dcb19b7de3a9b4f70a0dd5ae2cec07f108dd2be85bad88af3f96e2c827729b02

Analysis

max time kernel
4s
max time network
118s
platform
windows11-21h2_x64
resource
win11-20231222-en
resource tags

arch:x64arch:x86image:win11-20231222-enlocale:en-usos:windows11-21h2-x64system
submitted
10-01-2024 23:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WatchRPC-3.3.0 Setup.exe
Size

104.4MB
MD5

3c138da6072dcae013b8a4908c86deee
SHA1

4446962ee2d0e21e48a0e88ab2d46a86569d0cf8
SHA256

dcb19b7de3a9b4f70a0dd5ae2cec07f108dd2be85bad88af3f96e2c827729b02
SHA512

ffe45c779d3ebdabd260ce4cb781ceed93e6f4d215ef92d7d993602e0e1910574b4dac3b5cfc6040cdd8df3fced1a4b7042c1b5e51fa3fe529385260d58620cd
SSDEEP

3145728:bFZG4XLhiJLGXzFSp69lJMykR2wqljnj3R:bFZBRXJSm4ykYwqb

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2984	Update.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 3388 wrote to memory of 2984	3388	WatchRPC-3.3.0 Setup.exe	57
PID 3388 wrote to memory of 2984	3388	WatchRPC-3.3.0 Setup.exe	57

C:\Users\Admin\AppData\Local\Temp\WatchRPC-3.3.0 Setup.exe
"C:\Users\Admin\AppData\Local\Temp\WatchRPC-3.3.0 Setup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3388
- C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
  "C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe" --install .
  2⤵
  - Executes dropped EXE
  PID:2984
- - C:\Users\Admin\AppData\Local\watchrpc\app-3.3.0\Squirrel.exe
    "C:\Users\Admin\AppData\Local\watchrpc\app-3.3.0\Squirrel.exe" --updateSelf=C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
    3⤵
    PID:1248
- - C:\Users\Admin\AppData\Local\watchrpc\app-3.3.0\WatchRPC.exe
    "C:\Users\Admin\AppData\Local\watchrpc\app-3.3.0\WatchRPC.exe" --squirrel-install 3.3.0
    3⤵
    PID:432
  - - C:\Users\Admin\AppData\Local\watchrpc\Update.exe
      C:\Users\Admin\AppData\Local\watchrpc\Update.exe --createShortcut=WatchRPC.exe
      4⤵
      PID:4476
- - C:\Users\Admin\AppData\Local\watchrpc\app-3.3.0\WatchRPC.exe
    "C:\Users\Admin\AppData\Local\watchrpc\app-3.3.0\WatchRPC.exe" --squirrel-firstrun
    3⤵
    PID:4964
  - - C:\Users\Admin\AppData\Local\watchrpc\app-3.3.0\WatchRPC.exe
      "C:\Users\Admin\AppData\Local\watchrpc\app-3.3.0\WatchRPC.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\watchrpc" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1640 --field-trial-handle=1644,i,243049749582692294,9917657746906096485,262144 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
      4⤵
      PID:1488
  - - C:\Users\Admin\AppData\Local\watchrpc\app-3.3.0\WatchRPC.exe
      "C:\Users\Admin\AppData\Local\watchrpc\app-3.3.0\WatchRPC.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\watchrpc" --mojo-platform-channel-handle=1960 --field-trial-handle=1644,i,243049749582692294,9917657746906096485,262144 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
      4⤵
      PID:1424
  - - C:\Users\Admin\AppData\Local\watchrpc\app-3.3.0\WatchRPC.exe
      "C:\Users\Admin\AppData\Local\watchrpc\app-3.3.0\WatchRPC.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\watchrpc" --app-user-model-id=com.squirrel.watchrpc.WatchRPC --app-path="C:\Users\Admin\AppData\Local\watchrpc\app-3.3.0\resources\app" --enable-sandbox --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2224 --field-trial-handle=1644,i,243049749582692294,9917657746906096485,262144 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
      4⤵
      PID:1628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe

Filesize
92KB

MD5
feb12f8e4705725e1f7ea76ad43645f0

SHA1
47c12673aefb060a3bec09367f6d5f2922fddba6

SHA256
4273f4499de750e808e3f6abe35823d0c2f386c2fb3150288cb3d5ee3bffb925

SHA512
a3575ccdf628cd653c8df0252bce350c676cade8d96d689f2d5bfa6c303e190e04674f4f2f9053803a12b592ac847f92482b15b3b1fbe21d58432ead0711b54b

Download Submit
C:\Users\Admin\AppData\Local\watchrpc\app-3.3.0\resources\app\node_modules\discord-rpc\node_modules\ws\index.js

Filesize
296B

MD5
c4496645a3cadf59790b9a7749e5ad21

SHA1
b5b573008ba06d39aaaf7cdc32fa8cde43e82cd2

SHA256
c2b0c9905540a51acb276523bb024ef3c11bd118b03a90d92962080ebd07fec9

SHA512
7905cf7ad79ae3db830a0a249fd43c6a359b24e1295e1ce3b0e0999172183e28ca208f877bf38049411918d431f2277c6f1f1458f538884cc03ba2b4093e4277

