Overview

overview

10

Static

static

10

1/0178b79b...bd.exe

windows11-21h2-x64

10

1/0280cde4...60.exe

windows11-21h2-x64

10

1/08b76206...65.exe

windows11-21h2-x64

10

1/0e4fc438...91.exe

windows11-21h2-x64

10

1/0fb86a8b...05.exe

windows11-21h2-x64

10

1/25898c73...8f.exe

windows11-21h2-x64

10

1/2c2e9491...3c.exe

windows11-21h2-x64

10

1/2ef0f582...2e.exe

windows11-21h2-x64

10

1/39884fc0...82.exe

windows11-21h2-x64

10

1/3a72ecec...8a.exe

windows11-21h2-x64

10

1/3bfcb4f7...71.exe

windows11-21h2-x64

10

1/4103411f...f5.exe

windows11-21h2-x64

10

1/4e0fdb84...95.exe

windows11-21h2-x64

3

1/5297372f...33.exe

windows11-21h2-x64

5

1/68292f38...e4.exe

windows11-21h2-x64

10

1/6da4696b...e5.exe

windows11-21h2-x64

7

1/7021c9cb...78.exe

windows11-21h2-x64

10

1/752f5cc5...60.exe

windows11-21h2-x64

10

1/7c7cded8...0c.exe

windows11-21h2-x64

10

1/97d29ffc...84.exe

windows11-21h2-x64

7

1/a306cc84...03.exe

windows11-21h2-x64

3

1/ae1a168f...74.exe

windows11-21h2-x64

7

1/b13f2364...d6.exe

windows11-21h2-x64

8

1/b2a1d168...9d.bat

windows11-21h2-x64

8

1/bb29aeb6...bd.exe

windows11-21h2-x64

8

1/c8e5a24a...f5.bat

windows11-21h2-x64

8

1/c9736cdc...97.exe

windows11-21h2-x64

8

1/d58780d1...a0.exe

windows11-21h2-x64

10

1/de19e016...d0.exe

windows11-21h2-x64

3

1/e886016e...51.exe

windows11-21h2-x64

10

1/f0f496ec...f4.bat

windows11-21h2-x64

8

1/f28599b0...23.exe

windows11-21h2-x64

10

Resubmissions

11-12-2024 15:32

241211-sy44nssrdm 10

09-08-2024 21:57

240809-1t1vfs1cpm 10

06-08-2024 13:01

240806-p9f97szdlm 10

06-08-2024 12:52

240806-p3672stdkg 10

06-08-2024 12:29

240806-ppa8fsygqr 10

06-08-2024 12:26

240806-pmc92ashlh 10

Analysis

  • max time kernel
    3s
  • max time network
    9s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240802-en
  • resource tags

    arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    06-08-2024 12:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1/752f5cc5a7b0f986286d09e8288c0958bc1b798477ca0d09dc2658c7ab109060.exe

  • Size

    2.2MB

  • MD5

    d35a5aff7f4b4a1d20e1495732c5ca6d

  • SHA1

    0573b56a43102c893a2a6c0ef61b870b575aeb97

  • SHA256

    752f5cc5a7b0f986286d09e8288c0958bc1b798477ca0d09dc2658c7ab109060

  • SHA512

    c49d69553aa6287cc50b2d1e94b2a56cddc8882a44dcf832ae9f93e2972d44908141da776b44569f84ed85aee187ad06fe19a0a2af8c2bc425d6146e75816f4e

  • SSDEEP

    12288:In7kekBhy2rOJFoqTrlSwkm9mQ90zsx2Hgum4Ff8jbvTfI3:FU2cTTX9990Qx2bFFfGbvzI3

Score
10/10
collectioncredential_accessdiscoveryevasionexecutionstealertrojan

Malware Config

Signatures

  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 2 IoCs
    evasiontrojan
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Windows security modification 2 TTPs 3 IoCs
    evasiontrojan
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1\752f5cc5a7b0f986286d09e8288c0958bc1b798477ca0d09dc2658c7ab109060.exe
    "C:\Users\Admin\AppData\Local\Temp\1\752f5cc5a7b0f986286d09e8288c0958bc1b798477ca0d09dc2658c7ab109060.exe"
    1⤵
    • UAC bypass
    • Windows security bypass
    • Windows security modification
    • Checks whether UAC is enabled
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:5028
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\1\752f5cc5a7b0f986286d09e8288c0958bc1b798477ca0d09dc2658c7ab109060.exe" -Force
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4504
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
      2⤵
      • Accesses Microsoft Outlook profiles
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • outlook_office_path
      • outlook_win_path
      PID:4608
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4608 -s 1444
        3⤵
        • Program crash
        PID:3356
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
      2⤵
        PID:3860
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4608 -ip 4608
      1⤵
        PID:4768

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vkzbdjcl.j5a.ps1
        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        Download Submit

      • memory/4504-19-0x00007FFA0AC50000-0x00007FFA0B712000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4504-11-0x000001C400030000-0x000001C400052000-memory.dmp

        Filesize

        136KB

        Download

      • memory/4504-22-0x00007FFA0AC50000-0x00007FFA0B712000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4504-15-0x00007FFA0AC50000-0x00007FFA0B712000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4504-16-0x00007FFA0AC50000-0x00007FFA0B712000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4608-5-0x0000000000400000-0x000000000044A000-memory.dmp

        Filesize

        296KB

        Download

      • memory/4608-18-0x0000000005620000-0x00000000056BC000-memory.dmp

        Filesize

        624KB

        Download

      • memory/4608-17-0x0000000005BD0000-0x0000000006176000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/4608-24-0x0000000006960000-0x0000000006B22000-memory.dmp

        Filesize

        1.8MB

        Download

      • memory/4608-25-0x0000000006800000-0x0000000006850000-memory.dmp

        Filesize

        320KB

        Download

      • memory/5028-1-0x000001CD322E0000-0x000001CD322FA000-memory.dmp

        Filesize

        104KB

        Download

      • memory/5028-3-0x000001CD341A0000-0x000001CD3423C000-memory.dmp

        Filesize

        624KB

        Download

      • memory/5028-4-0x00007FFA0AC50000-0x00007FFA0B712000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/5028-0-0x00007FFA0AC53000-0x00007FFA0AC55000-memory.dmp

        Filesize

        8KB

        Download

      • memory/5028-2-0x000001CD4CAC0000-0x000001CD4CADA000-memory.dmp

        Filesize

        104KB

        Download

      • memory/5028-23-0x00007FFA0AC50000-0x00007FFA0B712000-memory.dmp

        Filesize

        10.8MB

        Download