Analysis

  • max time kernel
    137s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22/03/2025, 06:10

General

  • Target

    4c2f38b99403c4aaca4e0a524b094c17b8d7b462af1041dee9e7562c512af4d5.exe

  • Size

    650KB

  • MD5

    f6276c3c25982a59d17cced52b409e2f

  • SHA1

    61025476f38e1a9bd29721014c76cc03d27f145f

  • SHA256

    4c2f38b99403c4aaca4e0a524b094c17b8d7b462af1041dee9e7562c512af4d5

  • SHA512

    a128ca1cd21b9e22b3173d5d0ce2015c492f271dc3a70af095a632c05bdb264261969ebefbfcc21c921022a08829f043c85ebaf075e0f34e2f532438220fda6c

  • SSDEEP

    6144:BtT/Yq3v9Auky+4dusAIFB++velibxPyp/64wjOjn6cB3rfc:r6u7+487IFjvelQypyfy7fc

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.yandex.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Boy12345#

Signatures

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

  • Accesses Microsoft Outlook profiles 1 TTPs 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4c2f38b99403c4aaca4e0a524b094c17b8d7b462af1041dee9e7562c512af4d5.exe
    "C:\Users\Admin\AppData\Local\Temp\4c2f38b99403c4aaca4e0a524b094c17b8d7b462af1041dee9e7562c512af4d5.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4040
    • C:\Users\Admin\AppData\Roaming\app.exe
      "C:\Users\Admin\AppData\Roaming\app.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4216
      • C:\Users\Admin\AppData\Roaming\app.exe
        "C:\Users\Admin\AppData\Roaming\app.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2372
      • C:\Users\Admin\AppData\Roaming\My.RawFile.exe
        "C:\Users\Admin\AppData\Roaming\My.RawFile.exe"
        3⤵
        • Executes dropped EXE
        • Accesses Microsoft Outlook profiles
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • outlook_office_path
        • outlook_win_path
        PID:5272
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:5580
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4884

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\aspnet_compiler.exe.log

    Filesize

    20B

    MD5

    b3ac9d09e3a47d5fd00c37e075a70ecb

    SHA1

    ad14e6d0e07b00bd10d77a06d68841b20675680b

    SHA256

    7a23c6e7ccd8811ecdf038d3a89d5c7d68ed37324bae2d4954125d9128fa9432

    SHA512

    09b609ee1061205aa45b3c954efc6c1a03c8fd6b3011ff88cf2c060e19b1d7fd51ee0cb9d02a39310125f3a66aa0146261bdee3d804f472034df711bc942e316

  • C:\Users\Admin\AppData\Roaming\My.RawFile.exe

    Filesize

    142KB

    MD5

    5a733ef0de5e31e2e4b4abb016c0f251

    SHA1

    28644040a6deac35c20fa931b5d003a97293363e

    SHA256

    a80c77ca694eca3f6629c54572aba811e64b61975c5db2ff38c8d662d12b1ce7

    SHA512

    9d09ac6b6a560643cac08345ab6ef8578011b11be7d4821d7aa1b3d76f2801d30cb4d206a4ff9335f0ece5cfa2ec8258754b2481102eac3da064e5005f7ffba9

  • C:\Users\Admin\AppData\Roaming\app.exe

    Filesize

    659KB

    MD5

    a1ee959e3bd328a156c263519ddf28aa

    SHA1

    2109fe59148cc488152e32deb6c2f082933c23f2

    SHA256

    32ed0ed506b56d6fe258cdfb17fee9e84621418a11d1bdd41ba3af9a4e27bf3e

    SHA512

    14d6b3a4157011207fc6d24bd1834904b9476303dbaacbe18d9cc3261b0a3884e4fb8f6a6c383f263bc04a2d679b56892c964634268bd6c243034792d7ce0888

  • memory/2372-61-0x00000000748D0000-0x0000000074E81000-memory.dmp

    Filesize

    5.7MB

  • memory/2372-60-0x00000000748D0000-0x0000000074E81000-memory.dmp

    Filesize

    5.7MB

  • memory/2372-36-0x00000000748D0000-0x0000000074E81000-memory.dmp

    Filesize

    5.7MB

  • memory/2372-35-0x00000000748D0000-0x0000000074E81000-memory.dmp

    Filesize

    5.7MB

  • memory/2372-34-0x00000000748D0000-0x0000000074E81000-memory.dmp

    Filesize

    5.7MB

  • memory/4040-17-0x00000000748D0000-0x0000000074E81000-memory.dmp

    Filesize

    5.7MB

  • memory/4040-3-0x00000000748D0000-0x0000000074E81000-memory.dmp

    Filesize

    5.7MB

  • memory/4040-1-0x00000000748D0000-0x0000000074E81000-memory.dmp

    Filesize

    5.7MB

  • memory/4040-2-0x00000000748D0000-0x0000000074E81000-memory.dmp

    Filesize

    5.7MB

  • memory/4040-29-0x00000000748D0000-0x0000000074E81000-memory.dmp

    Filesize

    5.7MB

  • memory/4040-18-0x00000000748D0000-0x0000000074E81000-memory.dmp

    Filesize

    5.7MB

  • memory/4040-0-0x00000000748D2000-0x00000000748D3000-memory.dmp

    Filesize

    4KB

  • memory/4040-16-0x00000000748D2000-0x00000000748D3000-memory.dmp

    Filesize

    4KB

  • memory/4040-4-0x00000000748D0000-0x0000000074E81000-memory.dmp

    Filesize

    5.7MB

  • memory/4216-37-0x00000000748D0000-0x0000000074E81000-memory.dmp

    Filesize

    5.7MB

  • memory/4216-31-0x00000000748D0000-0x0000000074E81000-memory.dmp

    Filesize

    5.7MB

  • memory/4216-56-0x00000000748D0000-0x0000000074E81000-memory.dmp

    Filesize

    5.7MB

  • memory/4216-59-0x00000000748D0000-0x0000000074E81000-memory.dmp

    Filesize

    5.7MB

  • memory/4216-32-0x00000000748D0000-0x0000000074E81000-memory.dmp

    Filesize

    5.7MB

  • memory/4216-30-0x00000000748D0000-0x0000000074E81000-memory.dmp

    Filesize

    5.7MB

  • memory/5580-52-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB