Analysis
-
max time kernel
149s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
10-10-2024 00:34
Static task
static1
Behavioral task
behavioral1
Sample
ad4f601be8e0069f4db65b7d19d066e0a58705f6a70dd4fc2982ab0de1021952.exe
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
ad4f601be8e0069f4db65b7d19d066e0a58705f6a70dd4fc2982ab0de1021952.exe
Resource
win10v2004-20241007-en
General
-
Target
ad4f601be8e0069f4db65b7d19d066e0a58705f6a70dd4fc2982ab0de1021952.exe
-
Size
580KB
-
MD5
618cde762459c080282d9074bdf7f6f8
-
SHA1
b4a1fa65153e4ecbe505d6e16fee69e51cd0c58c
-
SHA256
ad4f601be8e0069f4db65b7d19d066e0a58705f6a70dd4fc2982ab0de1021952
-
SHA512
0edc45b0b6b4ce06bdd603470c2fe70f5b7493957fa74d1c2bf5802d8f4dd377842d1d73ae686c608165f470434bf894538f7ef422faa0c897d948282df07b81
-
SSDEEP
12288:2aNNTd2p3eZmbtueoiM4TGzqSB3VuVbfrJ/79gUkvjM5a5HGmgZq6:2eTd2pwmbQ9ibWFanavsaxGxk6
Malware Config
Extracted
gurcu
https://api.telegram.org/bot6778517563:AAHWX9Uu5kbGG8tbi2AVnm_iK8s3bKlnB3M/sendDocumen
Signatures
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 2356 powershell.exe 2624 powershell.exe -
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation ad4f601be8e0069f4db65b7d19d066e0a58705f6a70dd4fc2982ab0de1021952.exe Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation wscript.exe Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation file.exe -
Executes dropped EXE 1 IoCs
pid Process 1736 file.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\file = "C:\\Users\\Admin\\AppData\\Local\\Temp\\B258.tmp\\file.exe" file.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 17 ip-api.com -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ad4f601be8e0069f4db65b7d19d066e0a58705f6a70dd4fc2982ab0de1021952.exe -
Modifies registry class 5 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\ms-settings file.exe Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\ms-settings\shell file.exe Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\ms-settings\shell\open file.exe Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\ms-settings\shell\open\command\ file.exe Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\ms-settings\shell\open\command file.exe -
Suspicious behavior: EnumeratesProcesses 30 IoCs
pid Process 2624 powershell.exe 2356 powershell.exe 2356 powershell.exe 2624 powershell.exe 1736 file.exe 1736 file.exe 1736 file.exe 1736 file.exe 1736 file.exe 1736 file.exe 1736 file.exe 1736 file.exe 1736 file.exe 1736 file.exe 1736 file.exe 1736 file.exe 1736 file.exe 1736 file.exe 1736 file.exe 1736 file.exe 1736 file.exe 1736 file.exe 1736 file.exe 1736 file.exe 1736 file.exe 1736 file.exe 1736 file.exe 1736 file.exe 1736 file.exe 1736 file.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 1736 file.exe Token: SeDebugPrivilege 2356 powershell.exe Token: SeDebugPrivilege 2624 powershell.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 4468 wrote to memory of 3104 4468 ad4f601be8e0069f4db65b7d19d066e0a58705f6a70dd4fc2982ab0de1021952.exe 85 PID 4468 wrote to memory of 3104 4468 ad4f601be8e0069f4db65b7d19d066e0a58705f6a70dd4fc2982ab0de1021952.exe 85 PID 3104 wrote to memory of 1736 3104 wscript.exe 88 PID 3104 wrote to memory of 1736 3104 wscript.exe 88 PID 1736 wrote to memory of 3348 1736 file.exe 89 PID 1736 wrote to memory of 3348 1736 file.exe 89 PID 1736 wrote to memory of 1888 1736 file.exe 91 PID 1736 wrote to memory of 1888 1736 file.exe 91 PID 3348 wrote to memory of 2356 3348 cmd.exe 93 PID 3348 wrote to memory of 2356 3348 cmd.exe 93 PID 1888 wrote to memory of 2624 1888 cmd.exe 94 PID 1888 wrote to memory of 2624 1888 cmd.exe 94
Processes
-
C:\Users\Admin\AppData\Local\Temp\ad4f601be8e0069f4db65b7d19d066e0a58705f6a70dd4fc2982ab0de1021952.exe"C:\Users\Admin\AppData\Local\Temp\ad4f601be8e0069f4db65b7d19d066e0a58705f6a70dd4fc2982ab0de1021952.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4468 -
C:\Windows\system32\wscript.exe"C:\Windows\sysnative\wscript.exe" C:\Users\Admin\AppData\Local\Temp\B258.tmp\B259.tmp\B25A.vbs //Nologo2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3104 -
C:\Users\Admin\AppData\Local\Temp\B258.tmp\file.exe"C:\Users\Admin\AppData\Local\Temp\B258.tmp\file.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1736 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\B258.tmp\file.exe & exit4⤵
- Suspicious use of WriteProcessMemory
PID:3348 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\B258.tmp\file.exe5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2356
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit4⤵
- Suspicious use of WriteProcessMemory
PID:1888 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2624
-
-
-
-
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵PID:3568
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
3Credentials In Files
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
64B
MD5d8b9a260789a22d72263ef3bb119108c
SHA1376a9bd48726f422679f2cd65003442c0b6f6dd5
SHA256d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc
SHA512550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b
-
Filesize
993KB
MD55a868260808a671876a72a2bcbe51330
SHA109bdee7ba0a95ccb489c2af57abde901a9a18a69
SHA256423ec3c214f5ce0db6b53c254f480aeee4eb4691404f77405fbb54617d2c047f
SHA512e00f2fee3927a9ef4bd1dec4d480c64bd338ee6bb42ce3c7869962b60ff4052a5dfa9e9fa25c6b6c18ef52cbc7a25c95b7dc868ff80f0873f495cd99b7ea37f6
-
Filesize
136KB
MD5bab3cb62cebe3a18436fa8a60bc32754
SHA198fca3544509c24d7647f2aca85e021774a93663
SHA2569a2251cd0659f32759f589124a0aec75a046d3137fcb3138dacd87c087d38768
SHA51271805cb421dba13f1869382507f1ac1c1fdf0017ed65512430ca65fc711721bcf1c5eb0743a3d846e35fa8c10fd547a329b08539eff68aabff81fdec773be703
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82