Analysis

  • max time kernel
    117s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    16/11/2024, 07:58

General

  • Target

    66c79ac72ae7d06167cff941e73c5f3ba525606316b3f9bfbdac8db3031136fd.exe

  • Size

    518KB

  • MD5

    20be611ea4964bbca64e51b103a506b3

  • SHA1

    7baeb297a50bd49bb6e1500d21612e6493c39ada

  • SHA256

    66c79ac72ae7d06167cff941e73c5f3ba525606316b3f9bfbdac8db3031136fd

  • SHA512

    3a35de8a2e1ee6aff4497cf93fc76fed7e2bc42e78522bf62560cfe28e3ecce754cc2906bbaea741fb7b7f134669e85463ec5bb160ec4833749c8ae250534290

  • SSDEEP

    12288:03HI6D3+/w/urQU6PgcnQACyaX5dPIhckBTj+kR:2HIr42rhxaiym5dwv

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 15 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\66c79ac72ae7d06167cff941e73c5f3ba525606316b3f9bfbdac8db3031136fd.exe
    "C:\Users\Admin\AppData\Local\Temp\66c79ac72ae7d06167cff941e73c5f3ba525606316b3f9bfbdac8db3031136fd.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1292
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\66c79ac72ae7d06167cff941e73c5f3ba525606316b3f9bfbdac8db3031136fd.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2864
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\AwudofIDaGp.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2848
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AwudofIDaGp" /XML "C:\Users\Admin\AppData\Local\Temp\tmp57C1.tmp"
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:2336
    • C:\Users\Admin\AppData\Local\Temp\66c79ac72ae7d06167cff941e73c5f3ba525606316b3f9bfbdac8db3031136fd.exe
      "C:\Users\Admin\AppData\Local\Temp\66c79ac72ae7d06167cff941e73c5f3ba525606316b3f9bfbdac8db3031136fd.exe"
      2⤵
      • Accesses Microsoft Outlook profiles
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • outlook_office_path
      • outlook_win_path
      PID:1296

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp57C1.tmp

    Filesize

    1KB

    MD5

    78342268a6726f4f1e9594802300a5de

    SHA1

    3360f560818421f8de4c6f6bec5f0bc030cbec0d

    SHA256

    a79abc92d142cfde72009ff36b2178ad11ca01abd03d8d4d8a238149a266d8ef

    SHA512

    3f686b652be0a82c275d353a132b698abaf1429bffc5b571518b8b865923929d3b97f1184ff220f49e795647922f1a212a18c27673a817cf61cc81daf84a6b26

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\9WHH5UPR897CUC5TTE02.temp

    Filesize

    7KB

    MD5

    f10cbda5f6693aea3509fb4b354c0b63

    SHA1

    45c104f37004e9fcad79b7237ba47f9c1feb39ab

    SHA256

    cc3fc6539e1f34c66c192eb104ab643e3a6de2729e0320b9ff880a524397dbc8

    SHA512

    bbfcbce561f3007b34ffff2185ad9ce88b6b16ae088eb3feffa53162890f2cc7061cceab48f33515faed3a81f4150426b20e7b8d9a471f620e54e8b5bb2d38a8

  • memory/1292-4-0x00000000740CE000-0x00000000740CF000-memory.dmp

    Filesize

    4KB

  • memory/1292-32-0x00000000740C0000-0x00000000747AE000-memory.dmp

    Filesize

    6.9MB

  • memory/1292-0-0x00000000740CE000-0x00000000740CF000-memory.dmp

    Filesize

    4KB

  • memory/1292-5-0x00000000740C0000-0x00000000747AE000-memory.dmp

    Filesize

    6.9MB

  • memory/1292-6-0x0000000000EF0000-0x0000000000F52000-memory.dmp

    Filesize

    392KB

  • memory/1292-2-0x00000000740C0000-0x00000000747AE000-memory.dmp

    Filesize

    6.9MB

  • memory/1292-1-0x0000000001310000-0x0000000001394000-memory.dmp

    Filesize

    528KB

  • memory/1292-3-0x0000000000550000-0x0000000000562000-memory.dmp

    Filesize

    72KB

  • memory/1296-19-0x0000000000400000-0x000000000041E000-memory.dmp

    Filesize

    120KB

  • memory/1296-29-0x0000000000400000-0x000000000041E000-memory.dmp

    Filesize

    120KB

  • memory/1296-28-0x0000000000400000-0x000000000041E000-memory.dmp

    Filesize

    120KB

  • memory/1296-27-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/1296-25-0x0000000000400000-0x000000000041E000-memory.dmp

    Filesize

    120KB

  • memory/1296-23-0x0000000000400000-0x000000000041E000-memory.dmp

    Filesize

    120KB

  • memory/1296-21-0x0000000000400000-0x000000000041E000-memory.dmp

    Filesize

    120KB

  • memory/1296-31-0x0000000000400000-0x000000000041E000-memory.dmp

    Filesize

    120KB