Analysis

  • max time kernel
    117s
  • max time network
    140s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    04/11/2024, 19:44

General

  • Target

    11798c5a66618d32e2666009fb1f4569ae8b2744fa0278f915f5c1eefb1fd98d.exe

  • Size

    772KB

  • MD5

    6782ce61039f27f01fb614d3069c7cd0

  • SHA1

    6870c4d274654f7a6d0971579b50dd9dedaa18ad

  • SHA256

    11798c5a66618d32e2666009fb1f4569ae8b2744fa0278f915f5c1eefb1fd98d

  • SHA512

    90fc316784eba2e553c2658ac348e6fcb4ab6987209d51e83c1d39d7a784ca0f18729349904bac6d92d3b163ce9f0270369a38eac8c9541ae211d74bce794938

  • SSDEEP

    12288:sWul0YH//9gHthuAileKUHfY3YFosfbVJ:s7x8uhl5UgYFR

Malware Config

Signatures

  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 9 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

    Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

  • Modifies system certificate store 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\11798c5a66618d32e2666009fb1f4569ae8b2744fa0278f915f5c1eefb1fd98d.exe
    "C:\Users\Admin\AppData\Local\Temp\11798c5a66618d32e2666009fb1f4569ae8b2744fa0278f915f5c1eefb1fd98d.exe"
    1⤵
    • Accesses Microsoft Outlook profiles
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • outlook_office_path
    • outlook_win_path
    PID:2380
    • C:\Windows\system32\cmd.exe
      "cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]"
      2⤵
      • System Network Configuration Discovery: Wi-Fi Discovery
      • Suspicious use of WriteProcessMemory
      PID:576
      • C:\Windows\system32\chcp.com
        chcp 65001
        3⤵
          PID:3020
        • C:\Windows\system32\netsh.exe
          netsh wlan show profiles
          3⤵
          • Event Triggered Execution: Netsh Helper DLL
          • System Network Configuration Discovery: Wi-Fi Discovery
          PID:3044
        • C:\Windows\system32\findstr.exe
          findstr /R /C:"[ ]:[ ]"
          3⤵
            PID:2592
        • C:\Windows\system32\cmd.exe
          "cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal"
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:2828
          • C:\Windows\system32\chcp.com
            chcp 65001
            3⤵
              PID:1756
            • C:\Windows\system32\netsh.exe
              netsh wlan show networks mode=bssid
              3⤵
              • Event Triggered Execution: Netsh Helper DLL
              PID:2280
            • C:\Windows\system32\findstr.exe
              findstr "SSID BSSID Signal"
              3⤵
                PID:1040

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

            Filesize

            342B

            MD5

            98c015d3c960c29cabfaaa6ffa41a354

            SHA1

            a984e2cae25b0897b0b9487d26ed43b01884d87b

            SHA256

            400ae8686b71a63123265353441b2147a7ae22569b7179211b5a2f5ea371bf7e

            SHA512

            fe6793ec6db1a1c3256b0458260b407a500b2c3aad867b0c77dd603c5893407b22c0f4bc429d0e23bdb124414abc688167695149ab987e75664e692ee0b48aa2

          • C:\Users\Admin\AppData\Local\Temp\Cab9F3.tmp

            Filesize

            70KB

            MD5

            49aebf8cbd62d92ac215b2923fb1b9f5

            SHA1

            1723be06719828dda65ad804298d0431f6aff976

            SHA256

            b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

            SHA512

            bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

          • C:\Users\Admin\AppData\Local\Temp\TarA53.tmp

            Filesize

            181KB

            MD5

            4ea6026cf93ec6338144661bf1202cd1

            SHA1

            a1dec9044f750ad887935a01430bf49322fbdcb7

            SHA256

            8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

            SHA512

            6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

          • memory/2380-0-0x000007FEF5173000-0x000007FEF5174000-memory.dmp

            Filesize

            4KB

          • memory/2380-1-0x00000000009B0000-0x0000000000A78000-memory.dmp

            Filesize

            800KB

          • memory/2380-2-0x000007FEF5170000-0x000007FEF5B5C000-memory.dmp

            Filesize

            9.9MB

          • memory/2380-3-0x000007FEF5170000-0x000007FEF5B5C000-memory.dmp

            Filesize

            9.9MB

          • memory/2380-39-0x000007FEF5173000-0x000007FEF5174000-memory.dmp

            Filesize

            4KB

          • memory/2380-40-0x000007FEF5170000-0x000007FEF5B5C000-memory.dmp

            Filesize

            9.9MB