Analysis

  • max time kernel
    122s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    17/11/2024, 01:56

General

  • Target

    66c79ac72ae7d06167cff941e73c5f3ba525606316b3f9bfbdac8db3031136fd.exe

  • Size

    518KB

  • MD5

    20be611ea4964bbca64e51b103a506b3

  • SHA1

    7baeb297a50bd49bb6e1500d21612e6493c39ada

  • SHA256

    66c79ac72ae7d06167cff941e73c5f3ba525606316b3f9bfbdac8db3031136fd

  • SHA512

    3a35de8a2e1ee6aff4497cf93fc76fed7e2bc42e78522bf62560cfe28e3ecce754cc2906bbaea741fb7b7f134669e85463ec5bb160ec4833749c8ae250534290

  • SSDEEP

    12288:03HI6D3+/w/urQU6PgcnQACyaX5dPIhckBTj+kR:2HIr42rhxaiym5dwv

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk, where infostealers often target it.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 15 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\66c79ac72ae7d06167cff941e73c5f3ba525606316b3f9bfbdac8db3031136fd.exe
    "C:\Users\Admin\AppData\Local\Temp\66c79ac72ae7d06167cff941e73c5f3ba525606316b3f9bfbdac8db3031136fd.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2216
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\66c79ac72ae7d06167cff941e73c5f3ba525606316b3f9bfbdac8db3031136fd.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2724
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\AwudofIDaGp.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2900
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AwudofIDaGp" /XML "C:\Users\Admin\AppData\Local\Temp\tmp78D8.tmp"
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:3028
    • C:\Users\Admin\AppData\Local\Temp\66c79ac72ae7d06167cff941e73c5f3ba525606316b3f9bfbdac8db3031136fd.exe
      "C:\Users\Admin\AppData\Local\Temp\66c79ac72ae7d06167cff941e73c5f3ba525606316b3f9bfbdac8db3031136fd.exe"
      2⤵
      • Accesses Microsoft Outlook profiles
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • outlook_office_path
      • outlook_win_path
      PID:1496
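
The process tree above has three things a detection engineer would key on: powershell.exe adding Defender exclusions with Add-MpPreference, schtasks.exe creating a task from an XML file staged in Temp, and the sample spawning a second copy of itself while the parent shows SetThreadContext and WriteProcessMemory. The script below is an added example, not part of the sandbox report: the PIDs, images and command lines are copied from the tree above, while the record layout, rule names and helper functions are my own. It also pairs the created task with any exclusion whose file stem matches the task's leaf name, which here links Updates\AwudofIDaGp to the excluded C:\Users\Admin\AppData\Roaming\AwudofIDaGp.exe.

```python
# Added example (not part of the sandbox report): detection logic run over
# the process tree listed above. PIDs, images and command lines are copied
# from the report; the record structure, rule names and helpers are my own.
import re
from dataclasses import dataclass

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\66c79ac72ae7d06167cff941e73c5f3ba525606316b3f9bfbdac8db3031136fd.exe")
PS_WOW64 = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
PS_CMD = r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"'  # as logged; WOW64 redirects it


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int                        # 0 = top of the trace
    image: str
    cmdline: str
    sigs: frozenset = frozenset()    # behaviours the sandbox attributed to the process


PROCS = [
    Proc(2216, 0, SAMPLE, '"' + SAMPLE + '"',
         frozenset({"SetThreadContext", "WriteProcessMemory", "AdjustPrivilegeToken"})),
    Proc(2724, 2216, PS_WOW64, PS_CMD + ' Add-MpPreference -ExclusionPath "' + SAMPLE + '"'),
    Proc(2900, 2216, PS_WOW64,
         PS_CMD + r' Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\AwudofIDaGp.exe"'),
    Proc(3028, 2216, r"C:\Windows\SysWOW64\schtasks.exe",
         r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AwudofIDaGp"'
         r' /XML "C:\Users\Admin\AppData\Local\Temp\tmp78D8.tmp"'),
    Proc(1496, 2216, SAMPLE, '"' + SAMPLE + '"'),
]

# Add-MpPreference -ExclusionPath/-ExclusionProcess/-ExclusionExtension <value>
RE_EXCLUSION = re.compile(
    r'Add-MpPreference\b.*?-Exclusion(Path|Process|Extension)\s+(?:"([^"]+)"|(\S+))', re.I)


def _arg(cmdline, flag):
    """Value following a schtasks-style flag, quoted or bare; None if absent."""
    m = re.search(re.escape(flag) + r'\s+(?:"([^"]+)"|(\S+))', cmdline, re.I)
    return (m.group(1) or m.group(2)) if m else None


def analyse(procs):
    """Return a list of finding dicts, one per rule hit, in process order."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        name = p.image.rsplit("\\", 1)[-1].lower()
        if name == "powershell.exe":
            m = RE_EXCLUSION.search(p.cmdline)
            if m:
                findings.append({"rule": "defender_exclusion_added", "pid": p.pid,
                                 "kind": m.group(1), "value": m.group(2) or m.group(3)})
        if name == "schtasks.exe" and re.search(r"/create\b", p.cmdline, re.I):
            xml = _arg(p.cmdline, "/XML")
            rule = "scheduled_task_created"
            if xml and "\\temp\\" in xml.lower():
                rule = "scheduled_task_from_temp_xml"   # task definition staged in a temp file
            findings.append({"rule": rule, "pid": p.pid, "task": _arg(p.cmdline, "/TN"), "xml": xml})
        parent = by_pid.get(p.ppid)
        if parent and parent.image.lower() == p.image.lower() and "SetThreadContext" in parent.sigs:
            # A copy of itself plus SetThreadContext/WriteProcessMemory in the parent is the
            # usual shape of process hollowing; the child is where to look for the payload.
            findings.append({"rule": "self_spawn_with_thread_context", "pid": p.pid, "parent": parent.pid})
    return findings


def correlate(findings):
    """Pair each created task with Defender exclusions whose file stem equals the task's leaf name."""
    tasks = [f for f in findings if f["rule"].startswith("scheduled_task")]
    excl = [f for f in findings if f["rule"] == "defender_exclusion_added"]
    links = []
    for t in tasks:
        leaf = (t["task"] or "").rsplit("\\", 1)[-1].lower()
        for e in excl:
            stem = e["value"].rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()
            if leaf and stem == leaf:
                links.append((t["task"], e["value"]))
    return links


if __name__ == "__main__":
    hits = analyse(PROCS)
    for f in hits:
        print(f)
    print("task <-> exclusion:", correlate(hits))
```

The same rules apply unchanged to Sysmon event ID 1 or EDR process-creation records, since they only need image, parent and command line; the SetThreadContext signal is the one field that comes from the sandbox rather than from stock telemetry, so on a live host the self-spawn rule should fire on image equality alone and be triaged manually.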

Network

        MITRE ATT&CK Enterprise v15


        Downloads

        • C:\Users\Admin\AppData\Local\Temp\tmp78D8.tmp

          Filesize

          1KB

          MD5

          a2b6d85928d48f8875482bd529e640a0

          SHA1

          36c3386a61b0d3c2dc927310079cf342c46424f2

          SHA256

          528099221053ffc50b841fdb578ba999409f7a2c8248b85cce84624a8b1bcf66

          SHA512

          7b4367c5ba26bd488b07191ad1cd4aaf381abd2b70ee2e73f7e124b4b569e1b58eddef59ee269ea8051e602b2dd5973a9752cb29df4da74ad63cd907f2c11c41

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ZL6K1RAJD2ZO4AMFIX67.temp

          Filesize

          7KB

          MD5

          4c0b32cbf6d25ef16ca6955d6bf42b08

          SHA1

          64bf9c796417902af5a0ec3b021aae50ccad684d

          SHA256

          28b9acfb7690ba58357c04d3dce936a22b2e394c2270002f678d82996e4c4c69

          SHA512

          f625723662645e5360efcb27aa91c46f62dedf524106f1b3cbacdd28ffdb0e41faa4c6321a664bb2788b0bb9c67fb22bb66d5661d7e0a4875b43a56202f99e12

        • memory/1496-29-0x0000000000400000-0x000000000041E000-memory.dmp

          Filesize

          120KB

        • memory/1496-23-0x0000000000400000-0x000000000041E000-memory.dmp

          Filesize

          120KB

        • memory/1496-21-0x0000000000400000-0x000000000041E000-memory.dmp

          Filesize

          120KB

        • memory/1496-25-0x0000000000400000-0x000000000041E000-memory.dmp

          Filesize

          120KB

        • memory/1496-27-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

          Filesize

          4KB

        • memory/1496-28-0x0000000000400000-0x000000000041E000-memory.dmp

          Filesize

          120KB

        • memory/1496-30-0x0000000000400000-0x000000000041E000-memory.dmp

          Filesize

          120KB

        • memory/1496-19-0x0000000000400000-0x000000000041E000-memory.dmp

          Filesize

          120KB

        • memory/2216-6-0x0000000004E70000-0x0000000004ED2000-memory.dmp

          Filesize

          392KB

        • memory/2216-1-0x0000000000C80000-0x0000000000D04000-memory.dmp

          Filesize

          528KB

        • memory/2216-0-0x000000007436E000-0x000000007436F000-memory.dmp

          Filesize

          4KB

        • memory/2216-2-0x0000000074360000-0x0000000074A4E000-memory.dmp

          Filesize

          6.9MB

        • memory/2216-3-0x00000000005F0000-0x0000000000602000-memory.dmp

          Filesize

          72KB

        • memory/2216-5-0x0000000074360000-0x0000000074A4E000-memory.dmp

          Filesize

          6.9MB

        • memory/2216-4-0x000000007436E000-0x000000007436F000-memory.dmp

          Filesize

          4KB

        • memory/2216-31-0x0000000074360000-0x0000000074A4E000-memory.dmp

          Filesize

          6.9MB
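
The memory dumps above are listed once per snapshot, so the same region appears several times and the list is hard to read as a memory map. The script below is an added example, not part of the report: it parses the dump names copied from the listing above, rebuilds a per-process map with one row per distinct region (sized in the report's own KB/MB convention), and picks out regions at the default 32-bit image base 0x400000. In PID 1496, the copy the sample spawned of itself, that region is 120KB against 528KB for the parent's own image at 0xC80000, which makes it the candidate to carve as the unpacked payload; the parser and helper names are mine.

```python
# Added example (not part of the sandbox report): rebuild a per-process memory
# map from the dump file names in the Downloads list. Dump names are copied from
# the report; the regex, helpers and the "payload candidate" heuristic are mine.
import re
from collections import defaultdict

DUMPS = """
memory/1496-29-0x0000000000400000-0x000000000041E000-memory.dmp
memory/1496-23-0x0000000000400000-0x000000000041E000-memory.dmp
memory/1496-21-0x0000000000400000-0x000000000041E000-memory.dmp
memory/1496-25-0x0000000000400000-0x000000000041E000-memory.dmp
memory/1496-27-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/1496-28-0x0000000000400000-0x000000000041E000-memory.dmp
memory/1496-30-0x0000000000400000-0x000000000041E000-memory.dmp
memory/1496-19-0x0000000000400000-0x000000000041E000-memory.dmp
memory/2216-6-0x0000000004E70000-0x0000000004ED2000-memory.dmp
memory/2216-1-0x0000000000C80000-0x0000000000D04000-memory.dmp
memory/2216-0-0x000000007436E000-0x000000007436F000-memory.dmp
memory/2216-2-0x0000000074360000-0x0000000074A4E000-memory.dmp
memory/2216-3-0x00000000005F0000-0x0000000000602000-memory.dmp
memory/2216-5-0x0000000074360000-0x0000000074A4E000-memory.dmp
memory/2216-4-0x000000007436E000-0x000000007436F000-memory.dmp
memory/2216-31-0x0000000074360000-0x0000000074A4E000-memory.dmp
""".split()

# memory/<pid>-<snapshot seq>-0x<start>-0x<end>-memory.dmp
RE_DUMP = re.compile(
    r"memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$")


def parse(names):
    """One dict per dump name that matches the naming scheme; others are skipped."""
    out = []
    for n in names:
        m = RE_DUMP.match(n.strip())
        if m:
            out.append({"pid": int(m["pid"]), "seq": int(m["seq"]),
                        "start": int(m["start"], 16), "end": int(m["end"], 16)})
    return out


def fmt_size(n):
    """Size in the report's convention: whole KB below 1MB, one decimal of MB above."""
    return f"{n / (1 << 20):.1f}MB" if n >= (1 << 20) else f"{n >> 10}KB"


def memory_map(entries):
    """{pid: [(start, end, size, snapshot_count), ...]} with one row per distinct region."""
    regions = defaultdict(lambda: defaultdict(int))
    for e in entries:
        regions[e["pid"]][(e["start"], e["end"])] += 1
    return {pid: [(s, e, fmt_size(e - s), c) for (s, e), c in sorted(r.items())]
            for pid, r in regions.items()}


def image_base_regions(entries, base=0x400000):
    """Regions starting at the default x86 PE image base: {pid: (size, snapshot_count)}.
    A region there in a self-spawned child is the usual place an unpacked payload lands
    (heuristic, not a sandbox verdict)."""
    result = {}
    for pid, rows in memory_map(entries).items():
        for s, e, size, count in rows:
            if s == base:
                result[pid] = (size, count)
    return result


if __name__ == "__main__":
    for pid, rows in memory_map(parse(DUMPS)).items():
        print(f"PID {pid}")
        for s, e, size, count in rows:
            print(f"  {s:#010x}-{e:#010x}  {size:>6}  x{count}")
    print("payload candidates:", image_base_regions(parse(DUMPS)))
```

The in-memory size of the parent's image (528KB at 0xC80000) exceeding the 518KB file on disk is expected, since sections are padded to the section alignment when mapped; the seven snapshots of the 120KB region in PID 1496 are what to diff when deciding which dump holds the fully written payload.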