Overview

overview

10

Static

static

3

winprofile

windows7-x64

10

winprofile

windows10-1703-x64

8

Analysis

  • max time kernel
    298s
  • max time network
    298s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    14-06-2024 00:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    dfe4ef2a64994387cd195d13c7fb123e53e7741a16a09a5d32d74ef16f032e68.exe

  • Size

    5.5MB

  • MD5

    04a37e41e24d0ad8e500007a84f8547b

  • SHA1

    e10758ab7f52698278c919557f22454a8db36197

  • SHA256

    dfe4ef2a64994387cd195d13c7fb123e53e7741a16a09a5d32d74ef16f032e68

  • SHA512

    25970ff89b29479b12e4b886bd55dc2a2d9e603020cb08f92a177be3458deec86ebfd2b4b0fba71a18bc35a63c8081c4fb7bddd69dfb5897f081181168c5cf94

  • SSDEEP

    98304:aLneSU1WBwQe5qHiFUuM2i3I22xBme3sANiAuGItbKRnGYEGngBKdUzvJA:aLneSFad5qfsxPFeuRTO0KdA

Score
10/10
collectionevasionexecutionspyware

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Loads dropped DLL 14 IoCs
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs
    collection
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Checks processor information in registry 2 TTPs 18 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 40 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\dfe4ef2a64994387cd195d13c7fb123e53e7741a16a09a5d32d74ef16f032e68.exe
    "C:\Users\Admin\AppData\Local\Temp\dfe4ef2a64994387cd195d13c7fb123e53e7741a16a09a5d32d74ef16f032e68.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2452
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2440
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
        3⤵
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2044
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Loads dropped DLL
      • Accesses Microsoft Outlook accounts
      • Accesses Microsoft Outlook profiles
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      • outlook_office_path
      • outlook_win_path
      PID:2260
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2936

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

1
T1564

Hidden Files and Directories

1
T1564.001

Modify Registry

1
T1112

Credential Access

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Query Registry

2
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

2
T1082

Lateral Movement

Collection

Email Collection

2
T1114

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Rrerhsoi
    Filesize

    46KB

    MD5

    b13fcb3223116f6eec60be9143cae98b

    SHA1

    9a9eb6da6d8e008a51e6ce6212c49bfbe7cb3c88

    SHA256

    961fc9bf866c5b58401d3c91735f9a7b7b4fc93c94038c504c965491f622b52b

    SHA512

    89d72b893acd2ec537b3c3deffcc71d1ce02211f9f5b931c561625ee7162052b511e46d4b4596c0a715e1c992310f2536ebdd512db400eeab23c8960ec4d312d

    Download Submit
  • \Program Files\Mozilla Firefox\firefox.exe
    Filesize

    654KB

    MD5

    1fd347ee17287e9c9532c46a49c4abc4

    SHA1

    ad5d9599030bfbcc828c4321fffd7b9066369393

    SHA256

    912373af6f3c176b7e0a71c986d6288f76f5be80de7c9a580b110690271e9237

    SHA512

    9e52622077e805fcff2c6fe510524bf9ca7246da9ef42843041e82ced28b59163a2729335139df9e2d2a4c748ed56471bb053f337655a77d2d0976370f07acf4

    Download Submit
  • memory/2044-55-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2044-76-0x0000000000400000-0x0000000000466000-memory.dmp
    Filesize

    408KB

    Download
  • memory/2044-77-0x0000000000400000-0x0000000000466000-memory.dmp
    Filesize

    408KB

    Download
  • memory/2044-75-0x0000000000400000-0x0000000000466000-memory.dmp
    Filesize

    408KB

    Download
  • memory/2044-48-0x0000000000400000-0x0000000000466000-memory.dmp
    Filesize

    408KB

    Download
  • memory/2044-49-0x0000000000400000-0x0000000000466000-memory.dmp
    Filesize

    408KB

    Download
  • memory/2044-51-0x0000000000400000-0x0000000000466000-memory.dmp
    Filesize

    408KB

    Download
  • memory/2044-54-0x0000000000400000-0x0000000000466000-memory.dmp
    Filesize

    408KB

    Download
  • memory/2260-66-0x0000000063280000-0x00000000634BE000-memory.dmp
    Filesize

    2.2MB

    Download
  • memory/2260-72-0x00000000029B0000-0x0000000002ED1000-memory.dmp
    Filesize

    5.1MB

    Download
  • memory/2260-142-0x0000000000400000-0x0000000000798000-memory.dmp
    Filesize

    3.6MB

    Download
  • memory/2260-83-0x00000000029B0000-0x0000000002ED1000-memory.dmp
    Filesize

    5.1MB

    Download
  • memory/2260-82-0x00000000029B0000-0x0000000002ED1000-memory.dmp
    Filesize

    5.1MB

    Download
  • memory/2260-81-0x00000000029B0000-0x0000000002ED1000-memory.dmp
    Filesize

    5.1MB

    Download
  • memory/2260-74-0x00000000029B0000-0x0000000002ED1000-memory.dmp
    Filesize

