Analysis

max time kernel: 119s
max time network: 120s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 05/11/2024, 11:36
Static task: static1

Behavioral task: behavioral1
  Sample: 712d3c23cb7fc3bab8cd48e4c0ed64190c38efcfa95d0514be8ec1661ae732e1N.exe
  Resource: win7-20240903-en

Behavioral task: behavioral2
  Sample: 712d3c23cb7fc3bab8cd48e4c0ed64190c38efcfa95d0514be8ec1661ae732e1N.exe
  Resource: win10v2004-20241007-en
General

Target: 712d3c23cb7fc3bab8cd48e4c0ed64190c38efcfa95d0514be8ec1661ae732e1N.exe
Size: 376KB
MD5: 7eda0c1fc67c5ead8bcd2ce416e32f80
SHA1: 95ac24f1d0117b95b0dc2576d718b972b03349b0
SHA256: 712d3c23cb7fc3bab8cd48e4c0ed64190c38efcfa95d0514be8ec1661ae732e1
SHA512: 15b0e2815f15b950c012a48c3a09fe024432a4048be0cda124bd64a331d863af435a6caabfbada8c3d294a13dd71415505dd1b93d3a6c785b2afdc713dfe6974
SSDEEP: 6144:0/rdtbLPUgwRPx2eNAvC2EeHMulFGg+0LgMxU/EwGJkxYlyX7ywBASWnQdFydgif:0/LzUDVx9NASkWRMSGJ6XuuVWQdFag53
Malware Config
Signatures
Executes dropped EXE (1 IoC)
pid | Process
2708 | 712d3c23cb7fc3bab8cd48e4c0ed64190c38efcfa95d0514be8ec1661ae732e1N.exe

Loads dropped DLL (2 IoCs)
pid | Process
2148 | 712d3c23cb7fc3bab8cd48e4c0ed64190c38efcfa95d0514be8ec1661ae732e1N.exe
2148 | 712d3c23cb7fc3bab8cd48e4c0ed64190c38efcfa95d0514be8ec1661ae732e1N.exe

Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Reads local data of messenger clients (2 TTPs)
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.

Unsecured Credentials: Credentials In Files (1 TTP)
Steals credentials from unsecured files.

Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
PID 2148 set thread context of 2708 | 2148 | 712d3c23cb7fc3bab8cd48e4c0ed64190c38efcfa95d0514be8ec1661ae732e1N.exe | 34

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 712d3c23cb7fc3bab8cd48e4c0ed64190c38efcfa95d0514be8ec1661ae732e1N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | csc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cvtres.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 712d3c23cb7fc3bab8cd48e4c0ed64190c38efcfa95d0514be8ec1661ae732e1N.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
description | pid | Process
Token: SeDebugPrivilege | 2148 | 712d3c23cb7fc3bab8cd48e4c0ed64190c38efcfa95d0514be8ec1661ae732e1N.exe

Suspicious use of WriteProcessMemory (18 IoCs)
description | pid | Process | procid_target
PID 2148 wrote to memory of 2812 | 2148 | 712d3c23cb7fc3bab8cd48e4c0ed64190c38efcfa95d0514be8ec1661ae732e1N.exe | 31
PID 2148 wrote to memory of 2812 | 2148 | 712d3c23cb7fc3bab8cd48e4c0ed64190c38efcfa95d0514be8ec1661ae732e1N.exe | 31
PID 2148 wrote to memory of 2812 | 2148 | 712d3c23cb7fc3bab8cd48e4c0ed64190c38efcfa95d0514be8ec1661ae732e1N.exe | 31
PID 2148 wrote to memory of 2812 | 2148 | 712d3c23cb7fc3bab8cd48e4c0ed64190c38efcfa95d0514be8ec1661ae732e1N.exe | 31
PID 2812 wrote to memory of 2736 | 2812 | csc.exe | 33
PID 2812 wrote to memory of 2736 | 2812 | csc.exe | 33
PID 2812 wrote to memory of 2736 | 2812 | csc.exe | 33
PID 2812 wrote to memory of 2736 | 2812 | csc.exe | 33
PID 2148 wrote to memory of 2708 | 2148 | 712d3c23cb7fc3bab8cd48e4c0ed64190c38efcfa95d0514be8ec1661ae732e1N.exe | 34
PID 2148 wrote to memory of 2708 | 2148 | 712d3c23cb7fc3bab8cd48e4c0ed64190c38efcfa95d0514be8ec1661ae732e1N.exe | 34
PID 2148 wrote to memory of 2708 | 2148 | 712d3c23cb7fc3bab8cd48e4c0ed64190c38efcfa95d0514be8ec1661ae732e1N.exe | 34
PID 2148 wrote to memory of 2708 | 2148 | 712d3c23cb7fc3bab8cd48e4c0ed64190c38efcfa95d0514be8ec1661ae732e1N.exe | 34
PID 2148 wrote to memory of 2708 | 2148 | 712d3c23cb7fc3bab8cd48e4c0ed64190c38efcfa95d0514be8ec1661ae732e1N.exe | 34
PID 2148 wrote to memory of 2708 | 2148 | 712d3c23cb7fc3bab8cd48e4c0ed64190c38efcfa95d0514be8ec1661ae732e1N.exe | 34
PID 2148 wrote to memory of 2708 | 2148 | 712d3c23cb7fc3bab8cd48e4c0ed64190c38efcfa95d0514be8ec1661ae732e1N.exe | 34
PID 2148 wrote to memory of 2708 | 2148 | 712d3c23cb7fc3bab8cd48e4c0ed64190c38efcfa95d0514be8ec1661ae732e1N.exe | 34
PID 2148 wrote to memory of 2708 | 2148 | 712d3c23cb7fc3bab8cd48e4c0ed64190c38efcfa95d0514be8ec1661ae732e1N.exe | 34
PID 2148 wrote to memory of 2708 | 2148 | 712d3c23cb7fc3bab8cd48e4c0ed64190c38efcfa95d0514be8ec1661ae732e1N.exe | 34
Processes

