Analysis
-
max time kernel
121s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
07-12-2024 05:52
Static task
static1
Behavioral task
behavioral1
Sample
IBAN Payment confirmation.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
IBAN Payment confirmation.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
$PLUGINSDIR/System.dll
Resource
win7-20240903-en
Behavioral task
behavioral4
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20241007-en
General
-
Target
IBAN Payment confirmation.exe
-
Size
1.1MB
-
MD5
c6405da7bf6402e89bdbbd7e53f8a3ee
-
SHA1
442c0c100d9f8e635e9b6e9db07878903103054a
-
SHA256
e1f2542f3101147997bf37471bb1615d758dae834d354496463e69c60f8ea371
-
SHA512
a20ba8aad10e53d791f0811f06453518d8971a02329f00e0d61537c3a78519fdbe02bc463395ba44bce1893987414647ff7063df4815ff232bb3dd9d2bb3e018
-
SSDEEP
24576:lp7xzos/n1G9l+O/KE8hJKpJzeDgWTvdpomEygOXjM:zxzog1Gph8hazvwUmEygn
Malware Config
Signatures
-
Disables Task Manager via registry modification
-
Loads dropped DLL 2 IoCs
pid Process 2356 IBAN Payment confirmation.exe 2356 IBAN Payment confirmation.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc 4 drive.google.com 5 drive.google.com -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 14 checkip.dyndns.org -
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
pid Process 1576 IBAN Payment confirmation.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
pid Process 2356 IBAN Payment confirmation.exe 1576 IBAN Payment confirmation.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2356 set thread context of 1576 2356 IBAN Payment confirmation.exe 31 -
Drops file in Windows directory 1 IoCs
description ioc Process File opened for modification C:\Windows\Fonts\inconversibility\agouti.ini IBAN Payment confirmation.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IBAN Payment confirmation.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IBAN Payment confirmation.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 2356 IBAN Payment confirmation.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1576 IBAN Payment confirmation.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 2356 wrote to memory of 1576 2356 IBAN Payment confirmation.exe 31 PID 2356 wrote to memory of 1576 2356 IBAN Payment confirmation.exe 31 PID 2356 wrote to memory of 1576 2356 IBAN Payment confirmation.exe 31 PID 2356 wrote to memory of 1576 2356 IBAN Payment confirmation.exe 31 PID 2356 wrote to memory of 1576 2356 IBAN Payment confirmation.exe 31 PID 2356 wrote to memory of 1576 2356 IBAN Payment confirmation.exe 31
Processes
-
C:\Users\Admin\AppData\Local\Temp\IBAN Payment confirmation.exe"C:\Users\Admin\AppData\Local\Temp\IBAN Payment confirmation.exe"1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2356 -
C:\Users\Admin\AppData\Local\Temp\IBAN Payment confirmation.exe"C:\Users\Admin\AppData\Local\Temp\IBAN Payment confirmation.exe"2⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1576
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
11KB
MD517ed1c86bd67e78ade4712be48a7d2bd
SHA11cc9fe86d6d6030b4dae45ecddce5907991c01a0
SHA256bd046e6497b304e4ea4ab102cab2b1f94ce09bde0eebba4c59942a732679e4eb
SHA5120cbed521e7d6d1f85977b3f7d3ca7ac34e1b5495b69fd8c7bfa1a846baf53b0ecd06fe1ad02a3599082ffacaf8c71a3bb4e32dec05f8e24859d736b828092cd5