Analysis

  • max time kernel
    120s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    05/11/2024, 20:48

General

  • Target

    3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe

  • Size

    126KB

  • MD5

    052760d6853b1951bdfa2135830ef310

  • SHA1

    d3f21fa13cd9da82fb11bdf8aae06e388d2f99e0

  • SHA256

    3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3

  • SHA512

    6d7af5743b1092b1fb6d001a061564d9001c554acc8d1c95346a4fb71597aebf4a94b3e31010311f4da72398415e47aaf4b50596dca6726f3eef40e389e6e926

  • SSDEEP

    1536:i1qcQMheJwmb0LM9vXBhracIDV4mjRLozHSzDLpPL2SornNwlKaYYgpphPVeOg/n:k9hY0wYr2bS/LfoxwlKaovVkqW9f

Malware Config

Signatures

  • Modifies firewall policy service 3 TTPs 2 IoCs
  • Adds policy Run key to start application 2 TTPs 4 IoCs
  • Sets service image path in registry 2 TTPs 1 IoCs
  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 14 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Modifies registry class 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe
    "C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe"
    1⤵
    • Modifies firewall policy service
    • Adds policy Run key to start application
    • Sets service image path in registry
    • Adds Run key to start application
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of FindShellTrayWindow
    PID:2096

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Windows\msrpc.exe

          Filesize

          126KB

          MD5

          9a7abf0b50b262dd799886182413d037

          SHA1

          7fce224e02e6df3d774f3040110ed53a8afd8fa7

          SHA256

          daba259cbc55db97e8bcc01848310c02ab44ec34d34db4bab3db5eda96f2456a

          SHA512

          9e1ed7abb6e9722c0518ccca2c86b73e03b7a15e808623193078a0cf8ef8502a36faea101f0335e1f2d54252d5707301d43cd98808f2836f4999a879b6356191

        • memory/2096-0-0x0000000000400000-0x0000000000425000-memory.dmp

          Filesize

          148KB

        • memory/2096-17-0x0000000000400000-0x0000000000425000-memory.dmp

          Filesize

          148KB

        • memory/2096-22-0x0000000000400000-0x0000000000425000-memory.dmp

          Filesize

          148KB

        • memory/2096-24-0x0000000000400000-0x0000000000425000-memory.dmp

          Filesize

          148KB

        • memory/2096-25-0x0000000000400000-0x0000000000425000-memory.dmp

          Filesize

          148KB

        • memory/2096-26-0x0000000000400000-0x0000000000425000-memory.dmp

          Filesize

          148KB

        • memory/2096-27-0x0000000000400000-0x0000000000425000-memory.dmp

          Filesize

          148KB