Analysis
-
max time kernel
145s -
max time network
109s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
19-10-2024 02:05
Static task
static1
Behavioral task
behavioral1
Sample
97178f14cedd268cb8f57a8405b50c5715832050502abc75e5a94e6423ad8208.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
97178f14cedd268cb8f57a8405b50c5715832050502abc75e5a94e6423ad8208.exe
Resource
win10v2004-20241007-en
General
-
Target
97178f14cedd268cb8f57a8405b50c5715832050502abc75e5a94e6423ad8208.exe
-
Size
229KB
-
MD5
3d70a1184d7194dc0bed6dc4ecc80348
-
SHA1
8691090e023f61cecb33803d55f3dd012bf974e2
-
SHA256
97178f14cedd268cb8f57a8405b50c5715832050502abc75e5a94e6423ad8208
-
SHA512
ac0c50e0ef410185ea285297e540328e5d892c43c6066eb2cf805825eac36c405b9dee8d0620774f0abd8f02cee3be68fa5062ecbb50d84efbafb4ece3e6084e
-
SSDEEP
6144:YKRHGdv+l83h6bwlv9zOShvTzuuC++gY5Pjh7iM8avlt:Lmd5xWwlvYStTLC++gY5Pjh7iM8avl
Malware Config
Extracted
xehook
2.1.5 Stable
https://t.me/+w897k5UK_jIyNDgy
-
id
364
-
token
xehook364240207519384
Signatures
-
Loads dropped DLL 1 IoCs
Processes:
97178f14cedd268cb8f57a8405b50c5715832050502abc75e5a94e6423ad8208.exepid Process 3428 97178f14cedd268cb8f57a8405b50c5715832050502abc75e5a94e6423ad8208.exe -
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 11 ip-api.com -
Suspicious use of SetThreadContext 1 IoCs
Processes:
97178f14cedd268cb8f57a8405b50c5715832050502abc75e5a94e6423ad8208.exedescription pid Process procid_target PID 3428 set thread context of 4532 3428 97178f14cedd268cb8f57a8405b50c5715832050502abc75e5a94e6423ad8208.exe 86 -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
97178f14cedd268cb8f57a8405b50c5715832050502abc75e5a94e6423ad8208.exeMSBuild.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 97178f14cedd268cb8f57a8405b50c5715832050502abc75e5a94e6423ad8208.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MSBuild.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
MSBuild.exedescription pid Process Token: SeDebugPrivilege 4532 MSBuild.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
97178f14cedd268cb8f57a8405b50c5715832050502abc75e5a94e6423ad8208.exedescription pid Process procid_target PID 3428 wrote to memory of 4532 3428 97178f14cedd268cb8f57a8405b50c5715832050502abc75e5a94e6423ad8208.exe 86 PID 3428 wrote to memory of 4532 3428 97178f14cedd268cb8f57a8405b50c5715832050502abc75e5a94e6423ad8208.exe 86 PID 3428 wrote to memory of 4532 3428 97178f14cedd268cb8f57a8405b50c5715832050502abc75e5a94e6423ad8208.exe 86 PID 3428 wrote to memory of 4532 3428 97178f14cedd268cb8f57a8405b50c5715832050502abc75e5a94e6423ad8208.exe 86 PID 3428 wrote to memory of 4532 3428 97178f14cedd268cb8f57a8405b50c5715832050502abc75e5a94e6423ad8208.exe 86 PID 3428 wrote to memory of 4532 3428 97178f14cedd268cb8f57a8405b50c5715832050502abc75e5a94e6423ad8208.exe 86 PID 3428 wrote to memory of 4532 3428 97178f14cedd268cb8f57a8405b50c5715832050502abc75e5a94e6423ad8208.exe 86 PID 3428 wrote to memory of 4532 3428 97178f14cedd268cb8f57a8405b50c5715832050502abc75e5a94e6423ad8208.exe 86
Processes
-
C:\Users\Admin\AppData\Local\Temp\97178f14cedd268cb8f57a8405b50c5715832050502abc75e5a94e6423ad8208.exe"C:\Users\Admin\AppData\Local\Temp\97178f14cedd268cb8f57a8405b50c5715832050502abc75e5a94e6423ad8208.exe"1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3428 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4532
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
345KB
MD59a842e9f0e4ffe3817e2030f72c4e363
SHA1edaf84062b802965e353b72564dee04f60bd2fa1
SHA25622a580812db7c7d4a033bcd343119472d756fabd6a2aa9106707d35247a293ce
SHA512d88f21b15433bc5e0eecb25b34cecf3a79f6972298a33c7e6ce890e9cd1fc2529e3d5aeb373bb8edb22ed2481870404ee2fbfa78e6b0086d40cf746f07c56f83