Analysis
max time kernel: 122s
max time network: 124s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 17/11/2024, 01:56
Static task: static1
Behavioral task: behavioral1
  Sample: 66c79ac72ae7d06167cff941e73c5f3ba525606316b3f9bfbdac8db3031136fd.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 66c79ac72ae7d06167cff941e73c5f3ba525606316b3f9bfbdac8db3031136fd.exe
  Resource: win10v2004-20241007-en
General
Target: 66c79ac72ae7d06167cff941e73c5f3ba525606316b3f9bfbdac8db3031136fd.exe
Size: 518KB
MD5: 20be611ea4964bbca64e51b103a506b3
SHA1: 7baeb297a50bd49bb6e1500d21612e6493c39ada
SHA256: 66c79ac72ae7d06167cff941e73c5f3ba525606316b3f9bfbdac8db3031136fd
SHA512: 3a35de8a2e1ee6aff4497cf93fc76fed7e2bc42e78522bf62560cfe28e3ecce754cc2906bbaea741fb7b7f134669e85463ec5bb160ec4833749c8ae250534290
SSDEEP: 12288:03HI6D3+/w/urQU6PgcnQACyaX5dPIhckBTj+kR:2HIr42rhxaiym5dwv
Malware Config
Signatures
- Command and Scripting Interpreter: PowerShell (1 TTP, 2 IoCs)
  Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  pid | Process
  2724 | powershell.exe
  2900 | powershell.exe
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers often target it.
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 66c79ac72ae7d06167cff941e73c5f3ba525606316b3f9bfbdac8db3031136fd.exe
  Key opened | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 66c79ac72ae7d06167cff941e73c5f3ba525606316b3f9bfbdac8db3031136fd.exe
  Key opened | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 66c79ac72ae7d06167cff941e73c5f3ba525606316b3f9bfbdac8db3031136fd.exe
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  4 | checkip.dyndns.org
- Suspicious use of SetThreadContext (1 IoC)
  description | pid | Process | procid_target
  PID 2216 set thread context of 1496 | 2216 | 66c79ac72ae7d06167cff941e73c5f3ba525606316b3f9bfbdac8db3031136fd.exe | 37
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 66c79ac72ae7d06167cff941e73c5f3ba525606316b3f9bfbdac8db3031136fd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 66c79ac72ae7d06167cff941e73c5f3ba525606316b3f9bfbdac8db3031136fd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
- Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  3028 | schtasks.exe
- Suspicious behavior: EnumeratesProcesses (15 IoCs)
  pid | Process
  2216 | 66c79ac72ae7d06167cff941e73c5f3ba525606316b3f9bfbdac8db3031136fd.exe
  2216 | 66c79ac72ae7d06167cff941e73c5f3ba525606316b3f9bfbdac8db3031136fd.exe
  2216 | 66c79ac72ae7d06167cff941e73c5f3ba525606316b3f9bfbdac8db3031136fd.exe
  2216 | 66c79ac72ae7d06167cff941e73c5f3ba525606316b3f9bfbdac8db3031136fd.exe
  2216 | 66c79ac72ae7d06167cff941e73c5f3ba525606316b3f9bfbdac8db3031136fd.exe
  2216 | 66c79ac72ae7d06167cff941e73c5f3ba525606316b3f9bfbdac8db3031136fd.exe
  2216 | 66c79ac72ae7d06167cff941e73c5f3ba525606316b3f9bfbdac8db3031136fd.exe
  2216 | 66c79ac72ae7d06167cff941e73c5f3ba525606316b3f9bfbdac8db3031136fd.exe
  2216 | 66c79ac72ae7d06167cff941e73c5f3ba525606316b3f9bfbdac8db3031136fd.exe
  2216 | 66c79ac72ae7d06167cff941e73c5f3ba525606316b3f9bfbdac8db3031136fd.exe
  2216 | 66c79ac72ae7d06167cff941e73c5f3ba525606316b3f9bfbdac8db3031136fd.exe
  2216 | 66c79ac72ae7d06167cff941e73c5f3ba525606316b3f9bfbdac8db3031136fd.exe
  2724 | powershell.exe
  2900 | powershell.exe
  1496 | 66c79ac72ae7d06167cff941e73c5f3ba525606316b3f9bfbdac8db3031136fd.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2216 | 66c79ac72ae7d06167cff941e73c5f3ba525606316b3f9bfbdac8db3031136fd.exe
  Token: SeDebugPrivilege | 1496 | 66c79ac72ae7d06167cff941e73c5f3ba525606316b3f9bfbdac8db3031136fd.exe
  Token: SeDebugPrivilege | 2724 | powershell.exe
  Token: SeDebugPrivilege | 2900 | powershell.exe
- Suspicious use of WriteProcessMemory (21 IoCs)
  description | pid | Process | procid_target
  PID 2216 wrote to memory of 2724 | 2216 | 66c79ac72ae7d06167cff941e73c5f3ba525606316b3f9bfbdac8db3031136fd.exe | 31
  PID 2216 wrote to memory of 2724 | 2216 | 66c79ac72ae7d06167cff941e73c5f3ba525606316b3f9bfbdac8db3031136fd.exe | 31
  PID 2216 wrote to memory of 2724 | 2216 | 66c79ac72ae7d06167cff941e73c5f3ba525606316b3f9bfbdac8db3031136fd.exe | 31
  PID 2216 wrote to memory of 2724 | 2216 | 66c79ac72ae7d06167cff941e73c5f3ba525606316b3f9bfbdac8db3031136fd.exe | 31
