Overview
overview
10Static
static
104b5d342b8c...86.exe
windows7-x64
94b5d342b8c...86.exe
windows10-2004-x64
94bb452a3de...a3.exe
windows7-x64
104bb452a3de...a3.exe
windows10-2004-x64
74bbf1f33d0...4d.exe
windows7-x64
84bbf1f33d0...4d.exe
windows10-2004-x64
84bc17871c1...64.exe
windows7-x64
104bc17871c1...64.exe
windows10-2004-x64
104be84836f6...c8.exe
windows7-x64
104be84836f6...c8.exe
windows10-2004-x64
104c2f38b994...d5.exe
windows7-x64
104c2f38b994...d5.exe
windows10-2004-x64
104c948e4226...26.exe
windows7-x64
104c948e4226...26.exe
windows10-2004-x64
104ca1d61a24...2e.exe
windows7-x64
104ca1d61a24...2e.exe
windows10-2004-x64
104cc3e6fe69...22.exe
windows7-x64
104cc3e6fe69...22.exe
windows10-2004-x64
104cf9706999...8e.exe
windows7-x64
104cf9706999...8e.exe
windows10-2004-x64
104d8cd82fa6...d5.exe
windows7-x64
104d8cd82fa6...d5.exe
windows10-2004-x64
104d947659fe...19.exe
windows7-x64
104d947659fe...19.exe
windows10-2004-x64
104dac62ad00...ec.exe
windows7-x64
104dac62ad00...ec.exe
windows10-2004-x64
104dde57eed0...7b.exe
windows7-x64
104dde57eed0...7b.exe
windows10-2004-x64
104e1fdde317...d3.exe
windows7-x64
104e1fdde317...d3.exe
windows10-2004-x64
104e248cce2f...a7.exe
windows7-x64
104e248cce2f...a7.exe
windows10-2004-x64
10Analysis
-
max time kernel
137s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20250314-en -
resource tags
arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system -
submitted
22/03/2025, 06:10
Behavioral task
behavioral1
Sample
4b5d342b8c5a5b19fac86b1315802786.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
4b5d342b8c5a5b19fac86b1315802786.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral3
Sample
4bb452a3de5825053bceee8fd5ee6db144ef8c4615a71a8408ee7de4df789fa3.exe
Resource
win7-20240729-en
Behavioral task
behavioral4
Sample
4bb452a3de5825053bceee8fd5ee6db144ef8c4615a71a8408ee7de4df789fa3.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral5
Sample
4bbf1f33d0196e9a4ffae1877690bd000c7f728d546252ced45e60ecfe25e04d.exe
Resource
win7-20241010-en
Behavioral task
behavioral6
Sample
4bbf1f33d0196e9a4ffae1877690bd000c7f728d546252ced45e60ecfe25e04d.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral7
Sample
4bc17871c10bb28c4e2b5e2f1d9e4664.exe
Resource
win7-20241010-en
Behavioral task
behavioral8
Sample
4bc17871c10bb28c4e2b5e2f1d9e4664.exe
Resource
win10v2004-20250313-en
Behavioral task
behavioral9
Sample
4be84836f68985fd15cbf992a7b0e782d1bab4439960e27c6e252e76a89ce2c8.exe
Resource
win7-20250207-en
Behavioral task
behavioral10
Sample
4be84836f68985fd15cbf992a7b0e782d1bab4439960e27c6e252e76a89ce2c8.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral11
Sample
4c2f38b99403c4aaca4e0a524b094c17b8d7b462af1041dee9e7562c512af4d5.exe
Resource
win7-20241010-en
Behavioral task
behavioral12
Sample
4c2f38b99403c4aaca4e0a524b094c17b8d7b462af1041dee9e7562c512af4d5.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral13
Sample
4c948e42267877c379b01be5faa66926.exe
Resource
win7-20240729-en
Behavioral task
behavioral14
Sample
4c948e42267877c379b01be5faa66926.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral15
Sample
4ca1d61a2465b19118d75478ec45e38cf03e101fd7422cfb04e4a526251ac92e.exe
Resource
win7-20240903-en
Behavioral task
behavioral16
Sample
4ca1d61a2465b19118d75478ec45e38cf03e101fd7422cfb04e4a526251ac92e.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral17
Sample
4cc3e6fe699a661d5a6ea786a93cfacd887570860b351476e5f5a1d3616bf922.exe
Resource
win7-20240903-en
Behavioral task
behavioral18
Sample
4cc3e6fe699a661d5a6ea786a93cfacd887570860b351476e5f5a1d3616bf922.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral19
Sample
4cf97069999c57b9ff02fc34f4efbe8e.exe
Resource
win7-20241010-en
Behavioral task
behavioral20
Sample
4cf97069999c57b9ff02fc34f4efbe8e.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral21
Sample
4d8cd82fa6662df02eb5af2abbf815d5.exe
Resource
win7-20241023-en
Behavioral task
behavioral22
Sample
4d8cd82fa6662df02eb5af2abbf815d5.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral23
Sample
4d947659fef83a302fd6b7451b980b19.exe
Resource
win7-20240903-en
Behavioral task
