Resubmissions
14-11-2024 20:16
241114-y17kgasjcy 814-11-2024 20:16
241114-y16yyasjcx 814-11-2024 20:16
241114-y16ceawlep 814-11-2024 20:16
241114-y152mswlen 814-11-2024 20:16
241114-y15qwawlem 814-11-2024 20:16
241114-y15e4sseql 814-11-2024 20:16
241114-y145cawlel 814-11-2024 20:16
241114-y14tkssjcv 814-11-2024 20:01
241114-yrs1qasemc 8General
-
Target
https://cdn.discordapp.com/attachments/1305353924756377623/1306340439401566318/extractmytoken.exe?ex=6737a157&is=67364fd7&hm=6aa355a095dc6f35d65d99f149cd7c4ce3ddaae62a6340f21503a2e25f794695&
-
Sample
241114-y15e4sseql
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://cdn.discordapp.com/attachments/1305353924756377623/1306340439401566318/extractmytoken.exe?ex=6737a157&is=67364fd7&hm=6aa355a095dc6f35d65d99f149cd7c4ce3ddaae62a6340f21503a2e25f794695&
Resource
win10v2004-20241007-en
Malware Config
Targets
-
-
Target
https://cdn.discordapp.com/attachments/1305353924756377623/1306340439401566318/extractmytoken.exe?ex=6737a157&is=67364fd7&hm=6aa355a095dc6f35d65d99f149cd7c4ce3ddaae62a6340f21503a2e25f794695&
-
Downloads MZ/PE file
-
Credentials from Password Stores: Windows Credential Manager
Suspicious access to Credentials History.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Credential Access
Credentials from Password Stores
2Credentials from Web Browsers
1Windows Credential Manager
1Unsecured Credentials
1Credentials In Files
1