Analysis
max time kernel: 141s
max time network: 125s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21/10/2024, 08:27
Static task: static1
Behavioral task: behavioral1
Sample: HeartBreakerContinuum/Superstar_MemberCard.tiff.exe
Resource: win7-20241010-en

General
Target: HeartBreakerContinuum/Superstar_MemberCard.tiff.exe
Size: 40KB
MD5: ace3e42d95e5b9d0744763bde9888069
SHA1: 6236f6f30e1cd180d3f9bd1d48ea4cccdfc2a806
SHA256: 12daa34111bb54b3dcbad42305663e44e7e6c3842f015cccbbe6564d9dfd3ea3
SHA512: 5c17eb87d60794be010e50c8cb62dc72bcfcfae15c5b79d39f1fca769acf82dce8eafe807a9a9bf00c9ecdbd5d7383fca7fa344e76373e22bd6de545501e68e2
SSDEEP: 768:ZCIFqGveQJUJtVeD3sl/Qq9QSucEQ0xIlBcVpXbOfq19kQa1:ZC4qGveQJ93sl/Qq9QSucEQ0xIlBubOV
Malware Config
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | WinSCP.exe

Executes dropped EXE (2 IoCs)
  pid | Process
  3376 | WinSCP.com
  228 | WinSCP.exe

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WinSCP.com
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WinSCP.exe

Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid | Process
  2164 | Superstar_MemberCard.tiff.exe (recorded 4 times)
  228 | WinSCP.exe (recorded 2 times)

Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2164 | Superstar_MemberCard.tiff.exe
  Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 (this 21-token sequence is recorded twice) | 2100 | WMIC.exe
  Token: the same 21-token sequence as above, recorded once | 2164 | Superstar_MemberCard.tiff.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  pid | Process
  228 | WinSCP.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  description | pid | Process | procid_target
  PID 2164 wrote to memory of 4616 (recorded 2 times) | 2164 | Superstar_MemberCard.tiff.exe | 103
  PID 2164 wrote to memory of 2100 (recorded 2 times) | 2164 | Superstar_MemberCard.tiff.exe | 106
  PID 2164 wrote to memory of 2924 (recorded 2 times) | 2164 | Superstar_MemberCard.tiff.exe | 109
  PID 2164 wrote to memory of 3376 (recorded 3 times) | 2164 | Superstar_MemberCard.tiff.exe | 114
  PID 3376 wrote to memory of 228 (recorded 3 times) | 3376 | WinSCP.com | 115
Processes

1. "C:\Users\Admin\AppData\Local\Temp\HeartBreakerContinuum\Superstar_MemberCard.tiff.exe" (PID 2164)
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. "C:\Windows\system32\nltest.exe" /dsgetdc:KBKWGEBK (PID 4616)

   2. "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\SecurityCenter2 PATH AntiVirusProduct GET /value (PID 2100)
      - Suspicious use of AdjustPrivilegeToken

   2. "C:\Windows\system32\gpresult.exe" /r (PID 2924)

   2. "C:\Users\Public\HelpDesk-Tools\WinSCP.com" /script="C:\Users\Public\HelpDesk-Tools\maintenanceScript.txt" (PID 3376)
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      3. "C:\Users\Public\HelpDesk-Tools\WinSCP.exe" /console=5.15.3 /consoleinstance=_3376_926 "/script=C:\Users\Public\HelpDesk-Tools\maintenanceScript.txt" (PID 228)
         - Checks computer location settings
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads