Analysis

  • max time kernel
    120s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    19/01/2025, 19:17

General

  • Target

    1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe

  • Size

    124KB

  • MD5

    0d44e21cc26806ba9cefb553fd25327e

  • SHA1

    4039bc7941bce053c73d41df50a8267eaeded1f9

  • SHA256

    1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227

  • SHA512

    170c1d68c59dbf7b8d4eaeab14f15a4d5e2611f0f34408f9828ed96ce1ff5a34972d3cba1a11d1a4f9fc62a3089ec17b5bd07df98eced11a8a8135cdc8278e4c

  • SSDEEP

    1536:s1qcQMheJwmbKSyVfwT5xvOt0rPQ4llm6JMBtD4iJu/KS7b9qrFaiAOa0kHNPVe2:e9hYUMI44Vu/fv9YpnUpVky

Malware Config

Signatures

  • Modifies firewall policy service 3 TTPs 2 IoCs
  • Adds policy Run key to start application 2 TTPs 4 IoCs
  • Sets service image path in registry 2 TTPs 1 IoCs
  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 14 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Modifies registry class 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe
    "C:\Users\Admin\AppData\Local\Temp\1cfe1a7aba823646997f3f2c5bd65eedfa8801566ceccce758637d1baa15a227.exe"
    1⤵
    • Modifies firewall policy service
    • Adds policy Run key to start application
    • Sets service image path in registry
    • Adds Run key to start application
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of FindShellTrayWindow
    PID:2676

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Windows\msrpc.exe

          Filesize

          124KB

          MD5

          9e4fc5458e8c6538130bfdf13f46ce45

          SHA1

          a3bb4a1598f2162a88351f5f78a49660e54b9c52

          SHA256

          612b3f592a79e685c5699ea5e0f75514d1e15bb576f4633150dd21d9da560a0e

          SHA512

          36e4688c89ce4126de2effbccd52e760c8380d443c09ad0258627f599964d813dcdab0b58ce841d5189ba128e1fa39167ba8204f90143fd18b9b418062908f1d

        • memory/2676-0-0x0000000000400000-0x0000000000425000-memory.dmp

          Filesize

          148KB

        • memory/2676-17-0x0000000000400000-0x0000000000425000-memory.dmp

          Filesize

          148KB

        • memory/2676-22-0x0000000000400000-0x0000000000425000-memory.dmp

          Filesize

          148KB

        • memory/2676-24-0x0000000000400000-0x0000000000425000-memory.dmp

          Filesize

          148KB

        • memory/2676-25-0x0000000000400000-0x0000000000425000-memory.dmp

          Filesize

          148KB

        • memory/2676-26-0x0000000000400000-0x0000000000425000-memory.dmp

          Filesize

          148KB

        • memory/2676-27-0x0000000000400000-0x0000000000425000-memory.dmp

          Filesize

          148KB