Analysis
-
max time kernel
94s -
max time network
130s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
18-09-2024 09:53
Static task
static1
Behavioral task
behavioral1
Sample
3d6066fa56bb2fc7775123fc717744b49f7d48ad2b44349d1d42d5048356e437.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
3d6066fa56bb2fc7775123fc717744b49f7d48ad2b44349d1d42d5048356e437.exe
Resource
win10v2004-20240802-en
General
-
Target
3d6066fa56bb2fc7775123fc717744b49f7d48ad2b44349d1d42d5048356e437.exe
-
Size
76KB
-
MD5
7a47db5c25aaae2b0772c78f70983681
-
SHA1
d9994e6210e4ba1eaf210a43453143ed8011ef87
-
SHA256
3d6066fa56bb2fc7775123fc717744b49f7d48ad2b44349d1d42d5048356e437
-
SHA512
8c114069e1d207c86a299fcbb3120c1d22e70a9233ab05a9faf5c1dbd15cf293e54241b2a710241791942ee9ee7f46729d8d4f54ba4ac634b54b3ec7c8ddbd32
-
SSDEEP
1536:AdRlBEByBQBFDz+oBLBvOBSBlB+2xq0uEYqLIm08TIVVtDKsh6:QlBEByBQBdz+oBLBGBSBlBRxq09FvfTX
Malware Config
Signatures
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 3d6066fa56bb2fc7775123fc717744b49f7d48ad2b44349d1d42d5048356e437.exe Key opened \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 3d6066fa56bb2fc7775123fc717744b49f7d48ad2b44349d1d42d5048356e437.exe Key opened \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 3d6066fa56bb2fc7775123fc717744b49f7d48ad2b44349d1d42d5048356e437.exe -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 17 icanhazip.com 32 ip-api.com -
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe -
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3d6066fa56bb2fc7775123fc717744b49f7d48ad2b44349d1d42d5048356e437.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language chcp.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language findstr.exe -
System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs
Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.
pid Process 3168 cmd.exe 1960 netsh.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 3d6066fa56bb2fc7775123fc717744b49f7d48ad2b44349d1d42d5048356e437.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier 3d6066fa56bb2fc7775123fc717744b49f7d48ad2b44349d1d42d5048356e437.exe -
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 3956 3d6066fa56bb2fc7775123fc717744b49f7d48ad2b44349d1d42d5048356e437.exe 3956 3d6066fa56bb2fc7775123fc717744b49f7d48ad2b44349d1d42d5048356e437.exe 3956 3d6066fa56bb2fc7775123fc717744b49f7d48ad2b44349d1d42d5048356e437.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 3956 3d6066fa56bb2fc7775123fc717744b49f7d48ad2b44349d1d42d5048356e437.exe Token: SeSecurityPrivilege 208 msiexec.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 3956 wrote to memory of 3168 3956 3d6066fa56bb2fc7775123fc717744b49f7d48ad2b44349d1d42d5048356e437.exe 87 PID 3956 wrote to memory of 3168 3956 3d6066fa56bb2fc7775123fc717744b49f7d48ad2b44349d1d42d5048356e437.exe 87 PID 3956 wrote to memory of 3168 3956 3d6066fa56bb2fc7775123fc717744b49f7d48ad2b44349d1d42d5048356e437.exe 87 PID 3168 wrote to memory of 2004 3168 cmd.exe 90 PID 3168 wrote to memory of 2004 3168 cmd.exe 90 PID 3168 wrote to memory of 2004 3168 cmd.exe 90 PID 3168 wrote to memory of 1960 3168 cmd.exe 91 PID 3168 wrote to memory of 1960 3168 cmd.exe 91 PID 3168 wrote to memory of 1960 3168 cmd.exe 91 PID 3168 wrote to memory of 2216 3168 cmd.exe 92 PID 3168 wrote to memory of 2216 3168 cmd.exe 92 PID 3168 wrote to memory of 2216 3168 cmd.exe 92 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 3d6066fa56bb2fc7775123fc717744b49f7d48ad2b44349d1d42d5048356e437.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 3d6066fa56bb2fc7775123fc717744b49f7d48ad2b44349d1d42d5048356e437.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\3d6066fa56bb2fc7775123fc717744b49f7d48ad2b44349d1d42d5048356e437.exe"C:\Users\Admin\AppData\Local\Temp\3d6066fa56bb2fc7775123fc717744b49f7d48ad2b44349d1d42d5048356e437.exe"1⤵
- Accesses Microsoft Outlook profiles
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:3956 -
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All2⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Wi-Fi Discovery
- Suspicious use of WriteProcessMemory
PID:3168 -
C:\Windows\SysWOW64\chcp.comchcp 650013⤵
- System Location Discovery: System Language Discovery
PID:2004
-
-
C:\Windows\SysWOW64\netsh.exenetsh wlan show profile3⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Wi-Fi Discovery
PID:1960
-
-
C:\Windows\SysWOW64\findstr.exefindstr All3⤵
- System Location Discovery: System Language Discovery
PID:2216
-
-
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Suspicious use of AdjustPrivilegeToken
PID:208
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1