Process tree (indentation shows parent/child relationship):

C:\Users\Admin\AppData\Local\Temp\712d3c23cb7fc3bab8cd48e4c0ed64190c38efcfa95d0514be8ec1661ae732e1N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\712d3c23cb7fc3bab8cd48e4c0ed64190c38efcfa95d0514be8ec1661ae732e1N.exe"
  PID: 2148
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yzmrcd2q.cmdline"
      PID: 2812
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
          Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEE27.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCEE26.tmp"
          PID: 2736
          - System Location Discovery: System Language Discovery

    C:\Users\Admin\AppData\Roaming\712d3c23cb7fc3bab8cd48e4c0ed64190c38efcfa95d0514be8ec1661ae732e1N.exe
      Command line: C:\Users\Admin\AppData\Roaming\712d3c23cb7fc3bab8cd48e4c0ed64190c38efcfa95d0514be8ec1661ae732e1N.exe
      PID: 2708
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: 82f625436ab88e3c2cf806b48bdd1378
  SHA1: bb886e580652e79864791e3aa341b981ad6cc8a3
  SHA256: 91b10e96bca90011c2333bf916f226c464c8e9923996b878297886569c8ed32f
  SHA512: d2fee939d159d2ec329ef1a9d2c58c963fd8770fb0270f1a7af72bf125b6a553d5e19d7b2d168d409cc6619ab8fd8edd375331eebbba5b053c403d1f7e44d969

- Filesize: 5KB
  MD5: 0e27754d04f04cd13d09fe7103dc2112
  SHA1: 30c59081743c7c52e4eb7b3deeb65d94e53a3995
  SHA256: aa03af7a753d24c102ee8e9130a3b6b3800b2652d30faf74637d0c32d832eb5d
  SHA512: d3ed5460ab67b43fd08a8003d73a0cc493cbb00dd17c981bc42d4e0d094538a6d2d52fecbf3afa7bdf0bdee9028ba6ba6bc7bc67c7678f8347a579b9006aa0dc

- C:\Users\Admin\AppData\Roaming\712d3c23cb7fc3bab8cd48e4c0ed64190c38efcfa95d0514be8ec1661ae732e1N.exe
  Filesize: 6KB
  MD5: d89fdbb4172cee2b2f41033e62c677d6
  SHA1: c1917b579551f0915f1a0a8e8e3c7a6809284e6b
  SHA256: 2cbdc0ddc7901a9b89615cc338f63e1800f864db431e7a7a85749f73cba0b383
  SHA512: 48941f08ae00d342b52e3255b99ce36abb4e46a48075a760869bc86b1a32c0737eb2bd5e43d5ee665303ab134282f9732738755c4027043ed2d4f414faab63ed

- Filesize: 652B
  MD5: 6a9043f0d3023726547aea3bcb95e374
  SHA1: da9c8c71dfb9d0c53cc879142de89adf4971a825
  SHA256: 4dacb2898bcfdb22a24f8a2b75bc6a9d53c34fa4cb9d1fd94d34746420b1ede0
  SHA512: 8af9e0e74e1478a1a605c324f2e38f3c00e3fe6bf7525f5ed62515676b8c3367f2c0f60050c977606204d425b60e44bf5c25fbb20d2269d2529e47561607b10d

- Filesize: 5KB
  MD5: cb25540570735d26bf391e8b54579396
  SHA1: 135651d49409214d21348bb879f7973384a7a8cb
  SHA256: 922ec415710a6e1465ed8553838ddf19c8deb32b75da6dfaca372c1067d2d743
  SHA512: 553ce9d3647b196ccbd6612c06d301afac992130ec5c80fe8fa8a42bab4250053fad651227ff97d9fab4ba8aaff562d421236dc0b2b5d0d4a17430985dd07080

- Filesize: 206B
  MD5: fac0cee2f983bc3d8218c914544cc64c
  SHA1: ce6a6e4069202b2d663503263650fe7badfb8c12
  SHA256: fd95f0b290b24697ba06056a359626fd71acbebd7aff6aeeae07f2d75b05ea63
  SHA512: 87379d3d688c850a866eac867b31d723318b4d1b8129dae9761261b4363935bb4889caa4dc96dd2b977d856ae52bf6da9e652b42179e5fd0e8d34bc3ca848616