Analysis

max time kernel: 118s
max time network: 118s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 26-10-2024 04:12
Static task: static1
Behavioral task: behavioral1
Sample: 2e1f53041c3b39e9d11eb80184208c2b604687c2e017055fe911e3e05bcaec52N.exe
Resource: win7-20241010-en
General

Target: 2e1f53041c3b39e9d11eb80184208c2b604687c2e017055fe911e3e05bcaec52N.exe
Size: 534KB
MD5: c7b31963cca4a548cc919ecfc510bd10
SHA1: aab26f8ff33b0947a753e5fd8a9152490ec044a9
SHA256: 2e1f53041c3b39e9d11eb80184208c2b604687c2e017055fe911e3e05bcaec52
SHA512: 046c9f5d1e7f5f6fd7d6f7432f9e8ada5d4d386e56807e7dfc4e24696203e18e250325bbe8a26b8e5e8be6f64005c37b3116be8f6d232582d422d81ba2e28568
SSDEEP: 12288:l3ULO2IiS/hqd9dc4bTKim2XPw42adZdJ6JeU7YIkwgrLhefhVMa6pf5lUdgIsu2:NsO2m/Id9i4bTKim2XPw42adZdJ6QU7W
Malware Config

Signatures

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Drops file in Program Files directory (6 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files\StopOpen.exe | 2e1f53041c3b39e9d11eb80184208c2b604687c2e017055fe911e3e05bcaec52N.exe
File opened for modification | C:\Program Files\7-Zip\7z.exe | 2e1f53041c3b39e9d11eb80184208c2b604687c2e017055fe911e3e05bcaec52N.exe
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | 2e1f53041c3b39e9d11eb80184208c2b604687c2e017055fe911e3e05bcaec52N.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | 2e1f53041c3b39e9d11eb80184208c2b604687c2e017055fe911e3e05bcaec52N.exe
File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | 2e1f53041c3b39e9d11eb80184208c2b604687c2e017055fe911e3e05bcaec52N.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.exe | 2e1f53041c3b39e9d11eb80184208c2b604687c2e017055fe911e3e05bcaec52N.exe

Program crash (1 IoCs)
pid | pid_target | Process | procid_target
2864 | 2876 | WerFault.exe | 29
System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2e1f53041c3b39e9d11eb80184208c2b604687c2e017055fe911e3e05bcaec52N.exe
Suspicious behavior: EnumeratesProcesses (1 IoCs)
pid | Process
2876 | 2e1f53041c3b39e9d11eb80184208c2b604687c2e017055fe911e3e05bcaec52N.exe

Suspicious use of WriteProcessMemory (4 IoCs)
description | pid | Process | procid_target
PID 2876 wrote to memory of 2864 | 2876 | 2e1f53041c3b39e9d11eb80184208c2b604687c2e017055fe911e3e05bcaec52N.exe | 30
PID 2876 wrote to memory of 2864 | 2876 | 2e1f53041c3b39e9d11eb80184208c2b604687c2e017055fe911e3e05bcaec52N.exe | 30
PID 2876 wrote to memory of 2864 | 2876 | 2e1f53041c3b39e9d11eb80184208c2b604687c2e017055fe911e3e05bcaec52N.exe | 30
PID 2876 wrote to memory of 2864 | 2876 | 2e1f53041c3b39e9d11eb80184208c2b604687c2e017055fe911e3e05bcaec52N.exe | 30
Processes

1. C:\Users\Admin\AppData\Local\Temp\2e1f53041c3b39e9d11eb80184208c2b604687c2e017055fe911e3e05bcaec52N.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\2e1f53041c3b39e9d11eb80184208c2b604687c2e017055fe911e3e05bcaec52N.exe"
   - Drops file in Program Files directory
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   PID: 2876

   2. C:\Windows\SysWOW64\WerFault.exe (child of PID 2876)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2876 -s 160
      - Program crash
      PID: 2864