Analysis
-
max time kernel
140s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
19-08-2024 16:41
Static task
static1
Behavioral task
behavioral1
Sample
nyen2eabmfb.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
nyen2eabmfb.exe
Resource
win10v2004-20240802-en
General
-
Target
nyen2eabmfb.exe
-
Size
1.3MB
-
MD5
7ce622cc13886a55bfce9bcc088c8dc6
-
SHA1
6aa21ea3cbd05b2727c2f7cd5328532d617c0dd0
-
SHA256
994d73477a5e2a22bf00a7898bc2b8ad784ec844bc27dbc43c3aa5576d3ec397
-
SHA512
d824d400f0663b3c7ad2a81a4fc449b78d1a01e97517168245716d2b454c7fc4e1bbc09af56a9913462626184a5db0b6f65ce77f2d5eb1ed39c5ed3bb505efad
-
SSDEEP
24576:fF6kcnUDuwg5tW2l8Ye01R7E/k3vy8OKtlm0PDwVOt3PAThh9qAM:0Lnw69lLeOhbq+GOt3PO5dM
Malware Config
Extracted
44caliber
https://discord.com/api/webhooks/1274462328603148298/RG8TQ5NOTPK7lllW9DXds8Z7Vj68QWZX7Duc-LfDNeqa_HouSEGlNyNzsrVH6EfQxrh8
Signatures
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Executes dropped EXE 1 IoCs
pid Process 2516 Insidious_protected.exe -
Loads dropped DLL 9 IoCs
pid Process 2696 nyen2eabmfb.exe 2696 nyen2eabmfb.exe 2696 nyen2eabmfb.exe 2696 nyen2eabmfb.exe 2648 WerFault.exe 2648 WerFault.exe 2648 WerFault.exe 2648 WerFault.exe 2648 WerFault.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid Process 2516 Insidious_protected.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid pid_target Process procid_target 2648 2516 WerFault.exe 30 -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nyen2eabmfb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Insidious_protected.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 2516 Insidious_protected.exe 2516 Insidious_protected.exe 2516 Insidious_protected.exe 2516 Insidious_protected.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2516 Insidious_protected.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2516 Insidious_protected.exe -
Suspicious use of WriteProcessMemory 14 IoCs
description pid Process procid_target PID 2696 wrote to memory of 2516 2696 nyen2eabmfb.exe 30 PID 2696 wrote to memory of 2516 2696 nyen2eabmfb.exe 30 PID 2696 wrote to memory of 2516 2696 nyen2eabmfb.exe 30 PID 2696 wrote to memory of 2516 2696 nyen2eabmfb.exe 30 PID 2696 wrote to memory of 2516 2696 nyen2eabmfb.exe 30 PID 2696 wrote to memory of 2516 2696 nyen2eabmfb.exe 30 PID 2696 wrote to memory of 2516 2696 nyen2eabmfb.exe 30 PID 2516 wrote to memory of 2648 2516 Insidious_protected.exe 31 PID 2516 wrote to memory of 2648 2516 Insidious_protected.exe 31 PID 2516 wrote to memory of 2648 2516 Insidious_protected.exe 31 PID 2516 wrote to memory of 2648 2516 Insidious_protected.exe 31 PID 2516 wrote to memory of 2648 2516 Insidious_protected.exe 31 PID 2516 wrote to memory of 2648 2516 Insidious_protected.exe 31 PID 2516 wrote to memory of 2648 2516 Insidious_protected.exe 31
Processes
-
C:\Users\Admin\AppData\Local\Temp\nyen2eabmfb.exe"C:\Users\Admin\AppData\Local\Temp\nyen2eabmfb.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2696 -
C:\Users\Admin\AppData\Local\Temp\Insidious_protected.exe"C:\Users\Admin\AppData\Local\Temp\Insidious_protected.exe"2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2516 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2516 -s 12083⤵
- Loads dropped DLL
- Program crash
PID:2648
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
105B
MD52e9d094dda5cdc3ce6519f75943a4ff4
SHA15d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7
-
Filesize
1.2MB
MD5d9ccde3b728fba6d6e3f1b92c75a11a8
SHA1b0bbe87ae7519b5d6dcd7f6282e891922971942d
SHA256d5a18b44a40e9bc1952bce6e187b81926ffd358aa5ebe95921cde2b9a72b172f
SHA512738f1b568009a6df2fcaf2f1c8aba6aee91b4a66474e095d6e483b72ebf1d5309d33908dd1531407a69520b657bdfa75c6b3eda796c20bf1542b632030e58db4