesize

                                120KB

                                Download

                              • memory/4788-21-0x00000000077E0000-0x0000000007876000-memory.dmp

                                Filesize

                                600KB

                                Download

                              • memory/4788-0-0x0000000074C1E000-0x0000000074C1F000-memory.dmp

                                Filesize

                                4KB

                                Download

                              • memory/4788-6-0x0000000005CA0000-0x0000000005D06000-memory.dmp

                                Filesize

                                408KB

                                Download

                              • memory/4788-5-0x0000000005590000-0x00000000055B2000-memory.dmp

                                Filesize

                                136KB

                                Download

                              • memory/4788-4-0x00000000055F0000-0x0000000005C18000-memory.dmp

                                Filesize

                                6.2MB

                                Download

                              • memory/4788-3-0x0000000074C10000-0x00000000753C0000-memory.dmp

                                Filesize

                                7.7MB

                                Download

                              • memory/4788-2-0x0000000074C10000-0x00000000753C0000-memory.dmp

                                Filesize

                                7.7MB

                                Download

                              • memory/4788-1-0x0000000004F30000-0x0000000004F66000-memory.dmp

                                Filesize

                                216KB

                                Download