Analysis
-
max time kernel
149s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
22-12-2024 21:11
Static task
static1
Behavioral task
behavioral1
Sample
f593b73c91003518c20cdc8be04f3a1f8a68ca3ded04700f675a543ac278ab07.exe
Resource
win7-20240903-en
General
-
Target
f593b73c91003518c20cdc8be04f3a1f8a68ca3ded04700f675a543ac278ab07.exe
-
Size
353KB
-
MD5
dba9c11e2f0b6a3ded91c9c87ce79f72
-
SHA1
6b4b47cd1f9ed1aefe209a40f9c54c1e16db25d6
-
SHA256
f593b73c91003518c20cdc8be04f3a1f8a68ca3ded04700f675a543ac278ab07
-
SHA512
019009734e53f03eed7f42f638983fd06728fa84844021ae79e3b2bdccc4b0b2701f2779bebde466c327363d0637df9f50bebb253d39a70eec63ba19be9cac12
-
SSDEEP
6144:I/Bg80VmNTBo/x95ZjAetGDN3VFNq7pC+9OqFoK30b3ni5rdQY/CdUOs2:I/s4NTS/x9jNG+w+9OqFoK323qdQYKUG
Malware Config
Signatures
-
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
-
Mimikatz family
-
mimikatz is an open source tool to dump credentials on Windows 1 IoCs
resource yara_rule behavioral1/files/0x0007000000016c9d-6.dat mimikatz -
Executes dropped EXE 1 IoCs
pid Process 2824 EB49.tmp -
Loads dropped DLL 3 IoCs
pid Process 2668 f593b73c91003518c20cdc8be04f3a1f8a68ca3ded04700f675a543ac278ab07.exe 2668 f593b73c91003518c20cdc8be04f3a1f8a68ca3ded04700f675a543ac278ab07.exe 2976 Process not Found -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description ioc Process File opened for modification \??\PhysicalDrive0 f593b73c91003518c20cdc8be04f3a1f8a68ca3ded04700f675a543ac278ab07.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\Java\jre7\lib\amd64\jvm.cfg f593b73c91003518c20cdc8be04f3a1f8a68ca3ded04700f675a543ac278ab07.exe File opened for modification C:\Program Files\ResetMeasure.zip f593b73c91003518c20cdc8be04f3a1f8a68ca3ded04700f675a543ac278ab07.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\IPM.CFG f593b73c91003518c20cdc8be04f3a1f8a68ca3ded04700f675a543ac278ab07.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SCHDREST.CFG f593b73c91003518c20cdc8be04f3a1f8a68ca3ded04700f675a543ac278ab07.exe File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\AssemblyInfoInternal.zip f593b73c91003518c20cdc8be04f3a1f8a68ca3ded04700f675a543ac278ab07.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\POST.CFG f593b73c91003518c20cdc8be04f3a1f8a68ca3ded04700f675a543ac278ab07.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SHARING.CFG f593b73c91003518c20cdc8be04f3a1f8a68ca3ded04700f675a543ac278ab07.exe File opened for modification C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\SynchronizationEula.rtf f593b73c91003518c20cdc8be04f3a1f8a68ca3ded04700f675a543ac278ab07.exe File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\EmptyDatabase.zip f593b73c91003518c20cdc8be04f3a1f8a68ca3ded04700f675a543ac278ab07.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\include\win32\jni_md.h f593b73c91003518c20cdc8be04f3a1f8a68ca3ded04700f675a543ac278ab07.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\1423861240389.profile.gz f593b73c91003518c20cdc8be04f3a1f8a68ca3ded04700f675a543ac278ab07.exe File opened for modification C:\Program Files\Java\jre7\lib\deploy\ffjcext.zip f593b73c91003518c20cdc8be04f3a1f8a68ca3ded04700f675a543ac278ab07.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf f593b73c91003518c20cdc8be04f3a1f8a68ca3ded04700f675a543ac278ab07.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\POSTIT.CFG f593b73c91003518c20cdc8be04f3a1f8a68ca3ded04700f675a543ac278ab07.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\etc\visualvm.conf f593b73c91003518c20cdc8be04f3a1f8a68ca3ded04700f675a543ac278ab07.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.PPT f593b73c91003518c20cdc8be04f3a1f8a68ca3ded04700f675a543ac278ab07.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC f593b73c91003518c20cdc8be04f3a1f8a68ca3ded04700f675a543ac278ab07.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\SAMPLES\SOLVSAMP.XLS f593b73c91003518c20cdc8be04f3a1f8a68ca3ded04700f675a543ac278ab07.exe File opened for modification C:\Program Files\Internet Explorer\en-US\eula.rtf f593b73c91003518c20cdc8be04f3a1f8a68ca3ded04700f675a543ac278ab07.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\1423861261279.profile.gz f593b73c91003518c20cdc8be04f3a1f8a68ca3ded04700f675a543ac278ab07.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\CNFRES.CFG f593b73c91003518c20cdc8be04f3a1f8a68ca3ded04700f675a543ac278ab07.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\include\jni.h f593b73c91003518c20cdc8be04f3a1f8a68ca3ded04700f675a543ac278ab07.exe File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\AppConfig.zip f593b73c91003518c20cdc8be04f3a1f8a68ca3ded04700f675a543ac278ab07.