Analysis
-
max time kernel
122s -
max time network
138s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
30-10-2024 07:10
Static task
static1
Behavioral task
behavioral1
Sample
file.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
file.exe
Resource
win10v2004-20241007-en
General
-
Target
file.exe
-
Size
308KB
-
MD5
d5b8ac0d80c99e7dda0d9df17c159f3d
-
SHA1
ae1e0aeb3fbba55999b74047ee2b8bb4e45f108a
-
SHA256
c330322b774eb263b008178ff707e13b843fd7df62445cca3c52356509c26f78
-
SHA512
2637cc05aa402832dadbf48431f1add417b69a8351de2a5edae80283da7a6924166ea56bc85865dfa993d88f467d8f540528627e5cbe64cc67ec8d5a3d6655bc
-
SSDEEP
6144:+MW2MDA5DDzwLLoMC9YsbxE0UyRtXpJldoopDIrhi7m:EREZELLoMeYkxEgJzTp
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 2336 build.exe -
Loads dropped DLL 1 IoCs
pid Process 1668 file.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 9 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 build.exe Key opened \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 build.exe Key opened \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 build.exe Key opened \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 build.exe Key opened \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 build.exe Key opened \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 build.exe Key opened \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 build.exe Key opened \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 build.exe Key opened \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 build.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 4 ip-api.com -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language file.exe -
System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs
Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.
pid Process 2572 cmd.exe 2208 netsh.exe -
Suspicious behavior: EnumeratesProcesses 5 IoCs
pid Process 2336 build.exe 2336 build.exe 2336 build.exe 2336 build.exe 2336 build.exe -
Suspicious use of AdjustPrivilegeToken 16 IoCs
description pid Process Token: SeDebugPrivilege 2336 build.exe Token: SeCreateTokenPrivilege 2336 build.exe Token: SeAssignPrimaryTokenPrivilege 2336 build.exe Token: SeIncreaseQuotaPrivilege 2336 build.exe Token: SeSecurityPrivilege 2336 build.exe Token: SeTakeOwnershipPrivilege 2336 build.exe Token: SeLoadDriverPrivilege 2336 build.exe Token: SeSystemtimePrivilege 2336 build.exe Token: SeBackupPrivilege 2336 build.exe Token: SeRestorePrivilege 2336 build.exe Token: SeShutdownPrivilege 2336 build.exe Token: SeSystemEnvironmentPrivilege 2336 build.exe Token: SeUndockPrivilege 2336 build.exe Token: SeManageVolumePrivilege 2336 build.exe Token: 31 2336 build.exe Token: 32 2336 build.exe -
Suspicious use of WriteProcessMemory 28 IoCs
description pid Process procid_target PID 1668 wrote to memory of 2336 1668 file.exe 31 PID 1668 wrote to memory of 2336 1668 file.exe 31 PID 1668 wrote to memory of 2336 1668 file.exe 31 PID 1668 wrote to memory of 2336 1668 file.exe 31 PID 2336 wrote to memory of 2572 2336 build.exe 32 PID 2336 wrote to memory of 2572 2336 build.exe 32 PID 2336 wrote to memory of 2572 2336 build.exe 32 PID 2572 wrote to memory of 2836 2572 cmd.exe 34 PID 2572 wrote to memory of 2836 2572 cmd.exe 34 PID 2572 wrote to memory of 2836 2572 cmd.exe 34 PID 2572 wrote to memory of 2208 2572 cmd.exe 35 PID 2572 wrote to memory of 2208 2572 cmd.exe 35 PID 2572 wrote to memory of 2208 2572 cmd.exe 35 PID 2572 wrote to memory of 3020 2572 cmd.exe 36 PID 2572 wrote to memory of 3020 2572 cmd.exe 36 PID 2572 wrote to memory of 3020 2572 cmd.exe 36 PID 2336 wrote to memory of 2756 2336 build.exe 37 PID 2336 wrote to memory of 2756 2336 build.exe 37 PID 2336 wrote to memory of 2756 2336 build.exe 37 PID 2756 wrote to memory of 2616 2756 cmd.exe 39 PID 2756 wrote to memory of 2616 2756 cmd.exe 39 PID 2756 wrote to memory of 2616 2756 cmd.exe 39 PID 2756 wrote to memory of 2656 2756 cmd.exe 40 PID 2756 wrote to memory of 2656 2756 cmd.exe 40 PID 2756 wrote to memory of 2656 2756 cmd.exe 40 PID 2756 wrote to memory of 280 2756 cmd.exe 41 PID 2756 wrote to memory of 280 2756 cmd.exe 41 PID 2756 wrote to memory of 280 2756 cmd.exe 41 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 build.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 build.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1668 -
C:\Users\Admin\AppData\Local\Temp\build.exe"C:\Users\Admin\AppData\Local\Temp\build.exe"2⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:2336 -
C:\Windows\system32\cmd.exe"cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]"3⤵
- System Network Configuration Discovery: Wi-Fi Discovery
- Suspicious use of WriteProcessMemory
PID:2572 -
C:\Windows\system32\chcp.comchcp 650014⤵PID:2836
-
-
C:\Windows\system32\netsh.exenetsh wlan show profiles4⤵
- Event Triggered Execution: Netsh Helper DLL
- System Network Configuration Discovery: Wi-Fi Discovery
PID:2208
-
-
C:\Windows\system32\findstr.exefindstr /R /C:"[ ]:[ ]"4⤵PID:3020
-
-
-
C:\Windows\system32\cmd.exe"cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal"3⤵
- Suspicious use of WriteProcessMemory
PID:2756 -
C:\Windows\system32\chcp.comchcp 650014⤵PID:2616
-
-
C:\Windows\system32\netsh.exenetsh wlan show networks mode=bssid4⤵
- Event Triggered Execution: Netsh Helper DLL
PID:2656
-
-
C:\Windows\system32\findstr.exefindstr "SSID BSSID Signal"4⤵PID:280
-
-
-
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
2Credentials In Files
1Credentials in Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
223KB
MD5ecc94919c7d1385d489961b21af97328
SHA182f01aac4fdeb34ec23900d73b64beb01ea5a843
SHA256f47224fc9bd939839623ac7eb8f86d735d0dcd8ba7b2c256125850efd6401059
SHA51287213dfdd9901788de45572630d766739c3fa262624f3c891620d0624b1d32d908f529859ae106ed1e0b7d203c0a986db1198e226c2cf0e6070837d40ec13190