Analysis
-
max time kernel
118s -
max time network
112s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
30-11-2024 05:18
Static task
static1
Behavioral task
behavioral1
Sample
2aa2b580e8c7e86a56979120547ae483c32e5455d56fbb6951fc4b2d60784d08N.exe
Resource
win7-20240903-en
General
-
Target
2aa2b580e8c7e86a56979120547ae483c32e5455d56fbb6951fc4b2d60784d08N.exe
-
Size
1.3MB
-
MD5
933664b3f16b81ea73630f452f38dfb0
-
SHA1
949de343b8d0d5581741e0187cdd7750017f7559
-
SHA256
2aa2b580e8c7e86a56979120547ae483c32e5455d56fbb6951fc4b2d60784d08
-
SHA512
643eea8549b0cf3ebb071b0d96be40991e187538807eee698ca8344ed25b2d3814c8e5ecf3d995648a10d8444852ff883a73e4296c7056d5a8f0dc0c4ac794a6
-
SSDEEP
24576:g33RSdYIE20sCYUQxEnZ4NGAARdYRUuLHEwpzxz0DLacT06:gnRSdksCYiZ6AuLHEwpdz0DucT5
Malware Config
Signatures
-
Executes dropped EXE 3 IoCs
pid Process 4396 crp1190.exe 4632 Setup.exe 4956 Setup.exe -
Loads dropped DLL 2 IoCs
pid Process 4632 Setup.exe 4972 rundll32.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Setup.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA rundll32.exe -
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2aa2b580e8c7e86a56979120547ae483c32e5455d56fbb6951fc4b2d60784d08N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language crp1190.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Setup.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe -
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\IECookies = "|affilID=|trkInfo=|visitorID=|URI=" rundll32.exe -
Modifies registry class 4 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Test.cap Setup.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\TEST.CAP Setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Prod.cap Setup.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Prod.cap\Info = 433f39789c636262604903622146b36a5357170b670343175d334723435d133347335d0b670b735d6773234b13035357673347c35a060101013e85c49f001d5c0b53 Setup.exe -
Suspicious behavior: EnumeratesProcesses 12 IoCs
pid Process 4632 Setup.exe 4632 Setup.exe 4632 Setup.exe 4632 Setup.exe 4632 Setup.exe 4632 Setup.exe 4632 Setup.exe 4632 Setup.exe 4632 Setup.exe 4632 Setup.exe 4632 Setup.exe 4632 Setup.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeTakeOwnershipPrivilege 4632 Setup.exe Token: SeTakeOwnershipPrivilege 4632 Setup.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 3052 wrote to memory of 4396 3052 2aa2b580e8c7e86a56979120547ae483c32e5455d56fbb6951fc4b2d60784d08N.exe 90 PID 3052 wrote to memory of 4396 3052 2aa2b580e8c7e86a56979120547ae483c32e5455d56fbb6951fc4b2d60784d08N.exe 90 PID 3052 wrote to memory of 4396 3052 2aa2b580e8c7e86a56979120547ae483c32e5455d56fbb6951fc4b2d60784d08N.exe 90 PID 4396 wrote to memory of 4632 4396 crp1190.exe 91 PID 4396 wrote to memory of 4632 4396 crp1190.exe 91 PID 4396 wrote to memory of 4632 4396 crp1190.exe 91 PID 4632 wrote to memory of 4956 4632 Setup.exe 97 PID 4632 wrote to memory of 4956 4632 Setup.exe 97 PID 4632 wrote to memory of 4956 4632 Setup.exe 97
Processes
-
C:\Users\Admin\AppData\Local\Temp\2aa2b580e8c7e86a56979120547ae483c32e5455d56fbb6951fc4b2d60784d08N.exe"C:\Users\Admin\AppData\Local\Temp\2aa2b580e8c7e86a56979120547ae483c32e5455d56fbb6951fc4b2d60784d08N.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3052 -
