Analysis
-
max time kernel
136s -
max time network
133s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
24-08-2024 09:01
Behavioral task
behavioral1
Sample
311476e365e80b02b44b55ddcf5865c4.exe
Resource
win7-20240708-en
General
-
Target
311476e365e80b02b44b55ddcf5865c4.exe
-
Size
68KB
-
MD5
311476e365e80b02b44b55ddcf5865c4
-
SHA1
d6fd497eb25234c77b2e8f672e292b5f9f760550
-
SHA256
a1e0a1c53824bb1d9d0adcaa6a8e8e2f5bef673b0981807a5775a182f28fe235
-
SHA512
70ff8f50b54df097a456689eed6c6218b2bb9d8c9e9f46c7b6e5a9dc5060eb331ba36f13cde252758b049f5b4ac498abf2d2b5c256edaf5dd7c777274e31b231
-
SSDEEP
1536:x2vMlMpCPJeGnyJDBld71oCe10yf0cCGMyo+JM4Z8L6Q3hs1:x2vMlMp8JeoyJDBlZycdGMyoYM+/D
Malware Config
Extracted
arkei
Default
Signatures
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation 311476e365e80b02b44b55ddcf5865c4.exe -
Loads dropped DLL 3 IoCs
pid Process 2200 311476e365e80b02b44b55ddcf5865c4.exe 2200 311476e365e80b02b44b55ddcf5865c4.exe 2200 311476e365e80b02b44b55ddcf5865c4.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource yara_rule behavioral2/memory/2200-0-0x0000000000400000-0x0000000000432000-memory.dmp upx behavioral2/memory/2200-44-0x0000000000400000-0x0000000000432000-memory.dmp upx behavioral2/memory/2200-46-0x0000000000400000-0x0000000000432000-memory.dmp upx behavioral2/memory/2200-70-0x0000000000400000-0x0000000000432000-memory.dmp upx -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 311476e365e80b02b44b55ddcf5865c4.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 311476e365e80b02b44b55ddcf5865c4.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString 311476e365e80b02b44b55ddcf5865c4.exe -
Delays execution with timeout.exe 1 IoCs
pid Process 2376 timeout.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 2200 wrote to memory of 4948 2200 311476e365e80b02b44b55ddcf5865c4.exe 103 PID 2200 wrote to memory of 4948 2200 311476e365e80b02b44b55ddcf5865c4.exe 103 PID 2200 wrote to memory of 4948 2200 311476e365e80b02b44b55ddcf5865c4.exe 103 PID 4948 wrote to memory of 2376 4948 cmd.exe 105 PID 4948 wrote to memory of 2376 4948 cmd.exe 105 PID 4948 wrote to memory of 2376 4948 cmd.exe 105
Processes
-
C:\Users\Admin\AppData\Local\Temp\311476e365e80b02b44b55ddcf5865c4.exe"C:\Users\Admin\AppData\Local\Temp\311476e365e80b02b44b55ddcf5865c4.exe"1⤵
- Checks computer location settings
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:2200 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\311476e365e80b02b44b55ddcf5865c4.exe" & exit2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4948 -
C:\Windows\SysWOW64\timeout.exetimeout /t 53⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:2376
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3264,i,3210801877307184477,8078594481454001567,262144 --variations-seed-version --mojo-platform-channel-handle=4608 /prefetch:81⤵PID:5100
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
2Credentials In Files
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
133KB
MD58f73c08a9660691143661bf7332c3c27
SHA137fa65dd737c50fda710fdbde89e51374d0c204a
SHA2563fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd
SHA5120042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89
-
Filesize
1.2MB
MD5bfac4e3c5908856ba17d41edcd455a51
SHA18eec7e888767aa9e4cca8ff246eb2aacb9170428
SHA256e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78
SHA5122565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66
-
Filesize
630KB
MD5e477a96c8f2b18d6b5c27bde49c990bf
SHA1e980c9bf41330d1e5bd04556db4646a0210f7409
SHA25616574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660
SHA512335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c