Download Submit
C:\Users\Admin\AppData\Local\watchrpc\app-3.3.0\resources\app\node_modules\discord-rpc\node_modules\ws\lib\buffer-util.js

Filesize
2KB

MD5
2ed1f17240b5ae668e59ae1c309a3a1e

SHA1
e76c66ba76f2f3a59bdcd25cbe41df4d9d15e8cc

SHA256
da2088dcfa847be2b26a0c4fd46480e2a787b3120bcaceb98555654bbba53631

SHA512
0e43c223d75f542d1b7114a65c2e14fb2a169561cf544558581ec1afcfc38703fbf5a0295201bb2dc5127386d3a8c7ca046227888e27ef404e38f7e7ef3042bf

Download Submit
C:\Users\Admin\AppData\Local\watchrpc\app-3.3.0\resources\app\node_modules\discord-rpc\node_modules\ws\lib\constants.js

Filesize
268B

MD5
9f6cd33d0d1d7945e8b34b4a9d18ad46

SHA1
2a8c95ea6c7c81be85ca73a079c4aa5956f22c89

SHA256
2c2e8f6abbb7c2314d5736ef0a8d11f04ddc3cf4faf1c710df5d75c4170e937e

SHA512
218188388e9770b4525c25e43d71cbe35f8d0f255c27473a5d4c0b0722a2e765135b54818db3652b1a9447f490624e1d9c57dd13cf467349beca4a17c90c3c76

Download Submit
C:\Users\Admin\AppData\Local\watchrpc\app-3.3.0\resources\app\node_modules\discord-rpc\node_modules\ws\lib\event-target.js

Filesize
4KB

MD5
dd5f500196a86e842166b5e4b39360bc

SHA1
3406adb42022feabc0f4a3c97e01257b99061ac1

SHA256
6bad3e83c4a8f113cfc40ef2757ecbc727e67c5e16ea8447cdc6e12af2b1554a

SHA512
7ab283e3a4a42deaf734f0e0a0a676ed73b0db6aa1d1e1da1a641b7d5a13f3f1f520b880362af38c67da291ed6aba3c21aef45fabce6bfd22e808747b6da5b60

Download Submit
C:\Users\Admin\AppData\Local\watchrpc\app-3.3.0\resources\app\node_modules\discord-rpc\node_modules\ws\lib\extension.js

Filesize
6KB

MD5
ba3602395024803c5cc3a285097bcc21

SHA1
1caf01f7c99267f3b86b5e2fa23da859288dfb95

SHA256
13b228a92d2dad9d1bffd09faaae6b64bfc1f713dd966010ad479a901c243a86

SHA512
a1cb02660f66d8bf6fc433f3df1424705c76bbac83e65e7a6b5de3aadcf225b496a784776bc350bd96590e77b61a22cbd75defa7fde1cd2a1d6863f0a70e8ff4

Download Submit
C:\Users\Admin\AppData\Local\watchrpc\app-3.3.0\resources\app\node_modules\discord-rpc\node_modules\ws\lib\limiter.js

Filesize
1KB

MD5
7b8a8dc5be27a1bd1a39544cc28ae73e

SHA1
d56ca70e1a496b15e1cc90ac740679d7a6c37eab

SHA256
e0469d4b83f6ba764b15f80e1766b75c136fbff68f048f4c050f0b1c7f065f69

SHA512
1c1731373a93c3d7f27dde4b6e06565d013ec7fdf6714ec3e1f5844752059a0790e4bc571f20301f45dc63a55e9129e304ecf3551791370c40152942caecd574

Download Submit
C:\Users\Admin\AppData\Local\watchrpc\app-3.3.0\resources\app\node_modules\discord-rpc\node_modules\ws\lib\permessage-deflate.js

Filesize
13KB

MD5
01ff3fc10c117049057447b4e35054d1

SHA1
d16b968eec187eff7549dec623e4f82dc7e27f1d

SHA256
3bf41b9b2d3b9315f1f58b732d27ca48840b50f7991d4f90bd5d765cee92b216

SHA512
66687a4282100c15776e12146d990714a4ea2fc1443c86239b470497e3ad80813de51facbc77d93f3a1713426ff48adaca589a4151270425116c3c8640791872

Download Submit
C:\Users\Admin\AppData\Local\watchrpc\app-3.3.0\resources\app\node_modules\discord-rpc\node_modules\ws\lib\receiver.js

Filesize
13KB

MD5
263361006572ba833d2191b70a13ec33

SHA1
42a9f03f5dca98df47f86ded865657846b32524b

SHA256
b448ecc5be450d49b2dbcf65eab7dff719dd02924f3da1bd6889fd9a76c2115a

SHA512
f471dc6f294be904084fff973e18e04cf376be7238c60ba8f64a99d6cc7fcdcd9a66206da10f2fac109c330209267d86ccc4eaa14c8aae6643058f1ff1d62f7f

