Analysis
-
max time kernel
121s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
25-08-2024 01:24
Behavioral task
behavioral1
Sample
a1e0a1c53824bb1d9d0adcaa6a8e8e2f5bef673b0981807a5775a182f28fe235.exe
Resource
win7-20240708-en
General
-
Target
a1e0a1c53824bb1d9d0adcaa6a8e8e2f5bef673b0981807a5775a182f28fe235.exe
-
Size
68KB
-
MD5
311476e365e80b02b44b55ddcf5865c4
-
SHA1
d6fd497eb25234c77b2e8f672e292b5f9f760550
-
SHA256
a1e0a1c53824bb1d9d0adcaa6a8e8e2f5bef673b0981807a5775a182f28fe235
-
SHA512
70ff8f50b54df097a456689eed6c6218b2bb9d8c9e9f46c7b6e5a9dc5060eb331ba36f13cde252758b049f5b4ac498abf2d2b5c256edaf5dd7c777274e31b231
-
SSDEEP
1536:x2vMlMpCPJeGnyJDBld71oCe10yf0cCGMyo+JM4Z8L6Q3hs1:x2vMlMp8JeoyJDBlZycdGMyoYM+/D
Malware Config
Extracted
arkei
Default
Signatures
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Downloads MZ/PE file
-
Deletes itself 1 IoCs
pid Process 2564 cmd.exe -
Loads dropped DLL 3 IoCs
pid Process 2148 a1e0a1c53824bb1d9d0adcaa6a8e8e2f5bef673b0981807a5775a182f28fe235.exe 2148 a1e0a1c53824bb1d9d0adcaa6a8e8e2f5bef673b0981807a5775a182f28fe235.exe 2148 a1e0a1c53824bb1d9d0adcaa6a8e8e2f5bef673b0981807a5775a182f28fe235.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource yara_rule behavioral1/memory/2148-0-0x0000000000400000-0x0000000000432000-memory.dmp upx behavioral1/memory/2148-1-0x0000000000400000-0x0000000000432000-memory.dmp upx behavioral1/memory/2148-53-0x0000000000400000-0x0000000000432000-memory.dmp upx -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a1e0a1c53824bb1d9d0adcaa6a8e8e2f5bef673b0981807a5775a182f28fe235.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 a1e0a1c53824bb1d9d0adcaa6a8e8e2f5bef673b0981807a5775a182f28fe235.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString a1e0a1c53824bb1d9d0adcaa6a8e8e2f5bef673b0981807a5775a182f28fe235.exe -
Delays execution with timeout.exe 1 IoCs
pid Process 2596 timeout.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 2148 wrote to memory of 2564 2148 a1e0a1c53824bb1d9d0adcaa6a8e8e2f5bef673b0981807a5775a182f28fe235.exe 32 PID 2148 wrote to memory of 2564 2148 a1e0a1c53824bb1d9d0adcaa6a8e8e2f5bef673b0981807a5775a182f28fe235.exe 32 PID 2148 wrote to memory of 2564 2148 a1e0a1c53824bb1d9d0adcaa6a8e8e2f5bef673b0981807a5775a182f28fe235.exe 32 PID 2148 wrote to memory of 2564 2148 a1e0a1c53824bb1d9d0adcaa6a8e8e2f5bef673b0981807a5775a182f28fe235.exe 32 PID 2564 wrote to memory of 2596 2564 cmd.exe 34 PID 2564 wrote to memory of 2596 2564 cmd.exe 34 PID 2564 wrote to memory of 2596 2564 cmd.exe 34 PID 2564 wrote to memory of 2596 2564 cmd.exe 34
Processes
-
C:\Users\Admin\AppData\Local\Temp\a1e0a1c53824bb1d9d0adcaa6a8e8e2f5bef673b0981807a5775a182f28fe235.exe"C:\Users\Admin\AppData\Local\Temp\a1e0a1c53824bb1d9d0adcaa6a8e8e2f5bef673b0981807a5775a182f28fe235.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:2148 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\a1e0a1c53824bb1d9d0adcaa6a8e8e2f5bef673b0981807a5775a182f28fe235.exe" & exit2⤵
- Deletes itself
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2564 -
C:\Windows\SysWOW64\timeout.exetimeout /t 53⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:2596
-
-
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
2Credentials In Files
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
133KB
MD58f73c08a9660691143661bf7332c3c27
SHA137fa65dd737c50fda710fdbde89e51374d0c204a
SHA2563fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd
SHA5120042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89
-
Filesize
1.2MB
MD5bfac4e3c5908856ba17d41edcd455a51
SHA18eec7e888767aa9e4cca8ff246eb2aacb9170428
SHA256e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78
SHA5122565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66
-
Filesize
630KB
MD5e477a96c8f2b18d6b5c27bde49c990bf
SHA1e980c9bf41330d1e5bd04556db4646a0210f7409
SHA25616574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660
SHA512335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c