Malware Analysis Report

2024-12-07 19:04

Sample ID: 241114-bjdjqs1phy
Target: a472cf17fc774b404d3330583df139bf98443e215e780dc6356e8c907e451b18
SHA256: a472cf17fc774b404d3330583df139bf98443e215e780dc6356e8c907e451b18
Tags: credential_access discovery persistence spyware stealer
Score: 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 7/10
SHA256: a472cf17fc774b404d3330583df139bf98443e215e780dc6356e8c907e451b18

Threat Level: Shows suspicious behavior

The file a472cf17fc774b404d3330583df139bf98443e215e780dc6356e8c907e451b18 was classified as: Shows suspicious behavior.

Malicious Activity Summary

credential_access discovery persistence spyware stealer

Executes dropped EXE

Credentials from Password Stores: Windows Credential Manager

Reads user/profile data of web browsers

Adds Run key to start application

Drops file in Windows directory

System Location Discovery: System Language Discovery

Unsigned PE

Program crash

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-11-14 01:10

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-14 01:10
Reported: 2024-11-14 01:12
Platform: win7-20240903-en
Max time kernel: 117s
Max time network: 118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a472cf17fc774b404d3330583df139bf98443e215e780dc6356e8c907e451b18.exe"

Signatures

Credentials from Password Stores: Windows Credential Manager

credential_access stealer

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\outlook.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System = "C:\\Windows\\sys32.exe" C:\Users\Admin\AppData\Local\Temp\a472cf17fc774b404d3330583df139bf98443e215e780dc6356e8c907e451b18.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\sys32.exe C:\Users\Admin\AppData\Local\Temp\a472cf17fc774b404d3330583df139bf98443e215e780dc6356e8c907e451b18.exe N/A
File created C:\Windows\outlook.exe C:\Users\Admin\AppData\Local\Temp\a472cf17fc774b404d3330583df139bf98443e215e780dc6356e8c907e451b18.exe N/A
File opened for modification C:\Windows\outlook.exe C:\Users\Admin\AppData\Local\Temp\a472cf17fc774b404d3330583df139bf98443e215e780dc6356e8c907e451b18.exe N/A
File opened for modification C:\Windows\sys32.exe C:\Users\Admin\AppData\Local\Temp\a472cf17fc774b404d3330583df139bf98443e215e780dc6356e8c907e451b18.exe N/A
File opened for modification C:\Windows\outlook.cfg C:\Windows\outlook.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\outlook.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a472cf17fc774b404d3330583df139bf98443e215e780dc6356e8c907e451b18.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a472cf17fc774b404d3330583df139bf98443e215e780dc6356e8c907e451b18.exe
    "C:\Users\Admin\AppData\Local\Temp\a472cf17fc774b404d3330583df139bf98443e215e780dc6356e8c907e451b18.exe"

C:\Windows\outlook.exe
    C:\Windows\outlook.exe

Network

Country  Destination          Domain                                      Proto
US       8.8.8.8:53           www.google.com                              udp
N/A      127.0.0.1:80         N/A                                         tcp
N/A      127.0.0.1:1434       N/A                                         tcp
N/A      127.0.0.1:1433       N/A                                         tcp
US       8.8.8.8:53           N/A                                         tcp
US       8.8.8.8:53           N/A                                         tcp
US       8.8.8.8:53           N/A                                         tcp
US       8.8.8.8:53           N/A                                         tcp
US       8.8.8.8:53           N/A                                         tcp
US       8.8.8.8:53           N/A                                         tcp
US       8.8.8.8:53           N/A                                         tcp
US       8.8.8.8:53           smtp.google.com                             udp
US       8.8.8.8:53           aspmx3.googlemail.com                       udp
US       8.8.8.8:53           aspmx3.googlemail.com                       udp
GB       64.233.166.27:25     smtp.google.com                             tcp
DE       142.251.9.26:25      aspmx3.googlemail.com                       tcp
DE       142.251.9.26:25      aspmx3.googlemail.com                       tcp
US       8.8.8.8:53           N/A                                         tcp
US       8.8.8.8:53           N/A                                         tcp
US       8.8.8.8:53           N/A                                         tcp
US       8.8.8.8:53           N/A                                         tcp
US       8.8.8.8:53           thawte-com.mail.protection.outlook.com      udp
US       8.8.8.8:53           thawte-com.mail.protection.outlook.com      udp
US       8.8.8.8:53           thawte-com.mail.protection.outlook.com      udp
US       52.101.9.14:25       thawte-com.mail.protection.outlook.com      tcp
US       52.101.9.17:25       thawte-com.mail.protection.outlook.com      tcp
US       52.101.194.0:25      thawte-com.mail.protection.outlook.com      tcp
US       8.8.8.8:53           N/A                                         tcp
US       8.8.8.8:53           N/A                                         tcp
US       8.8.8.8:53           N/A                                         tcp
US       8.8.8.8:53           N/A                                         tcp
US       8.8.8.8:53           N/A                                         tcp
US       8.8.8.8:53           N/A                                         tcp
DE       142.251.9.26:25      aspmx3.googlemail.com                       tcp
US       8.8.8.8:53           N/A                                         tcp
US       8.8.8.8:53           N/A                                         tcp
US       8.8.8.8:53           N/A                                         tcp
DE       142.251.9.26:25      aspmx3.googlemail.com                       tcp
DE       142.251.9.26:25      aspmx3.googlemail.com                       tcp
DE       142.251.9.26:25      aspmx3.googlemail.com                       tcp
US       8.8.8.8:53           N/A                                         tcp
US       8.8.8.8:53           N/A                                         tcp
US       8.8.8.8:53           N/A                                         tcp
US       8.8.8.8:53           N/A                                         tcp
US       8.8.8.8:53           N/A                                         tcp
US       8.8.8.8:53           N/A                                         tcp
US       8.8.8.8:53           natalya.videolan.org                        udp
FR       213.36.253.119:25    natalya.videolan.org                        tcp
US       8.8.8.8:53           N/A                                         tcp
US       8.8.8.8:53           N/A                                         tcp
US       8.8.8.8:53           mx-in-vib.apple.com                         udp
DK       17.57.170.2:25       mx-in-vib.apple.com                         tcp
US       8.8.8.8:53           N/A                                         tcp
US       8.8.8.8:53           microsoft-com.mail.protection.outlook.com   udp
US       52.101.11.0:25       microsoft-com.mail.protection.outlook.com   tcp
US       8.8.8.8:53           N/A                                         tcp
US       8.8.8.8:53           adobe.mail.protection.outlook.com           udp
US       52.101.194.19:25     adobe.mail.protection.outlook.com           tcp