C:\Users\Admin\AppData\Local\Temp\crp1190.exe-aflt=babsst -affilid=123713 -srcext=ss -s -instlRef=sst -mds -mhp -mnt -mtb2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4396 -
C:\Users\Admin\AppData\Local\Temp\9FC9B5EE-BAB0-7891-B5DB-870E96359C1B\Setup.exe"C:\Users\Admin\AppData\Local\Temp\9FC9B5EE-BAB0-7891-B5DB-870E96359C1B\Setup.exe" -aflt=babsst -srcext=ss -s -instlref=sst -xprm="cat=delta" -aflt=babsst -affilid=123713 -srcext=ss -s -instlRef=sst -mds -mhp -mnt -mtb3⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4632 -
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\SysWOW64\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\9FC9B5~1\IEHelper.dll,UpdateProtectedModeCookieCache URI|http://babylon.com4⤵
- Loads dropped DLL
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
PID:4972
-
-
C:\Users\Admin\AppData\Local\Temp\9FC9B5EE-BAB0-7891-B5DB-870E96359C1B\Latest\Setup.exeC:\Users\Admin\AppData\Local\Temp\9FC9B5EE-BAB0-7891-B5DB-870E96359C1B\Latest\Setup.exe -latest -trkInfo=[TType:5012_7] -aflt=babsst -srcext=ss -s -instlref=sst -xprm="cat=delta" -aflt=babsst -affilid=123713 -srcext=ss -s -instlRef=sst -mds -mhp -mnt -mtb4⤵
- Executes dropped EXE
PID:4956
-
-
-
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD55e6230b3b16798e23720958756ac6d9e
SHA1c7bcb001c48a67d4c9d6e70e92473ebd85b30585
SHA256d49ec47f5d27a09a17e00a6eb78f49a761c9f5881ec81fb07cc49fd0a5f287b2
SHA5126b1c132f0e4fc2ca6b5e8d807671c586d84e044e4db8380682fd4d071160177c0f7e7a6afae3ee74a4fbd5c65aca0c0876948f5a42deafdbb685c5b7989b5aae
-
Filesize
129KB
MD5b212865e7e478a28a97268f960079a8d
SHA1ded201ae02fb9ea3646489afeda49270c4620d9c
SHA256d6138aef3f7674e2442add75013c86ca8fda3d5ba69737a9b881e7f7bbc730e6
SHA512d973f9cb45d2035a8546bbdf77fa1b239a3f1e4ba2b17d32195a1cfed13fe06aaf48b91a133cebd7e53481ab5a5e9166329b730587b46a154b193779da6ad737
-
Filesize
12KB
MD5825e5733974586a0a1229a53361ed13e
SHA19ec5b8944c6727fda6fdc3c18856884554cf6b31
SHA2560a90b96eaf5d92d33b36f73b36b7f9ce3971e5f294da51ed04da3fb43dd71a96
SHA512ff039e86873a1014b1f8577aec9b4230126b41cc204a6911cd372d224b8c07996d4bb2728a06482c5e98fb21f2d525395491f29d428cdd5796a26e372af5ad4e
-
Filesize
644B
MD5f50fa4673555652289652753183fd1ee
SHA1f496797f0d34eb866d6328d2fd1492b485f74d0a
SHA256afb21b51cead30ed14f79293d50b9c3c7a706b5287aad6cde06ea44a364df812
SHA5126e92b13343ad35a8a8c61e54ce3abb9a28abeec4aa8c765326e0d1ec111c7656d8f0f349c44820fb1aba6730c22f84f7411c0c0b24322bdaa8a977b79baa23da
-
Filesize
926B
MD50c464e407c81764ebc09eacbe41f0b3e
SHA1245afe550a05215e5873d8f5f21c22d12aa46b6a
SHA256770a302bc58b513472aa603ae44a365a6f4f8cbddc13d2692f71b09f143f8a26
SHA51271070fcd243cbb3e4452874ecaf8e20e13cbbbad0009ce543ca49601facc1ab1906c298849d3b8fb5747df1109f8e85946243ec7bfa0ead97ca0aed9ec8d3dfc
-
Filesize
3KB
MD526621cb27bbc94f6bab3561791ac013b
SHA14010a489350cf59fd8f36f8e59b53e724c49cc5b
SHA256e512d5b772fef448f724767662e3a6374230157e35cab6f4226496acc7aa7ad3
SHA5129a19e8f233113519b22d9f3b205f2a3c1b59669a0431a5c3ef6d7ed66882b93c8582f3baa13df4647bcc265d19f7c6543758623044315105479d2533b11f92c6
-
Filesize
8KB
MD55790a04f78c61c3caea7ddd6f01829d2
SHA19d783d964338a5378280dd3c3b72519d11f73ffa
SHA256726b0e7e515f7bd62c912b094fa95c7c2285a44e03d264f5dd9e70729c0e9606
SHA5129134fc02095e313fcb528fa32c8534929fddfb7b7b139a829f2b3eb32cd4c606f6d2ec6dff57a890ea250ce1430eb272461accfe05164bd4cfa496c0a1474ad0
-
