Analysis
-
max time kernel
95s -
max time network
96s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
12-09-2024 19:46
Static task
static1
Behavioral task
behavioral1
Sample
041ab886cac2a8e2b79fc486390d5510N.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
041ab886cac2a8e2b79fc486390d5510N.exe
Resource
win10v2004-20240802-en
General
-
Target
041ab886cac2a8e2b79fc486390d5510N.exe
-
Size
480KB
-
MD5
041ab886cac2a8e2b79fc486390d5510
-
SHA1
30625cd6be8c5c2603cae540034948aa71022d97
-
SHA256
4f179bb1925c0adf5cb44697a3f0986bd17bc65de686084641ef22c0a75b0a28
-
SHA512
7aa4a6dc2c168c9b8de6ddc4f14f632f6d42017f46acc6dbb23b12969c03d9d17def89f062b4a37354691e06f227f4f4d95ef0c2f87b3b798bf58836ae10e6e4
-
SSDEEP
12288:U+En/eRuTRgPZOZUtRJbZTzPk99GstRUvo9PR0KZYEDop5k5q70zlDbjflq54GaT:ejTREtRJb9TT
Malware Config
Extracted
xehook
2.1.5 Stable
https://t.me/+w897k5UK_jIyNDgy
-
id
301
-
token
xehook301447049203312
Signatures
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Loads dropped DLL 1 IoCs
Processes:
041ab886cac2a8e2b79fc486390d5510N.exepid Process 232 041ab886cac2a8e2b79fc486390d5510N.exe -
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 12 ip-api.com -
Suspicious use of SetThreadContext 1 IoCs
Processes:
041ab886cac2a8e2b79fc486390d5510N.exedescription pid Process procid_target PID 232 set thread context of 2620 232 041ab886cac2a8e2b79fc486390d5510N.exe 86 -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
041ab886cac2a8e2b79fc486390d5510N.exeMSBuild.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 041ab886cac2a8e2b79fc486390d5510N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MSBuild.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
MSBuild.exedescription pid Process Token: SeDebugPrivilege 2620 MSBuild.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
041ab886cac2a8e2b79fc486390d5510N.exedescription pid Process procid_target PID 232 wrote to memory of 2620 232 041ab886cac2a8e2b79fc486390d5510N.exe 86 PID 232 wrote to memory of 2620 232 041ab886cac2a8e2b79fc486390d5510N.exe 86 PID 232 wrote to memory of 2620 232 041ab886cac2a8e2b79fc486390d5510N.exe 86 PID 232 wrote to memory of 2620 232 041ab886cac2a8e2b79fc486390d5510N.exe 86 PID 232 wrote to memory of 2620 232 041ab886cac2a8e2b79fc486390d5510N.exe 86 PID 232 wrote to memory of 2620 232 041ab886cac2a8e2b79fc486390d5510N.exe 86 PID 232 wrote to memory of 2620 232 041ab886cac2a8e2b79fc486390d5510N.exe 86 PID 232 wrote to memory of 2620 232 041ab886cac2a8e2b79fc486390d5510N.exe 86
Processes
-
C:\Users\Admin\AppData\Local\Temp\041ab886cac2a8e2b79fc486390d5510N.exe"C:\Users\Admin\AppData\Local\Temp\041ab886cac2a8e2b79fc486390d5510N.exe"1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:232 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2620
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
435KB
MD56808936803a9eb306c723e9702c27aae
SHA10488b94bf33eaf064a0623009052e8c4bf72d256
SHA2563181c8666b3285c2640f33120931a7235c788a496145ee1b7ed47e80f32b7d87
SHA512a9bb5faf3a097264a9c817df9b7b1fa57d4a58843f468802c881d5101946769afb4691363846296ef939cc8d00cddfc8448f20829675bf912ba837a44e1178ea