Overview
overview
10Static
static
3IT01879020...df.exe
windows7-x64
10IT01879020...df.exe
windows10-2004-x64
8$PLUGINSDI...ge.dll
windows7-x64
1$PLUGINSDI...ge.dll
windows10-2004-x64
1$PLUGINSDI...fo.dll
windows7-x64
3$PLUGINSDI...fo.dll
windows10-2004-x64
3$PLUGINSDI...gs.dll
windows7-x64
3$PLUGINSDI...gs.dll
windows10-2004-x64
3General
-
Target
IT01879020517_uGIim_xml·pdf.exe
-
Size
494KB
-
Sample
240712-jczgmawepd
-
MD5
a4ada4d174edbc7a29ab1989d365cb08
-
SHA1
a8a5785534b6a05c0fda182ecad4c324c5255b31
-
SHA256
054a14f915649b7812d6677bdc110a078570d23417c8fcd96dcf67f7546a4bba
-
SHA512
5a1b2fa6e8dfd1c9eb1c76767cdb0d588b658bb00d1c644d5995d7af1024d497bdfea1ee095d7a86ee80f90d6a0dbfb8f4e7216ef5b07ba4c3a118057d269896
-
SSDEEP
12288:R0Nwzz8LtOAbgfIEYD0qoLjfZTU2V2kkN/4zY9U3Bbv:fzzSOAbP50BLrJU2Vn2/UR7
Static task
static1
Behavioral task
behavioral1
Sample
IT01879020517_uGIim_xml·pdf.exe
Resource
win7-20240705-en
Behavioral task
behavioral2
Sample
IT01879020517_uGIim_xml·pdf.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral3
Sample
$PLUGINSDIR/BgImage.dll
Resource
win7-20240708-en
Behavioral task
behavioral4
Sample
$PLUGINSDIR/BgImage.dll
Resource
win10v2004-20240709-en
Behavioral task
behavioral5
Sample
$PLUGINSDIR/UserInfo.dll
Resource
win7-20240704-en
Behavioral task
behavioral6
Sample
$PLUGINSDIR/UserInfo.dll
Resource
win10v2004-20240704-en
Behavioral task
behavioral7
Sample
$PLUGINSDIR/nsDialogs.dll
Resource
win7-20240708-en
Behavioral task
behavioral8
Sample
$PLUGINSDIR/nsDialogs.dll
Resource
win10v2004-20240709-en
Malware Config
Targets
-
-
Target
IT01879020517_uGIim_xml·pdf.exe
-
Size
494KB
-
MD5
a4ada4d174edbc7a29ab1989d365cb08
-
SHA1
a8a5785534b6a05c0fda182ecad4c324c5255b31
-
SHA256
054a14f915649b7812d6677bdc110a078570d23417c8fcd96dcf67f7546a4bba
-
SHA512
5a1b2fa6e8dfd1c9eb1c76767cdb0d588b658bb00d1c644d5995d7af1024d497bdfea1ee095d7a86ee80f90d6a0dbfb8f4e7216ef5b07ba4c3a118057d269896
-
SSDEEP
12288:R0Nwzz8LtOAbgfIEYD0qoLjfZTU2V2kkN/4zY9U3Bbv:fzzSOAbP50BLrJU2Vn2/UR7
-
Detected Nirsoft tools
Free utilities often used by attackers which can steal passwords, product keys, etc.
-
NirSoft MailPassView
Password recovery tool for various email clients
-
NirSoft WebBrowserPassView
Password recovery tool for various web browsers
-
Blocklisted process makes network request
-
Loads dropped DLL
-
Accesses Microsoft Outlook accounts
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
Suspicious use of NtCreateThreadExHideFromDebugger
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
-
-
Target
$PLUGINSDIR/BgImage.dll
-
Size
7KB
-
MD5
521df745a41f0b8164ffd01717cacbba
-
SHA1
dc7a9eacfbeb1fae52091da5e80db6cb1b6bce74
-
SHA256
dbf91707fa157603bea025a6411cdcb497ab11262c9c18b14dc431a45aa17c0b
-
SHA512
c5b1ba062872a8f534e2f0eac57fc3c0d8be9cda79605d86566d67260ba5477444a0ddfed1838b4fb14c677e5342c8419a88fcd38147dbaa36ac1f9e00c52bbe
-
SSDEEP
96:8eZ0AKTIfv7QCUsthvNL85s4lk38Eb3CDfvEh8uLzqk4jnLiEQjJ3KxkP:tXBfjbUA/85q3wEh8uLmVLpmP
Score1/10 -
-
-
Target
$PLUGINSDIR/UserInfo.dll
-
Size
4KB
-
MD5
acbda33dd5700c122e2fe48e3d4351fd
-
SHA1
2c154baf7c64052ee712b7cdf9c36b7697dd3fc8
-
SHA256
943b33829f9013e4d361482a5c8981ba20a7155c78691dbe02a8f8cd2a02efa0
-
SHA512
d090adf65a74ac5b910b18bb67e989714335e7b4778cd771cff154d7186351a1bebbc7103cca849bdfa2709c991947ffff6c1d8fdf16a74f4dfb614bce3ff6fd
Score3/10 -
-
-
Target
$PLUGINSDIR/nsDialogs.dll
-
Size
9KB
-
MD5
1c8b2b40c642e8b5a5b3ff102796fb37
-
SHA1
3245f55afac50f775eb53fd6d14abb7fe523393d
-
SHA256
8780095aa2f49725388cddf00d79a74e85c9c4863b366f55c39c606a5fb8440c
-
SHA512
4ff2dc83f640933162ec8818bb1bf3b3be1183264750946a3d949d2e7068ee606277b6c840193ef2b4663952387f07f6ab12c84c4a11cae9a8de7bd4e7971c57
-
SSDEEP
96:o2DlD3cd51V1zL7xqEscxM2DjDf3GEst+Nt+jvcx4T8qndYv0PLE:o2p34z/x3sREskpx4dO0PLE
Score3/10 -
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1