Filesize
1.8MB
MD5c18f926ec58cc6e0b25e02feb22abfe5
SHA13097fbb717307a1e94b7b5a245a5ba611150a5b6
SHA256b3b9cfb1e64cd84013bb43d9ff779a854f3f048a04e5b00052df38914f6d8a77
SHA512e5462ae26b185ef12ffbb48762c387be6e32649b64eb1c7584d88fc2ead509eab46d401df7007869314a385a41a1db0e519c29850279f1608453bffc7fdd86f8
-
Filesize
89KB
MD5407846797c5ba247abeb5fa7c0c0ba05
SHA144386455eed8e74d75e95e9e81e96a19f0b27884
SHA2560147b5b11b935310752666fcf1e6afc922b76ff03d01a0d1ee2babeac10ca1e3
SHA5127399a9228f971698db7362aad28d3f9694c0bf453d4529e48bc7869af0960452cfe1a5f0a5754e7d567d81b5aa1e35be05a9e36ec745e5470d20fd44a61d20af
-
Filesize
205B
MD590713ab7a74884cd36a5fb4cfcdece8a
SHA17bb56d08fd69a98e543b923bd0a9156f92a9c473
SHA256bc40813f6d07dbc1a4d4c74363460d1ad6ee76275729de4c4f10ec40d8cc46eb
SHA512639d68135fb54264f2e21081d6ca9ffe73a94035982f4a2d7133d6d402cdd3ef4a695eeb61ad173dc6d1b8167d1f5df2be61a972c96f07ac357ecec887a0d191
-
Filesize
174B
MD54f6e1fdbef102cdbd379fdac550b9f48
SHA15da6ee5b88a4040c80e5269e0cd2b0880b20659c
SHA256e58ea352c050e6353fb5b4fa32a97800298c1603489d3b47794509af6c89ec4c
SHA51254efc9bde44f332932a97396e59eca5b6ea1ac72f929ccffa1bdab96dc3ae8d61e126adbd26d12d0bc83141cee03b24ad2bada411230c4708b7a9ae9c60aecbe
-
Filesize
249B
MD5a4af0a0c254b38f2f9eecbf0e00b08fe
SHA1ef730bce77699730dda378dc444b997ce7ceea7a
SHA256810e0e32d54b9e1557da7ccf1ca9f6354814e90dadc6b4af5e1cbdf87fac925a
SHA512b74596e55e75413303559c135db393a04d6fd6cbab147a51ac2f46435f52b92b82868de4e67917a7b388d82c672fa36b525b88e2eefe7ec40695f028395dcd84
-
Filesize
234B
MD56358860cd0c336c1f91f86be701d77c4
SHA15dd38b818bf0860b4c5144ba670a759d4345e4ec
SHA2562ed42e3c958eb21352bae4b00db2fa5be94149abc64eec93e5258b9c4a715457
SHA5127df3b3e1487d3a65000b6208969f1e695815133c052f369beb36877fe5c6f64d979aefd030a193b04a5e46fb0d97a3cc06837aa381efe6bc24a0c084c768dac1
-
Filesize
178B
MD50b7be9c4b72c2c5166bfd61ca5ebbfed
SHA1aea0aa4e8226c1b4efce92e909da773744baa6d4
SHA256673bf972d308bc6108360575608cf72f393413f2d3993489b06da4a6efc749bd
SHA5124dcd7ea01b05550acb00b71e7e9fdd52a04fe1cc574655030dcae94b87dad86bfb7973adf9185de03bcacb100fff758b1a2f928fcb951e2b31e320860a2226d8
-
Filesize
174B
MD57e72d256e34635d351092955d1f8516b
SHA17f240f8f4bd61ae59247d84d0ec85f5bc8729f36
SHA25639eb1667a67149b5d930e5408896027e3c3fc06282735e61cb8d85f5b38f587c
SHA512621eb4bf2864db2fa0f861c233ced790124e9060c081948beb7117f8c058a36ecca23ee05ce2d6d42af15533c050f648d276589682d91dfe699ebe871cc9ae8c
-
Filesize
508KB
MD50f66e8e2340569fb17e774dac2010e31
SHA1406bb6854e7384ff77c0b847bf2f24f3315874a3
SHA256de818c832308b82c2fabd5d3d4339c489e6f4e9d32bb8152c0dcd8359392695f
SHA51239275df6e210836286e62a95ace7f66c7d2736a07b80f9b7e9bd2a716a6d074c79deae54e2d21505b74bac63df0328d6780a2129cdfda93aec1f75b523da9e05
-
Filesize
6KB
MD5a21de5067618d4f2df261416315ed120
SHA17759a3318de2abc3755ebb7f50322c6d586b5286
SHA2566d13d2967a37ba76f840cd45dba565c5d64938a99d886243f01713cd018e53ca
SHA5126b5c40d09a9548fde90c1b1127a36e813525bea6ff80d5fb0911ddef67954b209df44cbf4714cd00c4e2e4da90cfc4967db7174c28f751f7c5b881fa18cc938a
-
Filesize
767KB
MD5fc21d8e387dbcd2e627b97bfc5b8f5cd
SHA137ccad86409e08816a4c00f1dbea4604ba36d3a1
SHA2566054b54a561df69b21ac35c5e76a3661412b404ff7404cfca1d49be20900a96a
SHA5126d00db1000e2437b2c2fcf5d24992a4b36557f88b6083b3014184102e95933c41e13e5b0684e3795a945e2b129d9db6136f4cb2166958b51e4e5a4ca9111c5d5