Analysis
-
max time kernel
195s -
max time network
255s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system -
submitted
29-04-2024 04:13
Static task
static1
Behavioral task
behavioral1
Sample
f3811d1e3adf12256e3d60d5f83b8e4066d42de822cdd6da4c522c19737dcaa9.exe
Resource
win7-20240215-en
General
-
Target
f3811d1e3adf12256e3d60d5f83b8e4066d42de822cdd6da4c522c19737dcaa9.exe
-
Size
351KB
-
MD5
8f81cbad65802a563f4c6828ad59e382
-
SHA1
732d20205b2c7879a138bf89bae0d272166d8961
-
SHA256
f3811d1e3adf12256e3d60d5f83b8e4066d42de822cdd6da4c522c19737dcaa9
-
SHA512
072f837658ec1387cd44f9b4119b0fc52a67f8e5a8334c56fbae88de6564b9f65b313dfb473900e41a6989b33d3f02373aaf40f280b826f3f8bfe9251ecb1166
-
SSDEEP
3072:yk6yIlOwVEC7i+lv5e4nAFOkrDJmnKNJT3EfqBDTSIJ47faaV0OJrVZO+zuiGFZ4:KM2ECm+lvc+C5VQyWdGAiQmN8R
Malware Config
Signatures
-
Detect Xehook Payload 1 IoCs
Processes:
resource yara_rule behavioral2/memory/2360-1-0x00000000009C0000-0x00000000009EC000-memory.dmp family_xehook -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 3 ip-api.com -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 2336 2360 WerFault.exe f3811d1e3adf12256e3d60d5f83b8e4066d42de822cdd6da4c522c19737dcaa9.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
f3811d1e3adf12256e3d60d5f83b8e4066d42de822cdd6da4c522c19737dcaa9.exedescription pid process Token: SeDebugPrivilege 2360 f3811d1e3adf12256e3d60d5f83b8e4066d42de822cdd6da4c522c19737dcaa9.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\f3811d1e3adf12256e3d60d5f83b8e4066d42de822cdd6da4c522c19737dcaa9.exe"C:\Users\Admin\AppData\Local\Temp\f3811d1e3adf12256e3d60d5f83b8e4066d42de822cdd6da4c522c19737dcaa9.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2360 -s 16202⤵
- Program crash
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/2360-1-0x00000000009C0000-0x00000000009EC000-memory.dmpFilesize
176KB
-
memory/2360-4-0x0000000005250000-0x000000000526A000-memory.dmpFilesize
104KB
-
memory/2360-5-0x0000000073DE0000-0x00000000744CE000-memory.dmpFilesize
6.9MB
-
memory/2360-6-0x0000000005770000-0x0000000005C6E000-memory.dmpFilesize
5.0MB
-
memory/2360-7-0x0000000005390000-0x00000000053A0000-memory.dmpFilesize
64KB
-
memory/2360-8-0x00000000063D0000-0x0000000006462000-memory.dmpFilesize
584KB
-
memory/2360-9-0x0000000006260000-0x00000000062C6000-memory.dmpFilesize
408KB
-
memory/2360-11-0x0000000073DE0000-0x00000000744CE000-memory.dmpFilesize
6.9MB
-
memory/2360-12-0x0000000005390000-0x00000000053A0000-memory.dmpFilesize
64KB