Analysis
-
max time kernel
97s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
16-08-2024 15:12
Static task
static1
Behavioral task
behavioral1
Sample
1771c4e6e34fda6a68c7b1d980cc3dffbe587c651f985bf7235c6af9a8904fd3.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral2
Sample
1771c4e6e34fda6a68c7b1d980cc3dffbe587c651f985bf7235c6af9a8904fd3.exe
Resource
win11-20240802-en
General
-
Target
1771c4e6e34fda6a68c7b1d980cc3dffbe587c651f985bf7235c6af9a8904fd3.exe
-
Size
278KB
-
MD5
92ae7a1286d992e104c0072f639941f7
-
SHA1
d2c0fe4e7e9df1b4a9a4cd69e3167003e51c73b2
-
SHA256
1771c4e6e34fda6a68c7b1d980cc3dffbe587c651f985bf7235c6af9a8904fd3
-
SHA512
bed93d1e09f576c52b231046cbf9a4ef81ebb2f68eaa6fc7b0eea889418e5f3af440fef5da55882b5535f26d994fdd34c288ba62e7fb033f5bd372cf752bb62b
-
SSDEEP
6144:S7iHIcfYlXolTFsr91vzWmUuNTuBjEKz7nwWYcEZoSNDyaN9b/7:FPYJolZsr9kjuNTuVFfnwHYSNGOb/7
Malware Config
Signatures
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
1771c4e6e34fda6a68c7b1d980cc3dffbe587c651f985bf7235c6af9a8904fd3.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation 1771c4e6e34fda6a68c7b1d980cc3dffbe587c651f985bf7235c6af9a8904fd3.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 4952 1916 WerFault.exe 1771c4e6e34fda6a68c7b1d980cc3dffbe587c651f985bf7235c6af9a8904fd3.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
1771c4e6e34fda6a68c7b1d980cc3dffbe587c651f985bf7235c6af9a8904fd3.execmd.exePING.EXEdescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1771c4e6e34fda6a68c7b1d980cc3dffbe587c651f985bf7235c6af9a8904fd3.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
Processes:
cmd.exePING.EXEpid process 4292 cmd.exe 1164 PING.EXE -
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
1771c4e6e34fda6a68c7b1d980cc3dffbe587c651f985bf7235c6af9a8904fd3.execmd.exedescription pid process target process PID 1916 wrote to memory of 4292 1916 1771c4e6e34fda6a68c7b1d980cc3dffbe587c651f985bf7235c6af9a8904fd3.exe cmd.exe PID 1916 wrote to memory of 4292 1916 1771c4e6e34fda6a68c7b1d980cc3dffbe587c651f985bf7235c6af9a8904fd3.exe cmd.exe PID 1916 wrote to memory of 4292 1916 1771c4e6e34fda6a68c7b1d980cc3dffbe587c651f985bf7235c6af9a8904fd3.exe cmd.exe PID 4292 wrote to memory of 1164 4292 cmd.exe PING.EXE PID 4292 wrote to memory of 1164 4292 cmd.exe PING.EXE PID 4292 wrote to memory of 1164 4292 cmd.exe PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\1771c4e6e34fda6a68c7b1d980cc3dffbe587c651f985bf7235c6af9a8904fd3.exe"C:\Users\Admin\AppData\Local\Temp\1771c4e6e34fda6a68c7b1d980cc3dffbe587c651f985bf7235c6af9a8904fd3.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1916 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c ping google.com && erase C:\Users\Admin\AppData\Local\Temp\1771c4e6e34fda6a68c7b1d980cc3dffbe587c651f985bf7235c6af9a8904fd3.exe2⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:4292 -
C:\Windows\SysWOW64\PING.EXEping google.com3⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1164 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1916 -s 15442⤵
- Program crash
PID:4952
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1916 -ip 19161⤵PID:3528
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
3Credentials In Files
2Credentials in Registry
1