Analysis

max time kernel:  147s
max time network: 152s
platform:         windows10-2004_x64
resource:         win10v2004-20241007-en
resource tags:    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted:        04/11/2024, 19:44

Static task: static1

Behavioral task: behavioral1
  Sample:   11798c5a66618d32e2666009fb1f4569ae8b2744fa0278f915f5c1eefb1fd98d.exe
  Resource: win7-20240903-en

Behavioral task: behavioral2
  Sample:   11798c5a66618d32e2666009fb1f4569ae8b2744fa0278f915f5c1eefb1fd98d.exe
  Resource: win10v2004-20241007-en

The behaviour recorded below comes from the win10v2004-20241007-en run (behavioral2); the platform field above identifies that run.
General

Target: 11798c5a66618d32e2666009fb1f4569ae8b2744fa0278f915f5c1eefb1fd98d.exe
Size:   772KB
MD5:    6782ce61039f27f01fb614d3069c7cd0
SHA1:   6870c4d274654f7a6d0971579b50dd9dedaa18ad
SHA256: 11798c5a66618d32e2666009fb1f4569ae8b2744fa0278f915f5c1eefb1fd98d
SHA512: 90fc316784eba2e553c2658ac348e6fcb4ab6987209d51e83c1d39d7a784ca0f18729349904bac6d92d3b163ce9f0270369a38eac8c9541ae211d74bce794938
SSDEEP: 12288:sWul0YH//9gHthuAileKUHfY3YFosfbVJ:s7x8uhl5UgYFR
Malware Config
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely for geofencing.
  Key value queried  \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation  11798c5a66618d32e2666009fb1f4569ae8b2744fa0278f915f5c1eefb1fd98d.exe

Executes dropped EXE (1 IoC)
  PID 3928  tor-real.exe

Loads dropped DLL (9 IoCs)
  PID 3928  tor-real.exe  (9 DLL loads recorded for this process)
Reads user/profile data of web browsers (3 TTPs)
Infostealers commonly target stored browser data, which can include saved credentials.
Accesses Microsoft Outlook profiles (1 TTP, 9 IoCs)
The sample opens the Outlook profile key 9375CFF0413111d3B88A00104B2A6676 under the Windows Messaging Subsystem path and under eight Office version paths. Of the versions probed, only 14.0, 15.0 and 16.0 correspond to released Office builds (2010, 2013, and 2016/2019/2021/365 respectively); also opening 13.0 and 17.0 through 20.0 indicates a hard-coded version loop rather than a lookup of the installed version.
  Key opened  \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  11798c5a66618d32e2666009fb1f4569ae8b2744fa0278f915f5c1eefb1fd98d.exe
  Key opened  \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Office\<version>\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  11798c5a66618d32e2666009fb1f4569ae8b2744fa0278f915f5c1eefb1fd98d.exe
              for <version> in 13.0, 14.0, 15.0, 17.0, 18.0, 16.0, 19.0, 20.0 (in the order opened)
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
  Flow 30  ip-api.com
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Event Triggered Execution: Netsh Helper DLL (1 TTP, 6 IoCs)
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. On every start it reads the helper DLLs registered under HKLM\SOFTWARE\Microsoft\NetSh, so the six IoCs below (opens, queries and value enumerations of that key by netsh.exe itself) are a side effect of the two netsh invocations in the process tree. No write to this key by the sample is recorded, so this is not evidence that a helper DLL was registered for persistence.
  Key value enumerated  \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  netsh.exe
  Key opened            \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  netsh.exe
  Key queried           \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  netsh.exe
  Key value enumerated  \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  netsh.exe
  Key opened            \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  netsh.exe
  Key queried           \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  netsh.exe
System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  tor-real.exe
System Network Configuration Discovery: Wi-Fi Discovery (1 TTP, 2 IoCs)
Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.
  PID 5044  cmd.exe
  PID 840   netsh.exe
Suspicious behavior: EnumeratesProcesses (5 IoCs)
  PID 752  11798c5a66618d32e2666009fb1f4569ae8b2744fa0278f915f5c1eefb1fd98d.exe  (5 occurrences)
Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege  PID 752  11798c5a66618d32e2666009fb1f4569ae8b2744fa0278f915f5c1eefb1fd98d.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  PID 752  11798c5a66618d32e2666009fb1f4569ae8b2744fa0278f915f5c1eefb1fd98d.exe
Suspicious use of WriteProcessMemory (19 IoCs)
Every entry pairs a parent with a child it had just launched (compare the process tree). The sandbox reports the same pattern for ordinary process creation, for example cmd.exe writing into the chcp.com and findstr.exe children it spawns here, and no write into a process the writer did not itself create is recorded, so these IoCs are not by themselves evidence of code injection.
("sample" below is 11798c5a66618d32e2666009fb1f4569ae8b2744fa0278f915f5c1eefb1fd98d.exe)
  Source PID  Source process  Target PID  Target process  Count  procid_target
  752         sample          3928        tor-real.exe    3      90
  752         sample          5044        cmd.exe         2      95
  5044        cmd.exe         3988        chcp.com        2      97
  5044        cmd.exe         840         netsh.exe       2      98
  5044        cmd.exe         692         findstr.exe     2      99
  752         sample          1016        cmd.exe         2      100
  1016        cmd.exe         3284        chcp.com        2      102
  1016        cmd.exe         404         netsh.exe       2      103
  1016        cmd.exe         4472        findstr.exe     2      104
outlook_office_path (1 IoC)
  Key opened  \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  11798c5a66618d32e2666009fb1f4569ae8b2744fa0278f915f5c1eefb1fd98d.exe

outlook_win_path (1 IoC)
  Key opened  \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  11798c5a66618d32e2666009fb1f4569ae8b2744fa0278f915f5c1eefb1fd98d.exe
Processes

C:\Users\Admin\AppData\Local\Temp\11798c5a66618d32e2666009fb1f4569ae8b2744fa0278f915f5c1eefb1fd98d.exe  (PID 752)
  Command line: "C:\Users\Admin\AppData\Local\Temp\11798c5a66618d32e2666009fb1f4569ae8b2744fa0278f915f5c1eefb1fd98d.exe"
  - Checks computer location settings
  - Accesses Microsoft Outlook profiles
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - outlook_office_path
  - outlook_win_path

  C:\Users\Admin\AppData\Local\dp3s81isgn\tor\tor-real.exe  (PID 3928)
    Command line: "C:\Users\Admin\AppData\Local\dp3s81isgn\tor\tor-real.exe" -f "C:\Users\Admin\AppData\Local\dp3s81isgn\tor\torrc.txt"
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery

  C:\Windows\SYSTEM32\cmd.exe  (PID 5044)
    Command line: "cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]"
    - System Network Configuration Discovery: Wi-Fi Discovery
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\chcp.com  (PID 3988)
      Command line: chcp 65001

    C:\Windows\system32\netsh.exe  (PID 840)
      Command line: netsh wlan show profiles
      - Event Triggered Execution: Netsh Helper DLL
      - System Network Configuration Discovery: Wi-Fi Discovery

    C:\Windows\system32\findstr.exe  (PID 692)
      Command line: findstr /R /C:"[ ]:[ ]"

  C:\Windows\SYSTEM32\cmd.exe  (PID 1016)
    Command line: "cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal"
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\chcp.com  (PID 3284)
      Command line: chcp 65001

    C:\Windows\system32\netsh.exe  (PID 404)
      Command line: netsh wlan show networks mode=bssid
      - Event Triggered Execution: Netsh Helper DLL

    C:\Windows\system32\findstr.exe  (PID 4472)
      Command line: findstr "SSID BSSID Signal"

Both cmd.exe chains follow the same shape: chcp 65001 switches the console code page to UTF-8 so non-ASCII profile and network names survive the pipe, netsh produces the listing, and findstr trims it. The first filter, /R /C:"[ ]:[ ]", keeps only the "... Profile : <name>" lines of netsh wlan show profiles, i.e. the names of saved Wi-Fi profiles; the second keeps the SSID, BSSID and Signal lines of the nearby-network scan. Profile names alone do not include passphrases; a netsh wlan show profile name=<name> key=clear call would be needed for that, and no such invocation appears in the recorded tree.
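As an added example that is not part of the sandbox export, the behaviours listed under Signatures and in the process tree above can be turned into host-based detection logic. The Python below runs over constructed Sysmon-style events whose PIDs, image paths, command lines and registry keys are copied from this report; the event schema, the three-level ancestor walk and the explorer.exe -> cmd.exe -> netsh.exe control chain (PIDs 900, 1234, 6000, 6001) are assumptions added here to show that an administrator typing the same netsh command at an interactive prompt is not flagged.

```python
import re

# Constructed Sysmon-style telemetry modelled on the process tree and registry
# IoCs in the report above. PIDs, image paths and command lines follow the
# report; the event schema and the explorer.exe -> cmd.exe -> netsh.exe chain
# (PIDs 900, 1234, 6000, 6001) are constructed as a benign control.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\11798c5a66618d32e2666009fb1f4569ae8b2744fa0278f915f5c1eefb1fd98d.exe"
TOR = r"C:\Users\Admin\AppData\Local\dp3s81isgn\tor\tor-real.exe"
TORRC = r"C:\Users\Admin\AppData\Local\dp3s81isgn\tor\torrc.txt"
CMD = r"C:\Windows\SYSTEM32\cmd.exe"
NETSH = r"C:\Windows\system32\netsh.exe"
HKU = r"\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000"

EVENTS = [
    {"type": "process", "pid": 752, "ppid": 4000, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"type": "process", "pid": 3928, "ppid": 752, "image": TOR, "cmdline": f'"{TOR}" -f "{TORRC}"'},
    {"type": "process", "pid": 5044, "ppid": 752, "image": CMD,
     "cmdline": '"cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]"'},
    {"type": "process", "pid": 840, "ppid": 5044, "image": NETSH, "cmdline": "netsh wlan show profiles"},
    {"type": "process", "pid": 1016, "ppid": 752, "image": CMD,
     "cmdline": '"cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal"'},
    {"type": "process", "pid": 404, "ppid": 1016, "image": NETSH, "cmdline": "netsh wlan show networks mode=bssid"},
    {"type": "registry", "pid": 752,
     "key": HKU + r"\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"},
    {"type": "registry", "pid": 752,
     "key": HKU + r"\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"},
    {"type": "registry", "pid": 752, "key": HKU + r"\Control Panel\International\Geo\Nation"},
    {"type": "dns", "pid": 752, "query": "ip-api.com"},
    # Benign control (constructed): an administrator runs the same netsh command from an interactive prompt.
    {"type": "process", "pid": 1234, "ppid": 900, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"type": "process", "pid": 6000, "ppid": 1234, "image": CMD, "cmdline": '"cmd.exe"'},
    {"type": "process", "pid": 6001, "ppid": 6000, "image": NETSH, "cmdline": "netsh wlan show profiles"},
]

# Directories a standard user can write to; both the sample and the dropped Tor client live there.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.I)
# The two Wi-Fi discovery commands seen in the tree.
WIFI_CMD = re.compile(r"\bnetsh(\.exe)?\s+wlan\s+show\s+(profiles|networks)\b", re.I)
# The Outlook profile key, under both the Office\<ver> and the Windows Messaging Subsystem paths.
OUTLOOK_PROFILE = re.compile(r"\\(Office\\\d+\.\d+\\Outlook|Windows Messaging Subsystem)\\Profiles\\Outlook\\", re.I)
GEO_NATION = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)
TORRC_ARG = re.compile(r"\s-f\s+\"?[^\"]*torrc", re.I)
IP_LOOKUP_DOMAINS = {"ip-api.com"}  # the service contacted in this report; extend per environment


def build_tree(events):
    """Index process-create events by PID so parents can be resolved."""
    return {e["pid"]: e for e in events if e["type"] == "process"}


def ancestors(procs, pid, depth=3):
    """Yield up to `depth` ancestor process records of `pid`, nearest first."""
    for _ in range(depth):
        proc = procs.get(pid)
        if proc is None or proc["ppid"] not in procs:
            return
        proc = procs[proc["ppid"]]
        yield proc
        pid = proc["pid"]


def in_user_writable(image):
    return bool(USER_WRITABLE.search(image))


def detect(events):
    """Return sorted (rule, pid) findings for the event list."""
    procs = build_tree(events)
    findings = set()
    for e in events:
        pid = e["pid"]
        if e["type"] == "process":
            # Wi-Fi discovery whose ancestry (cmd.exe wrapper included) leads back to a
            # binary in a user-writable directory; an explorer.exe -> cmd.exe chain does not.
            if WIFI_CMD.search(e["cmdline"]) and any(in_user_writable(a["image"]) for a in ancestors(procs, pid)):
                findings.add(("wifi_discovery_from_user_writable_ancestor", pid))
            # A binary in AppData started with an explicit torrc, as tor-real.exe is above.
            if in_user_writable(e["image"]) and TORRC_ARG.search(e["cmdline"]):
                findings.add(("dropped_tor_client_with_torrc", pid))
        elif e["type"] == "registry":
            owner = procs.get(pid, {}).get("image", "")
            if OUTLOOK_PROFILE.search(e["key"]) and not owner.lower().endswith("\\outlook.exe"):
                findings.add(("outlook_profile_probe_by_non_outlook", pid))
            if GEO_NATION.search(e["key"]) and in_user_writable(owner):
                findings.add(("geofence_nation_lookup", pid))
        elif e["type"] == "dns" and e["query"].lower() in IP_LOOKUP_DOMAINS:
            findings.add(("external_ip_lookup_service", pid))
    return sorted(findings)


if __name__ == "__main__":
    procs = build_tree(EVENTS)
    for rule, pid in detect(EVENTS):
        print(f"{rule:44} pid={pid:<5} {procs.get(pid, {}).get('image', '?')}")
```

The Wi-Fi rule deliberately keys on ancestry rather than on the netsh command alone: netsh wlan show profiles is a routine administrative command, and what makes it suspicious here is that the chain starts at an executable under the user's AppData\Local\Temp. Against the constructed events the sample's two cmd.exe wrappers and their netsh children are flagged while the explorer-launched netsh (PID 6001) is not.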
Network
MITRE ATT&CK Enterprise v15

Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (2)
    Credentials In Files (1)
    Credentials in Registry (1)
Downloads

The export lists only sizes and hashes for these files; their names and on-disk paths are not given, so which entry is tor-real.exe, its DLLs or torrc.txt cannot be read off this page.

Filesize 2.7MB
  MD5    dac4c15a1e66c0588ccfeb3cb4f21725
  SHA1   cfa28f79b0e1cbb0f23925d68610628cd33e5ea0
  SHA256 9521221a71778d25fec446584d3093ac9bc0851cfab0d9e7b3b7facaf0b3a148
  SHA512 3d8935230f63ba9eaf3608c1c62f4bf3978180352080dcdc13c75622294ed9f86933dedf7c2cd9b91419f99e9f86eccac98d8fef961bc85b7bc77fc04c6e8bbb

Filesize 5.6MB
  MD5    a45aaf7a1d1006ac3a02da4b50c12194
  SHA1   68cba3e318d9ecc4cb996c920e391acc3aa59fea
  SHA256 7612b2a5e7798a7d17f0d130ad5b08e87650af20a7d88c1d6d2ba71f7d4a0581
  SHA512 5e3070667369a1018ccaa7cffa2a673f43ea6fdddd8ae292bd10a85bb4d1f797bc8896c70d2fa86ecddec93ec51b57cc6ddee43ad8462be035986cdbef5ae70a

Filesize 64B
  MD5    e54ec1ae28b37b650384d7a43f9fcd4f
  SHA1   2298cf9c400a3621a898083744cfd1193e1a8c54
  SHA256 f3509118b2d370ded110eab66462e400c509f5fd79f0e4c18be84d6a2150324b
  SHA512 37bb1b259af926aea8593fa8f4b7ff6d8e9b99db59176644e9b20a5ba370d74e64c9a252feb5d9979a890c27b1e50f58b24e7af2fa2221327b1044aadd5508c5

Filesize 3.5MB
  MD5    6d48d76a4d1c9b0ff49680349c4d28ae
  SHA1   1bb3666c16e11eff8f9c3213b20629f02d6a66cb
  SHA256 3f08728c7a67e4998fbdc7a7cb556d8158efdcdaf0acf75b7789dccace55662d
  SHA512 09a4fd7b37cf52f6a0c3bb0a7517e2d2439f4af8e03130aed3296d7448585ea5e3c0892e1e1202f658ef2d083ce13c436779e202c39620a70a17b026705c65c9

Filesize 1.1MB
  MD5    a3bf8e33948d94d490d4613441685eee
  SHA1   75ed7f6e2855a497f45b15270c3ad4aed6ad02e2
  SHA256 91c812a33871e40b264761f1418e37ebfeb750fe61ca00cbcbe9f3769a8bf585
  SHA512 c20ef2efcacb5f8c7e2464de7fde68bf610ab2e0608ff4daed9bf676996375db99bee7e3f26c5bd6cca63f9b2d889ed5460ec25004130887cd1a90b892be2b28

Filesize 1.0MB
  MD5    bd40ff3d0ce8d338a1fe4501cd8e9a09
  SHA1   3aae8c33bf0ec9adf5fbf8a361445969de409b49
  SHA256 ebda776a2a353f8f0690b1c7706b0cdaff3d23e1618515d45e451fc19440501c
  SHA512 404fb3c107006b832b8e900f6e27873324cd0a7946cdccf4ffeea365a725892d929e8b160379af9782bcd6cfeb4c3c805740e21280b42bb2ce8f39f26792e5a1

Filesize 1.1MB
  MD5    945d225539becc01fbca32e9ff6464f0
  SHA1   a614eb470defeab01317a73380f44db669100406
  SHA256 c697434857a039bf27238c105be0487a0c6c611dd36cb1587c3c6b3bf582718a
  SHA512 409f8f1e6d683a3cbe7954bce37013316dee086cdbd7ecda88acb5d94031cff6166a93b641875116327151823cce747bcf254c0185e0770e2b74b7c5e067bc4a

Filesize 246KB
  MD5    b77328da7cead5f4623748a70727860d
  SHA1   13b33722c55cca14025b90060e3227db57bf5327
  SHA256 46541d9e28c18bc11267630920b97c42f104c258b55e2f62e4a02bcd5f03e0e7
  SHA512 2f1bd13357078454203092ed5ddc23a8baa5e64202fba1e4f98eacf1c3c184616e527468a96ff36d98b9324426dddfa20b62b38cf95c6f5c0dc32513ebace9e2

Filesize 512KB
  MD5    19d7cc4377f3c09d97c6da06fbabc7dc
  SHA1   3a3ba8f397fb95ed5df22896b2c53a326662fcc9
  SHA256 228fcfe9ed0574b8da32dd26eaf2f5dbaef0e1bd2535cb9b1635212ccdcbf84d
  SHA512 23711285352cdec6815b5dd6e295ec50568fab7614706bc8d5328a4a0b62991c54b16126ed9e522471d2367b6f32fa35feb41bfa77b3402680d9a69f53962a4a

Filesize 4.0MB
  MD5    07244a2c002ffdf1986b454429eace0b
  SHA1   d7cd121caac2f5989aa68a052f638f82d4566328
  SHA256 e9522e6912a0124c0a8c9ff9bb3712b474971376a4eb4ca614bb1664a2b4abcf
  SHA512 4a09db85202723a73703c5926921fef60c3dddae21528a01936987306c5e7937463f94a2f4a922811de1f76621def2a8a597a8b38a719dd24e6ff3d4e07492ca

Filesize 226B
  MD5    950c6dd3845ac4c8dee7f408e3aaa0bc
  SHA1   82838d154c73b8a6dd63d9ef137bda00c70ec68b
  SHA256 0e71bed02033967e5b4a0f623a1764ebd8aff8f56bb7f1f86e0aabd6d2dac229
  SHA512 58a1842b83d973f3b7b6aae8e864c0e49f34eefbcc42dc53193df75e0dc5c854f8c4201f6afd8a4eeea350b9b737264d5290679ca12143b1c17096c5517021ed

Filesize 121KB
  MD5    6f98da9e33cd6f3dd60950413d3638ac
  SHA1   e630bdf8cebc165aa81464ff20c1d55272d05675
  SHA256 219d9d5bf0de4c2251439c89dd5f2959ee582e7f9f7d5ff66a29c88753a3a773
  SHA512 2983faaf7f47a8f79a38122aa617e65e7deddd19ba9a98b62acf17b48e5308099b852f21aaf8ca6fe11e2cc76c36eed7ffa3307877d4e67b1659fe6e4475205c