Resubmissions
Date             | ID                | Score
07-09-2024 11:17 | 240907-ndvx2s1gra | 10
07-09-2024 10:21 | 240907-mdzqkayhpb | 10
07-09-2024 10:21 | 240907-mdq4esyfnl | 10
05-09-2024 22:04 | 240905-1y2bsa1clp | 10
05-09-2024 21:37 | 240905-1gl6ja1bjb | 10
16-08-2024 00:38 | 240816-azcrpsvdqe | 10
16-08-2024 00:13 | 240816-ah5fdsyapm | 10
16-08-2024 00:04 | 240816-ac4a5sxglk | 10
15-08-2024 01:57 | 240815-cc95ssydlb | 10

Analysis
max time kernel: 596s
max time network: 602s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07-09-2024 10:21
Static task static1
Behavioral task behavioral1: Sample Downloaders.zip, Resource win10v2004-20240802-en
Behavioral task behavioral2: Sample 4363463463464363463463463.zip, Resource win10v2004-20240802-en
Behavioral task behavioral3: Sample 4363463463464363463463463.exe, Resource win10v2004-20240802-en
Behavioral task behavioral4: Sample New Text Document mod.exse.zip, Resource win10v2004-20240802-en
Behavioral task behavioral5: Sample New Text Document mod.exe, Resource win10v2004-20240802-en
General
Target: New Text Document mod.exe
Size: 8KB
MD5: 69994ff2f00eeca9335ccd502198e05b
SHA1: b13a15a5bea65b711b835ce8eccd2a699a99cead
SHA256: 2e2e035ece4accdee838ecaacdc263fa526939597954d18d1320d73c8bf810c2
SHA512: ced53147894ed2dfc980bcb50767d9734ba8021f85842a53bb4bb4c502d51b4e9884f5f74c4dd2b70b53cafbe2441376675f7bd0f19bb20a3becb091a34fb9f3
SSDEEP: 96:y7ov9wc1dN1Unh3EHJ40CUJCrQt0LpCBIW12nEtgpH9GIkQYQoBNw9fnmK5iLjTv:yZyTFJfCB20LsBIW12n/eIkQ2BNg5S1
Malware Config
Extracted family: cryptbot
C2: tventyv20sb.top, analforeverlovyu.top
url_path: /v1/upload.php
Signatures

Credentials from Password Stores: Credentials from Web Browsers (1 TTPs)
Malicious access or copy of web browser credential store.

Downloads MZ/PE file

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely for geofencing.
Description | IoC | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation | New Text Document mod.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation | Channel4.exe

Executes dropped EXE (2 IoCs)
PID | Process
3180 | Channel4.exe
228 | service123.exe

Loads dropped DLL (1 IoCs)
PID | Process
228 | service123.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Description | IoC | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Channel4.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | service123.exe

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Description | IoC | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | Channel4.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | Channel4.exe

Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
PID | Process
1332 | schtasks.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
Description | PID | Process
Token: SeDebugPrivilege | 1792 | New Text Document mod.exe

Suspicious use of WriteProcessMemory (9 IoCs)
Description | PID | Process | procid_target
PID 1792 wrote to memory of 3180 | 1792 | New Text Document mod.exe | 97
PID 1792 wrote to memory of 3180 | 1792 | New Text Document mod.exe | 97
PID 1792 wrote to memory of 3180 | 1792 | New Text Document mod.exe | 97
PID 3180 wrote to memory of 228 | 3180 | Channel4.exe | 98
PID 3180 wrote to memory of 228 | 3180 | Channel4.exe | 98
PID 3180 wrote to memory of 228 | 3180 | Channel4.exe | 98
PID 3180 wrote to memory of 1332 | 3180 | Channel4.exe | 99
PID 3180 wrote to memory of 1332 | 3180 | Channel4.exe | 99
PID 3180 wrote to memory of 1332 | 3180 | Channel4.exe | 99
Processes

C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe"
  PID: 1792
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\a\Channel4.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\a\Channel4.exe"
    PID: 3180
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\service123.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\service123.exe"
      PID: 228
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\Admin\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f
      PID: 1332
      - System Location Discovery: System Language Discovery
      - Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 6.4MB
MD5: 12bba7bf40ba77b0ab322d8626dab9aa
SHA1: c3b6fab7181e78a09b8c348a0e27fec92764a21f
SHA256: da7fadc671804e093c7dcad3455a266e77d2c84b641ae037c70004daaa05b897
SHA512: 71e164b56980206e81e49cf915d5f7a62767c04fa9dc8ffa1030e3ded81ce162f3045a9376841a70533b540e7d0391419ca72862191ed2a6fa20ac3349a54ce9