Analysis
-
max time kernel
119s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
17-10-2024 19:38
Behavioral task
behavioral1
Sample
LOLO.exe
Resource
win7-20240708-en
windows7-x64
6 signatures
150 seconds
General
-
Target
LOLO.exe
-
Size
303KB
-
MD5
087e4fc1f01e0f295ac3873ad541bf56
-
SHA1
17024ebb6f8135439a491618748ea2bf482d4b9c
-
SHA256
2c36cc0292ba8775d195d6dc9df68f45e97ba9bc2f4a35a600edb6072a46e010
-
SHA512
04d6605dd89fef1f715454610443a4212b6ea2d8ebad9041fcdad151a7f73277758573827072eccbf34470c8528c57c359593df98d161c498e7807e2938b080e
-
SSDEEP
6144:/Xt3T6MDdbICydeBimcmXKhJUPw6kmA1D0Dxp:/XttpcmXKnUo31D+p
Malware Config
Extracted
Family
44caliber
C2
https://discord.com/api/webhooks/1296484026433146951/82aR0Nt59Eb92ax2wMZUmGit_E6YL5mUsg5RulT8ws8SXcVkvKauDGcyXREEovQ9v_F5
Signatures
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 2324 LOLO.exe 2324 LOLO.exe 2324 LOLO.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2324 LOLO.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 2324 wrote to memory of 2748 2324 LOLO.exe 31 PID 2324 wrote to memory of 2748 2324 LOLO.exe 31 PID 2324 wrote to memory of 2748 2324 LOLO.exe 31
Processes
-
C:\Users\Admin\AppData\Local\Temp\LOLO.exe"C:\Users\Admin\AppData\Local\Temp\LOLO.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2324 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2324 -s 10322⤵PID:2748
-