Analysis
-
max time kernel
91s -
max time network
142s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
10-10-2024 00:31
Static task
static1
Behavioral task
behavioral1
Sample
ad4f601be8e0069f4db65b7d19d066e0a58705f6a70dd4fc2982ab0de1021952.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
ad4f601be8e0069f4db65b7d19d066e0a58705f6a70dd4fc2982ab0de1021952.exe
Resource
win10v2004-20241007-en
General
-
Target
ad4f601be8e0069f4db65b7d19d066e0a58705f6a70dd4fc2982ab0de1021952.exe
-
Size
580KB
-
MD5
618cde762459c080282d9074bdf7f6f8
-
SHA1
b4a1fa65153e4ecbe505d6e16fee69e51cd0c58c
-
SHA256
ad4f601be8e0069f4db65b7d19d066e0a58705f6a70dd4fc2982ab0de1021952
-
SHA512
0edc45b0b6b4ce06bdd603470c2fe70f5b7493957fa74d1c2bf5802d8f4dd377842d1d73ae686c608165f470434bf894538f7ef422faa0c897d948282df07b81
-
SSDEEP
12288:2aNNTd2p3eZmbtueoiM4TGzqSB3VuVbfrJ/79gUkvjM5a5HGmgZq6:2eTd2pwmbQ9ibWFanavsaxGxk6
Malware Config
Extracted
gurcu
https://api.telegram.org/bot6778517563:AAHWX9Uu5kbGG8tbi2AVnm_iK8s3bKlnB3M/sendDocumen
Signatures
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 4812 powershell.exe 2344 powershell.exe -
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation ad4f601be8e0069f4db65b7d19d066e0a58705f6a70dd4fc2982ab0de1021952.exe Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation wscript.exe Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation file.exe -
Executes dropped EXE 1 IoCs
pid Process 5060 file.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\file = "C:\\Users\\Admin\\AppData\\Local\\Temp\\D5BF.tmp\\file.exe" file.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 17 ip-api.com -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ad4f601be8e0069f4db65b7d19d066e0a58705f6a70dd4fc2982ab0de1021952.exe -
Modifies registry class 5 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\ms-settings\shell file.exe Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\ms-settings\shell\open file.exe Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\ms-settings\shell\open\command\ file.exe Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\ms-settings\shell\open\command file.exe Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\ms-settings file.exe -
Suspicious behavior: EnumeratesProcesses 31 IoCs
pid Process 2344 powershell.exe 4812 powershell.exe 4812 powershell.exe 2344 powershell.exe 5060 file.exe 5060 file.exe 5060 file.exe 5060 file.exe 5060 file.exe 5060 file.exe 5060 file.exe 5060 file.exe 5060 file.exe 5060 file.exe 5060 file.exe 5060 file.exe 5060 file.exe 5060 file.exe 5060 file.exe 5060 file.exe 5060 file.exe 5060 file.exe 5060 file.exe 5060 file.exe 5060 file.exe 5060 file.exe 5060 file.exe 5060 file.exe 5060 file.exe 5060 file.exe 5060 file.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 5060 file.exe Token: SeDebugPrivilege 2344 powershell.exe Token: SeDebugPrivilege 4812 powershell.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 2892 wrote to memory of 1748 2892 ad4f601be8e0069f4db65b7d19d066e0a58705f6a70dd4fc2982ab0de1021952.exe 87 PID 2892 wrote to memory of 1748 2892 ad4f601be8e0069f4db65b7d19d066e0a58705f6a70dd4fc2982ab0de1021952.exe 87 PID 1748 wrote to memory of 5060 1748 wscript.exe 90 PID 1748 wrote to memory of 5060 1748 wscript.exe 90 PID 5060 wrote to memory of 4000 5060 file.exe 91 PID 5060 wrote to memory of 4000 5060 file.exe 91 PID 5060 wrote to memory of 4668 5060 file.exe 93 PID 5060 wrote to memory of 4668 5060 file.exe 93 PID 4000 wrote to memory of 4812 4000 cmd.exe 95 PID 4000 wrote to memory of 4812 4000 cmd.exe 95 PID 4668 wrote to memory of 2344 4668 cmd.exe 96 PID 4668 wrote to memory of 2344 4668 cmd.exe 96
Processes
-
C:\Users\Admin\AppData\Local\Temp\ad4f601be8e0069f4db65b7d19d066e0a58705f6a70dd4fc2982ab0de1021952.exe"C:\Users\Admin\AppData\Local\Temp\ad4f601be8e0069f4db65b7d19d066e0a58705f6a70dd4fc2982ab0de1021952.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2892 -
C:\Windows\system32\wscript.exe"C:\Windows\sysnative\wscript.exe" C:\Users\Admin\AppData\Local\Temp\D5BF.tmp\D5C0.tmp\D5C1.vbs //Nologo2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1748 -
C:\Users\Admin\AppData\Local\Temp\D5BF.tmp\file.exe"C:\Users\Admin\AppData\Local\Temp\D5BF.tmp\file.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5060 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\D5BF.tmp\file.exe & exit4⤵
- Suspicious use of WriteProcessMemory
PID:4000 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\D5BF.tmp\file.exe5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4812
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit4⤵
- Suspicious use of WriteProcessMemory
PID:4668 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2344
-
-
-
-
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵PID:3500
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
3Credentials In Files
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
993KB
MD55a868260808a671876a72a2bcbe51330
SHA109bdee7ba0a95ccb489c2af57abde901a9a18a69
SHA256423ec3c214f5ce0db6b53c254f480aeee4eb4691404f77405fbb54617d2c047f
SHA512e00f2fee3927a9ef4bd1dec4d480c64bd338ee6bb42ce3c7869962b60ff4052a5dfa9e9fa25c6b6c18ef52cbc7a25c95b7dc868ff80f0873f495cd99b7ea37f6
-
Filesize
136KB
MD5bab3cb62cebe3a18436fa8a60bc32754
SHA198fca3544509c24d7647f2aca85e021774a93663
SHA2569a2251cd0659f32759f589124a0aec75a046d3137fcb3138dacd87c087d38768
SHA51271805cb421dba13f1869382507f1ac1c1fdf0017ed65512430ca65fc711721bcf1c5eb0743a3d846e35fa8c10fd547a329b08539eff68aabff81fdec773be703
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82