add7e0536d612cc4022407c06ecd8b66ab4c826aaa454cc76f5845241e8c7602

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
02-11-2024 18:18

Target

creditcard.exe
Size

1.2MB
MD5

b467cf8ca0c4a745c53f4bd42edd79a7
SHA1

762bbadff23c875ebcea557a93c55b45624d5171
SHA256

b056dd707d21bd57b256767dc3e13cd8c824cf059ca70f13e2cda9f96b101012
SHA512

d78a471eeac8f1ceae0b7b727c17d575f49f29eff62546b6f9808cdd9e4926a395bf74973156f2cdf4bc1a10d5adc6c5170e1b6caf0556cb673f31a34466d1f8
SSDEEP

24576:CKRjZgSemwfAtN+qKCpx9Pm7oKh85Luo/AehkSmDuBfUh0lhSMXlwGS:CAgSemw8N+qKC1eX25LuoJh10uXb

Score

7^/10

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\International\Geo\Nation	creditcard.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 5 IoCs

Email Collection

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\SOFTWARE\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	creditcard.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	creditcard.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	creditcard.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	creditcard.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\SOFTWARE\Microsoft\Office\12.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	creditcard.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	api.ipify.org
5	api.ipify.org

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2716	creditcard.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2716	creditcard.exe
Token: SeImpersonatePrivilege	2716	creditcard.exe

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	creditcard.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	creditcard.exe