Analysis
max time kernel: 122s
max time network: 123s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 23-09-2024 21:04
Behavioral task behavioral1: sample 123.exe, resource win7-20240903-en
Behavioral task behavioral2: sample 123.exe, resource win10v2004-20240802-en
General
Target: 123.exe
Size: 8.2MB
MD5: f675e62581b09ecb840416233c8460bc
SHA1: b7a42ed4a3f13d13905d910f02147d8bdc040b2b
SHA256: b4fed30b7d5c533ae1a553607630badbdc10aeacb612ff996e919d014bc2313c
SHA512: 3bebe82737757c606356cab8877aa7ece5304f7eebbff1695bc4f20502e981d9ce4551ad3492f7c5580bd06d94cd63cd70a8706d24e73ae52e55e38f0f9b9a8a
SSDEEP: 196608:ZEI9eJx7jQ/b7NuD4VuRS79tcM6vJKjJQQcrgUEr0NFMx3BWhp6D:ZEI9eXQ/b7NuD4VuRS79tczvJJQcrPEL
Malware Config
Extracted
Family: stealc
Botnet: benjiworld9
C2: http://5.188.86.71
url_path: /05feb00efef399f8.php
Signatures

Detects HijackLoader (aka IDAT Loader) - 3 IoCs
resource | yara_rule
behavioral1/memory/276-3-0x0000000000400000-0x0000000000C48000-memory.dmp | family_hijackloader
behavioral1/memory/276-2-0x0000000000400000-0x0000000000C48000-memory.dmp | family_hijackloader
behavioral1/memory/276-6-0x0000000000400000-0x0000000000C48000-memory.dmp | family_hijackloader

HijackLoader
HijackLoader is a multistage loader first seen in 2023.

Deletes itself - 1 IoCs
pid | Process
2052 | cmd.exe

Suspicious use of SetThreadContext - 1 IoCs
description | pid | Process | procid_target
PID 276 set thread context of 2052 | 276 | 123.exe | 31
Enumerates physical storage devices - 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery - 1 TTPs, 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 123.exe
Suspicious behavior: EnumeratesProcesses - 6 IoCs
pid | Process
276 | 123.exe
276 | 123.exe
276 | 123.exe
276 | 123.exe
2052 | cmd.exe
2052 | cmd.exe

Suspicious behavior: MapViewOfSection - 2 IoCs
pid | Process
276 | 123.exe
2052 | cmd.exe

Suspicious use of WriteProcessMemory - 10 IoCs
description | pid | Process | procid_target
PID 276 wrote to memory of 2052 | 276 | 123.exe | 31
PID 276 wrote to memory of 2052 | 276 | 123.exe | 31
PID 276 wrote to memory of 2052 | 276 | 123.exe | 31
PID 276 wrote to memory of 2052 | 276 | 123.exe | 31
PID 276 wrote to memory of 2052 | 276 | 123.exe | 31
PID 2052 wrote to memory of 2824 | 2052 | cmd.exe | 33
PID 2052 wrote to memory of 2824 | 2052 | cmd.exe | 33
PID 2052 wrote to memory of 2824 | 2052 | cmd.exe | 33
PID 2052 wrote to memory of 2824 | 2052 | cmd.exe | 33
PID 2052 wrote to memory of 2824 | 2052 | cmd.exe | 33
Processes

1. C:\Users\Admin\AppData\Local\Temp\123.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\123.exe"
   PID: 276
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious behavior: MapViewOfSection
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\cmd.exe (child of PID 276)
      Command line: C:\Windows\SysWOW64\cmd.exe
      PID: 2052
      - Deletes itself
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\explorer.exe (child of PID 2052)
         Command line: C:\Windows\SysWOW64\explorer.exe
         PID: 2824
         - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 909KB
MD5: 86c7f9c12fada37f33f67936fd0f85f7
SHA1: d9c96e819fb73f83e9b399bfd4ff7cb11c673248
SHA256: 4f75559116040c39f18e9e5319eb75ebe0c0122745557a10a29cfe95c6779e5c
SHA512: 54c63f777a7c6992ea91f94541740ecb3fed9c60b26f970c69047fb1eeaec0f4c96c856c827cac8d52c221aebb3595abcf65390b8a740ad46548137ce12684d0