Analysis
- max time kernel: 119s
- max time network: 143s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 16/11/2024, 23:31
Static task: static1
Behavioral task: behavioral1
- Sample: be9412060a9d41f496e907a637096255fa848a8ecb4bb4b35043f2e71ca871f6.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: be9412060a9d41f496e907a637096255fa848a8ecb4bb4b35043f2e71ca871f6.exe
- Resource: win10v2004-20241007-en
General
- Target: be9412060a9d41f496e907a637096255fa848a8ecb4bb4b35043f2e71ca871f6.exe
- Size: 560KB
- MD5: 8d67009d0a7a4b5feb69b4d1e14df73c
- SHA1: e7e25fc3c7816bee6b094525a894e8a7c0b18848
- SHA256: be9412060a9d41f496e907a637096255fa848a8ecb4bb4b35043f2e71ca871f6
- SHA512: 987bf51639d9602c51ced91356f6f73e122c1693335c4c0b36608705008cd490a3d845560a14d39d2e3f2ce67fbf0870d226d5a32030fb258b8f2b455a1861c6
- SSDEEP: 12288:SCfiaVM5GHMoVZYL0VCFQYAAA22zQ5I/slShaMZucL7kp:SYiJ5kVZglAB22zQ56Lja
Malware Config
Signatures
(In the IoC lists below, "sample.exe" stands for be9412060a9d41f496e907a637096255fa848a8ecb4bb4b35043f2e71ca871f6.exe.)
- Command and Scripting Interpreter: PowerShell (1 TTP, 2 IoCs)
  Runs PowerShell (Add-MpPreference) to add Windows Defender exclusions. The cmdlet can exclude extensions, paths and processes; both invocations here add path exclusions, one for the running sample in %TEMP% and one for the copy it drops at C:\Users\Admin\AppData\Roaming\JIlApjvRxj.exe.
  - PID 2456 powershell.exe
  - PID 2928 powershell.exe
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers often target it.
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  All three keys are opened by the injected copy of the sample (PID 1080, see the process tree). 9375CFF0413111d3B88A00104B2A6676 is the subkey under which Outlook keeps per-account settings (servers, user names and stored passwords), which is why infostealers read it.
  - Key opened: \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (sample.exe)
  - Key opened: \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (sample.exe)
  - Key opened: \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (sample.exe)
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to learn the infected system's external IP address.
  - Flow 4: checkip.dyndns.org
- Suspicious use of SetThreadContext (1 IoC)
  - PID 2656 (sample.exe) set thread context of PID 1080 (procid_target 37)
  The parent sets the thread context of a child it spawned from its own image and had just written into (see WriteProcessMemory below): the process hollowing / RunPE pattern. PID 1080 is the process that then opens the Outlook profile keys.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
  Attempts to gather the victim host's system language in order to infer its geographical location. The same key is opened by the legitimate schtasks.exe and powershell.exe in this run, so on its own this is a weak indicator.
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (schtasks.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (sample.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (sample.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (powershell.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (powershell.exe)
- Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or for post-infection execution. Here the task Updates\JIlApjvRxj is registered from an XML definition in %TEMP% (tmpD662.tmp) and is named to match the dropped copy JIlApjvRxj.exe.
  - PID 1016 schtasks.exe
- Suspicious behavior: EnumeratesProcesses (19 IoCs)
  - PID 2656 sample.exe (16 entries)
  - PID 2456 powershell.exe
  - PID 2928 powershell.exe
  - PID 1080 sample.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  - Token: SeDebugPrivilege, PID 2656 sample.exe
  - Token: SeDebugPrivilege, PID 2456 powershell.exe
  - Token: SeDebugPrivilege, PID 2928 powershell.exe
  - Token: SeDebugPrivilege, PID 1080 sample.exe
- Suspicious use of WriteProcessMemory (25 IoCs)
  All writes originate from PID 2656 (sample.exe):
  - wrote to memory of PID 2456 (procid_target 30): 4 entries
  - wrote to memory of PID 2928 (procid_target 32): 4 entries
  - wrote to memory of PID 1016 (procid_target 34): 4 entries
  - wrote to memory of PID 1428 (procid_target 36): 4 entries
  - wrote to memory of PID 1080 (procid_target 37): 9 entries
  Every child receives the same four writes at creation; PID 1080, the SetThreadContext target, receives nine, the extra writes being consistent with the replaced image of a hollowed process.
- outlook_office_path (1 IoC)
  - Key opened: \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (sample.exe)
- outlook_win_path (1 IoC)
  - Key opened: \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (sample.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\be9412060a9d41f496e907a637096255fa848a8ecb4bb4b35043f2e71ca871f6.exe (PID 2656)
  Command line: "C:\Users\Admin\AppData\Local\Temp\be9412060a9d41f496e907a637096255fa848a8ecb4bb4b35043f2e71ca871f6.exe"
  Signatures: Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2456)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\be9412060a9d41f496e907a637096255fa848a8ecb4bb4b35043f2e71ca871f6.exe"
    Signatures: Command and Scripting Interpreter: PowerShell; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2928)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\JIlApjvRxj.exe"
    Signatures: Command and Scripting Interpreter: PowerShell; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\schtasks.exe (PID 1016)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JIlApjvRxj" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD662.tmp"
    Signatures: System Location Discovery: System Language Discovery; Scheduled Task/Job: Scheduled Task
  - C:\Users\Admin\AppData\Local\Temp\be9412060a9d41f496e907a637096255fa848a8ecb4bb4b35043f2e71ca871f6.exe (PID 1428)
    Command line: "C:\Users\Admin\AppData\Local\Temp\be9412060a9d41f496e907a637096255fa848a8ecb4bb4b35043f2e71ca871f6.exe"
    Signatures: none recorded
  - C:\Users\Admin\AppData\Local\Temp\be9412060a9d41f496e907a637096255fa848a8ecb4bb4b35043f2e71ca871f6.exe (PID 1080)
    Command line: "C:\Users\Admin\AppData\Local\Temp\be9412060a9d41f496e907a637096255fa848a8ecb4bb4b35043f2e71ca871f6.exe"
    Signatures: Accesses Microsoft Outlook profiles; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; outlook_office_path; outlook_win_path

Each child command line names a System32 binary, but the image that actually ran is the SysWOW64 copy: the sample is 32-bit (see the arch:x86 resource tag), so WOW64 file-system redirection resolved the paths to the 32-bit PowerShell and schtasks. PID 1428 is a second copy of the sample that left no recorded behaviour; PID 1080 is the copy that received the SetThreadContext call and went on to read the Outlook profile keys.
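The behaviours the Signatures and Processes sections record (Defender path exclusions added through Add-MpPreference, a scheduled task created from an XML file in %TEMP%, a parent setting the thread context of a child spawned from its own image, a non-mail process opening the Outlook profile key, and the checkip.dyndns.org lookup) expressed as detection logic and run over a constructed event stream that mirrors this report's process tree. This is an added example written for this page, not code from the sandbox or from the malware. The event schema (type, pid, ppid, image, cmdline, key, query) is a simplification assumed for the example rather than a real Sysmon or sandbox format, the benign OUTLOOK.EXE control event is constructed, and the IP-check hosts other than checkip.dyndns.org are our additions.

```python
"""Detection logic for the behaviours in this report, run over a constructed
event stream that mirrors the sandbox's process tree and IoCs (added example)."""
import re
from dataclasses import dataclass

# Paths exactly as the sandbox logged them.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\be9412060a9d41f496e907a637096255fa848a8ecb4bb4b35043f2e71ca871f6.exe")
DROPPED = r"C:\Users\Admin\AppData\Roaming\JIlApjvRxj.exe"
PS_IMAGE = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
PS_PREFIX = r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath '
OUTLOOK_KEY = (r"\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000"
               r"\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook"
               r"\9375CFF0413111d3B88A00104B2A6676")

# Constructed events. The schema (type/pid/ppid/image/cmdline/key/query) is an
# assumption made for this example, not a real Sysmon or sandbox format.
EVENTS = [
    {"type": "process", "pid": 2656, "ppid": 1, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"type": "process", "pid": 2456, "ppid": 2656, "image": PS_IMAGE,
     "cmdline": PS_PREFIX + f'"{SAMPLE}"'},
    {"type": "process", "pid": 2928, "ppid": 2656, "image": PS_IMAGE,
     "cmdline": PS_PREFIX + f'"{DROPPED}"'},
    {"type": "process", "pid": 1016, "ppid": 2656, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JIlApjvRxj"'
                r' /XML "C:\Users\Admin\AppData\Local\Temp\tmpD662.tmp"'},
    {"type": "process", "pid": 1428, "ppid": 2656, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"type": "process", "pid": 1080, "ppid": 2656, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"type": "set_thread_context", "pid": 2656, "target_pid": 1080},
    {"type": "reg_open", "pid": 1080, "image": SAMPLE, "key": OUTLOOK_KEY},
    # Constructed benign control: Outlook reading its own profile must not fire.
    {"type": "reg_open", "pid": 3000,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE", "key": OUTLOOK_KEY},
    {"type": "dns", "pid": 1080, "query": "checkip.dyndns.org"},
]

MP_EXCLUSION = re.compile(r'Add-MpPreference\b.*?-Exclusion(?:Path|Extension|Process)\s+"?([^"]+)', re.I)
SCHTASKS_XML = re.compile(r'/Create\b.*?/XML\s+"?([^"]+)', re.I)
TEMP_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")
OUTLOOK_PROFILE = re.compile(r"\\Outlook\\Profiles\\", re.I)
MAIL_CLIENTS = {"outlook.exe"}
# checkip.dyndns.org is from the report; the other two are our additions.
IP_CHECK_HOSTS = {"checkip.dyndns.org", "api.ipify.org", "icanhazip.com"}


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str


def normalize_key(key):
    """Map the kernel object path the sandbox logs to the hive prefix analysts use."""
    for prefix, hive in (("\\REGISTRY\\USER\\", "HKU\\"), ("\\REGISTRY\\MACHINE\\", "HKLM\\")):
        if key.upper().startswith(prefix):
            return hive + key[len(prefix):]
    return key


def basename(path):
    return path.lower().rsplit("\\", 1)[-1]


def analyze(events):
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    findings = []
    for e in events:
        kind = e["type"]
        if kind == "process":
            m = MP_EXCLUSION.search(e["cmdline"])
            if m:
                findings.append(Finding("defender_exclusion_added", e["pid"], m.group(1)))
            m = SCHTASKS_XML.search(e["cmdline"])
            if (m and basename(e["image"]) == "schtasks.exe"
                    and any(d in m.group(1).lower() for d in TEMP_DIRS)):
                findings.append(Finding("schtasks_xml_from_temp", e["pid"], m.group(1)))
        elif kind == "set_thread_context":
            parent, child = procs.get(e["pid"]), procs.get(e["target_pid"])
            # Hollowing / RunPE: a parent drives the thread context of its own
            # child that was started from the very same image.
            if (parent and child and child["ppid"] == e["pid"]
                    and child["image"].lower() == parent["image"].lower()):
                findings.append(Finding("self_hollowing_candidate", e["pid"], f"target pid {child['pid']}"))
        elif kind == "reg_open":
            if OUTLOOK_PROFILE.search(e["key"]) and basename(e["image"]) not in MAIL_CLIENTS:
                findings.append(Finding("outlook_profile_read_by_non_mail_client",
                                        e["pid"], normalize_key(e["key"])))
        elif kind == "dns" and e["query"].lower() in IP_CHECK_HOSTS:
            findings.append(Finding("external_ip_lookup", e["pid"], e["query"]))
    return findings


def rules_fired(events):
    return sorted({f.rule for f in analyze(events)})


if __name__ == "__main__":
    for f in analyze(EVENTS):
        print(f"{f.rule:40} pid={f.pid:<5} {f.detail}")
```

The self-hollowing rule deliberately requires the target to be a child of the caller started from the same image; that keeps it silent on debuggers and crash handlers, which also set thread contexts but on unrelated processes. The Outlook rule keys on the Profiles path rather than the specific GUID so it also covers the 15.0 and Windows Messaging Subsystem variants listed above.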
Network
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1): PowerShell (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Credential Access
- Credentials from Password Stores (1): Credentials from Web Browsers (1)
- Unsecured Credentials (2): Credentials In Files (2)
Downloads
- (no path shown)
  Filesize: 1KB
  MD5: 393e85e69347f0d43e7e5c84e1a79ee5
  SHA1: e0c4eea0536d347f7d91bc6a0787f95b08f93ab3
  SHA256: aad5acd2447f6a689be1b4711ea4673e1a798dee42653dbd6d082501ed2c6920
  SHA512: eaec2e2e54a6438f8e23117fc1633da162bbab4fb2031befbe3e468b9a5e917b58a166acb358b1fd681662825ac3cdf75ef6d7ac0bc83d0ae448215e41bacc9f
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\411ZLQEBKXN3CPB50ILD.temp
  (a Windows jump-list file under Recent\CustomDestinations, not a payload dropped by the sample)
  Filesize: 7KB
  MD5: f065b20b27cf93288118d1fa3d4e64a0
  SHA1: 5ce92bee216e24e806da91371928a59f2821504f
  SHA256: 72e7251be299db8f6f390ec57ddb59dc59c2633a400636cfeff1fec6d8ad2123
  SHA512: 2afd57311c3d3fbfb72c0585fc51861e0d731a8ff19c2d2c7963e6235eeee36b1abc5732490c8ef2f4554b1976d2dd8688e78d3e49fbc8d74c73d913e252c40a