Analysis
max time kernel: 117s
max time network: 140s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 04/11/2024, 19:44
Static task: static1

Behavioral task: behavioral1
  Sample: 11798c5a66618d32e2666009fb1f4569ae8b2744fa0278f915f5c1eefb1fd98d.exe
  Resource: win7-20240903-en

Behavioral task: behavioral2
  Sample: 11798c5a66618d32e2666009fb1f4569ae8b2744fa0278f915f5c1eefb1fd98d.exe
  Resource: win10v2004-20241007-en
General
Target: 11798c5a66618d32e2666009fb1f4569ae8b2744fa0278f915f5c1eefb1fd98d.exe
Size: 772KB
MD5: 6782ce61039f27f01fb614d3069c7cd0
SHA1: 6870c4d274654f7a6d0971579b50dd9dedaa18ad
SHA256: 11798c5a66618d32e2666009fb1f4569ae8b2744fa0278f915f5c1eefb1fd98d
SHA512: 90fc316784eba2e553c2658ac348e6fcb4ab6987209d51e83c1d39d7a784ca0f18729349904bac6d92d3b163ce9f0270369a38eac8c9541ae211d74bce794938
SSDEEP: 12288:sWul0YH//9gHthuAileKUHfY3YFosfbVJ:s7x8uhl5UgYFR
Malware Config
Signatures

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses Microsoft Outlook profiles (1 TTPs, 9 IoCs)
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 11798c5a66618d32e2666009fb1f4569ae8b2744fa0278f915f5c1eefb1fd98d.exe
Key opened | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 11798c5a66618d32e2666009fb1f4569ae8b2744fa0278f915f5c1eefb1fd98d.exe
Key opened | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 11798c5a66618d32e2666009fb1f4569ae8b2744fa0278f915f5c1eefb1fd98d.exe
Key opened | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 11798c5a66618d32e2666009fb1f4569ae8b2744fa0278f915f5c1eefb1fd98d.exe
Key opened | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 11798c5a66618d32e2666009fb1f4569ae8b2744fa0278f915f5c1eefb1fd98d.exe
Key opened | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 11798c5a66618d32e2666009fb1f4569ae8b2744fa0278f915f5c1eefb1fd98d.exe
Key opened | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 11798c5a66618d32e2666009fb1f4569ae8b2744fa0278f915f5c1eefb1fd98d.exe
Key opened | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 11798c5a66618d32e2666009fb1f4569ae8b2744fa0278f915f5c1eefb1fd98d.exe
Key opened | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 11798c5a66618d32e2666009fb1f4569ae8b2744fa0278f915f5c1eefb1fd98d.exe

Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
11 | ip-api.com

Event Triggered Execution: Netsh Helper DLL (1 TTPs, 6 IoCs)
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description | ioc | Process
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery (1 TTPs, 2 IoCs)
Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.
pid | Process
576 | cmd.exe
3044 | netsh.exe

Modifies system certificate store
The Blob written below is a DER-encoded certificate whose subject strings ("Comodo CA Limited", "AAA Certificate Services") are readable in the hex; the key is under the AuthRoot store with thumbprint D1EB23A46D17D68FD92564C2F1F1601764D8E349. Columns: description | ioc | Process.
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 11798c5a66618d32e2666009fb1f4569ae8b2744fa0278f915f5c1eefb1fd98d.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99
ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e 11798c5a66618d32e2666009fb1f4569ae8b2744fa0278f915f5c1eefb1fd98d.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 11798c5a66618d32e2666009fb1f4569ae8b2744fa0278f915f5c1eefb1fd98d.exe -
Suspicious behavior: EnumeratesProcesses (5 IoCs)
pid | Process
2380 | 11798c5a66618d32e2666009fb1f4569ae8b2744fa0278f915f5c1eefb1fd98d.exe
2380 | 11798c5a66618d32e2666009fb1f4569ae8b2744fa0278f915f5c1eefb1fd98d.exe
2380 | 11798c5a66618d32e2666009fb1f4569ae8b2744fa0278f915f5c1eefb1fd98d.exe
2380 | 11798c5a66618d32e2666009fb1f4569ae8b2744fa0278f915f5c1eefb1fd98d.exe
2380 | 11798c5a66618d32e2666009fb1f4569ae8b2744fa0278f915f5c1eefb1fd98d.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2380 | 11798c5a66618d32e2666009fb1f4569ae8b2744fa0278f915f5c1eefb1fd98d.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
pid | Process
2380 | 11798c5a66618d32e2666009fb1f4569ae8b2744fa0278f915f5c1eefb1fd98d.exe

