Analysis
-
max time kernel
118s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
19-08-2024 01:11
Static task
static1
Behavioral task
behavioral1
Sample
1771c4e6e34fda6a68c7b1d980cc3dffbe587c651f985bf7235c6af9a8904fd3.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
1771c4e6e34fda6a68c7b1d980cc3dffbe587c651f985bf7235c6af9a8904fd3.exe
Resource
win10v2004-20240802-en
General
-
Target
1771c4e6e34fda6a68c7b1d980cc3dffbe587c651f985bf7235c6af9a8904fd3.exe
-
Size
278KB
-
MD5
92ae7a1286d992e104c0072f639941f7
-
SHA1
d2c0fe4e7e9df1b4a9a4cd69e3167003e51c73b2
-
SHA256
1771c4e6e34fda6a68c7b1d980cc3dffbe587c651f985bf7235c6af9a8904fd3
-
SHA512
bed93d1e09f576c52b231046cbf9a4ef81ebb2f68eaa6fc7b0eea889418e5f3af440fef5da55882b5535f26d994fdd34c288ba62e7fb033f5bd372cf752bb62b
-
SSDEEP
6144:S7iHIcfYlXolTFsr91vzWmUuNTuBjEKz7nwWYcEZoSNDyaN9b/7:FPYJolZsr9kjuNTuVFfnwHYSNGOb/7
Malware Config
Signatures
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Deletes itself 1 IoCs
Processes:
cmd.exepid process 2556 cmd.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
1771c4e6e34fda6a68c7b1d980cc3dffbe587c651f985bf7235c6af9a8904fd3.execmd.exePING.EXEdescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1771c4e6e34fda6a68c7b1d980cc3dffbe587c651f985bf7235c6af9a8904fd3.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
Processes:
cmd.exePING.EXEpid process 2556 cmd.exe 840 PING.EXE -
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
1771c4e6e34fda6a68c7b1d980cc3dffbe587c651f985bf7235c6af9a8904fd3.execmd.exedescription pid process target process PID 2656 wrote to memory of 2556 2656 1771c4e6e34fda6a68c7b1d980cc3dffbe587c651f985bf7235c6af9a8904fd3.exe cmd.exe PID 2656 wrote to memory of 2556 2656 1771c4e6e34fda6a68c7b1d980cc3dffbe587c651f985bf7235c6af9a8904fd3.exe cmd.exe PID 2656 wrote to memory of 2556 2656 1771c4e6e34fda6a68c7b1d980cc3dffbe587c651f985bf7235c6af9a8904fd3.exe cmd.exe PID 2656 wrote to memory of 2556 2656 1771c4e6e34fda6a68c7b1d980cc3dffbe587c651f985bf7235c6af9a8904fd3.exe cmd.exe PID 2556 wrote to memory of 840 2556 cmd.exe PING.EXE PID 2556 wrote to memory of 840 2556 cmd.exe PING.EXE PID 2556 wrote to memory of 840 2556 cmd.exe PING.EXE PID 2556 wrote to memory of 840 2556 cmd.exe PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\1771c4e6e34fda6a68c7b1d980cc3dffbe587c651f985bf7235c6af9a8904fd3.exe"C:\Users\Admin\AppData\Local\Temp\1771c4e6e34fda6a68c7b1d980cc3dffbe587c651f985bf7235c6af9a8904fd3.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2656 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c ping google.com && erase C:\Users\Admin\AppData\Local\Temp\1771c4e6e34fda6a68c7b1d980cc3dffbe587c651f985bf7235c6af9a8904fd3.exe2⤵
- Deletes itself
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:2556 -
C:\Windows\SysWOW64\PING.EXEping google.com3⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:840
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
3Credentials In Files
2Credentials in Registry
1