Analysis
-
max time kernel
120s -
max time network
121s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system -
submitted
19/01/2025, 19:15
Behavioral task
behavioral1
Sample
e96273076da36e229870ea1f812eba3a6300796e55bcc25c9fa85e39bf7632fcN.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
e96273076da36e229870ea1f812eba3a6300796e55bcc25c9fa85e39bf7632fcN.exe
Resource
win10v2004-20241007-en
General
-
Target
e96273076da36e229870ea1f812eba3a6300796e55bcc25c9fa85e39bf7632fcN.exe
-
Size
13KB
-
MD5
224c306b78a6e3fb7d042c3be3888790
-
SHA1
048d839a99a4d8228a7fde54fe2b95e8c4e09999
-
SHA256
e96273076da36e229870ea1f812eba3a6300796e55bcc25c9fa85e39bf7632fc
-
SHA512
44d8de49fef4d9a95123b0c2ef4cf9529f133b142c8cf875a5cd2fd6e5137239ff6e6c6de45ea6a8872ed308243dbfd822f64937e38eeb94d4423fe09cd21541
-
SSDEEP
384:tv+t/QgBssNSvNSV+EVeFuKk/RetkMHvLYYx3ppg:t2h/EEQ0VKkJedYH
Malware Config
Signatures
-
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
-
Executes dropped EXE 1 IoCs
pid   Process
3340  videodrv.exe
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
description      ioc                                                                                                                        Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\VideoDriver = "C:\\Windows\\videodrv.exe"   e96273076da36e229870ea1f812eba3a6300796e55bcc25c9fa85e39bf7632fcN.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\VideoDriver = "C:\\Windows\\videodrv.exe"   videodrv.exe
-
resource                                                                      yara_rule
behavioral2/memory/3608-0-0x0000000000400000-0x0000000000479000-memory.dmp    upx
behavioral2/files/0x000c000000023b1e-4.dat                                    upx
behavioral2/memory/3608-10-0x0000000000400000-0x0000000000479000-memory.dmp   upx
behavioral2/memory/3340-11-0x0000000000400000-0x0000000000479000-memory.dmp   upx
behavioral2/memory/3340-219-0x0000000000400000-0x0000000000479000-memory.dmp  upx
behavioral2/memory/3340-248-0x0000000000400000-0x0000000000479000-memory.dmp  upx
behavioral2/memory/3340-249-0x0000000000400000-0x0000000000479000-memory.dmp  upx
behavioral2/memory/3340-250-0x0000000000400000-0x0000000000479000-memory.dmp  upx
behavioral2/memory/3340-251-0x0000000000400000-0x0000000000479000-memory.dmp  upx
-
Drops file in Windows directory 7 IoCs
description                    ioc                       Process
File created                   C:\Windows\videodrv.exe   videodrv.exe
File opened for modification   C:\Windows\videodrv.exe   videodrv.exe
File opened for modification   C:\Windows\exe.tmp        videodrv.exe
File opened for modification   C:\Windows\zip.tmp        videodrv.exe
File opened for modification   C:\Windows\eml.tmp        videodrv.exe
File created                   C:\Windows\videodrv.exe   e96273076da36e229870ea1f812eba3a6300796e55bcc25c9fa85e39bf7632fcN.exe
File opened for modification   C:\Windows\videodrv.exe   e96273076da36e229870ea1f812eba3a6300796e55bcc25c9fa85e39bf7632fcN.exe
-
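The two tables above are the IoCs a hunter would actually carry to other hosts. The following is an added example, not part of the sandbox report: it parses the report's own registry and file IoC strings (copied verbatim as constructed input) into structured records, unescapes the quoted registry data, and expands the Run key into both registry views. The WOW6432Node path is the security-relevant detail: on x64 Windows a 32-bit process that writes HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run is redirected into SOFTWARE\WOW6432Node, so the landing spot shows the sample ran as a 32-bit process, and a 64-bit hunting tool that only reads the native Run key will not see the VideoDriver value. The RegistryIoc/FileIoc records, hunt_list() and the "dropped in %SystemRoot% root" heuristic are my own names and assumptions.

```python
"""Turn the sandbox report's registry and file IoC strings into a hunt list.

Added example, not part of the original report. The IoC strings below are the
report's own "Adds Run key" and "Drops file in Windows directory" rows; the
record types, hunt_list() and dropped_in_windows_root() are my own.
"""
import re
from dataclasses import dataclass

SAMPLE = "e96273076da36e229870ea1f812eba3a6300796e55bcc25c9fa85e39bf7632fcN.exe"

# IoC lines exactly as the report prints them (quoted registry data is
# backslash-escaped there, hence the doubled backslashes).
REPORT_REGISTRY_IOCS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\VideoDriver = "C:\\Windows\\videodrv.exe" ' + SAMPLE,
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\VideoDriver = "C:\\Windows\\videodrv.exe" videodrv.exe',
]
REPORT_FILE_IOCS = [
    r"File created C:\Windows\videodrv.exe videodrv.exe",
    r"File opened for modification C:\Windows\videodrv.exe videodrv.exe",
    r"File opened for modification C:\Windows\exe.tmp videodrv.exe",
    r"File opened for modification C:\Windows\zip.tmp videodrv.exe",
    r"File opened for modification C:\Windows\eml.tmp videodrv.exe",
    r"File created C:\Windows\videodrv.exe " + SAMPLE,
    r"File opened for modification C:\Windows\videodrv.exe " + SAMPLE,
]

# Kernel-object registry paths used by the sandbox -> hive names hunters use.
HIVES = {r"\REGISTRY\MACHINE": "HKLM", r"\REGISTRY\USER": "HKU"}
WOW64 = "SOFTWARE\\WOW6432Node\\"
WINDIR = "C:\\Windows\\"

REG_RE = re.compile(r'^Set value \((\w+)\) (\S+) = "(.*)" (\S+)$')
FILE_RE = re.compile(r"^(File created|File opened for modification) (\S+) (\S+)$")


@dataclass(frozen=True)
class RegistryIoc:
    hive: str         # HKLM / HKU
    key: str          # key path below the hive, exactly where the write landed
    value_name: str
    value_type: str   # "str" in the report, i.e. REG_SZ
    data: str         # unescaped value data
    process: str      # image name of the writing process

    @property
    def wow64_redirected(self) -> bool:
        # A 32-bit process on x64 Windows writing HKLM\SOFTWARE\... is silently
        # redirected into SOFTWARE\WOW6432Node, so this also tells us the
        # writer ran as a 32-bit process.
        return self.key.upper().startswith(WOW64.upper())

    @property
    def native_key(self) -> str:
        # The path the 32-bit writer actually asked for. A 32-bit hunting tool
        # reading it is redirected the same way and sees the value; a 64-bit
        # tool has to read the WOW6432Node path explicitly.
        return "SOFTWARE\\" + self.key[len(WOW64):] if self.wow64_redirected else self.key

    def hunt_paths(self) -> list:
        # Both views, so a hunt query is correct whichever bitness runs it.
        return sorted({f"{self.hive}\\{self.key}", f"{self.hive}\\{self.native_key}"})


@dataclass(frozen=True)
class FileIoc:
    action: str
    path: str
    process: str


def parse_registry_ioc(line: str) -> RegistryIoc:
    m = REG_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised registry IoC: {line!r}")
    vtype, full_path, data, proc = m.groups()
    key_path, _, value_name = full_path.rpartition("\\")
    for native, hive in HIVES.items():
        if key_path.upper().startswith(native.upper() + "\\"):
            key = key_path[len(native) + 1:]
            break
    else:
        raise ValueError(f"unknown hive in {full_path!r}")
    return RegistryIoc(hive, key, value_name, vtype, data.replace("\\\\", "\\"), proc)


def parse_file_ioc(line: str) -> FileIoc:
    m = FILE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised file IoC: {line!r}")
    return FileIoc(*m.groups())


def dropped_in_windows_root(ioc: FileIoc) -> bool:
    # A file written straight into %SystemRoot% (not a subdirectory such as
    # System32) by something that is not an installer is rare on a clean host.
    p = ioc.path
    return p.upper().startswith(WINDIR.upper()) and "\\" not in p[len(WINDIR):]


def hunt_list(reg_lines, file_lines) -> dict:
    regs = {parse_registry_ioc(l) for l in reg_lines}
    files = {parse_file_ioc(l) for l in file_lines}
    return {
        # (key to read, value name, expected data), deduplicated across writers
        "registry": sorted({(p, r.value_name, r.data) for r in regs for p in r.hunt_paths()}),
        "files": sorted({f.path for f in files if dropped_in_windows_root(f)}),
        "processes": sorted({r.process for r in regs} | {f.process for f in files}),
    }


if __name__ == "__main__":
    for section, items in hunt_list(REPORT_REGISTRY_IOCS, REPORT_FILE_IOCS).items():
        print(section)
        for item in items:
            print("   ", item)
```

Run stand-alone it prints two registry paths for the one VideoDriver value, the four distinct files written into C:\Windows (videodrv.exe plus the three .tmp files, which the report records only as opened for modification), and the two writing processes. Note that the Run key data and the dropped path are the same file, so a host where C:\Windows\videodrv.exe is absent but the value remains still had the persistence written.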
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description   ioc                                                        Process
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   videodrv.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   e96273076da36e229870ea1f812eba3a6300796e55bcc25c9fa85e39bf7632fcN.exe
-
Suspicious use of WriteProcessMemory 3 IoCs
description                        pid    Process                                                                  procid_target
PID 3608 wrote to memory of 3340   3608   e96273076da36e229870ea1f812eba3a6300796e55bcc25c9fa85e39bf7632fcN.exe   83
PID 3608 wrote to memory of 3340   3608   e96273076da36e229870ea1f812eba3a6300796e55bcc25c9fa85e39bf7632fcN.exe   83
PID 3608 wrote to memory of 3340   3608   e96273076da36e229870ea1f812eba3a6300796e55bcc25c9fa85e39bf7632fcN.exe   83
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\e96273076da36e229870ea1f812eba3a6300796e55bcc25c9fa85e39bf7632fcN.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\e96273076da36e229870ea1f812eba3a6300796e55bcc25c9fa85e39bf7632fcN.exe"
   PID: 3608
   - Adds Run key to start application
   - Drops file in Windows directory
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\videodrv.exe (child of PID 3608)
      Command line: C:\Windows\videodrv.exe
      PID: 3340
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution (1)
Registry Run Keys / Startup Folder (1)
Downloads
-
Filesize 2KB
MD5 dd3d6f89a870a89599c3224ba2f77cde
SHA1 72471eabc5bd90688291e501d27faa58b8065d41
SHA256 446432d1f0b4d0c102745a09a5265f991053adc3edc28360f1f4882834938cc6
SHA512 21602bfa9da4e6632c0cbf97d08ffbeb5ce2415050d7c04ba8dbad5c4e72b30f0c225d563ad56d341580e04d64da24a551eb22af95d404a3790f19349e488d32
-
Filesize 2KB
MD5 03eaafad1ab97601f872c8cb20c9afce
SHA1 758d17d6924a87d16388f03b445bad4739d3603e
SHA256 0c8302216f046043fe7238ef1a00cba166a77fb85e9ab89dc1d7f9d178bcff6f
SHA512 72f1a2ac56bac36d92b6875ca5b195e19d387c6ce0d92cadd0c596daaf3c2e16d3d9e8faafc0f7c1d9538a39c0355fc997d6db80897fd421bfa72c4e8ec8f30d
-
Filesize 3KB
MD5 f4d0cfeae265e06a0de91365c9e73413
SHA1 4b651a48d37412c1849c181dea91feaa4c5f6a72
SHA256 b80e48ff761536872ea8c220967834066ece37a74eae3634d39856be0464cba4
SHA512 4be545394bb6284624405c759c5b7655161352d0e0a92a87b4178a57ae75de47c930c9499e662f98b4dcddb8371bfaa811c4bdb608bb37b994e17fb3e75b4571
-
Filesize 4KB
MD5 8a2ecd274bcc7ae885f6e8f2eab5a639
SHA1 5215b6dd17bb850fa19f73e1e01a72cdd012cb6d
SHA256 a1f719a8c3b6061a5fa0481fc21b9908ddad9ca9e60cbf5b7e45cd1bf89225fb
SHA512 c339c681561234c902503bf3040a3a84b4ebb99c754ecc682984acd11c9a9641f85ead5d599b7a958d3c68d5a330674c466cefa5d4ee88a1f77175dd1f1b1712
-
Filesize 635B
MD5 b3a1ace3f7691d3795f2d59405add79e
SHA1 7b0f0794a4fc2f3f7596ebec298cfbe7d333f773
SHA256 d814662cacb0d7bb84edd2f03713d1338303152d968f5bc9f31ea84f34fb2cb4
SHA512 fd54826424d3dab1c66846b718e8f3efe0984c4c984325e8c9082e3306fbfcd2c700a50045a0b609dd6eceeb41825e8b756f7e5a4887706a876d085dc0cf75cd
-
Filesize 13KB (same hashes as the submitted sample, consistent with the sample copying itself unchanged to C:\Windows\videodrv.exe)
MD5 224c306b78a6e3fb7d042c3be3888790
SHA1 048d839a99a4d8228a7fde54fe2b95e8c4e09999
SHA256 e96273076da36e229870ea1f812eba3a6300796e55bcc25c9fa85e39bf7632fc
SHA512 44d8de49fef4d9a95123b0c2ef4cf9529f133b142c8cf875a5cd2fd6e5137239ff6e6c6de45ea6a8872ed308243dbfd822f64937e38eeb94d4423fe09cd21541