Analysis
-
max time kernel
139s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
16/10/2024, 00:36
Static task
static1
Behavioral task
behavioral1
Sample
eptfydgqkrerhxuq.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
eptfydgqkrerhxuq.exe
Resource
win10v2004-20241007-en
General
-
Target
eptfydgqkrerhxuq.exe
-
Size
2.2MB
-
MD5
c1d9f60cd95a73f8e44ea94e3aa7c0a4
-
SHA1
13ea3d0220f3a61b210731ed65e99a86d0757f4c
-
SHA256
a91d9f566a433a99e842f33931932c66b86f8c5b74b4322484e54acaa06a2cff
-
SHA512
b4dc9eacf095f3eb07e08cc782a99009e0be438f24ca79e53d8da727bfec20fbf8050e22382fb9ad44c02d956fb35447fdc5a90da46d18a71d8fa9ebecdf3f50
-
SSDEEP
24576:VnV20g3y1Nu/hZ99HKG354VTH62rtJNxlf/8D9+qNgzQJWDqVT86sSvPi9tuyU:uWohZTKi49Bff/1QQDqrsSiru
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation eptfydgqkrerhxuq.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 5 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 eptfydgqkrerhxuq.exe Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Office\12.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 eptfydgqkrerhxuq.exe Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 eptfydgqkrerhxuq.exe Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 eptfydgqkrerhxuq.exe Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 eptfydgqkrerhxuq.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 24 api.ipify.org 25 api.ipify.org -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 2300 cmd.exe 1424 PING.EXE -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 1424 PING.EXE -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 4508 eptfydgqkrerhxuq.exe 4508 eptfydgqkrerhxuq.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 4508 eptfydgqkrerhxuq.exe Token: SeImpersonatePrivilege 4508 eptfydgqkrerhxuq.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 4508 wrote to memory of 2300 4508 eptfydgqkrerhxuq.exe 102 PID 4508 wrote to memory of 2300 4508 eptfydgqkrerhxuq.exe 102 PID 2300 wrote to memory of 1424 2300 cmd.exe 104 PID 2300 wrote to memory of 1424 2300 cmd.exe 104 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 eptfydgqkrerhxuq.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 eptfydgqkrerhxuq.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\eptfydgqkrerhxuq.exe"C:\Users\Admin\AppData\Local\Temp\eptfydgqkrerhxuq.exe"1⤵
- Checks computer location settings
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:4508 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\eptfydgqkrerhxuq.exe"2⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:2300 -
C:\Windows\system32\PING.EXEping 1.1.1.1 -n 1 -w 30003⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1424
-
-
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1