Analysis

  • max time kernel
    149s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    22-12-2024 21:11

General

  • Target

    f593b73c91003518c20cdc8be04f3a1f8a68ca3ded04700f675a543ac278ab07.exe

  • Size

    353KB

  • MD5

    dba9c11e2f0b6a3ded91c9c87ce79f72

  • SHA1

    6b4b47cd1f9ed1aefe209a40f9c54c1e16db25d6

  • SHA256

    f593b73c91003518c20cdc8be04f3a1f8a68ca3ded04700f675a543ac278ab07

  • SHA512

    019009734e53f03eed7f42f638983fd06728fa84844021ae79e3b2bdccc4b0b2701f2779bebde466c327363d0637df9f50bebb253d39a70eec63ba19be9cac12

  • SSDEEP

    6144:I/Bg80VmNTBo/x95ZjAetGDN3VFNq7pC+9OqFoK30b3ni5rdQY/CdUOs2:I/s4NTS/x9jNG+w+9OqFoK323qdQYKUG

Malware Config

Signatures

  • Mimikatz

    mimikatz is an open source tool to dump credentials on Windows.

  • Mimikatz family
  • mimikatz is an open source tool to dump credentials on Windows 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f593b73c91003518c20cdc8be04f3a1f8a68ca3ded04700f675a543ac278ab07.exe
    "C:\Users\Admin\AppData\Local\Temp\f593b73c91003518c20cdc8be04f3a1f8a68ca3ded04700f675a543ac278ab07.exe"
    1⤵
    • Loads dropped DLL
    • Writes to the Master Boot Record (MBR)
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2668
    • C:\Windows\SysWOW64\cmd.exe
      /c schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 22:14
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2752
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 22:14
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:2780
    • C:\Users\Admin\AppData\Local\Temp\EB49.tmp
      "C:\Users\Admin\AppData\Local\Temp\EB49.tmp" \\.\pipe\{D334B4A9-3F34-4E23-BB95-8D99E433F98F}
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2824

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\EB49.tmp

    Filesize

    55KB

    MD5

    7e37ab34ecdcc3e77e24522ddfd4852d

    SHA1

    38e2855e11e353cedf9a8a4f2f2747f1c5c07fcf

    SHA256

    02ef73bd2458627ed7b397ec26ee2de2e92c71a0e7588f78734761d8edbdcd9f

    SHA512

    1b037a2aa8bf951d2ffe2f724aa0b2fbb39c2173215806ba0327bda7b096301d887f9bb7db46f9e04584b16aa6b1aaeaf67f0ecf5f20eb02ceac27c8753ca587