Files

memory/2980-0-0x0000000000400000-0x000000000040C000-memory.dmp

C:\Windows\outlook.exe

MD5 0e9379e357aba95f8b9883af9b67675e
SHA1 280a174a414e5b8588f42b6328af2c8c8ff4394f
SHA256 96b9c4ead67d03eb2c69103a983274e013e3466e80d8f95bd7cf3aea8be05b28
SHA512 6cc383806882729cd889b025802ac0d5e1c55a74b3e7d7c98932644e8802fe52b5b14a886eff70ab7deaa70fb60bb9898e55b5cd83b5b99e2a2d107dce367784

memory/2980-25-0x0000000000400000-0x000000000040C000-memory.dmp

memory/2748-46-0x0000000000400000-0x000000000047E000-memory.dmp

memory/2748-71-0x0000000000400000-0x000000000047E000-memory.dmp

memory/2748-88-0x0000000000400000-0x000000000047E000-memory.dmp

memory/2748-89-0x0000000000400000-0x000000000047E000-memory.dmp

memory/2748-90-0x0000000000400000-0x000000000047E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-11-14 01:10
Reported: 2024-11-14 01:12
Platform: win10v2004-20241007-en
Max time kernel: 93s
Max time network: 136s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a472cf17fc774b404d3330583df139bf98443e215e780dc6356e8c907e451b18.exe"

Signatures

Credentials from Password Stores: Windows Credential Manager

credential_access stealer

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\outlook.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System = "C:\\Windows\\sys32.exe" C:\Users\Admin\AppData\Local\Temp\a472cf17fc774b404d3330583df139bf98443e215e780dc6356e8c907e451b18.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\sys32.exe C:\Users\Admin\AppData\Local\Temp\a472cf17fc774b404d3330583df139bf98443e215e780dc6356e8c907e451b18.exe N/A
File created C:\Windows\outlook.exe C:\Users\Admin\AppData\Local\Temp\a472cf17fc774b404d3330583df139bf98443e215e780dc6356e8c907e451b18.exe N/A
File opened for modification C:\Windows\outlook.exe C:\Users\Admin\AppData\Local\Temp\a472cf17fc774b404d3330583df139bf98443e215e780dc6356e8c907e451b18.exe N/A
File opened for modification C:\Windows\sys32.exe C:\Users\Admin\AppData\Local\Temp\a472cf17fc774b404d3330583df139bf98443e215e780dc6356e8c907e451b18.exe N/A
File opened for modification C:\Windows\outlook.cfg C:\Windows\outlook.exe N/A
File created C:\Windows\crc32.cfg C:\Windows\outlook.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\outlook.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a472cf17fc774b404d3330583df139bf98443e215e780dc6356e8c907e451b18.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\outlook.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a472cf17fc774b404d3330583df139bf98443e215e780dc6356e8c907e451b18.exe
    "C:\Users\Admin\AppData\Local\Temp\a472cf17fc774b404d3330583df139bf98443e215e780dc6356e8c907e451b18.exe"