behavioral24
Sample
4d947659fef83a302fd6b7451b980b19.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral25
Sample
4dac62ad007ffed0e0d4b738af6da8ec.exe
Resource
win7-20250207-en
Behavioral task
behavioral26
Sample
4dac62ad007ffed0e0d4b738af6da8ec.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral27
Sample
4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe
Resource
win7-20240903-en
Behavioral task
behavioral28
Sample
4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral29
Sample
4e1fdde317913d69f35aa03397b5ded3.exe
Resource
win7-20240903-en
Behavioral task
behavioral30
Sample
4e1fdde317913d69f35aa03397b5ded3.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral31
Sample
4e248cce2fb9b5f155ca62d21c6e9da7.exe
Resource
win7-20240903-en
Behavioral task
behavioral32
Sample
4e248cce2fb9b5f155ca62d21c6e9da7.exe
Resource
win10v2004-20250314-en
General
-
Target
4c2f38b99403c4aaca4e0a524b094c17b8d7b462af1041dee9e7562c512af4d5.exe
-
Size
650KB
-
MD5
f6276c3c25982a59d17cced52b409e2f
-
SHA1
61025476f38e1a9bd29721014c76cc03d27f145f
-
SHA256
4c2f38b99403c4aaca4e0a524b094c17b8d7b462af1041dee9e7562c512af4d5
-
SHA512
a128ca1cd21b9e22b3173d5d0ce2015c492f271dc3a70af095a632c05bdb264261969ebefbfcc21c921022a08829f043c85ebaf075e0f34e2f532438220fda6c
-
SSDEEP
6144:BtT/Yq3v9Auky+4dusAIFB++velibxPyp/64wjOjn6cB3rfc:r6u7+487IFjvelQypyfy7fc
Malware Config
Extracted
Protocol: smtp- Host:
smtp.yandex.com - Port:
587 - Username:
[email protected] - Password:
Boy12345#
Signatures
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation 4c2f38b99403c4aaca4e0a524b094c17b8d7b462af1041dee9e7562c512af4d5.exe Key value queried \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation app.exe -
Executes dropped EXE 3 IoCs
pid Process 4216 app.exe 2372 app.exe 5272 My.RawFile.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Accesses Microsoft Outlook profiles 1 TTPs 2 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 My.RawFile.exe Key opened \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 My.RawFile.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Application = "C:\\Users\\Admin\\AppData\\Roaming\\app.exe" 4c2f38b99403c4aaca4e0a524b094c17b8d7b462af1041dee9e7562c512af4d5.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 30 checkip.dyndns.org -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 4216 set thread context of 5580 4216 app.exe 102 PID 4216 set thread context of 4884 4216 app.exe 103 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4c2f38b99403c4aaca4e0a524b094c17b8d7b462af1041dee9e7562c512af4d5.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language app.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language app.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language My.RawFile.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language aspnet_compiler.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language aspnet_compiler.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4040 4c2f38b99403c4aaca4e0a524b094c17b8d7b462af1041dee9e7562c512af4d5.exe 4040 4c2f38b99403c4aaca4e0a524b094c17b8d7b462af1041dee9e7562c512af4d5.exe 4040 4c2f38b99403c4aaca4e0a524b094c17b8d7b462af1041dee9e7562c512af4d5.exe 4040 4c2f38b99403c4aaca4e0a524b094c17b8d7b462af1041dee9e7562c512af4d5.exe 4040 4c2f38b99403c4aaca4e0a524b094c17b8d7b462af1041dee9e7562c512af4d5.exe 4040 4c2f38b99403c4aaca4e0a524b094c17b8d7b462af1041dee9e7562c512af4d5.exe 4216 app.exe 4216 app.exe 4216 app.exe 4216 app.exe 4216 app.exe 4216 app.exe 2372 app.exe 2372 app.exe 2372 app.exe 2372 app.exe 2372 app.exe 2372 app.exe 4216 app.exe 4216 app.exe 4216 app.exe 4216 app.exe 4216 app.exe 4216 app.exe 4216 app.exe 4216 app.exe 4216 app.exe 4216 app.exe 4216 app.exe 4216 app.exe 4216 app.exe 4216 app.exe 5272 My.RawFile.exe 5272 My.RawFile.exe 5272 My.RawFile.exe 5272 My.RawFile.exe 4216 app.exe 4216 app.exe 4216 app.exe 4216 app.exe 4216 app.exe 4216 app.exe 4216 app.exe 4216 app.exe 4216 app.exe 4216 app.exe 4216 app.exe 4216 app.exe 4216 app.exe 4216 app.exe 4216 app.exe 4216 app.exe 4216 app.exe 4216 app.exe 4216 app.exe 4216 app.exe 4216 app.exe 4216 app.exe 4216 app.exe 4216 app.exe 4216 app.exe 4216 app.exe 4216 app.exe 4216 app.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeDebugPrivilege 4040 4c2f38b99403c4aaca4e0a524b094c17b8d7b462af1041dee9e7562c512af4d5.exe Token: SeDebugPrivilege 4216 app.exe Token: SeDebugPrivilege 2372 app.exe Token: SeDebugPrivilege 5272 My.RawFile.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 5272 My.RawFile.exe -
