Analysis
- max time kernel: 94s
- max time network: 95s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
- submitted: 20-11-2024 19:34
Static task: static1
Behavioral task: behavioral1
Sample: a6c2a90a390e77076ff0fca78301e2e8ac7adf38ec3b55442af5110424c573e9.exe
Resource: win7-20241023-en
General
- Target: a6c2a90a390e77076ff0fca78301e2e8ac7adf38ec3b55442af5110424c573e9.exe
- Size: 532KB
- MD5: 5b326747c5de6d0b684c576cd7a9ebd2
- SHA1: b0e22988ec66ed6337e407d264ebf48264fa0a22
- SHA256: a6c2a90a390e77076ff0fca78301e2e8ac7adf38ec3b55442af5110424c573e9
- SHA512: 67ee810ba34c860a7f68399b2c4ca1916004e983108e51ea43b8dc6272e0facf2b627a293493f57b489aecbaf8e253bc8824fc18d172275955feff2bc32d438f
- SSDEEP: 12288:fCiN9vp/FpHRdjWouP02XXV8Q0x9NkGBjOftD0gQWGMtV:fC2/dBjWo8iQ0DzBKtD02D
Malware Config
Signatures
- 44Caliber family
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  4     freegeoip.app
  3     freegeoip.app
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description        ioc                                                                          Process
  Key opened         \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0             a6c2a90a390e77076ff0fca78301e2e8ac7adf38ec3b55442af5110424c573e9.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier  a6c2a90a390e77076ff0fca78301e2e8ac7adf38ec3b55442af5110424c573e9.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid   Process
  2036  a6c2a90a390e77076ff0fca78301e2e8ac7adf38ec3b55442af5110424c573e9.exe
  2036  a6c2a90a390e77076ff0fca78301e2e8ac7adf38ec3b55442af5110424c573e9.exe
  2036  a6c2a90a390e77076ff0fca78301e2e8ac7adf38ec3b55442af5110424c573e9.exe
  2036  a6c2a90a390e77076ff0fca78301e2e8ac7adf38ec3b55442af5110424c573e9.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description              pid   Process
  Token: SeDebugPrivilege  2036  a6c2a90a390e77076ff0fca78301e2e8ac7adf38ec3b55442af5110424c573e9.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\a6c2a90a390e77076ff0fca78301e2e8ac7adf38ec3b55442af5110424c573e9.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a6c2a90a390e77076ff0fca78301e2e8ac7adf38ec3b55442af5110424c573e9.exe"
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2036
Network
MITRE ATT&CK Enterprise v15
Downloads