Analysis
-
max time kernel
149s -
max time network
154s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
23-11-2024 05:52
Static task
static1
Behavioral task
behavioral1
Sample
17323410654ba047ce7c5797dc32293f05843ac92549fe6f348274a47d928019d0a4e85853103.dat-decoded.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
17323410654ba047ce7c5797dc32293f05843ac92549fe6f348274a47d928019d0a4e85853103.dat-decoded.exe
Resource
win10v2004-20241007-en
General
-
Target
17323410654ba047ce7c5797dc32293f05843ac92549fe6f348274a47d928019d0a4e85853103.dat-decoded.exe
-
Size
149KB
-
MD5
28a2d26c4a1bddce322390158ed4ed09
-
SHA1
5ce8a1fa88377290be9de1d8a5e5bdb757e91ab5
-
SHA256
6d037c00c6903f7757dbd5988e94beabc339efb5a6842073a344e3c96524d553
-
SHA512
84a795425968275b28ce6cdc92547ef6813ec4e26427eb4bfc5ab3bb6c23b7e9dc73874cc8db4fbe383db7582f8eb157d5f67ecdc3886eddd414f06cc932b8cf
-
SSDEEP
3072:/gSrM/6it0GX9EZ9gzkFaADPICPUs/A6uD5:VM/Xt0GXGgdAMLsul
Malware Config
Signatures
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
17323410654ba047ce7c5797dc32293f05843ac92549fe6f348274a47d928019d0a4e85853103.dat-decoded.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Local\\Temp\\17323410654ba047ce7c5797dc32293f05843ac92549fe6f348274a47d928019d0a4e85853103.dat-decoded.exe" 17323410654ba047ce7c5797dc32293f05843ac92549fe6f348274a47d928019d0a4e85853103.dat-decoded.exe -
Drops autorun.inf file 1 TTPs 4 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
Processes:
17323410654ba047ce7c5797dc32293f05843ac92549fe6f348274a47d928019d0a4e85853103.dat-decoded.exedescription ioc process File created C:\autorun.inf 17323410654ba047ce7c5797dc32293f05843ac92549fe6f348274a47d928019d0a4e85853103.dat-decoded.exe File opened for modification C:\autorun.inf 17323410654ba047ce7c5797dc32293f05843ac92549fe6f348274a47d928019d0a4e85853103.dat-decoded.exe File created F:\autorun.inf 17323410654ba047ce7c5797dc32293f05843ac92549fe6f348274a47d928019d0a4e85853103.dat-decoded.exe File opened for modification F:\autorun.inf 17323410654ba047ce7c5797dc32293f05843ac92549fe6f348274a47d928019d0a4e85853103.dat-decoded.exe -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
17323410654ba047ce7c5797dc32293f05843ac92549fe6f348274a47d928019d0a4e85853103.dat-decoded.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 17323410654ba047ce7c5797dc32293f05843ac92549fe6f348274a47d928019d0a4e85853103.dat-decoded.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
17323410654ba047ce7c5797dc32293f05843ac92549fe6f348274a47d928019d0a4e85853103.dat-decoded.exepid process 2236 17323410654ba047ce7c5797dc32293f05843ac92549fe6f348274a47d928019d0a4e85853103.dat-decoded.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
17323410654ba047ce7c5797dc32293f05843ac92549fe6f348274a47d928019d0a4e85853103.dat-decoded.exedescription pid process Token: SeDebugPrivilege 2236 17323410654ba047ce7c5797dc32293f05843ac92549fe6f348274a47d928019d0a4e85853103.dat-decoded.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
17323410654ba047ce7c5797dc32293f05843ac92549fe6f348274a47d928019d0a4e85853103.dat-decoded.exepid process 2236 17323410654ba047ce7c5797dc32293f05843ac92549fe6f348274a47d928019d0a4e85853103.dat-decoded.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\17323410654ba047ce7c5797dc32293f05843ac92549fe6f348274a47d928019d0a4e85853103.dat-decoded.exe"C:\Users\Admin\AppData\Local\Temp\17323410654ba047ce7c5797dc32293f05843ac92549fe6f348274a47d928019d0a4e85853103.dat-decoded.exe"1⤵
- Adds Run key to start application
- Drops autorun.inf file
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2236
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
149KB
MD528a2d26c4a1bddce322390158ed4ed09
SHA15ce8a1fa88377290be9de1d8a5e5bdb757e91ab5
SHA2566d037c00c6903f7757dbd5988e94beabc339efb5a6842073a344e3c96524d553
SHA51284a795425968275b28ce6cdc92547ef6813ec4e26427eb4bfc5ab3bb6c23b7e9dc73874cc8db4fbe383db7582f8eb157d5f67ecdc3886eddd414f06cc932b8cf