Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13-12-2024 06:46

General

  • Target

    4962575a2378d5c72e7a836ea766e2ad.exe

  • Size

    431KB

  • MD5

    4962575a2378d5c72e7a836ea766e2ad

  • SHA1

    549964178b12017622d3cbdda6dbfdef0904e7e2

  • SHA256

    eff5fad47b9c739b09e760813b2bcbb0788eb35598f72e64ff95c794e72e6676

  • SHA512

    911a59f7a6785dd09a57dcd6d977b8abd5e160bd613786e871a1e92377c9e6f3b85fe3037431754bbdb1212e153776efca5fadac1de6b2ad474253da176e8e53

  • SSDEEP

    12288:JOKJim5EI9tVEw/JF4+D3q2IMbgiDK7mWasB:Jj9tL8ZMEiDfWb

Malware Config

Signatures

  • Blocklisted process makes network request 8 IoCs
  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 6 IoCs
  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

  • Reads local data of messenger clients 2 TTPs

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

  • Drops file in Windows directory 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Using powershell.exe command.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

    Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

  • Suspicious behavior: EnumeratesProcesses 28 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4962575a2378d5c72e7a836ea766e2ad.exe
    "C:\Users\Admin\AppData\Local\Temp\4962575a2378d5c72e7a836ea766e2ad.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4968
    • C:\Users\Admin\AppData\Local\Temp\ee29ea508b\Gxtuum.exe
      "C:\Users\Admin\AppData\Local\Temp\ee29ea508b\Gxtuum.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:5064
      • C:\Windows\SysWOW64\rundll32.exe
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\43266f2abbf198\cred64.dll, Main
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2100
        • C:\Windows\system32\rundll32.exe
          "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\43266f2abbf198\cred64.dll, Main
          4⤵
          • Blocklisted process makes network request
          • Loads dropped DLL
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:5100
          • C:\Windows\system32\netsh.exe
            netsh wlan show profiles
            5⤵
            • Event Triggered Execution: Netsh Helper DLL
            • System Network Configuration Discovery: Wi-Fi Discovery
            PID:2916
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\050598569159_Desktop.zip' -CompressionLevel Optimal
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1316
      • C:\Windows\SysWOW64\rundll32.exe
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\43266f2abbf198\cred64.dll, Main
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2232
        • C:\Windows\system32\rundll32.exe
          "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\43266f2abbf198\cred64.dll, Main
          4⤵
          • Blocklisted process makes network request
          • Loads dropped DLL
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2812
          • C:\Windows\system32\netsh.exe
            netsh wlan show profiles
            5⤵
            • Event Triggered Execution: Netsh Helper DLL
            • System Network Configuration Discovery: Wi-Fi Discovery
            PID:2464
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\050598569159_Desktop.zip' -CompressionLevel Optimal
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3152
      • C:\Windows\SysWOW64\rundll32.exe
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\43266f2abbf198\clip64.dll, Main
        3⤵
        • Blocklisted process makes network request
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:2776
      • C:\Windows\SysWOW64\rundll32.exe
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\43266f2abbf198\clip64.dll, Main
        3⤵
        • Blocklisted process makes network request
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:924
  • C:\Users\Admin\AppData\Local\Temp\ee29ea508b\Gxtuum.exe
    C:\Users\Admin\AppData\Local\Temp\ee29ea508b\Gxtuum.exe
    1⤵
    • Executes dropped EXE
    PID:1944
  • C:\Users\Admin\AppData\Local\Temp\ee29ea508b\Gxtuum.exe
    C:\Users\Admin\AppData\Local\Temp\ee29ea508b\Gxtuum.exe
    1⤵
    • Executes dropped EXE
    PID:1384

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

    Filesize

    3KB

    MD5

    fe3aab3ae544a134b68e881b82b70169

    SHA1

    926e9b4e527ae1bd9b3b25726e1f59d5a34d36a6

    SHA256

    bda499e3f69d8fe0227e734bbb935dc5bf0050d37adf03bc41356dfcb5bcca0b

    SHA512

    3fbd3499d98280b6c79c67b0ee183b27692dbc31acf103b4f8ca4dcdf392afff2b3aad500037f4288581ed37e85f45c3bbb5dcde11cddf3ef0609f44b2ecb280

