Analysis
-
max time kernel
148s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system -
submitted
16-07-2024 22:24
Behavioral task
behavioral1
Sample
Program+AV.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
Program+AV.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral3
Sample
Program+NoAV.exe
Resource
win7-20240704-en
Behavioral task
behavioral4
Sample
Program+NoAV.exe
Resource
win10v2004-20240704-en
Behavioral task
behavioral5
Sample
Program-AV.exe
Resource
win7-20240708-en
Behavioral task
behavioral6
Sample
Program-AV.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral7
Sample
Program-NoAV.exe
Resource
win7-20240708-en
Behavioral task
behavioral8
Sample
Program-NoAV.exe
Resource
win10v2004-20240709-en
General
-
Target
Program-AV.exe
-
Size
481KB
-
MD5
388081326284408e001afd75a487e7ec
-
SHA1
e2893916edaec8a1983c7f9003d8eff2092d644a
-
SHA256
b41f23e98e5fbac64219b9e40408cf5aaf7cf3b0dc3a28a91b179cdbc1d5146d
-
SHA512
18039cb21b0a37a47dc60e2185bc2d2975d25cd04ae74cf194625be8467d8609bbe09f640d16d89a0b18e2b8ee8f4fb9da96a6faefbb585ec83c0c28cfab7c44
-
SSDEEP
6144:x0jUca5+gfpUOiQLTTwBCtaJppYWH/JskNAVNeN584eeD14ootXCAlAVPg:x0Yco+gunQUBCEAWfykqVNeN24ezlAtg
Malware Config
Extracted
Protocol: smtp- Host:
smtp.gmail.com - Port:
587 - Username:
[email protected] - Password:
amirmahyarhacker
Signatures
-
Detected Nirsoft tools 6 IoCs
Free utilities often used by attackers which can steal passwords, product keys, etc.
Processes:
resource yara_rule behavioral6/memory/2352-26-0x0000000000400000-0x0000000000418000-memory.dmp Nirsoft behavioral6/memory/2652-38-0x0000000000400000-0x0000000000425000-memory.dmp Nirsoft behavioral6/memory/5856-45-0x0000000000400000-0x000000000041B000-memory.dmp Nirsoft behavioral6/memory/5136-54-0x0000000000400000-0x000000000043D000-memory.dmp Nirsoft behavioral6/memory/3104-62-0x0000000000400000-0x0000000000419000-memory.dmp Nirsoft behavioral6/memory/1496-66-0x0000000000400000-0x0000000000419000-memory.dmp Nirsoft -
Modifies Windows Firewall 2 TTPs 1 IoCs
Processes:
netsh.exepid Process 2312 netsh.exe -
Executes dropped EXE 6 IoCs
Processes:
dialup.exepasswordfox.exemspass.exeiepv.exeChromePass.exeOperaPassView.exepid Process 2352 dialup.exe 1496 passwordfox.exe 2652 mspass.exe 5856 iepv.exe 5136 ChromePass.exe 3104 OperaPassView.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
resource yara_rule behavioral6/files/0x000b0000000233b9-20.dat upx behavioral6/memory/2352-21-0x0000000000400000-0x0000000000418000-memory.dmp upx behavioral6/memory/2352-26-0x0000000000400000-0x0000000000418000-memory.dmp upx behavioral6/files/0x00080000000233ca-29.dat upx behavioral6/memory/1496-31-0x0000000000400000-0x0000000000419000-memory.dmp upx behavioral6/files/0x00080000000233cb-34.dat upx behavioral6/memory/2652-35-0x0000000000400000-0x0000000000425000-memory.dmp upx behavioral6/memory/2652-38-0x0000000000400000-0x0000000000425000-memory.dmp upx behavioral6/files/0x00080000000233cd-41.dat upx behavioral6/memory/5856-43-0x0000000000400000-0x000000000041B000-memory.dmp upx behavioral6/memory/5856-45-0x0000000000400000-0x000000000041B000-memory.dmp upx behavioral6/files/0x00080000000233d1-48.dat upx behavioral6/memory/5136-49-0x0000000000400000-0x000000000043D000-memory.dmp upx behavioral6/memory/5136-54-0x0000000000400000-0x000000000043D000-memory.dmp upx behavioral6/files/0x00080000000233d2-57.dat upx behavioral6/memory/3104-59-0x0000000000400000-0x0000000000419000-memory.dmp upx behavioral6/memory/3104-62-0x0000000000400000-0x0000000000419000-memory.dmp upx behavioral6/memory/1496-66-0x0000000000400000-0x0000000000419000-memory.dmp upx -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