Suspicious use of WriteProcessMemory (24 IoCs; each row below was recorded 3 times)
description | pid | Process | procid_target
PID 2380 wrote to memory of 576 | 2380 | 11798c5a66618d32e2666009fb1f4569ae8b2744fa0278f915f5c1eefb1fd98d.exe | 30
PID 576 wrote to memory of 3020 | 576 | cmd.exe | 32
PID 576 wrote to memory of 3044 | 576 | cmd.exe | 33
PID 576 wrote to memory of 2592 | 576 | cmd.exe | 34
PID 2380 wrote to memory of 2828 | 2380 | 11798c5a66618d32e2666009fb1f4569ae8b2744fa0278f915f5c1eefb1fd98d.exe | 35
PID 2828 wrote to memory of 1756 | 2828 | cmd.exe | 37
PID 2828 wrote to memory of 2280 | 2828 | cmd.exe | 38
PID 2828 wrote to memory of 1040 | 2828 | cmd.exe | 39

outlook_office_path (1 IoCs)
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 11798c5a66618d32e2666009fb1f4569ae8b2744fa0278f915f5c1eefb1fd98d.exe

outlook_win_path (1 IoCs)
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 11798c5a66618d32e2666009fb1f4569ae8b2744fa0278f915f5c1eefb1fd98d.exe
Processes

C:\Users\Admin\AppData\Local\Temp\11798c5a66618d32e2666009fb1f4569ae8b2744fa0278f915f5c1eefb1fd98d.exe (PID 2380)
  Command line: "C:\Users\Admin\AppData\Local\Temp\11798c5a66618d32e2666009fb1f4569ae8b2744fa0278f915f5c1eefb1fd98d.exe"
  - Accesses Microsoft Outlook profiles
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - outlook_office_path
  - outlook_win_path

    C:\Windows\system32\cmd.exe (PID 576)
      Command line: "cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]"
      - System Network Configuration Discovery: Wi-Fi Discovery
      - Suspicious use of WriteProcessMemory

        C:\Windows\system32\chcp.com (PID 3020)
          Command line: chcp 65001

        C:\Windows\system32\netsh.exe (PID 3044)
          Command line: netsh wlan show profiles
          - Event Triggered Execution: Netsh Helper DLL
          - System Network Configuration Discovery: Wi-Fi Discovery

        C:\Windows\system32\findstr.exe (PID 2592)
          Command line: findstr /R /C:"[ ]:[ ]"

    C:\Windows\system32\cmd.exe (PID 2828)
      Command line: "cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal"
      - Suspicious use of WriteProcessMemory

        C:\Windows\system32\chcp.com (PID 1756)
          Command line: chcp 65001

        C:\Windows\system32\netsh.exe (PID 2280)
          Command line: netsh wlan show networks mode=bssid
          - Event Triggered Execution: Netsh Helper DLL

        C:\Windows\system32\findstr.exe (PID 1040)
          Command line: findstr "SSID BSSID Signal"
Network
MITRE ATT&CK Enterprise v15

Defense Evasion
  Modify Registry (1)
  Subvert Trust Controls (1)
    Install Root Certificate (1)

Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (2)
    Credentials In Files (1)
    Credentials in Registry (1)
Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 98c015d3c960c29cabfaaa6ffa41a354
  SHA1: a984e2cae25b0897b0b9487d26ed43b01884d87b
  SHA256: 400ae8686b71a63123265353441b2147a7ae22569b7179211b5a2f5ea371bf7e
  SHA512: fe6793ec6db1a1c3256b0458260b407a500b2c3aad867b0c77dd603c5893407b22c0f4bc429d0e23bdb124414abc688167695149ab987e75664e692ee0b48aa2

(path not recorded)
  Filesize: 70KB
  MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
  SHA1: 1723be06719828dda65ad804298d0431f6aff976
  SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
  SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

(path not recorded)
  Filesize: 181KB
  MD5: 4ea6026cf93ec6338144661bf1202cd1
  SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
  SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
  SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b