Analysis
-
max time kernel
93s -
max time network
97s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
06-10-2024 19:42
Static task
static1
Behavioral task
behavioral1
Sample
3a418c405775b28492716a0522b4a327b31ed31697109031c4bc3b1222fe1410.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
3a418c405775b28492716a0522b4a327b31ed31697109031c4bc3b1222fe1410.exe
Resource
win10v2004-20240802-en
General
-
Target
3a418c405775b28492716a0522b4a327b31ed31697109031c4bc3b1222fe1410.exe
-
Size
368KB
-
MD5
f258b2b6ffa6756d5f445b1b62685142
-
SHA1
0c8de6923e6481bd63052539f296dc3b16038a85
-
SHA256
3a418c405775b28492716a0522b4a327b31ed31697109031c4bc3b1222fe1410
-
SHA512
2a3822658e7a40b5f311066a7d687896eaa4cbea5b5469482bd86201b803bb6008af1a8b09fc50cd178e18b0a6e793540d3afdd0c9ef35e0f4ca2509db254a78
-
SSDEEP
6144:Ex2oxysMCtUkokSjQhmocTA5QeT4j2tm9o3pXlBVB4wmhA5MKsEB62z:ExPoB0z5Qm4+XlBVB4wmhA5MKsEB62
Malware Config
Extracted
xehook
2.1.5 Stable
https://t.me/+w897k5UK_jIyNDgy
-
id
185
-
token
xehook185936398232728
Signatures
-
Loads dropped DLL 1 IoCs
Processes:
3a418c405775b28492716a0522b4a327b31ed31697109031c4bc3b1222fe1410.exepid Process 3068 3a418c405775b28492716a0522b4a327b31ed31697109031c4bc3b1222fe1410.exe -
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 20 ip-api.com -
Suspicious use of SetThreadContext 1 IoCs
Processes:
3a418c405775b28492716a0522b4a327b31ed31697109031c4bc3b1222fe1410.exedescription pid Process procid_target PID 3068 set thread context of 4848 3068 3a418c405775b28492716a0522b4a327b31ed31697109031c4bc3b1222fe1410.exe 85 -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
3a418c405775b28492716a0522b4a327b31ed31697109031c4bc3b1222fe1410.exeMSBuild.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3a418c405775b28492716a0522b4a327b31ed31697109031c4bc3b1222fe1410.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MSBuild.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
MSBuild.exedescription pid Process Token: SeDebugPrivilege 4848 MSBuild.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
3a418c405775b28492716a0522b4a327b31ed31697109031c4bc3b1222fe1410.exedescription pid Process procid_target PID 3068 wrote to memory of 4848 3068 3a418c405775b28492716a0522b4a327b31ed31697109031c4bc3b1222fe1410.exe 85 PID 3068 wrote to memory of 4848 3068 3a418c405775b28492716a0522b4a327b31ed31697109031c4bc3b1222fe1410.exe 85 PID 3068 wrote to memory of 4848 3068 3a418c405775b28492716a0522b4a327b31ed31697109031c4bc3b1222fe1410.exe 85 PID 3068 wrote to memory of 4848 3068 3a418c405775b28492716a0522b4a327b31ed31697109031c4bc3b1222fe1410.exe 85 PID 3068 wrote to memory of 4848 3068 3a418c405775b28492716a0522b4a327b31ed31697109031c4bc3b1222fe1410.exe 85 PID 3068 wrote to memory of 4848 3068 3a418c405775b28492716a0522b4a327b31ed31697109031c4bc3b1222fe1410.exe 85 PID 3068 wrote to memory of 4848 3068 3a418c405775b28492716a0522b4a327b31ed31697109031c4bc3b1222fe1410.exe 85 PID 3068 wrote to memory of 4848 3068 3a418c405775b28492716a0522b4a327b31ed31697109031c4bc3b1222fe1410.exe 85
Processes
-
C:\Users\Admin\AppData\Local\Temp\3a418c405775b28492716a0522b4a327b31ed31697109031c4bc3b1222fe1410.exe"C:\Users\Admin\AppData\Local\Temp\3a418c405775b28492716a0522b4a327b31ed31697109031c4bc3b1222fe1410.exe"1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3068 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4848
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
440KB
MD52144bb21dc2b6e249c1675491b460b3a
SHA144c677eac532eff35258c5891303592168aba822
SHA256a34b2bc8a33eca8bfbb35e62558f2d1cda6cef50dc3e0894b62339d53225d495
SHA5127b8fcc13bfa2ad80954b97b930c61f866ce31b6b90bc0032acb65d42d4124e2bec98791763e6d532fdb281728a8de49d65ddb74b3983a3328848b00b0225c605