Analysis

  • max time kernel
    122s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64 · arch:x86 · image:win7-20240708-en · locale:en-us · os:windows7-x64 · system
  • submitted
    06-08-2024 02:34

General

  • Target

    ea0c1b448dfd94060600f75faab6f2bb929269cf1a6498859cff129353e5d7da.exe

  • Size

    3.2MB

  • MD5

    ff4188dc02e8d3dabea5b613c00d34cb

  • SHA1

    1bd4ef476c54795c28cb3acbaa44b2fbc4abc9ee

  • SHA256

    ea0c1b448dfd94060600f75faab6f2bb929269cf1a6498859cff129353e5d7da

  • SHA512

    14f0940053c2d0218e2ba325b585e20a5252ad57b29630a57607d4f70d390227148aa0bc366e4d57afc3cd7785d2e0ea9b7f9a96732a9699c346c9c3e39cc45a

  • SSDEEP

    49152:Fy6VlEbmYQ2gLOkmL35nZfmcb0Z7NANyu1DyTj9yMQoPwdCqp6aIrM1SI2ChbMTt:d5Okc35nlQN8y/JyQPHqp6Ribb2

Malware Config

Signatures

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious access to, or copying of, a web browser credential store.

  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and session tokens.

  • Accesses Microsoft Outlook profiles 1 TTPs 35 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of the host.

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ea0c1b448dfd94060600f75faab6f2bb929269cf1a6498859cff129353e5d7da.exe
    "C:\Users\Admin\AppData\Local\Temp\ea0c1b448dfd94060600f75faab6f2bb929269cf1a6498859cff129353e5d7da.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2076
    • C:\Users\Admin\AppData\Local\Temp\ea0c1b448dfd94060600f75faab6f2bb929269cf1a6498859cff129353e5d7da.exe
      "C:\Users\Admin\AppData\Local\Temp\ea0c1b448dfd94060600f75faab6f2bb929269cf1a6498859cff129353e5d7da.exe"
      2⤵
      • Accesses Microsoft Outlook profiles
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • outlook_office_path
      • outlook_win_path
      PID:4540
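The tree above shows two processes with the same image path: the parent (PID 2076) carries the SetThreadContext and WriteProcessMemory flags, while the Outlook profile access and process enumeration appear only in the child (PID 4540). The report does not name a technique, but that combination is what an analyst checks for when deciding whether a second instance of the sample is a self-injected stage. The script below is an added example, not part of the report or the sandbox's own tooling; it transcribes the process records from the tree and applies that correlation. The record layout, the flag sets and the `find_self_injection` function are my own; PIDs, image path and flag names are taken verbatim from the report.

```python
"""Correlate per-process sandbox flags into a self-injection finding.

Added example, not part of the sandbox report.  PIDs, image path and
flag names are from the report; the record layout is an assumption.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\ea0c1b448dfd94060600f75faab6f2bb929269cf1a6498859cff129353e5d7da.exe")


@dataclass
class Proc:
    pid: int
    ppid: Optional[int]            # None for the root of the tree
    image: str
    flags: Set[str] = field(default_factory=set)


# Transcribed from the report's process tree.
REPORT_PROCS: List[Proc] = [
    Proc(2076, None, SAMPLE, {
        "Suspicious use of SetThreadContext",
        "System Location Discovery: System Language Discovery",
        "Suspicious use of AdjustPrivilegeToken",
        "Suspicious use of WriteProcessMemory",
    }),
    Proc(4540, 2076, SAMPLE, {
        "Accesses Microsoft Outlook profiles",
        "System Location Discovery: System Language Discovery",
        "Suspicious behavior: EnumeratesProcesses",
        "Suspicious use of AdjustPrivilegeToken",
        "outlook_office_path",
        "outlook_win_path",
    }),
]

# Both flags on the parent are required: WriteProcessMemory alone is common
# in benign software; combined with SetThreadContext against a child that
# runs the parent's own image it is the pattern worth escalating.
INJECTION_FLAGS = {
    "Suspicious use of SetThreadContext",
    "Suspicious use of WriteProcessMemory",
}


def find_self_injection(procs: List[Proc]) -> List[Dict[str, object]]:
    """Return one finding per (parent, child) pair that looks like self-injection."""
    by_pid = {p.pid: p for p in procs}
    findings: List[Dict[str, object]] = []
    for child in procs:
        parent = by_pid.get(child.ppid) if child.ppid is not None else None
        if parent is None:
            continue
        same_image = parent.image.lower() == child.image.lower()
        if same_image and INJECTION_FLAGS <= parent.flags:
            findings.append({
                "parent_pid": parent.pid,
                "child_pid": child.pid,
                "image": child.image,
                # behaviour exhibited only by the child, i.e. the injected stage
                "payload_only_flags": sorted(child.flags - parent.flags),
            })
    return findings


if __name__ == "__main__":
    for f in find_self_injection(REPORT_PROCS):
        name = str(f["image"]).split("\\")[-1]
        print(f"{f['parent_pid']} -> {f['child_pid']} ({name})")
        for flag in f["payload_only_flags"]:
            print("   child-only:", flag)
```

Run against the transcribed records it yields a single finding, 2076 -> 4540, with the Outlook profile access, process enumeration and both `outlook_*_path` flags attributed to the child only. The same function applies to any sandbox or EDR export that can be reduced to (pid, ppid, image, flags) records.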

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Keorznpzskp.tmpdb

    Filesize

    148KB

    MD5

    90a1d4b55edf36fa8b4cc6974ed7d4c4

    SHA1

    aba1b8d0e05421e7df5982899f626211c3c4b5c1

    SHA256

    7cf3e9e8619904e72ea6608cc43e9b6c9f8aa2af02476f60c2b3daf33075981c

    SHA512

    ea0838be754e1258c230111900c5937d2b0788f90bbf7c5f82b2ceda7868e50afb86c301f313267eaa912778da45755560b5434885521bf915967a7863922ae2

  • C:\Users\Admin\AppData\Local\Temp\Lkkycfrlef.tmpdb

    Filesize

    92KB

    MD5

    a58d87b023e155c10b4e15fdfc6fcb06

    SHA1

    0ee449b782aeac54c0406adde543f19ecd9dfd38

    SHA256

    331b040f0bd7731b64e72a837ad86943379ff02e239c305d200108fe7e3c8c61

    SHA512

    1965574101a71a640efb135a49c4a968fd5feb328779c33936047afb2209424b44fba3a1ccdacee959ce5a016f22b49c8b42dc543476b11f83df0feb1b080eae

  • memory/2076-60-0x0000000006430000-0x00000000065CD000-memory.dmp

    Filesize

    1.6MB

  • memory/2076-1058-0x0000000073FA0000-0x000000007468E000-memory.dmp

    Filesize

    6.9MB

  • memory/2076-0-0x0000000073FAE000-0x0000000073FAF000-memory.dmp

    Filesize

    4KB

  • memory/2076-26-0x0000000006430000-0x00000000065CD000-memory.dmp

    Filesize

    1.6MB

  • memory/2076-56-0x0000000006430000-0x00000000065CD000-memory.dmp

    Filesize

    1.6MB

  • memory/2076-44-0x0000000006430000-0x00000000065CD000-memory.dmp

    Filesize

    1.6MB

  • memory/2076-42-0x0000000006430000-0x00000000065CD000-memory.dmp

    Filesize

    1.6MB

  • memory/2076-40-0x0000000006430000-0x00000000065CD000-memory.dmp

    Filesize

    1.6MB

  • memory/2076-38-0x0000000006430000-0x00000000065CD000-memory.dmp

    Filesize

    1.6MB

  • memory/2076-34-0x0000000006430000-0x00000000065CD000-memory.dmp

    Filesize

    1.6MB

  • memory/2076-32-0x0000000006430000-0x00000000065CD000-memory.dmp

    Filesize

    1.6MB

  • memory/2076-30-0x0000000006430000-0x00000000065CD000-memory.dmp

    Filesize

    1.6MB

  • memory/2076-28-0x0000000006430000-0x00000000065CD000-memory.dmp

    Filesize

    1.6MB

  • memory/2076-66-0x0000000006430000-0x00000000065CD000-memory.dmp

    Filesize

    1.6MB

  • memory/2076-62-0x0000000006430000-0x00000000065CD000-memory.dmp

    Filesize

    1.6MB

  • memory/2076-54-0x0000000006430000-0x00000000065CD000-memory.dmp

    Filesize

    1.6MB

  • memory/2076-46-0x0000000006430000-0x00000000065CD000-memory.dmp

    Filesize

    1.6MB

  • memory/2076-36-0x0000000006430000-0x00000000065CD000-memory.dmp

    Filesize

    1.6MB

  • memory/2076-5-0x0000000006430000-0x00000000065CD000-memory.dmp

    Filesize

    1.6MB

  • memory/2076-1043-0x00000000008E0000-0x0000000000934000-memory.dmp

    Filesize

    336KB

  • memory/2076-1042-0x0000000000610000-0x000000000065C000-memory.dmp

    Filesize

    304KB

  • memory/2076-1041-0x00000000069A0000-0x0000000006AC4000-memory.dmp

    Filesize

    1.1MB

  • memory/2076-68-0x0000000006430000-0x00000000065CD000-memory.dmp

    Filesize

    1.6MB

  • memory/2076-64-0x0000000006430000-0x00000000065CD000-memory.dmp

    Filesize

    1.6MB

  • memory/2076-4-0x0000000006430000-0x00000000065D4000-memory.dmp

    Filesize

    1.6MB

  • memory/2076-3-0x0000000004EC0000-0x0000000005200000-memory.dmp

    Filesize

    3.2MB

  • memory/2076-58-0x0000000006430000-0x00000000065CD000-memory.dmp

    Filesize

    1.6MB

  • memory/2076-52-0x0000000006430000-0x00000000065CD000-memory.dmp

    Filesize

    1.6MB

  • memory/2076-50-0x0000000006430000-0x00000000065CD000-memory.dmp

    Filesize

    1.6MB

  • memory/2076-48-0x0000000006430000-0x00000000065CD000-memory.dmp

    Filesize

    1.6MB

  • memory/2076-1-0x0000000000940000-0x0000000000C7E000-memory.dmp

    Filesize

    3.2MB

  • memory/2076-24-0x0000000006430000-0x00000000065CD000-memory.dmp

    Filesize

    1.6MB

  • memory/2076-22-0x0000000006430000-0x00000000065CD000-memory.dmp

    Filesize

    1.6MB

  • memory/2076-20-0x0000000006430000-0x00000000065CD000-memory.dmp

    Filesize

    1.6MB

  • memory/2076-18-0x0000000006430000-0x00000000065CD000-memory.dmp

    Filesize

    1.6MB

  • memory/2076-16-0x0000000006430000-0x00000000065CD000-memory.dmp

    Filesize

    1.6MB

  • memory/2076-14-0x0000000006430000-0x00000000065CD000-memory.dmp

    Filesize

    1.6MB

  • memory/2076-12-0x0000000006430000-0x00000000065CD000-memory.dmp

    Filesize

    1.6MB

  • memory/2076-10-0x0000000006430000-0x00000000065CD000-memory.dmp

    Filesize

    1.6MB

  • memory/2076-8-0x0000000006430000-0x00000000065CD000-memory.dmp

    Filesize

    1.6MB

  • memory/2076-6-0x0000000006430000-0x00000000065CD000-memory.dmp

    Filesize

    1.6MB

  • memory/2076-2-0x0000000073FA0000-0x000000007468E000-memory.dmp

    Filesize

    6.9MB

  • memory/4540-1059-0x0000000073FA0000-0x000000007468E000-memory.dmp

    Filesize

    6.9MB

  • memory/4540-3909-0x0000000004D70000-0x0000000004E0E000-memory.dmp

    Filesize

    632KB

  • memory/4540-3910-0x0000000005480000-0x00000000054CC000-memory.dmp

    Filesize

    304KB

  • memory/4540-3911-0x0000000000C90000-0x0000000000C9A000-memory.dmp

    Filesize

    40KB

  • memory/4540-3912-0x0000000005DB0000-0x0000000005E2A000-memory.dmp

    Filesize

    488KB

  • memory/4540-1060-0x0000000004BA0000-0x0000000004CAE000-memory.dmp

    Filesize

    1.1MB

  • memory/4540-1057-0x0000000000400000-0x00000000004D6000-memory.dmp

    Filesize

    856KB

  • memory/4540-3945-0x0000000073FA0000-0x000000007468E000-memory.dmp

    Filesize

    6.9MB
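The two `.tmpdb` files dropped under `%TEMP%` and the sample itself are the file-level indicators this report provides. The script below is an added example, not part of the report: it embeds the three SHA256 values from the page and checks a host-side inventory of (path, sha256) pairs against them, with `hash_tree()` producing such an inventory from a real directory. Because the dropped names (`Keorznpzskp`, `Lkkycfrlef`) look randomly generated, a second, weaker rule flags any `.tmpdb` file under a user's `AppData\Local\Temp`; that name-based rule is my own heuristic and will produce false positives, so treat its hits as leads rather than confirmations. The inventory format and the `CONSTRUCTED_INVENTORY` sample are assumptions.

```python
"""Match a host file inventory against the hashes listed in the report.

Added example, not part of the sandbox report.  The SHA256 values and
file names are from the report; the inventory format and the name-based
heuristic are my own.
"""
import hashlib
import os
import re
from typing import Dict, Iterable, List, Tuple

# SHA256 -> description, as listed on the report page.
IOC_SHA256: Dict[str, str] = {
    "ea0c1b448dfd94060600f75faab6f2bb929269cf1a6498859cff129353e5d7da":
        "sample ea0c1b448dfd94060600f75faab6f2bb929269cf1a6498859cff129353e5d7da.exe",
    "7cf3e9e8619904e72ea6608cc43e9b6c9f8aa2af02476f60c2b3daf33075981c":
        r"%TEMP%\Keorznpzskp.tmpdb",
    "331b040f0bd7731b64e72a837ad86943379ff02e239c305d200108fe7e3c8c61":
        r"%TEMP%\Lkkycfrlef.tmpdb",
}

# Heuristic (assumption, not from the report): any .tmpdb directly under a
# user's AppData\Local\Temp is worth a look, since the report's drops live there.
TMPDB_IN_TEMP = re.compile(r"\\AppData\\Local\\Temp\\[^\\]+\.tmpdb$", re.IGNORECASE)


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_file(path: str, chunk: int = 1 << 20) -> str:
    """SHA256 of a file, read in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def hash_tree(root: str) -> List[Tuple[str, str]]:
    """Build a (path, sha256) inventory of every readable file under root."""
    inventory: List[Tuple[str, str]] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                inventory.append((path, hash_file(path)))
            except OSError:
                continue                      # locked or unreadable file: skip, keep going
    return inventory


def match_iocs(inventory: Iterable[Tuple[str, str]]) -> List[Dict[str, str]]:
    """Return hits; an exact hash match outranks the name-based heuristic."""
    hits: List[Dict[str, str]] = []
    for path, digest in inventory:
        d = digest.lower()
        if d in IOC_SHA256:
            hits.append({"path": path, "sha256": d, "match": "hash", "ioc": IOC_SHA256[d]})
        elif TMPDB_IN_TEMP.search(path):
            hits.append({"path": path, "sha256": d, "match": "name",
                         "ioc": "*.tmpdb under AppData\\Local\\Temp (heuristic)"})
    return hits


# Constructed inventory for an offline run: one exact hash hit taken from the
# report, one name-only hit with made-up content, one unrelated file.
CONSTRUCTED_INVENTORY: List[Tuple[str, str]] = [
    (r"C:\Users\Admin\AppData\Local\Temp\Keorznpzskp.tmpdb",
     "7cf3e9e8619904e72ea6608cc43e9b6c9f8aa2af02476f60c2b3daf33075981c"),
    (r"C:\Users\Admin\AppData\Local\Temp\Qwertyuiopa.tmpdb",
     sha256_bytes(b"constructed placeholder content")),
    (r"C:\Windows\System32\notepad.exe",
     sha256_bytes(b"constructed, not an IOC")),
]

if __name__ == "__main__":
    for hit in match_iocs(CONSTRUCTED_INVENTORY):
        print(f"[{hit['match']}] {hit['path']}  {hit['sha256'][:16]}...  {hit['ioc']}")
```

On a live host, replace `CONSTRUCTED_INVENTORY` with `hash_tree(os.path.expandvars(r"%LOCALAPPDATA%\Temp"))` or a broader root; hash the file before acting on a name-only hit, since the heuristic alone says nothing about content.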