Overview

overview

10

Static

static

10

ConsoleApp...n2.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    147s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08-06-2024 17:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ConsoleApplication2.exe

  • Size

    4.4MB

  • MD5

    0ca8aa48b388cea42d4bb0ce88803812

  • SHA1

    ceaa6b628cbf30643f949ebc7b2f4ff23f6ea5d8

  • SHA256

    7064657d8e05bb053fa2b4ef7a62f7beb5e5d9cdf8ea9fb7a4843b8b7f75ebd4

  • SHA512

    3012f06e214c9c5a332c239b51ad28eed7c8deb3c695ce722d4a69049ad5000db189a3ee5a892f36a0b364c2b036552fa848d09121e54b5fde4f76ee63e658f3

  • SSDEEP

    49152:sNvbISk4hciT/TbZJtvrOxPP1f1RcH8/8MmoF37whddkK0ZdfNN3PPETzApHLN+z:sNvUSk4hxTDUtR8ifTEgH

Score
7/10
discoveryexecutionspywarestealer

Malware Config

Signatures

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 6 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • Detects videocard installed 1 TTPs 1 IoCs

    Uses WMIC.exe to determine videocard installed.

  • Enumerates processes with tasklist 1 TTPs 1 IoCs
  • Gathers system information 1 TTPs 1 IoCs

    Runs systeminfo.exe.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ConsoleApplication2.exe
    "C:\Users\Admin\AppData\Local\Temp\ConsoleApplication2.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2408
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ping -n 1 1.1.1.1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1416
      • C:\Windows\SysWOW64\PING.EXE
        ping -n 1 1.1.1.1
        3⤵
        • Runs ping.exe
        PID:4496
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c wmic csproduct get uuid
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3176
      • C:\Windows\SysWOW64\Wbem\WMIC.exe
        wmic csproduct get uuid
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2260
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell Get-ItemPropertyValue -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2688
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell Get-ItemPropertyValue -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1284
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c wmic path win32_VideoController get name
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:432
      • C:\Windows\SysWOW64\Wbem\WMIC.exe
        wmic path win32_VideoController get name
        3⤵
        • Detects videocard installed
        • Suspicious use of AdjustPrivilegeToken
        PID:1516
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c wmic cpu get name
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:544
      • C:\Windows\SysWOW64\Wbem\WMIC.exe
        wmic cpu get name
        3⤵
          PID:2196
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c wmic os get Caption /value
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2568
        • C:\Windows\SysWOW64\Wbem\WMIC.exe
          wmic os get Caption /value
          3⤵
            PID:2276
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c wmic path win32_VideoController get currentrefreshrate
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:4528
          • C:\Windows\SysWOW64\Wbem\WMIC.exe
            wmic path win32_VideoController get currentrefreshrate
            3⤵
              PID:3104
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c powershell Get-Content (Get-PSReadlineOption).HistorySavePath
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:3504
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              powershell Get-Content (Get-PSReadlineOption).HistorySavePath
              3⤵
              • Suspicious behavior: EnumeratesProcesses
              PID:3332
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c tasklist
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:684
            • C:\Windows\SysWOW64\tasklist.exe
              tasklist
              3⤵
              • Enumerates processes with tasklist
              PID:1540
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c systeminfo
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:1576
            • C:\Windows\SysWOW64\systeminfo.exe
              systeminfo
              3⤵
              • Gathers system information
              PID:3540
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c netsh wlan show profile
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:3588
            • C:\Windows\SysWOW64\netsh.exe
              netsh wlan show profile
              3⤵
                PID:4784
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get /value
              2⤵
                PID:4676
                • C:\Windows\SysWOW64\Wbem\WMIC.exe
                  wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get /value
                  3⤵
                    PID:4708
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c powershell.exe -Command "Get-ItemProperty HKLM:\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate, InstallLocation"
                  2⤵
                    PID:1176
                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      powershell.exe -Command "Get-ItemProperty HKLM:\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate, InstallLocation"
                      3⤵
                      • Command and Scripting Interpreter: PowerShell
                      • Suspicious behavior: EnumeratesProcesses
                      PID:1352
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c wmic os get Caption /value
                    2⤵
                      PID:3212
                      • C:\Windows\SysWOW64\Wbem\WMIC.exe
                        wmic os get Caption /value
                        3⤵
                          PID:832
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c wmic csproduct get uuid
                        2⤵
                          PID:4648
                          • C:\Windows\SysWOW64\Wbem\WMIC.exe
                            wmic csproduct get uuid
                            3⤵
                              PID:1828
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c wmic os get Caption /value
                            2⤵
                              PID:1316
                              • C:\Windows\SysWOW64\Wbem\WMIC.exe
                                wmic os get Caption /value
                                3⤵
                                  PID:4660

                            Network

                            MITRE ATT&CK Enterprise v15

                            Replay Monitor

                            Loading Replay Monitor...

