Analysis

  • max time kernel
    120s
  • max time network
    109s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05/11/2024, 20:48

General

  • Target

    3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe

  • Size

    126KB

  • MD5

    052760d6853b1951bdfa2135830ef310

  • SHA1

    d3f21fa13cd9da82fb11bdf8aae06e388d2f99e0

  • SHA256

    3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3

  • SHA512

    6d7af5743b1092b1fb6d001a061564d9001c554acc8d1c95346a4fb71597aebf4a94b3e31010311f4da72398415e47aaf4b50596dca6726f3eef40e389e6e926

  • SSDEEP

    1536:i1qcQMheJwmb0LM9vXBhracIDV4mjRLozHSzDLpPL2SornNwlKaYYgpphPVeOg/n:k9hY0wYr2bS/LfoxwlKaovVkqW9f

Malware Config

Signatures

  • Modifies firewall policy service 3 TTPs 4 IoCs
  • Adds policy Run key to start application 2 TTPs 4 IoCs
  • Sets service image path in registry 2 TTPs 1 IoCs
  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 14 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe
    "C:\Users\Admin\AppData\Local\Temp\3de76f40f5f09bbfac7d73d099dfec5508c507c67723b3b5dcc87b3246358fb3N.exe"
    1⤵
    • Modifies firewall policy service
    • Adds policy Run key to start application
    • Sets service image path in registry
    • Adds Run key to start application
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of FindShellTrayWindow
    PID:4068

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Windows\msrpc.exe

          Filesize

          127KB

          MD5

          25e6fc4beb10cd7ebc3bddc9af889b9f

          SHA1

          68bb24ba14860d2540a8bbdcb15e97a924fb102d

          SHA256

          ab1cd7f403714010f5540fabdfdb43835def2d6463141173c76b602d8d1e73ea

          SHA512

          a8fdfbd9363e372341c04e776e5180e3abbb652172145ef4a265c52f93efc71ec40c18f0376e33e0e7079d4e0d3986693914bbf13252340d6e135e56f70a53c3

        • memory/4068-0-0x0000000000400000-0x0000000000425000-memory.dmp

          Filesize

          148KB

        • memory/4068-17-0x0000000000400000-0x0000000000425000-memory.dmp

          Filesize

          148KB

        • memory/4068-21-0x0000000000400000-0x0000000000425000-memory.dmp

          Filesize

          148KB

        • memory/4068-26-0x0000000000400000-0x0000000000425000-memory.dmp

          Filesize

          148KB

        • memory/4068-27-0x0000000000400000-0x0000000000425000-memory.dmp

          Filesize

          148KB

        • memory/4068-29-0x0000000000400000-0x0000000000425000-memory.dmp

          Filesize

          148KB

        • memory/4068-30-0x0000000000400000-0x0000000000425000-memory.dmp

          Filesize

          148KB