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\AccessBridgeCalls.h f593b73c91003518c20cdc8be04f3a1f8a68ca3ded04700f675a543ac278ab07.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\REPLTMPL.CFG f593b73c91003518c20cdc8be04f3a1f8a68ca3ded04700f675a543ac278ab07.exe File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\DataSet.zip f593b73c91003518c20cdc8be04f3a1f8a68ca3ded04700f675a543ac278ab07.exe File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\Interface.zip f593b73c91003518c20cdc8be04f3a1f8a68ca3ded04700f675a543ac278ab07.exe File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\MDIParent.zip f593b73c91003518c20cdc8be04f3a1f8a68ca3ded04700f675a543ac278ab07.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\AccessWeb\SERVWRAP.ASP f593b73c91003518c20cdc8be04f3a1f8a68ca3ded04700f675a543ac278ab07.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\CONTACT.CFG f593b73c91003518c20cdc8be04f3a1f8a68ca3ded04700f675a543ac278ab07.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SECREC.CFG f593b73c91003518c20cdc8be04f3a1f8a68ca3ded04700f675a543ac278ab07.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\APPT.CFG f593b73c91003518c20cdc8be04f3a1f8a68ca3ded04700f675a543ac278ab07.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf f593b73c91003518c20cdc8be04f3a1f8a68ca3ded04700f675a543ac278ab07.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\REMOTE.CFG f593b73c91003518c20cdc8be04f3a1f8a68ca3ded04700f675a543ac278ab07.exe File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\AboutBox.zip f593b73c91003518c20cdc8be04f3a1f8a68ca3ded04700f675a543ac278ab07.exe File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\Dialog.zip f593b73c91003518c20cdc8be04f3a1f8a68ca3ded04700f675a543ac278ab07.exe File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\SplashScreen.zip f593b73c91003518c20cdc8be04f3a1f8a68ca3ded04700f675a543ac278ab07.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\ACTIVITY.CFG f593b73c91003518c20cdc8be04f3a1f8a68ca3ded04700f675a543ac278ab07.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SCHDREQ.CFG f593b73c91003518c20cdc8be04f3a1f8a68ca3ded04700f675a543ac278ab07.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\include\jvmti.h f593b73c91003518c20cdc8be04f3a1f8a68ca3ded04700f675a543ac278ab07.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.XLS f593b73c91003518c20cdc8be04f3a1f8a68ca3ded04700f675a543ac278ab07.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\NOTE.CFG f593b73c91003518c20cdc8be04f3a1f8a68ca3ded04700f675a543ac278ab07.exe File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\Form.zip f593b73c91003518c20cdc8be04f3a1f8a68ca3ded04700f675a543ac278ab07.exe File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\SettingsInternal.zip f593b73c91003518c20cdc8be04f3a1f8a68ca3ded04700f675a543ac278ab07.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\RCLRPT.CFG f593b73c91003518c20cdc8be04f3a1f8a68ca3ded04700f675a543ac278ab07.exe File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\Resource.zip f593b73c91003518c20cdc8be04f3a1f8a68ca3ded04700f675a543ac278ab07.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\OUTLPERF.H f593b73c91003518c20cdc8be04f3a1f8a68ca3ded04700f675a543ac278ab07.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC f593b73c91003518c20cdc8be04f3a1f8a68ca3ded04700f675a543ac278ab07.exe File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\EmptyDatabase.zip f593b73c91003518c20cdc8be04f3a1f8a68ca3ded04700f675a543ac278ab07.exe File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\ResourceInternal.zip f593b73c91003518c20cdc8be04f3a1f8a68ca3ded04700f675a543ac278ab07.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\PDFSigQFormalRep.pdf f593b73c91003518c20cdc8be04f3a1f8a68ca3ded04700f675a543ac278ab07.exe File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\UserControl.zip f593b73c91003518c20cdc8be04f3a1f8a68ca3ded04700f675a543ac278ab07.exe File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\LoginForm.zip f593b73c91003518c20cdc8be04f3a1f8a68ca3ded04700f675a543ac278ab07.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\AccessBridgeCallbacks.h f593b73c91003518c20cdc8be04f3a1f8a68ca3ded04700f675a543ac278ab07.