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    1KB

    MD5

    fd252dc779057e73982ed35b2bd253da

    SHA1

    6c3bf7b1dedf640fc90de7bdf3b456d1ffdb1e8c

    SHA256

    372e07ccd9023096ccdff5c060084973b7c21f41179ec95cef0514854fbf05bd

    SHA512

    e2cdd4c229e3a543409db13bb0b40b0e00f642edb2ad50a9108662937ea190ce1212c165dfafdbd0ad2a58b83836afc8e289bd52f3381deffb66caa3b38c68f0

  • C:\Users\Admin\AppData\Local\Temp\050598569159_Desktop.zip

    Filesize

    18KB

    MD5

    0d3aa00f3e5d2a8a54419990aa2eaa8c

    SHA1

    1d384a03d5c358fba8c89c63bbb2ec77964b7215

    SHA256

    5e7059ecca471bc1990a51b78a9546f87dd60e38bb730509d64dd662bd3374b4

    SHA512

    baa0fc556c3e7fcf0bda171c6bf7ecbf461a6b86641f3e90492a00391dee4ee3970f6832a2c4210e3021575b49419f9f06cf294e04e4cbcdb81ad9f69136ae37

  • C:\Users\Admin\AppData\Local\Temp\_Files_\GrantSave.xlsx

    Filesize

    11KB

    MD5

    1f8ef0b2e7a4d9d46aaf737c5359ba4a

    SHA1

    8b85491094058b37beb0344d86eecdf8c246f99b

    SHA256

    4bad34ef4b7b0cb230c756b60cd6a661d6fa0a2615e9dcde0b7326971f986ce5

    SHA512

    7dced85f1e4eddebeb73171665ab7de1e5988173de6328ec9303a557e617b21c12c63e89f4f2bd2164c9347e4a0ecd145ba1859ba700f32a36da6d1d9b907a65

  • C:\Users\Admin\AppData\Local\Temp\_Files_\JoinSearch.xlsx

    Filesize

    11KB

    MD5

    3509278bfa9b5a6344f158100e9920bb

    SHA1

    455405dd8041ff6bcbec3f65e7d43e5f0657f8bc

    SHA256

    39e3881b76986002284d1d3fff9571d5549c4ce257b1b66889e21227bec6a865

    SHA512

    9071c65e1ecb9411c34ce6267468ccdefa4ca51523241971d9b3b38318aa43b10e0b6123d473d7385ab10655a00095c6a9d630fe536f2378bc18e45d0fadf19e

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_d5s0f2wh.3k5.ps1

    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • C:\Users\Admin\AppData\Local\Temp\ee29ea508b\Gxtuum.exe

    Filesize

    431KB

    MD5

    4962575a2378d5c72e7a836ea766e2ad

    SHA1

    549964178b12017622d3cbdda6dbfdef0904e7e2

    SHA256

    eff5fad47b9c739b09e760813b2bcbb0788eb35598f72e64ff95c794e72e6676

    SHA512

    911a59f7a6785dd09a57dcd6d977b8abd5e160bd613786e871a1e92377c9e6f3b85fe3037431754bbdb1212e153776efca5fadac1de6b2ad474253da176e8e53

  • C:\Users\Admin\AppData\Roaming\43266f2abbf198\clip64.dll

    Filesize

    124KB

    MD5

    c2f3fbbbe6d5f48a71b6b168b1485866

    SHA1

    1cd56cfc2dc07880b65bd8a1f5b7147633f5d553

    SHA256

    c7ed512058bc924045144daa16701da10f244ac12a5ea2de901e59dce6470839

    SHA512

    e211f18c2850987529336e0d20aa894533c1f6a8ae6745e320fd394a9481d3a956c719ac29627afd783e36e5429c0325b98e60aee2a830e75323c276c72f845a

  • C:\Users\Admin\AppData\Roaming\43266f2abbf198\cred64.dll

    Filesize

    1.2MB

    MD5

    c6aabb27450f1a9939a417e86bf53217

    SHA1

    b8ef3bb7575139fd6997379415d7119e452b5fc4

    SHA256

    b91a3743c7399aee454491862e015ef6fc668a25d1aa2816e065a86a03f6be35

    SHA512

    e5fe205cb0f419e0a320488d6fa4a70e5ed58f25b570b41412ebd4f32bbe504ff75acb20bfea22513102630cf653a41e5090051f20af2ed3aadb53ce16a05944

  • memory/1316-23-0x00000246DE520000-0x00000246DE542000-memory.dmp

    Filesize

    136KB

  • memory/1316-32-0x00000246DE650000-0x00000246DE662000-memory.dmp

    Filesize

    72KB

  • memory/1316-33-0x00000246DC420000-0x00000246DC42A000-memory.dmp

    Filesize

    40KB