Analysis

  • max time kernel
    141s
  • max time network
    125s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21/10/2024, 08:27

General

  • Target

    HeartBreakerContinuum/Superstar_MemberCard.tiff.exe

  • Size

    40KB

  • MD5

    ace3e42d95e5b9d0744763bde9888069

  • SHA1

    6236f6f30e1cd180d3f9bd1d48ea4cccdfc2a806

  • SHA256

    12daa34111bb54b3dcbad42305663e44e7e6c3842f015cccbbe6564d9dfd3ea3

  • SHA512

    5c17eb87d60794be010e50c8cb62dc72bcfcfae15c5b79d39f1fca769acf82dce8eafe807a9a9bf00c9ecdbd5d7383fca7fa344e76373e22bd6de545501e68e2

  • SSDEEP

    768:ZCIFqGveQJUJtVeD3sl/Qq9QSucEQ0xIlBcVpXbOfq19kQa1:ZC4qGveQJ93sl/Qq9QSucEQ0xIlBubOV

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\HeartBreakerContinuum\Superstar_MemberCard.tiff.exe
    "C:\Users\Admin\AppData\Local\Temp\HeartBreakerContinuum\Superstar_MemberCard.tiff.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2164
    • C:\Windows\system32\nltest.exe
      "C:\Windows\system32\nltest.exe" /dsgetdc:KBKWGEBK
      2⤵
        PID:4616
      • C:\Windows\System32\Wbem\WMIC.exe
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\SecurityCenter2 PATH AntiVirusProduct GET /value
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2100
      • C:\Windows\system32\gpresult.exe
        "C:\Windows\system32\gpresult.exe" /r
        2⤵
          PID:2924
        • C:\Users\Public\HelpDesk-Tools\WinSCP.com
          "C:\Users\Public\HelpDesk-Tools\WinSCP.com" /script="C:\Users\Public\HelpDesk-Tools\maintenanceScript.txt"
          2⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3376
          • C:\Users\Public\HelpDesk-Tools\WinSCP.exe
            "C:\Users\Public\HelpDesk-Tools\WinSCP.exe" /console=5.15.3 /consoleinstance=_3376_926 "/script=C:\Users\Public\HelpDesk-Tools\maintenanceScript.txt"
            3⤵
            • Checks computer location settings
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of SetWindowsHookEx
            PID:228

      Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rqqlmhzg.t5g.ps1

              Filesize

              60B

              MD5

              d17fe0a3f47be24a6453e9ef58c94641

              SHA1

              6ab83620379fc69f80c0242105ddffd7d98d5d9d

              SHA256

              96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

              SHA512

              5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

            • C:\Users\Public\HelpDesk-Tools\WinSCP.com

              Filesize

              277KB

              MD5

              f5aabac14be9ee43e22e840b6421938f

              SHA1

              224434759482423b3e3c75e06f6ab3a4fa193a33

              SHA256

              ba7419f0ac2dff1826217faba581af207f61a094144a4ebd381558ba38cc6601

              SHA512

              c22c0f067b7a046686621bd8dedcc66273390000d16f8c684d4a57048a022e021b4276af1dc0688457cab42493feb99cf47a7ddb7a1b7208ca36c1d80dedbe87

            • C:\Users\Public\HelpDesk-Tools\WinSCP.exe

              Filesize

              19.0MB

              MD5

              88f50928cd5586b72cbf27eeff1190f0

              SHA1

              f55e8fd6bb968df2efc0e415bab0acdab23e580e

              SHA256

              768ece399c75a27aca90313f625016e8e795f737667577d75af0042c896987f7

              SHA512

              929ddd082524dad9bed1e82159648e449e14b69fbce7cdff734e3069203c06653a0173e7f56fb4a36e13aafa99b618f401494043364f0878ae197db5a1264a62

            • C:\Users\Public\HelpDesk-Tools\WinSCP.ini

              Filesize

              8KB

              MD5

              774de48627bb06c815714bc75154592c

              SHA1

              4b8298f7e005daa00675a8b897eb0278dfb0f9b5

              SHA256

              9332018891592479efb3893e1c4bb248d549a8154e0222b77f8aab82c1f864c5

              SHA512

              5a6c0421a01c616783e9538afe04bb9ca2ecb065393b10aebfd079941e846d0fc4e1abfac5a7b76bb67cc9b177c0966f01fd5d4431965eb8b970aadec41c3bce

            • C:\Users\Public\HelpDesk-Tools\maintenanceScript.txt

              Filesize

              252B

              MD5

              142a8084caf622f3e9b1dbb3d4e83a90

              SHA1

              94e02c1c013418876008d5872830962eddccfe31

              SHA256

              5b5fcdf4dc73a96ee0052919ac381f1b02b450bbc94d3f6d8bd5388babd9ba5f

              SHA512

              c29a07f682eb59cfdb74bd77fbbac43b9ab389f63771916613d609f48fe30dd5946ff94c03ea17383af86eeb2dd6f515e7f3eb7714f512f069d736ab0baca6fe

            • memory/228-88-0x00000000005E0000-0x000000000197F000-memory.dmp

              Filesize

              19.6MB

            • memory/228-82-0x00000000005E0000-0x000000000197F000-memory.dmp

              Filesize

              19.6MB

            • memory/228-74-0x00000000005E0000-0x000000000197F000-memory.dmp

              Filesize

              19.6MB

            • memory/2164-57-0x00007FFB25BC0000-0x00007FFB26681000-memory.dmp

              Filesize

              10.8MB

            • memory/2164-36-0x000000001CCF0000-0x000000001CCFA000-memory.dmp

              Filesize

              40KB

            • memory/2164-0-0x00007FFB25BC3000-0x00007FFB25BC5000-memory.dmp

              Filesize

              8KB

            • memory/2164-35-0x000000001D740000-0x000000001D752000-memory.dmp

              Filesize

              72KB

            • memory/2164-32-0x00007FFB25BC0000-0x00007FFB26681000-memory.dmp

              Filesize

              10.8MB

            • memory/2164-14-0x00007FFB25BC0000-0x00007FFB26681000-memory.dmp

              Filesize

              10.8MB

            • memory/2164-13-0x00007FFB25BC3000-0x00007FFB25BC5000-memory.dmp

              Filesize

              8KB

            • memory/2164-12-0x00007FFB25BC0000-0x00007FFB26681000-memory.dmp

              Filesize

              10.8MB

            • memory/2164-11-0x0000000001560000-0x0000000001582000-memory.dmp

              Filesize

              136KB

            • memory/2164-1-0x0000000000C30000-0x0000000000C40000-memory.dmp

              Filesize

              64KB

            • memory/2164-140-0x00007FFB25BC0000-0x00007FFB26681000-memory.dmp

              Filesize

              10.8MB

            • memory/3376-81-0x00000000001E0000-0x000000000022D000-memory.dmp

              Filesize

              308KB

            • memory/3376-89-0x00000000001E0000-0x000000000022D000-memory.dmp

              Filesize

              308KB