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\1423861240811.profile.gz f593b73c91003518c20cdc8be04f3a1f8a68ca3ded04700f675a543ac278ab07.exe File opened for modification C:\Program Files (x86)\Internet Explorer\en-US\eula.rtf f593b73c91003518c20cdc8be04f3a1f8a68ca3ded04700f675a543ac278ab07.exe File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\TextFile.zip f593b73c91003518c20cdc8be04f3a1f8a68ca3ded04700f675a543ac278ab07.exe File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\Form.zip f593b73c91003518c20cdc8be04f3a1f8a68ca3ded04700f675a543ac278ab07.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SIGN.CFG f593b73c91003518c20cdc8be04f3a1f8a68ca3ded04700f675a543ac278ab07.exe File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\Class.zip f593b73c91003518c20cdc8be04f3a1f8a68ca3ded04700f675a543ac278ab07.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SMIMEE.CFG f593b73c91003518c20cdc8be04f3a1f8a68ca3ded04700f675a543ac278ab07.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\TASKDEC.CFG f593b73c91003518c20cdc8be04f3a1f8a68ca3ded04700f675a543ac278ab07.exe File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\XmlFile.zip f593b73c91003518c20cdc8be04f3a1f8a68ca3ded04700f675a543ac278ab07.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\include\classfile_constants.h f593b73c91003518c20cdc8be04f3a1f8a68ca3ded04700f675a543ac278ab07.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\Windows\dllhost.dat f593b73c91003518c20cdc8be04f3a1f8a68ca3ded04700f675a543ac278ab07.exe File created C:\Windows\f593b73c91003518c20cdc8be04f3a1f8a68ca3ded04700f675a543ac278ab07 f593b73c91003518c20cdc8be04f3a1f8a68ca3ded04700f675a543ac278ab07.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language f593b73c91003518c20cdc8be04f3a1f8a68ca3ded04700f675a543ac278ab07.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2780 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 2668 f593b73c91003518c20cdc8be04f3a1f8a68ca3ded04700f675a543ac278ab07.exe 2824 EB49.tmp 2824 EB49.tmp 2824 EB49.tmp 2824 EB49.tmp 2824 EB49.tmp -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeShutdownPrivilege 2668 f593b73c91003518c20cdc8be04f3a1f8a68ca3ded04700f675a543ac278ab07.exe Token: SeDebugPrivilege 2668 f593b73c91003518c20cdc8be04f3a1f8a68ca3ded04700f675a543ac278ab07.exe Token: SeTcbPrivilege 2668 f593b73c91003518c20cdc8be04f3a1f8a68ca3ded04700f675a543ac278ab07.exe Token: SeDebugPrivilege 2824 EB49.tmp -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 2668 wrote to memory of 2752 2668 f593b73c91003518c20cdc8be04f3a1f8a68ca3ded04700f675a543ac278ab07.exe 32 PID 2668 wrote to memory of 2752 2668 f593b73c91003518c20cdc8be04f3a1f8a68ca3ded04700f675a543ac278ab07.exe 32 PID 2668 wrote to memory of 2752 2668 f593b73c91003518c20cdc8be04f3a1f8a68ca3ded04700f675a543ac278ab07.exe 32 PID 2668 wrote to memory of 2752 2668 f593b73c91003518c20cdc8be04f3a1f8a68ca3ded04700f675a543ac278ab07.exe 32 PID 2668 wrote to memory of 2824 2668 f593b73c91003518c20cdc8be04f3a1f8a68ca3ded04700f675a543ac278ab07.exe 34 PID 2668 wrote to memory of 2824 2668 f593b73c91003518c20cdc8be04f3a1f8a68ca3ded04700f675a543ac278ab07.exe 34 PID 2668 wrote to memory of 2824 2668 f593b73c91003518c20cdc8be04f3a1f8a68ca3ded04700f675a543ac278ab07.exe 34 PID 2668 wrote to memory of 2824 2668 f593b73c91003518c20cdc8be04f3a1f8a68ca3ded04700f675a543ac278ab07.exe 34 PID 2752 wrote to memory of 2780 2752 cmd.exe 36 PID 2752 wrote to memory of 2780 2752 cmd.exe 36 PID 2752 wrote to memory of 2780 2752 cmd.exe 36 PID 2752 wrote to memory of 2780 2752 cmd.exe 36
Processes
-
C:\Users\Admin\AppData\Local\Temp\f593b73c91003518c20cdc8be04f3a1f8a68ca3ded04700f675a543ac278ab07.exe"C:\Users\Admin\AppData\Local\Temp\f593b73c91003518c20cdc8be04f3a1f8a68ca3ded04700f675a543ac278ab07.exe"1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2668 -
C:\Windows\SysWOW64\cmd.exe/c schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 22:142⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2752 -
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 22:143⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:2780
-
-
-
C:\Users\Admin\AppData\Local\Temp\EB49.tmp"C:\Users\Admin\AppData\Local\Temp\EB49.tmp" \\.\pipe\{D334B4A9-3F34-4E23-BB95-8D99E433F98F}2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2824
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
55KB
MD57e37ab34ecdcc3e77e24522ddfd4852d
SHA138e2855e11e353cedf9a8a4f2f2747f1c5c07fcf
SHA25602ef73bd2458627ed7b397ec26ee2de2e92c71a0e7588f78734761d8edbdcd9f
SHA5121b037a2aa8bf951d2ffe2f724aa0b2fbb39c2173215806ba0327bda7b096301d887f9bb7db46f9e04584b16aa6b1aaeaf67f0ecf5f20eb02ceac27c8753ca587