Suspicious use of WriteProcessMemory 25 IoCs
description pid Process procid_target PID 4040 wrote to memory of 4216 4040 4c2f38b99403c4aaca4e0a524b094c17b8d7b462af1041dee9e7562c512af4d5.exe 95 PID 4040 wrote to memory of 4216 4040 4c2f38b99403c4aaca4e0a524b094c17b8d7b462af1041dee9e7562c512af4d5.exe 95 PID 4040 wrote to memory of 4216 4040 4c2f38b99403c4aaca4e0a524b094c17b8d7b462af1041dee9e7562c512af4d5.exe 95 PID 4216 wrote to memory of 2372 4216 app.exe 100 PID 4216 wrote to memory of 2372 4216 app.exe 100 PID 4216 wrote to memory of 2372 4216 app.exe 100 PID 4216 wrote to memory of 5272 4216 app.exe 101 PID 4216 wrote to memory of 5272 4216 app.exe 101 PID 4216 wrote to memory of 5272 4216 app.exe 101 PID 4216 wrote to memory of 5580 4216 app.exe 102 PID 4216 wrote to memory of 5580 4216 app.exe 102 PID 4216 wrote to memory of 5580 4216 app.exe 102 PID 4216 wrote to memory of 5580 4216 app.exe 102 PID 4216 wrote to memory of 5580 4216 app.exe 102 PID 4216 wrote to memory of 5580 4216 app.exe 102 PID 4216 wrote to memory of 5580 4216 app.exe 102 PID 4216 wrote to memory of 5580 4216 app.exe 102 PID 4216 wrote to memory of 4884 4216 app.exe 103 PID 4216 wrote to memory of 4884 4216 app.exe 103 PID 4216 wrote to memory of 4884 4216 app.exe 103 PID 4216 wrote to memory of 4884 4216 app.exe 103 PID 4216 wrote to memory of 4884 4216 app.exe 103 PID 4216 wrote to memory of 4884 4216 app.exe 103 PID 4216 wrote to memory of 4884 4216 app.exe 103 PID 4216 wrote to memory of 4884 4216 app.exe 103 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 My.RawFile.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 My.RawFile.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\4c2f38b99403c4aaca4e0a524b094c17b8d7b462af1041dee9e7562c512af4d5.exe"C:\Users\Admin\AppData\Local\Temp\4c2f38b99403c4aaca4e0a524b094c17b8d7b462af1041dee9e7562c512af4d5.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4040 -
C:\Users\Admin\AppData\Roaming\app.exe"C:\Users\Admin\AppData\Roaming\app.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4216 -
C:\Users\Admin\AppData\Roaming\app.exe"C:\Users\Admin\AppData\Roaming\app.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2372
-
-
C:\Users\Admin\AppData\Roaming\My.RawFile.exe"C:\Users\Admin\AppData\Roaming\My.RawFile.exe"3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- outlook_office_path
- outlook_win_path
PID:5272
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"3⤵
- System Location Discovery: System Language Discovery
PID:5580
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"3⤵
- System Location Discovery: System Language Discovery
PID:4884
-
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
5Credentials In Files
4Credentials in Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
20B
MD5b3ac9d09e3a47d5fd00c37e075a70ecb
SHA1ad14e6d0e07b00bd10d77a06d68841b20675680b
SHA2567a23c6e7ccd8811ecdf038d3a89d5c7d68ed37324bae2d4954125d9128fa9432
SHA51209b609ee1061205aa45b3c954efc6c1a03c8fd6b3011ff88cf2c060e19b1d7fd51ee0cb9d02a39310125f3a66aa0146261bdee3d804f472034df711bc942e316
-
Filesize
142KB
MD55a733ef0de5e31e2e4b4abb016c0f251
SHA128644040a6deac35c20fa931b5d003a97293363e
SHA256a80c77ca694eca3f6629c54572aba811e64b61975c5db2ff38c8d662d12b1ce7
SHA5129d09ac6b6a560643cac08345ab6ef8578011b11be7d4821d7aa1b3d76f2801d30cb4d206a4ff9335f0ece5cfa2ec8258754b2481102eac3da064e5005f7ffba9
-
Filesize
659KB
MD5a1ee959e3bd328a156c263519ddf28aa
SHA12109fe59148cc488152e32deb6c2f082933c23f2
SHA25632ed0ed506b56d6fe258cdfb17fee9e84621418a11d1bdd41ba3af9a4e27bf3e
SHA51214d6b3a4157011207fc6d24bd1834904b9476303dbaacbe18d9cc3261b0a3884e4fb8f6a6c383f263bc04a2d679b56892c964634268bd6c243034792d7ce0888