    5.1MB

    Download
  • memory/2260-68-0x00000000029B0000-0x0000000002ED1000-memory.dmp
    Filesize

    5.1MB

    Download
  • memory/2260-70-0x00000000029B0000-0x0000000002ED1000-memory.dmp
    Filesize

    5.1MB

    Download
  • memory/2260-73-0x00000000029B0000-0x0000000002ED1000-memory.dmp
    Filesize

    5.1MB

    Download
  • memory/2260-26-0x0000000000400000-0x0000000000798000-memory.dmp
    Filesize

    3.6MB

    Download
  • memory/2260-30-0x0000000000400000-0x0000000000798000-memory.dmp
    Filesize

    3.6MB

    Download
  • memory/2260-34-0x0000000000400000-0x0000000000798000-memory.dmp
    Filesize

    3.6MB

    Download
  • memory/2260-38-0x0000000000400000-0x0000000000798000-memory.dmp
    Filesize

    3.6MB

    Download
  • memory/2260-28-0x0000000000400000-0x0000000000798000-memory.dmp
    Filesize

    3.6MB

    Download
  • memory/2260-32-0x0000000000400000-0x0000000000798000-memory.dmp
    Filesize

    3.6MB

    Download
  • memory/2260-36-0x0000000000400000-0x0000000000798000-memory.dmp
    Filesize

    3.6MB

    Download
  • memory/2260-44-0x0000000000400000-0x0000000000798000-memory.dmp
    Filesize

    3.6MB

    Download
  • memory/2260-42-0x0000000000400000-0x0000000000798000-memory.dmp
    Filesize

    3.6MB

    Download
  • memory/2260-40-0x0000000000400000-0x0000000000798000-memory.dmp
    Filesize

    3.6MB

    Download
  • memory/2260-71-0x00000000029B0000-0x0000000002ED1000-memory.dmp
    Filesize

    5.1MB

    Download
  • memory/2260-67-0x000000006E600000-0x000000006E69D000-memory.dmp
    Filesize

    628KB

    Download
  • memory/2260-65-0x00000000029B0000-0x0000000002ED1000-memory.dmp
    Filesize

    5.1MB

    Download
  • memory/2260-64-0x0000000000400000-0x0000000000798000-memory.dmp
    Filesize

    3.6MB

    Download
  • memory/2260-62-0x0000000000400000-0x0000000000798000-memory.dmp
    Filesize

    3.6MB

    Download
  • memory/2260-61-0x0000000000400000-0x0000000000798000-memory.dmp
    Filesize

    3.6MB

    Download
  • memory/2260-60-0x0000000000400000-0x0000000000798000-memory.dmp
    Filesize

    3.6MB

    Download
  • memory/2440-24-0x00000000744C0000-0x0000000074BAE000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2440-19-0x0000000000400000-0x00000000004C0000-memory.dmp
    Filesize

    768KB

    Download
  • memory/2440-59-0x00000000744C0000-0x0000000074BAE000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2440-17-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2440-23-0x0000000000400000-0x00000000004C0000-memory.dmp
    Filesize

    768KB

    Download
  • memory/2440-13-0x0000000000400000-0x00000000004C0000-memory.dmp
    Filesize

    768KB

    Download
  • memory/2440-9-0x0000000000400000-0x00000000004C0000-memory.dmp
    Filesize

    768KB

    Download
  • memory/2440-21-0x0000000000400000-0x00000000004C0000-memory.dmp
    Filesize

    768KB

    Download
  • memory/2440-58-0x00000000744C0000-0x0000000074BAE000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2440-57-0x00000000744C0000-0x0000000074BAE000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2440-15-0x0000000000400000-0x00000000004C0000-memory.dmp
    Filesize

    768KB

    Download
  • memory/2440-25-0x00000000744C0000-0x0000000074BAE000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2440-78-0x00000000744C0000-0x0000000074BAE000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2440-11-0x0000000000400000-0x00000000004C0000-memory.dmp
    Filesize

    768KB

    Download
  • memory/2452-63-0x00000000744C0000-0x0000000074BAE000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2452-5-0x00000000744C0000-0x0000000074BAE000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2452-6-0x0000000004470000-0x000000000448A000-memory.dmp
    Filesize

    104KB

    Download
  • memory/2452-4-0x00000000744CE000-0x00000000744CF000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2452-3-0x00000000059C0000-0x0000000005A04000-memory.dmp
    Filesize

    272KB

    Download
  • memory/2452-0-0x00000000744CE000-0x00000000744CF000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2452-18-0x00000000744C0000-0x0000000074BAE000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2452-8-0x00000000744C0000-0x0000000074BAE000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2452-2-0x00000000744C0000-0x0000000074BAE000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2452-1-0x0000000000230000-0x00000000007C0000-memory.dmp
    Filesize

    5.6MB

    Download
  • memory/2452-7-0x00000000044A0000-0x00000000044A6000-memory.dmp
    Filesize

    24KB

    Download