Analysis
-
max time kernel
90s -
max time network
98s -
platform
windows11-21h2_x64 -
resource
win11-20240802-en -
resource tags
arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system -
submitted
08-09-2024 21:51
Static task
static1
Behavioral task
behavioral1
Sample
fuck.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
fuck.exe
Resource
win10-20240611-en
Behavioral task
behavioral3
Sample
fuck.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral4
Sample
fuck.exe
Resource
win11-20240802-en
General
-
Target
fuck.exe
-
Size
480KB
-
MD5
041ab886cac2a8e2b79fc486390d5510
-
SHA1
30625cd6be8c5c2603cae540034948aa71022d97
-
SHA256
4f179bb1925c0adf5cb44697a3f0986bd17bc65de686084641ef22c0a75b0a28
-
SHA512
7aa4a6dc2c168c9b8de6ddc4f14f632f6d42017f46acc6dbb23b12969c03d9d17def89f062b4a37354691e06f227f4f4d95ef0c2f87b3b798bf58836ae10e6e4
-
SSDEEP
12288:U+En/eRuTRgPZOZUtRJbZTzPk99GstRUvo9PR0KZYEDop5k5q70zlDbjflq54GaT:ejTREtRJb9TT
Malware Config
Extracted
xehook
2.1.5 Stable
https://t.me/+w897k5UK_jIyNDgy
-
id
301
-
token
xehook301447049203312
Signatures
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Loads dropped DLL 1 IoCs
Processes:
fuck.exepid process 5112 fuck.exe -
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 4 ip-api.com -
Suspicious use of SetThreadContext 1 IoCs
Processes:
fuck.exedescription pid process target process PID 5112 set thread context of 3572 5112 fuck.exe MSBuild.exe -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
fuck.exeMSBuild.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fuck.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MSBuild.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
MSBuild.exedescription pid process Token: SeDebugPrivilege 3572 MSBuild.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
fuck.exedescription pid process target process PID 5112 wrote to memory of 3572 5112 fuck.exe MSBuild.exe PID 5112 wrote to memory of 3572 5112 fuck.exe MSBuild.exe PID 5112 wrote to memory of 3572 5112 fuck.exe MSBuild.exe PID 5112 wrote to memory of 3572 5112 fuck.exe MSBuild.exe PID 5112 wrote to memory of 3572 5112 fuck.exe MSBuild.exe PID 5112 wrote to memory of 3572 5112 fuck.exe MSBuild.exe PID 5112 wrote to memory of 3572 5112 fuck.exe MSBuild.exe PID 5112 wrote to memory of 3572 5112 fuck.exe MSBuild.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\fuck.exe"C:\Users\Admin\AppData\Local\Temp\fuck.exe"1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5112 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3572
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
435KB
MD56808936803a9eb306c723e9702c27aae
SHA10488b94bf33eaf064a0623009052e8c4bf72d256
SHA2563181c8666b3285c2640f33120931a7235c788a496145ee1b7ed47e80f32b7d87
SHA512a9bb5faf3a097264a9c817df9b7b1fa57d4a58843f468802c881d5101946769afb4691363846296ef939cc8d00cddfc8448f20829675bf912ba837a44e1178ea