Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    05/11/2024, 11:36

General

  • Target

    712d3c23cb7fc3bab8cd48e4c0ed64190c38efcfa95d0514be8ec1661ae732e1N.exe

  • Size

    376KB

  • MD5

    7eda0c1fc67c5ead8bcd2ce416e32f80

  • SHA1

    95ac24f1d0117b95b0dc2576d718b972b03349b0

  • SHA256

    712d3c23cb7fc3bab8cd48e4c0ed64190c38efcfa95d0514be8ec1661ae732e1

  • SHA512

    15b0e2815f15b950c012a48c3a09fe024432a4048be0cda124bd64a331d863af435a6caabfbada8c3d294a13dd71415505dd1b93d3a6c785b2afdc713dfe6974

  • SSDEEP

    6144:0/rdtbLPUgwRPx2eNAvC2EeHMulFGg+0LgMxU/EwGJkxYlyX7ywBASWnQdFydgif:0/LzUDVx9NASkWRMSGJ6XuuVWQdFag53

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads local data of messenger clients 2 TTPs

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steals credentials from unsecured files.

  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\712d3c23cb7fc3bab8cd48e4c0ed64190c38efcfa95d0514be8ec1661ae732e1N.exe
    "C:\Users\Admin\AppData\Local\Temp\712d3c23cb7fc3bab8cd48e4c0ed64190c38efcfa95d0514be8ec1661ae732e1N.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2148
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yzmrcd2q.cmdline"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2812
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEE27.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCEE26.tmp"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2736
    • C:\Users\Admin\AppData\Roaming\712d3c23cb7fc3bab8cd48e4c0ed64190c38efcfa95d0514be8ec1661ae732e1N.exe
      C:\Users\Admin\AppData\Roaming\712d3c23cb7fc3bab8cd48e4c0ed64190c38efcfa95d0514be8ec1661ae732e1N.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2708

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\RESEE27.tmp

          Filesize

          1KB

          MD5

          82f625436ab88e3c2cf806b48bdd1378

          SHA1

          bb886e580652e79864791e3aa341b981ad6cc8a3

          SHA256

          91b10e96bca90011c2333bf916f226c464c8e9923996b878297886569c8ed32f

          SHA512

          d2fee939d159d2ec329ef1a9d2c58c963fd8770fb0270f1a7af72bf125b6a553d5e19d7b2d168d409cc6619ab8fd8edd375331eebbba5b053c403d1f7e44d969

        • C:\Users\Admin\AppData\Local\Temp\yzmrcd2q.dll

          Filesize

          5KB

          MD5

          0e27754d04f04cd13d09fe7103dc2112

          SHA1

          30c59081743c7c52e4eb7b3deeb65d94e53a3995

          SHA256

          aa03af7a753d24c102ee8e9130a3b6b3800b2652d30faf74637d0c32d832eb5d

          SHA512

          d3ed5460ab67b43fd08a8003d73a0cc493cbb00dd17c981bc42d4e0d094538a6d2d52fecbf3afa7bdf0bdee9028ba6ba6bc7bc67c7678f8347a579b9006aa0dc

        • C:\Users\Admin\AppData\Roaming\712d3c23cb7fc3bab8cd48e4c0ed64190c38efcfa95d0514be8ec1661ae732e1N.exe

          Filesize

          6KB

          MD5

          d89fdbb4172cee2b2f41033e62c677d6

          SHA1

          c1917b579551f0915f1a0a8e8e3c7a6809284e6b

          SHA256

          2cbdc0ddc7901a9b89615cc338f63e1800f864db431e7a7a85749f73cba0b383

          SHA512

          48941f08ae00d342b52e3255b99ce36abb4e46a48075a760869bc86b1a32c0737eb2bd5e43d5ee665303ab134282f9732738755c4027043ed2d4f414faab63ed

        • \??\c:\Users\Admin\AppData\Local\Temp\CSCEE26.tmp

          Filesize

          652B

          MD5

          6a9043f0d3023726547aea3bcb95e374

          SHA1

          da9c8c71dfb9d0c53cc879142de89adf4971a825

          SHA256

          4dacb2898bcfdb22a24f8a2b75bc6a9d53c34fa4cb9d1fd94d34746420b1ede0

          SHA512

          8af9e0e74e1478a1a605c324f2e38f3c00e3fe6bf7525f5ed62515676b8c3367f2c0f60050c977606204d425b60e44bf5c25fbb20d2269d2529e47561607b10d

        • \??\c:\Users\Admin\AppData\Local\Temp\yzmrcd2q.0.cs

          Filesize

          5KB

          MD5

          cb25540570735d26bf391e8b54579396

          SHA1

          135651d49409214d21348bb879f7973384a7a8cb

          SHA256

          922ec415710a6e1465ed8553838ddf19c8deb32b75da6dfaca372c1067d2d743

          SHA512

          553ce9d3647b196ccbd6612c06d301afac992130ec5c80fe8fa8a42bab4250053fad651227ff97d9fab4ba8aaff562d421236dc0b2b5d0d4a17430985dd07080

        • \??\c:\Users\Admin\AppData\Local\Temp\yzmrcd2q.cmdline

          Filesize

          206B

          MD5

          fac0cee2f983bc3d8218c914544cc64c

          SHA1

          ce6a6e4069202b2d663503263650fe7badfb8c12

          SHA256

          fd95f0b290b24697ba06056a359626fd71acbebd7aff6aeeae07f2d75b05ea63

          SHA512

          87379d3d688c850a866eac867b31d723318b4d1b8129dae9761261b4363935bb4889caa4dc96dd2b977d856ae52bf6da9e652b42179e5fd0e8d34bc3ca848616

        • memory/2148-1-0x0000000074D60000-0x000000007530B000-memory.dmp

          Filesize

          5.7MB

        • memory/2148-2-0x0000000074D60000-0x000000007530B000-memory.dmp

          Filesize

          5.7MB

        • memory/2148-39-0x0000000074D60000-0x000000007530B000-memory.dmp

          Filesize

          5.7MB

        • memory/2148-0-0x0000000074D61000-0x0000000074D62000-memory.dmp

          Filesize

          4KB

        • memory/2708-32-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

          Filesize

          4KB

        • memory/2708-25-0x0000000000400000-0x0000000000457000-memory.dmp

          Filesize

          348KB

        • memory/2708-38-0x0000000000400000-0x0000000000457000-memory.dmp

          Filesize

          348KB

        • memory/2708-37-0x0000000000400000-0x0000000000457000-memory.dmp

          Filesize

          348KB

        • memory/2708-34-0x0000000000400000-0x0000000000457000-memory.dmp

          Filesize

          348KB

        • memory/2708-31-0x0000000000400000-0x0000000000457000-memory.dmp

          Filesize

          348KB

        • memory/2708-30-0x0000000000400000-0x0000000000457000-memory.dmp

          Filesize

          348KB

        • memory/2708-29-0x0000000000400000-0x0000000000457000-memory.dmp

          Filesize

          348KB

        • memory/2708-27-0x0000000000400000-0x0000000000457000-memory.dmp

          Filesize

          348KB

        • memory/2708-42-0x0000000000400000-0x0000000000457000-memory.dmp

          Filesize

          348KB

        • memory/2812-15-0x0000000074D60000-0x000000007530B000-memory.dmp

          Filesize

          5.7MB

        • memory/2812-8-0x0000000074D60000-0x000000007530B000-memory.dmp

          Filesize

          5.7MB