Analysis
-
max time kernel
23s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
04-08-2024 17:46
Behavioral task
behavioral1
Sample
execute.exe
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
execute.exe
Resource
win10v2004-20240802-en
General
-
Target
execute.exe
-
Size
303KB
-
MD5
7cfe3e4a9b6da9b158ebf7e0d1ab9945
-
SHA1
a238ffedd893f57dcfcd70fff18c37aef9fd416e
-
SHA256
cdcad2a6891cfaa9635c0718f3344280f8d02a78611bd6ca234e8bf22603613c
-
SHA512
006ef6f83b13afddf814226f00ddba4580f74939c9a051b9537bbe352cb213e4c366548927363f573d04bad69520c3b843b466fb86f700d2e9ef9caf2d33dd4b
-
SSDEEP
6144:9v9T6MDdbICydeBhbvsGfSDpbwko6jmA1D0Zi6:9vLFsGfSNsjY1DT6
Malware Config
Extracted
44caliber
https://discord.com/api/webhooks/1264290240290361368/HDo7Noqy1EZnwf2Slhpj8GKIwaCmP_A66Af1DGldm_aCLel95CQQWcTbmmU_vwpsIMZr
Signatures
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 2 freegeoip.app -
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 2660 execute.exe 2660 execute.exe 2660 execute.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2660 execute.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 2660 wrote to memory of 2928 2660 execute.exe 30 PID 2660 wrote to memory of 2928 2660 execute.exe 30 PID 2660 wrote to memory of 2928 2660 execute.exe 30
Processes
-
C:\Users\Admin\AppData\Local\Temp\execute.exe"C:\Users\Admin\AppData\Local\Temp\execute.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2660 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2660 -s 10922⤵PID:2928
-