Analysis
-
max time kernel
37s -
max time network
42s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
09-09-2024 16:58
Behavioral task
behavioral1
Sample
WoksiMeneg.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
WoksiMeneg.exe
Resource
win10v2004-20240802-en
General
-
Target
WoksiMeneg.exe
-
Size
303KB
-
MD5
ee725ca0f25f388656a01de2d5f222b8
-
SHA1
d67fd88ffc308db1b7f2d60ce9299191cdfdcf48
-
SHA256
638d64d65efd9ad2661bb6f33677689fc17a8b370751e7bb8ae255bc0ebba282
-
SHA512
18f3de4ffdebd550bbb40547138da3f2ad905a35bb6af3d4e862de157cd9e090218cd4b1407c69a451e8ad18afa248220e8e5aa70623cd53ff01e9148f55c504
-
SSDEEP
6144:w1E0T6MDdbICydeB1MnyCvG/9GzC6LmA1D0XoO:w1z6yCvGFG+w1DPO
Malware Config
Extracted
44caliber
https://discord.com/api/webhooks/1282656223682105405/fZzk0Hd_vZyiyOmXb8Q0ODSwm2YlkGtfF7H4LgbvREcWNQZksDAPfCAcrAdCpAx0oVA1
Signatures
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 3 freegeoip.app 4 freegeoip.app -
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 3248 WoksiMeneg.exe 3248 WoksiMeneg.exe 3248 WoksiMeneg.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 3248 WoksiMeneg.exe