  PID 2216 wrote to memory of 2900 | 2216 | 66c79ac72ae7d06167cff941e73c5f3ba525606316b3f9bfbdac8db3031136fd.exe | 33
  PID 2216 wrote to memory of 2900 | 2216 | 66c79ac72ae7d06167cff941e73c5f3ba525606316b3f9bfbdac8db3031136fd.exe | 33
  PID 2216 wrote to memory of 2900 | 2216 | 66c79ac72ae7d06167cff941e73c5f3ba525606316b3f9bfbdac8db3031136fd.exe | 33
  PID 2216 wrote to memory of 2900 | 2216 | 66c79ac72ae7d06167cff941e73c5f3ba525606316b3f9bfbdac8db3031136fd.exe | 33
  PID 2216 wrote to memory of 3028 | 2216 | 66c79ac72ae7d06167cff941e73c5f3ba525606316b3f9bfbdac8db3031136fd.exe | 35
  PID 2216 wrote to memory of 3028 | 2216 | 66c79ac72ae7d06167cff941e73c5f3ba525606316b3f9bfbdac8db3031136fd.exe | 35
  PID 2216 wrote to memory of 3028 | 2216 | 66c79ac72ae7d06167cff941e73c5f3ba525606316b3f9bfbdac8db3031136fd.exe | 35
  PID 2216 wrote to memory of 3028 | 2216 | 66c79ac72ae7d06167cff941e73c5f3ba525606316b3f9bfbdac8db3031136fd.exe | 35
  PID 2216 wrote to memory of 1496 | 2216 | 66c79ac72ae7d06167cff941e73c5f3ba525606316b3f9bfbdac8db3031136fd.exe | 37
  PID 2216 wrote to memory of 1496 | 2216 | 66c79ac72ae7d06167cff941e73c5f3ba525606316b3f9bfbdac8db3031136fd.exe | 37
  PID 2216 wrote to memory of 1496 | 2216 | 66c79ac72ae7d06167cff941e73c5f3ba525606316b3f9bfbdac8db3031136fd.exe | 37
  PID 2216 wrote to memory of 1496 | 2216 | 66c79ac72ae7d06167cff941e73c5f3ba525606316b3f9bfbdac8db3031136fd.exe | 37
  PID 2216 wrote to memory of 1496 | 2216 | 66c79ac72ae7d06167cff941e73c5f3ba525606316b3f9bfbdac8db3031136fd.exe | 37
  PID 2216 wrote to memory of 1496 | 2216 | 66c79ac72ae7d06167cff941e73c5f3ba525606316b3f9bfbdac8db3031136fd.exe | 37
  PID 2216 wrote to memory of 1496 | 2216 | 66c79ac72ae7d06167cff941e73c5f3ba525606316b3f9bfbdac8db3031136fd.exe | 37
  PID 2216 wrote to memory of 1496 | 2216 | 66c79ac72ae7d06167cff941e73c5f3ba525606316b3f9bfbdac8db3031136fd.exe | 37
  PID 2216 wrote to memory of 1496 | 2216 | 66c79ac72ae7d06167cff941e73c5f3ba525606316b3f9bfbdac8db3031136fd.exe | 37
- outlook_office_path (1 IoC)
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 66c79ac72ae7d06167cff941e73c5f3ba525606316b3f9bfbdac8db3031136fd.exe
- outlook_win_path (1 IoC)
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 66c79ac72ae7d06167cff941e73c5f3ba525606316b3f9bfbdac8db3031136fd.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\66c79ac72ae7d06167cff941e73c5f3ba525606316b3f9bfbdac8db3031136fd.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\66c79ac72ae7d06167cff941e73c5f3ba525606316b3f9bfbdac8db3031136fd.exe"
  PID: 2216
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\66c79ac72ae7d06167cff941e73c5f3ba525606316b3f9bfbdac8db3031136fd.exe"
    PID: 2724
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\AwudofIDaGp.exe"
    PID: 2900
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AwudofIDaGp" /XML "C:\Users\Admin\AppData\Local\Temp\tmp78D8.tmp"
    PID: 3028
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
  - C:\Users\Admin\AppData\Local\Temp\66c79ac72ae7d06167cff941e73c5f3ba525606316b3f9bfbdac8db3031136fd.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\66c79ac72ae7d06167cff941e73c5f3ba525606316b3f9bfbdac8db3031136fd.exe"
    PID: 1496
    - Accesses Microsoft Outlook profiles
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Enterprise v15
Execution
  Command and Scripting Interpreter (1)
    PowerShell (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (2)
    Credentials In Files (2)
Downloads
- Filesize: 1KB
  MD5: a2b6d85928d48f8875482bd529e640a0
  SHA1: 36c3386a61b0d3c2dc927310079cf342c46424f2
  SHA256: 528099221053ffc50b841fdb578ba999409f7a2c8248b85cce84624a8b1bcf66
  SHA512: 7b4367c5ba26bd488b07191ad1cd4aaf381abd2b70ee2e73f7e124b4b569e1b58eddef59ee269ea8051e602b2dd5973a9752cb29df4da74ad63cd907f2c11c41
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ZL6K1RAJD2ZO4AMFIX67.temp
  Filesize: 7KB
  MD5: 4c0b32cbf6d25ef16ca6955d6bf42b08
  SHA1: 64bf9c796417902af5a0ec3b021aae50ccad684d
  SHA256: 28b9acfb7690ba58357c04d3dce936a22b2e394c2270002f678d82996e4c4c69
  SHA512: f625723662645e5360efcb27aa91c46f62dedf524106f1b3cbacdd28ffdb0e41faa4c6321a664bb2788b0bb9c67fb22bb66d5661d7e0a4875b43a56202f99e12