Analysis
-
max time kernel
97s -
max time network
98s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
15-09-2024 01:09
Behavioral task
behavioral1
Sample
38957fb3708884f1a8befb0c17b0fa81f57005a5de058772cc12bf357c548eab.exe
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
38957fb3708884f1a8befb0c17b0fa81f57005a5de058772cc12bf357c548eab.exe
Resource
win10v2004-20240802-en
General
-
Target
38957fb3708884f1a8befb0c17b0fa81f57005a5de058772cc12bf357c548eab.exe
-
Size
274KB
-
MD5
c0feb087f1cfa85fdb001e059f4c95c7
-
SHA1
1d9ab2eb37f85bea36f3e6ded442154181c96964
-
SHA256
38957fb3708884f1a8befb0c17b0fa81f57005a5de058772cc12bf357c548eab
-
SHA512
99d641dcebec431d905b83ea89b5b5fadd5c029215345834b604aeca23d25d236bbbe65c2d3179ad9d7597764d1791d9cfd18b3dc2d463acda6e1e72b6159a50
-
SSDEEP
6144:cf+BLtABPDsth6Ej/UZkI4TjkRy5fafTy4lI1D080T:vtK+I4TjkRyTF1DcT
Malware Config
Extracted
44caliber
https://discord.com/api/webhooks/1280107935317495880/Q8mmvXU6Bc1Q-R-2e0aAMsbedaMqyt0txCOBc8XSsTRNeUIepUtoX2DE4a6MxP9SzEFB
Signatures
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 4 freegeoip.app 3 freegeoip.app -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 38957fb3708884f1a8befb0c17b0fa81f57005a5de058772cc12bf357c548eab.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier 38957fb3708884f1a8befb0c17b0fa81f57005a5de058772cc12bf357c548eab.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 968 38957fb3708884f1a8befb0c17b0fa81f57005a5de058772cc12bf357c548eab.exe 968 38957fb3708884f1a8befb0c17b0fa81f57005a5de058772cc12bf357c548eab.exe 968 38957fb3708884f1a8befb0c17b0fa81f57005a5de058772cc12bf357c548eab.exe 968 38957fb3708884f1a8befb0c17b0fa81f57005a5de058772cc12bf357c548eab.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 968 38957fb3708884f1a8befb0c17b0fa81f57005a5de058772cc12bf357c548eab.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\38957fb3708884f1a8befb0c17b0fa81f57005a5de058772cc12bf357c548eab.exe"C:\Users\Admin\AppData\Local\Temp\38957fb3708884f1a8befb0c17b0fa81f57005a5de058772cc12bf357c548eab.exe"1⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:968
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
944B
MD5a597ed38411c95e92088a1c9902602d1
SHA16b0429a0bcd6a3e77134b0a64e3e0d3a8d9d0651
SHA256cbb565a2affdf9fdbc3359639f4c64ab803009063b90d17c440fdca3fb7bd86d
SHA512137e3b08df59f9e705fd7aa615b1be71b73ea550dde7553435d8586f3a19d9346690c9e29faafd23a73e671b3ac7491e28a68ab817fd960b1e53c3363489d770
-
Filesize
1KB
MD51d906294491bfb76cdc9cf3f78155863
SHA100c241909cef2f3af8d352572ed9fe8c97de0c01
SHA256691986fc906f9c158be4831c092f4da7f6da14b57c87cafd761b3473e2e90f69
SHA51277def6bc0c3a7e8de4ac3af9de9821b88adfa2e70b8f0078c3638cf9d8c5693f316ea59d7d4fd4c4f7d63df1270285e96daafd47c2c66e35dbd5248cf45f9fb6