                            Downloads

                            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
                              Filesize

                              1KB

                              MD5

                              def65711d78669d7f8e69313be4acf2e

                              SHA1

                              6522ebf1de09eeb981e270bd95114bc69a49cda6

                              SHA256

                              aa1c97cdbce9a848f1db2ad483f19caa535b55a3a1ef2ad1260e0437002bc82c

                              SHA512

                              05b2f9cd9bc3b46f52fded320b68e05f79b2b3ceaeb13e5d87ae9f8cd8e6c90bbb4ffa4da8192c2bfe0f58826cabff2e99e7c5cc8dd47037d4eb7bfc6f2710a7

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                              Filesize

                              18KB

                              MD5

                              68c6299a63a550f147dcad3577b9e65b

                              SHA1

                              2dcc5f2ca150501dd6da459d8555fc261a3d3f8c

                              SHA256

                              edd86f141e02bb79597dda78440617115063af0be0e0e2fa2cbc49e04c33d078

                              SHA512

                              80cbd7bdd70821cc046ca3a6cb2f5ee6ddbd7abdb698ddb3f334e625046682a9bb3655bc736fdc6791f9e1be99693b2c8486fb80acec73364f8053f6ad9850d9

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                              Filesize

                              20KB

                              MD5

                              806e817d8513c2ae63bf49d27e68f0db

                              SHA1

                              81746aa7bec7474d176d075f804014f02feb6c73

                              SHA256

                              25f94b7045b9521e64239390e001a1cead3d3e5d4c994f89ce3714bb3b93c34d

                              SHA512

                              3c8aefe7d9f7cc2d0756461d2f2acec7604b682d1ad2a1190716f612730920f4bde0ffd6d77d01679048b00ec1215cb2f88f040b63f0d9a95d01d789db0e6974

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Temp\QgbDIB6lTidMp9x4\Nagogy-Grabber (Admin).zip
                              Filesize

                              199KB

                              MD5

                              9ae6a7bad65877e3285a92d36d5f7fbc

                              SHA1

                              724ffaba46549ea243b597bf0cccfcdfef52dd99

                              SHA256

                              c1bfe9d62c28ac5a4e6e004a19e6a4dc3fe7a5519b9dfd180fbe32e0a2ca3034

                              SHA512

                              80897bc78f0f86733131c91a218faf3944194e49dc6b23a32addfab818a72359ad8effbfff198e37321a40c80ab176c4cb6191ebcb40d074238eab81820c983d

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qz5m0t25.ik2.ps1
                              Filesize

                              60B

                              MD5

                              d17fe0a3f47be24a6453e9ef58c94641

                              SHA1

                              6ab83620379fc69f80c0242105ddffd7d98d5d9d

                              SHA256

                              96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                              SHA512

                              5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                              Download Submit

                            • memory/1284-25-0x0000000074370000-0x0000000074B20000-memory.dmp

                              Filesize

                              7.7MB

                              Download

                            • memory/1284-6-0x0000000006030000-0x0000000006096000-memory.dmp

                              Filesize

                              408KB

                              Download

                            • memory/1284-4-0x00000000056C0000-0x00000000056E2000-memory.dmp

                              Filesize

                              136KB

                              Download

                            • memory/1284-16-0x00000000061A0000-0x00000000064F4000-memory.dmp

                              Filesize

                              3.3MB

                              Download

                            • memory/1284-17-0x0000000006690000-0x00000000066AE000-memory.dmp

                              Filesize

                              120KB

                              Download

                            • memory/1284-18-0x00000000066D0000-0x000000000671C000-memory.dmp

                              Filesize

                              304KB

                              Download

                            • memory/1284-19-0x0000000006C50000-0x0000000006CE6000-memory.dmp

                              Filesize

                              600KB

                              Download

                            • memory/1284-21-0x0000000006BB0000-0x0000000006BD2000-memory.dmp

                              Filesize

                              136KB

                              Download

                            • memory/1284-5-0x0000000005DD0000-0x0000000005E36000-memory.dmp

                              Filesize

                              408KB

                              Download

                            • memory/1284-22-0x0000000007CF0000-0x0000000008294000-memory.dmp

                              Filesize

                              5.6MB

                              Download

                            • memory/1284-1-0x0000000002D70000-0x0000000002DA6000-memory.dmp

                              Filesize

                              216KB

                              Download

                            • memory/1284-0-0x000000007437E000-0x000000007437F000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/1284-20-0x0000000006B60000-0x0000000006B7A000-memory.dmp

                              Filesize

                              104KB

                              Download

                            • memory/1284-3-0x0000000005730000-0x0000000005D58000-memory.dmp

                              Filesize

                              6.2MB

                              Download

                            • memory/1284-2-0x0000000074370000-0x0000000074B20000-memory.dmp

                              Filesize

                              7.7MB

                              Download

                            • memory/1352-64-0x0000000005A80000-0x0000000005DD4000-memory.dmp

                              Filesize

                              3.3MB

                              Download

                            • memory/1352-66-0x0000000006080000-0x00000000060CC000-memory.dmp

                              Filesize

                              304KB

                              Download

                            • memory/3332-40-0x00000000062B0000-0x00000000062F4000-memory.dmp

                              Filesize

                              272KB

                              Download

                            • memory/3332-41-0x0000000007160000-0x00000000071D6000-memory.dmp

                              Filesize

                              472KB

                              Download

                            • memory/3332-42-0x0000000007860000-0x0000000007EDA000-memory.dmp

                              Filesize

                              6.5MB

                              Download

                            • memory/3332-39-0x00000000063F0000-0x000000000643C000-memory.dmp

                              Filesize

                              304KB

                              Download

                            • memory/3332-37-0x00000000058E0000-0x0000000005C34000-memory.dmp

                              Filesize

                              3.3MB

                              Download