Program-AV.exedescription ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Windows\\system32\\Program-AV.exe" Program-AV.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Program-AV.exe" Program-AV.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 59 whatismyip.com -
Drops file in System32 directory 2 IoCs
Processes:
Program-AV.exedescription ioc Process File created C:\Windows\system32\Program-AV.exe Program-AV.exe File opened for modification C:\Windows\system32\Program-AV.exe Program-AV.exe -
Drops file in Windows directory 1 IoCs
Processes:
Program-AV.exedescription ioc Process File opened for modification C:\Windows\FIPWTUZL7-16-2024---10-25-31---PM.gif Program-AV.exe -
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
Processes:
netsh.exedescription ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe -
Suspicious behavior: EnumeratesProcesses 14 IoCs
Processes:
Program-AV.exemspass.exepid Process 4452 Program-AV.exe 4452 Program-AV.exe 4452 Program-AV.exe 4452 Program-AV.exe 4452 Program-AV.exe 4452 Program-AV.exe 4452 Program-AV.exe 4452 Program-AV.exe 4452 Program-AV.exe 4452 Program-AV.exe 4452 Program-AV.exe 4452 Program-AV.exe 2652 mspass.exe 2652 mspass.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
Program-AV.exepid Process 4452 Program-AV.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
Program-AV.exemspass.exeiepv.exedescription pid Process Token: SeDebugPrivilege 4452 Program-AV.exe Token: SeDebugPrivilege 2652 mspass.exe Token: SeDebugPrivilege 5856 iepv.exe Token: SeRestorePrivilege 5856 iepv.exe Token: SeBackupPrivilege 5856 iepv.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
Program-AV.exepid Process 4452 Program-AV.exe -
Suspicious use of WriteProcessMemory 20 IoCs
Processes:
Program-AV.exedescription pid Process procid_target PID 4452 wrote to memory of 2312 4452 Program-AV.exe 87 PID 4452 wrote to memory of 2312 4452 Program-AV.exe 87 PID 4452 wrote to memory of 2352 4452 Program-AV.exe 102 PID 4452 wrote to memory of 2352 4452 Program-AV.exe 102 PID 4452 wrote to memory of 2352 4452 Program-AV.exe 102 PID 4452 wrote to memory of 1496 4452 Program-AV.exe 103 PID 4452 wrote to memory of 1496 4452 Program-AV.exe 103 PID 4452 wrote to memory of 1496 4452 Program-AV.exe 103 PID 4452 wrote to memory of 2652 4452 Program-AV.exe 104 PID 4452 wrote to memory of 2652 4452 Program-AV.exe 104 PID 4452 wrote to memory of 2652 4452 Program-AV.exe 104 PID 4452 wrote to memory of 5856 4452 Program-AV.exe 105 PID 4452 wrote to memory of 5856 4452 Program-AV.exe 105 PID 4452 wrote to memory of 5856 4452 Program-AV.exe 105 PID 4452 wrote to memory of 5136 4452 Program-AV.exe 106 PID 4452 wrote to memory of 5136 4452 Program-AV.exe 106 PID 4452 wrote to memory of 5136 4452 Program-AV.exe 106 PID 4452 wrote to memory of 3104 4452 Program-AV.exe 107 PID 4452 wrote to memory of 3104 4452 Program-AV.exe 107 PID 4452 wrote to memory of 3104 4452 Program-AV.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\Program-AV.exe"C:\Users\Admin\AppData\Local\Temp\Program-AV.exe"1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4452 -
