Analysis
-
max time kernel
121s -
max time network
127s -
platform
windows7_x64 -
resource
win7-20240611-en -
resource tags
arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system -
submitted
16-06-2024 02:38
Behavioral task
behavioral1
Sample
b134607a248dfe314215ffab39636416dab92d791314f667dbcf9e9c5932d26e.exe
Resource
win7-20240611-en
General
-
Target
b134607a248dfe314215ffab39636416dab92d791314f667dbcf9e9c5932d26e.exe
-
Size
149KB
-
MD5
ee3b16d7188ad9b08cb1cbe52708b134
-
SHA1
946ec3b88c7eb1442512cd1ba450b05132e48dc6
-
SHA256
b134607a248dfe314215ffab39636416dab92d791314f667dbcf9e9c5932d26e
-
SHA512
2c1272dd493ff6361dcadfbbffc39aaa8c84a3a7b925597de0fa12381c045307943e7bb3827b5c22709c2be010c2d0e1036c79c5f933c58ee05acabb672ab542
-
SSDEEP
3072:vOWXtBuFND5H/QUszPu4bk5GB2fu3/X9e5FuZl1yotj3ZzQ2pw22sIq/L:vh9BuFND5H/QUszPrFBeuZl1yotj3Zzw
Malware Config
Signatures
-
Detect Xehook Payload 1 IoCs
Processes:
resource yara_rule behavioral1/memory/1724-1-0x0000000000950000-0x000000000097C000-memory.dmp family_xehook -
Deletes itself 1 IoCs
Processes:
cmd.exepid process 2604 cmd.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 4 ip-api.com -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
b134607a248dfe314215ffab39636416dab92d791314f667dbcf9e9c5932d26e.exedescription pid process Token: SeDebugPrivilege 1724 b134607a248dfe314215ffab39636416dab92d791314f667dbcf9e9c5932d26e.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
b134607a248dfe314215ffab39636416dab92d791314f667dbcf9e9c5932d26e.execmd.exedescription pid process target process PID 1724 wrote to memory of 2604 1724 b134607a248dfe314215ffab39636416dab92d791314f667dbcf9e9c5932d26e.exe cmd.exe PID 1724 wrote to memory of 2604 1724 b134607a248dfe314215ffab39636416dab92d791314f667dbcf9e9c5932d26e.exe cmd.exe PID 1724 wrote to memory of 2604 1724 b134607a248dfe314215ffab39636416dab92d791314f667dbcf9e9c5932d26e.exe cmd.exe PID 2604 wrote to memory of 2708 2604 cmd.exe PING.EXE PID 2604 wrote to memory of 2708 2604 cmd.exe PING.EXE PID 2604 wrote to memory of 2708 2604 cmd.exe PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\b134607a248dfe314215ffab39636416dab92d791314f667dbcf9e9c5932d26e.exe"C:\Users\Admin\AppData\Local\Temp\b134607a248dfe314215ffab39636416dab92d791314f667dbcf9e9c5932d26e.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1724 -
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\delete.bat" "2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:2604 -
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 23⤵
- Runs ping.exe
PID:2708
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
200B
MD5feee1759dda2bec5f505a2822ab15861
SHA1179963b1437fcf2ceb4ff7220ed1e04e8ca40259
SHA256b3c757fc656f50f9468eef860bc915cda1f3d2ca753902aa93ca9bcb4f7ecdae
SHA5121bad72b628575af2aa7ebdedee2fb73668afd0baea2f7bb7b77ef1237ac4119d0cb47746376b10c55f8a2c94e6eb45712f8e6d752b673be87ce4d06bc8bf08cd