Analysis
-
max time kernel
122s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
18-09-2024 09:53
Static task
static1
Behavioral task
behavioral1
Sample
3d6066fa56bb2fc7775123fc717744b49f7d48ad2b44349d1d42d5048356e437.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
3d6066fa56bb2fc7775123fc717744b49f7d48ad2b44349d1d42d5048356e437.exe
Resource
win10v2004-20240802-en
General
-
Target
3d6066fa56bb2fc7775123fc717744b49f7d48ad2b44349d1d42d5048356e437.exe
-
Size
76KB
-
MD5
7a47db5c25aaae2b0772c78f70983681
-
SHA1
d9994e6210e4ba1eaf210a43453143ed8011ef87
-
SHA256
3d6066fa56bb2fc7775123fc717744b49f7d48ad2b44349d1d42d5048356e437
-
SHA512
8c114069e1d207c86a299fcbb3120c1d22e70a9233ab05a9faf5c1dbd15cf293e54241b2a710241791942ee9ee7f46729d8d4f54ba4ac634b54b3ec7c8ddbd32
-
SSDEEP
1536:AdRlBEByBQBFDz+oBLBvOBSBlB+2xq0uEYqLIm08TIVVtDKsh6:QlBEByBQBdz+oBLBGBSBlBRxq09FvfTX
Malware Config
Signatures
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 3d6066fa56bb2fc7775123fc717744b49f7d48ad2b44349d1d42d5048356e437.exe Key opened \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 3d6066fa56bb2fc7775123fc717744b49f7d48ad2b44349d1d42d5048356e437.exe Key opened \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 3d6066fa56bb2fc7775123fc717744b49f7d48ad2b44349d1d42d5048356e437.exe -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 6 icanhazip.com 13 ip-api.com -
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe -
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3d6066fa56bb2fc7775123fc717744b49f7d48ad2b44349d1d42d5048356e437.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language chcp.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language findstr.exe -
System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs
Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.
pid Process 1052 cmd.exe 2652 netsh.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 3d6066fa56bb2fc7775123fc717744b49f7d48ad2b44349d1d42d5048356e437.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier 3d6066fa56bb2fc7775123fc717744b49f7d48ad2b44349d1d42d5048356e437.exe -
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 2104 3d6066fa56bb2fc7775123fc717744b49f7d48ad2b44349d1d42d5048356e437.exe 2104 3d6066fa56bb2fc7775123fc717744b49f7d48ad2b44349d1d42d5048356e437.exe 2104 3d6066fa56bb2fc7775123fc717744b49f7d48ad2b44349d1d42d5048356e437.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeDebugPrivilege 2104 3d6066fa56bb2fc7775123fc717744b49f7d48ad2b44349d1d42d5048356e437.exe Token: SeRestorePrivilege 496 msiexec.exe Token: SeTakeOwnershipPrivilege 496 msiexec.exe Token: SeSecurityPrivilege 496 msiexec.exe -
Suspicious use of WriteProcessMemory 16 IoCs
description pid Process procid_target PID 2104 wrote to memory of 1052 2104 3d6066fa56bb2fc7775123fc717744b49f7d48ad2b44349d1d42d5048356e437.exe 31 PID 2104 wrote to memory of 1052 2104 3d6066fa56bb2fc7775123fc717744b49f7d48ad2b44349d1d42d5048356e437.exe 31 PID 2104 wrote to memory of 1052 2104 3d6066fa56bb2fc7775123fc717744b49f7d48ad2b44349d1d42d5048356e437.exe 31 PID 2104 wrote to memory of 1052 2104 3d6066fa56bb2fc7775123fc717744b49f7d48ad2b44349d1d42d5048356e437.exe 31 PID 1052 wrote to memory of 2792 1052 cmd.exe 33 PID 1052 wrote to memory of 2792 1052 cmd.exe 33 PID 1052 wrote to memory of 2792 1052 cmd.exe 33 PID 1052 wrote to memory of 2792 1052 cmd.exe 33 PID 1052 wrote to memory of 2652 1052 cmd.exe 34 PID 1052 wrote to memory of 2652 1052 cmd.exe 34 PID 1052 wrote to memory of 2652 1052 cmd.exe 34 PID 1052 wrote to memory of 2652 1052 cmd.exe 34 PID 1052 wrote to memory of 2804 1052 cmd.exe 35 PID 1052 wrote to memory of 2804 1052 cmd.exe 35 PID 1052 wrote to memory of 2804 1052 cmd.exe 35 PID 1052 wrote to memory of 2804 1052 cmd.exe 35 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 3d6066fa56bb2fc7775123fc717744b49f7d48ad2b44349d1d42d5048356e437.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 3d6066fa56bb2fc7775123fc717744b49f7d48ad2b44349d1d42d5048356e437.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\3d6066fa56bb2fc7775123fc717744b49f7d48ad2b44349d1d42d5048356e437.exe"C:\Users\Admin\AppData\Local\Temp\3d6066fa56bb2fc7775123fc717744b49f7d48ad2b44349d1d42d5048356e437.exe"1⤵
- Accesses Microsoft Outlook profiles
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:2104 -
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All2⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Wi-Fi Discovery
- Suspicious use of WriteProcessMemory
PID:1052 -
C:\Windows\SysWOW64\chcp.comchcp 650013⤵
- System Location Discovery: System Language Discovery
PID:2792
-
-
C:\Windows\SysWOW64\netsh.exenetsh wlan show profile3⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Wi-Fi Discovery
PID:2652
-
-
C:\Windows\SysWOW64\findstr.exefindstr All3⤵
- System Location Discovery: System Language Discovery
PID:2804
-
-
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Suspicious use of AdjustPrivilegeToken
PID:496
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1