C:\Windows\SYSTEM32\netsh.exe"netsh.exe" firewall set opmode disable2⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:2312
-
-
C:\Users\Admin\AppData\Local\Temp\dialup.exeC:\Users\Admin\AppData\Local\Temp\dialup.exe /stext C:\Users\Admin\AppData\Local\Temp\du.txt2⤵
- Executes dropped EXE
PID:2352
-
-
C:\Users\Admin\AppData\Local\Temp\passwordfox.exeC:\Users\Admin\AppData\Local\Temp\passwordfox.exe /stext C:\Users\Admin\AppData\Local\Temp\firefox.txt2⤵
- Executes dropped EXE
PID:1496
-
-
C:\Users\Admin\AppData\Local\Temp\mspass.exeC:\Users\Admin\AppData\Local\Temp\mspass.exe /stext C:\Users\Admin\AppData\Local\Temp\mess.txt2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2652
-
-
C:\Users\Admin\AppData\Local\Temp\iepv.exeC:\Users\Admin\AppData\Local\Temp\iepv.exe /stext C:\Users\Admin\AppData\Local\Temp\iepv.txt2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5856
-
-
C:\Users\Admin\AppData\Local\Temp\ChromePass.exeC:\Users\Admin\AppData\Local\Temp\ChromePass.exe /stext C:\Users\Admin\AppData\Local\Temp\ChromePass.txt2⤵
- Executes dropped EXE
PID:5136
-
-
C:\Users\Admin\AppData\Local\Temp\OperaPassView.exeC:\Users\Admin\AppData\Local\Temp\OperaPassView.exe /stext C:\Users\Admin\AppData\Local\Temp\OperaPassView.txt2⤵
- Executes dropped EXE
PID:3104
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
125KB
MD59b3b1c0db965166319469b2afa6c4f0c
SHA19f1e65a3056dff872949329c4e5e70c007cc5621
SHA256dbfa10a7deeb6d1ac8fd95ffeb23b87adc58e6388e522812fabe7f710e3cdd89
SHA512c11512599b83fa1875a67915a7e7454512ed8300a0a47c16692ebc1f526755c39c795fe9721dd97d417bfcb29f9e4c1f3283cf4c426af6571b3996005f7e4f5e
-
Filesize
38KB
MD537a89021ab1fbe5668c3974abc794bd4
SHA18ccaa4406f907a5a938fbb2db9d5af27092b811d
SHA2562cb9a3d9587f79a6b1cfa95020b81d7d0d3cf9aa6ebf992f3b5e4ecf19bca8a8
SHA5126eaef2c2c29eb5363a0193489dc989527e4087c61fe926efbbd8a0e3cc8b9675285a94d392ee0a906dfc109566cc144ab07166fd5b3defbfc8afd66d3fe8d1b8
-
Filesize
37KB
MD59c8872c879d0a9d82988920488370864
SHA187ff4231547462e6474c832e28831dd691d83fd4
SHA2568f576d5191721f8fdb47bb22950f43fc8f2c9cc880fe067090ed96e6fcb07a97
SHA5123c413427c46ef92a412840479896841ffd5c6eb9215b8ecc416cdbd4f8e0f2eb643ed3b7f2e18eb5710ba7c55e1cd82af6637285ee364e069503c5ecc187cb2e
-
Filesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
Filesize
42KB
MD528c110b8d0ad095131c8d06043678086
SHA1c684cf321e890e0e766a97609a4cde866156d6c5
SHA256dbc2216d5f31f5218e940e3d802998dee90eeb69af69cbeb063c69c6a5a3f1e1
SHA512065e043b76b0e1163e73f4a1c257bae793ae9b46bff1951956c2174ef91deb2528730da77aab76b9e7246d705c3b8c1d23f05dc3b161cacabf3e52d0f563c922
-
Filesize
63KB
MD5fbb93d4c91453b06414d6973152d904e
SHA14624232c5450e7e9e7ba1f2113a07f8800dc5b5f
SHA2568898b138a3f238fa985992a9d0e48f6b5865dd2cc35e08b83fa326260c510ffe
SHA5124ed926d230af576a945bdd4d9b2d4001e8036abbcf1ef9a35669823d9420b6d95b426d80384a6fd022165c1fc2485fda0e28193b99b301927236928ddfcac6f7
-
Filesize
37KB
MD5a1d6a37917dcf4471486bc5a0e725cc6
SHA15b09f10dc215078ae44f535de12630c38f3b86e3
SHA2568a06acd1158060a54d67098f07c1ff7895f799bc5834179b8aae04d28fb60e17
SHA5125798a5d85052d5c2f6b781b91a400c85bc96c0127cc4e18079bff1f17bd302dc07c0f015ddf1105621a841680057322eb0172ba06063f55d795b7b079f1d26d2