Analysis
max time kernel: 118s
max time network: 119s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 05-08-2024 16:41
Static task: static1
Behavioral task: behavioral1
  Sample: ff4188dc02e8d3dabea5b613c00d34cb.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: ff4188dc02e8d3dabea5b613c00d34cb.exe
  Resource: win10v2004-20240802-en
General
Target: ff4188dc02e8d3dabea5b613c00d34cb.exe
Size: 3.2MB
MD5: ff4188dc02e8d3dabea5b613c00d34cb
SHA1: 1bd4ef476c54795c28cb3acbaa44b2fbc4abc9ee
SHA256: ea0c1b448dfd94060600f75faab6f2bb929269cf1a6498859cff129353e5d7da
SHA512: 14f0940053c2d0218e2ba325b585e20a5252ad57b29630a57607d4f70d390227148aa0bc366e4d57afc3cd7785d2e0ea9b7f9a96732a9699c346c9c3e39cc45a
SSDEEP: 49152:Fy6VlEbmYQ2gLOkmL35nZfmcb0Z7NANyu1DyTj9yMQoPwdCqp6aIrM1SI2ChbMTt:d5Okc35nlQN8y/JyQPHqp6Ribb2
Malware Config
Signatures
- Credentials from Password Stores: Credentials from Web Browsers (1 TTPs)
  Malicious access to, or copying of, a web browser credential store.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials, etc.
- Accesses Microsoft Outlook profiles (1 TTPs, 35 IoCs)
- Suspicious use of SetThreadContext (2 IoCs)
  Processes:
  description                          pid   Process                               procid_target
  PID 1528 set thread context of 4528  1528  ff4188dc02e8d3dabea5b613c00d34cb.exe  31
  PID 1528 set thread context of 4564  1528  ff4188dc02e8d3dabea5b613c00d34cb.exe  32
- System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes:
  description  ioc                                                         Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ff4188dc02e8d3dabea5b613c00d34cb.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ff4188dc02e8d3dabea5b613c00d34cb.exe
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes:
  pid   Process
  1528  ff4188dc02e8d3dabea5b613c00d34cb.exe
  1528  ff4188dc02e8d3dabea5b613c00d34cb.exe
  4564  ff4188dc02e8d3dabea5b613c00d34cb.exe
  4564  ff4188dc02e8d3dabea5b613c00d34cb.exe
  4564  ff4188dc02e8d3dabea5b613c00d34cb.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
  description              pid   Process
  Token: SeDebugPrivilege  1528  ff4188dc02e8d3dabea5b613c00d34cb.exe
  Token: SeDebugPrivilege  1528  ff4188dc02e8d3dabea5b613c00d34cb.exe
  Token: SeDebugPrivilege  4564  ff4188dc02e8d3dabea5b613c00d34cb.exe
- Suspicious use of WriteProcessMemory (18 IoCs)
- outlook_office_path (1 IoCs)
  Processes:
  description  ioc  Process
  Key queried  \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  ff4188dc02e8d3dabea5b613c00d34cb.exe
- outlook_win_path (1 IoCs)
  Processes:
  description  ioc  Process
  Key queried  \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  ff4188dc02e8d3dabea5b613c00d34cb.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\ff4188dc02e8d3dabea5b613c00d34cb.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ff4188dc02e8d3dabea5b613c00d34cb.exe"
  PID: 1528
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\ff4188dc02e8d3dabea5b613c00d34cb.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\ff4188dc02e8d3dabea5b613c00d34cb.exe"
    PID: 4528
  - C:\Users\Admin\AppData\Local\Temp\ff4188dc02e8d3dabea5b613c00d34cb.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\ff4188dc02e8d3dabea5b613c00d34cb.exe"
    PID: 4564
    - Accesses Microsoft Outlook profiles
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Enterprise v15
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (2)
    Credentials In Files (1)
    Credentials in Registry (1)
Downloads
- Filesize: 148KB
  MD5: 90a1d4b55edf36fa8b4cc6974ed7d4c4
  SHA1: aba1b8d0e05421e7df5982899f626211c3c4b5c1
  SHA256: 7cf3e9e8619904e72ea6608cc43e9b6c9f8aa2af02476f60c2b3daf33075981c
  SHA512: ea0838be754e1258c230111900c5937d2b0788f90bbf7c5f82b2ceda7868e50afb86c301f313267eaa912778da45755560b5434885521bf915967a7863922ae2
- Filesize: 92KB
  MD5: 2ea63f0be3b2e943a7f51d7079dcca06
  SHA1: 3f62664b4ac4bfa59f3668f31c3b82428acd29f4
  SHA256: f6ba5e425749ce8f310fc68a6294bf02c2b867454384f5311f39dbe3826d40eb
  SHA512: 8b8d8f2642b74fd12604816d4fe8cc9449f9df38ee2f669cdd0ac740449ef63ce7e1bbefb2f62829677d8d40f4c4544d0a260e4a62e7ae4c18a3396b8c23f485