C:\Windows\outlook.exe
    C:\Windows\outlook.exe

C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1828 -ip 1828

C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1828 -s 38980

Network

Country  Destination          Domain                                      Proto
US       8.8.8.8:53           232.168.11.51.in-addr.arpa                  udp
US       8.8.8.8:53           73.159.190.20.in-addr.arpa                  udp
US       8.8.8.8:53           95.221.229.192.in-addr.arpa                 udp
US       8.8.8.8:53           www.google.com                              udp
N/A      127.0.0.1:80         N/A                                         tcp
N/A      127.0.0.1:1434       N/A                                         tcp
N/A      127.0.0.1:1433       N/A                                         tcp
US       8.8.8.8:53           N/A                                         tcp
US       8.8.8.8:53           N/A                                         tcp
US       8.8.8.8:53           N/A                                         tcp
US       8.8.8.8:53           N/A                                         tcp
US       8.8.8.8:53           N/A                                         tcp
US       8.8.8.8:53           N/A                                         tcp
US       8.8.8.8:53           N/A                                         tcp
US       8.8.8.8:53           aspmx3.googlemail.com                       udp
US       8.8.8.8:53           smtp.google.com                             udp
US       8.8.8.8:53           inbound-reply.s7.exacttarget.com            udp
DE       142.251.9.26:25      aspmx3.googlemail.com                       tcp
US       136.147.189.244:25   inbound-reply.s7.exacttarget.com            tcp
GB       64.233.166.27:25     smtp.google.com                             tcp
US       8.8.8.8:53           N/A                                         tcp
US       8.8.8.8:53           N/A                                         tcp
US       8.8.8.8:53           N/A                                         tcp
US       8.8.8.8:53           N/A                                         tcp
US       8.8.8.8:53           N/A                                         tcp
US       8.8.8.8:53           N/A                                         tcp
US       8.8.8.8:53           N/A                                         tcp
US       8.8.8.8:53           N/A                                         tcp
US       8.8.8.8:53           microsoft-com.mail.protection.outlook.com   udp
DE       142.251.9.26:25      aspmx3.googlemail.com                       tcp
US       52.101.11.0:25       microsoft-com.mail.protection.outlook.com   tcp
US       8.8.8.8:53           N/A                                         tcp
US       8.8.8.8:53           N/A                                         tcp
US       8.8.8.8:53           N/A                                         tcp
US       8.8.8.8:53           N/A                                         tcp
US       8.8.8.8:53           incoming-relays.illinois.edu                udp
US       8.8.8.8:53           nokia-com.mail.protection.outlook.com       udp
US       148.163.135.28:25    incoming-relays.illinois.edu                tcp
IE       52.101.68.39:25      nokia-com.mail.protection.outlook.com       tcp
US       8.8.8.8:53           197.87.175.4.in-addr.arpa                   udp
US       8.8.8.8:53           18.31.95.13.in-addr.arpa                    udp
US       8.8.8.8:53           134.130.81.91.in-addr.arpa                  udp
US       8.8.8.8:53           13.227.111.52.in-addr.arpa                  udp

Files

memory/4840-0-0x0000000000400000-0x000000000040C000-memory.dmp

C:\Windows\outlook.exe

MD5 0e9379e357aba95f8b9883af9b67675e
SHA1 280a174a414e5b8588f42b6328af2c8c8ff4394f
SHA256 96b9c4ead67d03eb2c69103a983274e013e3466e80d8f95bd7cf3aea8be05b28
SHA512 6cc383806882729cd889b025802ac0d5e1c55a74b3e7d7c98932644e8802fe52b5b14a886eff70ab7deaa70fb60bb9898e55b5cd83b5b99e2a2d107dce367784

C:\Windows\outlook.cfg

MD5 c19aad2e5b26747970fbe045bf6beba4
SHA1 7bbec1f5c6536fa159238746e23b9d703f155217
SHA256 3a232c9dfcaa3967bb58aeedfa7ac948b50f79457dc24ce5e26fe7d27accb4a5
SHA512 8be1a2b34277db2a47a51b25e1a23d94ba48fab98cbcc554b11e7f928c0c6b2e4b3fc8706e3ecd094bdb3d7bc51a2760a65e839e25ee84fb97d1de052962d1cd

memory/4840-25-0x0000000000400000-0x000000000040C000-memory.dmp

memory/1828-106-0x0000000000400000-0x000000000047E000-memory.dmp

C:\Windows\outlook.cfg

MD5 7c48c983a5c7d86790d82122cbda5803
SHA1 946483f6245f5f811b173c178daa32c98919cffe
SHA256 f8fd20d1d47f3e189862451105beeda378ab03d84c44ef0251e965f11893c612
SHA512 a0b6082af2bfac351c4bd294e91f43b0fadc4858d347fd39eb105a8b2165c54b874640fcc3eb2c6b4c67cb0c82e441352c96e2e7801cab40fea51e66d0159219

memory/1828-132-0x0000000000400000-0x000000000047E000-memory.dmp