Analysis
-
max time kernel
120s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
19/01/2025, 19:15
Behavioral task
behavioral1
Sample
e96273076da36e229870ea1f812eba3a6300796e55bcc25c9fa85e39bf7632fcN.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
e96273076da36e229870ea1f812eba3a6300796e55bcc25c9fa85e39bf7632fcN.exe
Resource
win10v2004-20241007-en
General
-
Target
e96273076da36e229870ea1f812eba3a6300796e55bcc25c9fa85e39bf7632fcN.exe
-
Size
13KB
-
MD5
224c306b78a6e3fb7d042c3be3888790
-
SHA1
048d839a99a4d8228a7fde54fe2b95e8c4e09999
-
SHA256
e96273076da36e229870ea1f812eba3a6300796e55bcc25c9fa85e39bf7632fc
-
SHA512
44d8de49fef4d9a95123b0c2ef4cf9529f133b142c8cf875a5cd2fd6e5137239ff6e6c6de45ea6a8872ed308243dbfd822f64937e38eeb94d4423fe09cd21541
-
SSDEEP
384:tv+t/QgBssNSvNSV+EVeFuKk/RetkMHvLYYx3ppg:t2h/EEQ0VKkJedYH
Malware Config
Signatures
-
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
-
Executes dropped EXE 1 IoCs
pid Process 1636 videodrv.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\VideoDriver = "C:\\Windows\\videodrv.exe" e96273076da36e229870ea1f812eba3a6300796e55bcc25c9fa85e39bf7632fcN.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\VideoDriver = "C:\\Windows\\videodrv.exe" videodrv.exe -
resource yara_rule behavioral1/memory/3056-0-0x0000000000400000-0x0000000000479000-memory.dmp upx behavioral1/files/0x000d0000000133b8-7.dat upx behavioral1/memory/1636-15-0x0000000000400000-0x0000000000479000-memory.dmp upx behavioral1/memory/3056-14-0x0000000000400000-0x0000000000479000-memory.dmp upx behavioral1/memory/1636-16-0x0000000000400000-0x0000000000479000-memory.dmp upx behavioral1/memory/1636-102-0x0000000000400000-0x0000000000479000-memory.dmp upx behavioral1/memory/1636-127-0x0000000000400000-0x0000000000479000-memory.dmp upx behavioral1/memory/1636-128-0x0000000000400000-0x0000000000479000-memory.dmp upx behavioral1/memory/1636-129-0x0000000000400000-0x0000000000479000-memory.dmp upx -
Drops file in Windows directory 7 IoCs
description ioc Process File opened for modification C:\Windows\exe.tmp videodrv.exe File opened for modification C:\Windows\zip.tmp videodrv.exe File opened for modification C:\Windows\eml.tmp videodrv.exe File created C:\Windows\videodrv.exe e96273076da36e229870ea1f812eba3a6300796e55bcc25c9fa85e39bf7632fcN.exe File opened for modification C:\Windows\videodrv.exe e96273076da36e229870ea1f812eba3a6300796e55bcc25c9fa85e39bf7632fcN.exe File created C:\Windows\videodrv.exe videodrv.exe File opened for modification C:\Windows\videodrv.exe videodrv.exe -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language videodrv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e96273076da36e229870ea1f812eba3a6300796e55bcc25c9fa85e39bf7632fcN.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 3056 wrote to memory of 1636 3056 e96273076da36e229870ea1f812eba3a6300796e55bcc25c9fa85e39bf7632fcN.exe 30 PID 3056 wrote to memory of 1636 3056 e96273076da36e229870ea1f812eba3a6300796e55bcc25c9fa85e39bf7632fcN.exe 30 PID 3056 wrote to memory of 1636 3056 e96273076da36e229870ea1f812eba3a6300796e55bcc25c9fa85e39bf7632fcN.exe 30 PID 3056 wrote to memory of 1636 3056 e96273076da36e229870ea1f812eba3a6300796e55bcc25c9fa85e39bf7632fcN.exe 30
Processes
-
C:\Users\Admin\AppData\Local\Temp\e96273076da36e229870ea1f812eba3a6300796e55bcc25c9fa85e39bf7632fcN.exe"C:\Users\Admin\AppData\Local\Temp\e96273076da36e229870ea1f812eba3a6300796e55bcc25c9fa85e39bf7632fcN.exe"1⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3056 -
C:\Windows\videodrv.exeC:\Windows\videodrv.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1636
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
895B
MD591c3cdc1653ba5675ea4df74281f469c
SHA1114a183104130407751193c8c4423e72af2bd8ca
SHA2564f0839ef8ef74df631cd7a0d83228c90810f420092d3cafc8e68b48c7a17f335
SHA5124f764c4e4934c8d467208ea25fb557d76d8ceea9093863718959ffabdd8b979bc46927d26b033f1b861c144e0cb804c946a0b3fce6dd39961cb415b18fc0e0e6
-
Filesize
13KB
MD5224c306b78a6e3fb7d042c3be3888790
SHA1048d839a99a4d8228a7fde54fe2b95e8c4e09999
SHA256e96273076da36e229870ea1f812eba3a6300796e55bcc25c9fa85e39bf7632fc
SHA51244d8de49fef4d9a95123b0c2ef4cf9529f133b142c8cf875a5cd2fd6e5137239ff6e6c6de45ea6a8872ed308243dbfd822f64937e38eeb94d4423fe09cd21541