Analysis
- max time kernel: 117s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 16/11/2024, 07:58
Static task: static1
Behavioral task: behavioral1
- Sample: 66c79ac72ae7d06167cff941e73c5f3ba525606316b3f9bfbdac8db3031136fd.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: 66c79ac72ae7d06167cff941e73c5f3ba525606316b3f9bfbdac8db3031136fd.exe
- Resource: win10v2004-20241007-en
General
- Target: 66c79ac72ae7d06167cff941e73c5f3ba525606316b3f9bfbdac8db3031136fd.exe
- Size: 518KB
- MD5: 20be611ea4964bbca64e51b103a506b3
- SHA1: 7baeb297a50bd49bb6e1500d21612e6493c39ada
- SHA256: 66c79ac72ae7d06167cff941e73c5f3ba525606316b3f9bfbdac8db3031136fd
- SHA512: 3a35de8a2e1ee6aff4497cf93fc76fed7e2bc42e78522bf62560cfe28e3ecce754cc2906bbaea741fb7b7f134669e85463ec5bb160ec4833749c8ae250534290
- SSDEEP: 12288:03HI6D3+/w/urQU6PgcnQACyaX5dPIhckBTj+kR:2HIr42rhxaiym5dwv
Malware Config
Signatures
- Command and Scripting Interpreter: PowerShell (1 TTPs, 2 IoCs)
  Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  pid / Process:
  - 2848 powershell.exe
  - 2864 powershell.exe
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers will often target it.
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  description / ioc / Process:
  - Key opened: \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (66c79ac72ae7d06167cff941e73c5f3ba525606316b3f9bfbdac8db3031136fd.exe)
  - Key opened: \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (66c79ac72ae7d06167cff941e73c5f3ba525606316b3f9bfbdac8db3031136fd.exe)
  - Key opened: \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (66c79ac72ae7d06167cff941e73c5f3ba525606316b3f9bfbdac8db3031136fd.exe)
- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow / ioc:
  - 4 checkip.dyndns.org
- Suspicious use of SetThreadContext (1 IoCs)
  description / pid / Process / procid_target:
  - PID 1292 set thread context of 1296 (1292 66c79ac72ae7d06167cff941e73c5f3ba525606316b3f9bfbdac8db3031136fd.exe, target 37)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description / ioc / Process:
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (66c79ac72ae7d06167cff941e73c5f3ba525606316b3f9bfbdac8db3031136fd.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (powershell.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (powershell.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (schtasks.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (66c79ac72ae7d06167cff941e73c5f3ba525606316b3f9bfbdac8db3031136fd.exe)
- Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid / Process:
  - 2336 schtasks.exe
- Suspicious behavior: EnumeratesProcesses (15 IoCs)
  pid / Process:
  - 1292 66c79ac72ae7d06167cff941e73c5f3ba525606316b3f9bfbdac8db3031136fd.exe (12 identical entries)
  - 2848 powershell.exe
  - 2864 powershell.exe
  - 1296 66c79ac72ae7d06167cff941e73c5f3ba525606316b3f9bfbdac8db3031136fd.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description / pid / Process:
  - Token: SeDebugPrivilege, 1292 66c79ac72ae7d06167cff941e73c5f3ba525606316b3f9bfbdac8db3031136fd.exe
  - Token: SeDebugPrivilege, 2848 powershell.exe
  - Token: SeDebugPrivilege, 2864 powershell.exe
  - Token: SeDebugPrivilege, 1296 66c79ac72ae7d06167cff941e73c5f3ba525606316b3f9bfbdac8db3031136fd.exe
- Suspicious use of WriteProcessMemory (21 IoCs)
  description / pid / Process / procid_target:
  - PID 1292 wrote to memory of 2864 (1292 66c79ac72ae7d06167cff941e73c5f3ba525606316b3f9bfbdac8db3031136fd.exe, target 31), 4 identical entries
  - PID 1292 wrote to memory of 2848 (1292 66c79ac72ae7d06167cff941e73c5f3ba525606316b3f9bfbdac8db3031136fd.exe, target 33), 4 identical entries
  - PID 1292 wrote to memory of 2336 (1292 66c79ac72ae7d06167cff941e73c5f3ba525606316b3f9bfbdac8db3031136fd.exe, target 35), 4 identical entries
  - PID 1292 wrote to memory of 1296 (1292 66c79ac72ae7d06167cff941e73c5f3ba525606316b3f9bfbdac8db3031136fd.exe, target 37), 9 identical entries
- outlook_office_path (1 IoCs)
  description / ioc / Process:
  - Key opened: \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (66c79ac72ae7d06167cff941e73c5f3ba525606316b3f9bfbdac8db3031136fd.exe)
- outlook_win_path (1 IoCs)
  description / ioc / Process:
  - Key opened: \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (66c79ac72ae7d06167cff941e73c5f3ba525606316b3f9bfbdac8db3031136fd.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\66c79ac72ae7d06167cff941e73c5f3ba525606316b3f9bfbdac8db3031136fd.exe (PID 1292, level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\66c79ac72ae7d06167cff941e73c5f3ba525606316b3f9bfbdac8db3031136fd.exe"
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes (level 2):
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2864)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\66c79ac72ae7d06167cff941e73c5f3ba525606316b3f9bfbdac8db3031136fd.exe"
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2848)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\AwudofIDaGp.exe"
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\schtasks.exe (PID 2336)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AwudofIDaGp" /XML "C:\Users\Admin\AppData\Local\Temp\tmp57C1.tmp"
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
  - C:\Users\Admin\AppData\Local\Temp\66c79ac72ae7d06167cff941e73c5f3ba525606316b3f9bfbdac8db3031136fd.exe (PID 1296)
    Command line: "C:\Users\Admin\AppData\Local\Temp\66c79ac72ae7d06167cff941e73c5f3ba525606316b3f9bfbdac8db3031136fd.exe"
    - Accesses Microsoft Outlook profiles
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Enterprise v15
- Execution
  - Command and Scripting Interpreter (1)
    - PowerShell (1)
  - Scheduled Task/Job (1)
    - Scheduled Task (1)
- Credential Access
  - Credentials from Password Stores (1)
    - Credentials from Web Browsers (1)
  - Unsecured Credentials (2)
    - Credentials In Files (2)
Downloads
- Filesize: 1KB
  MD5: 78342268a6726f4f1e9594802300a5de
  SHA1: 3360f560818421f8de4c6f6bec5f0bc030cbec0d
  SHA256: a79abc92d142cfde72009ff36b2178ad11ca01abd03d8d4d8a238149a266d8ef
  SHA512: 3f686b652be0a82c275d353a132b698abaf1429bffc5b571518b8b865923929d3b97f1184ff220f49e795647922f1a212a18c27673a817cf61cc81daf84a6b26
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\9WHH5UPR897CUC5TTE02.temp
  Filesize: 7KB
  MD5: f10cbda5f6693aea3509fb4b354c0b63
  SHA1: 45c104f37004e9fcad79b7237ba47f9c1feb39ab
  SHA256: cc3fc6539e1f34c66c192eb104ab643e3a6de2729e0320b9ff880a524397dbc8
  SHA512: bbfcbce561f3007b34ffff2185ad9ce88b6b16ae088eb3feffa53162890f2cc7061cceab48f33515faed3a81f4150426b20e7b8d9a471f620e54e8b5bb2d38a8