Download Submit
C:\Users\Admin\AppData\Local\watchrpc\app-3.3.0\resources\app\node_modules\discord-rpc\node_modules\ws\lib\sender.js

Filesize
10KB

MD5
5701c9b30e5a64756f6d3729d67927b9

SHA1
0d3708396ce6f38c0e39459646e46decac24c710

SHA256
6a712c13b94ba77bf33a06859a86f3db5513943cef65997587f096796822e627

SHA512
d83f93f1abb22b98b78faafc3bf2482f34a539ecd14a2a32847a44f07baee968cfbda8ee9deb0ae1e1b707f2e34aaeb829ff01231f3f3b1e100453c95d800849

Download Submit
C:\Users\Admin\AppData\Local\watchrpc\app-3.3.0\resources\app\node_modules\discord-rpc\node_modules\ws\lib\validation.js

Filesize
2KB

MD5
4bcf7dddeaec3ec8092d3c40e1d1e107

SHA1
4be747258a0629e840191520eb17c4dde074db48

SHA256
257923e54135f38ba66cf9129c02765c448efa2272e710844b3923b879605e18

SHA512
ea56ba9ef0e53248667091f6e6d0574fca456100878adf0c7c3b974a54664af16de504287c0da701d518d4a83be2c7a77e4d4ffcfbac899129f253434b35c9ac

Download Submit
C:\Users\Admin\AppData\Local\watchrpc\app-3.3.0\resources\app\node_modules\discord-rpc\node_modules\ws\lib\websocket.js

Filesize
30KB

MD5
726e5c80d7b252d1e53dd51a4fd8e9f8

SHA1
6667f523683d6b46ab407465fb7131aede865859

SHA256
b79f686dfb84e904e6ef5542c6b2abeec708dfc535fb46f88c500e716aeafaa9

SHA512
641586671f489f50fbbb7a35f265c9ee0f77559869d39144c209b656dc1149248b654cc978d03bbb35d58d66dcbd39f428730ad38c959cccf04e0687d3e677c7

Download Submit
C:\Users\Admin\AppData\Local\watchrpc\app-3.3.0\resources\app\node_modules\discord-rpc\node_modules\ws\package.json

Filesize
1KB

MD5
663069419de2af3783f805f4eec84d11

SHA1
c5ae08d08d6196f20d1e2248109917ed8ff89b70

SHA256
4f91bff5a6bff9a2e367b3764673a9ac9c927e097e5bf809946663f005f3dd8a

SHA512
c5676fed639465b366c0d5c46d5938db9ae123d7126b8f407b3effbadb318986a5ff2a16de04a96024714b85113df7fbd4fe086e5e75e268194dc2f5c9ef74f6

Download Submit
C:\Users\Admin\AppData\Local\watchrpc\app-3.3.0\resources\app\node_modules\discord-rpc\src\constants.js

Filesize
3KB

MD5
d8c53237370210cb540c816d2c3231ba

SHA1
0fc4c54864015e5f97ef5995f4128c7937bef0da

SHA256
174db6e530abb29e1d2705cfbf43569e35f1972176e8c4ed405f8ee6e63dfd0b

SHA512
e7314e17042b8a9d8e9a283ee40fd67711a718bd838780d66cac7e02250c2fd27151326a2ebc6a621cd1ee85be51f875c2a94c7eef1f5f17d7ed8e26ee556ca8

Download Submit
C:\Users\Admin\AppData\Local\watchrpc\app-3.3.0\resources\app\node_modules\discord-rpc\src\transports\index.js

Filesize
99B

MD5
2f7688f275a929f322478d9c7655d91b

SHA1
8613f4b6f7eec12cc5bdc0e646900ef795b35dc9

SHA256
293dd7ea565428ac11311683763713b0b7f76e6ad2d1adfe91fe1b410494b678

SHA512
0611ecceef0b76b47e16c8f0a330e8b4d98d6c1efc527f8cad3d51636f4aa17b370d3f181d414a22f5a6add78ee6bcf4ab10a9f523d1d0ea1d13e2e49d163e07

Download Submit
C:\Users\Admin\AppData\Local\watchrpc\app-3.3.0\resources\app\node_modules\discord-rpc\src\transports\ipc.js

Filesize
3KB

MD5
cdf4dab7acdb1ddaa2764de1d5f2c36f

SHA1
7bcb981ad2ba62e4ec76de7d4fc65abc3edb92f2

SHA256
00c165347303edb40a65340910c2157f79be4e5a9d3440cdef8db0e2e4891dcc

SHA512
5e1b958c8553d878588479675514f36ef1e0cc06b9b5601fb0df4a784e87274981158911b152fdc50cf2436943c0b85990c7f7402045f6ea94f00fc724baa541

Download Submit
C:\Users\Admin\AppData\Local\watchrpc\app-3.3.0\resources\app\node_modules\discord-rpc\src\transports\websocket.js

Filesize
1KB

MD5
f7556481579c5bb049b37dc750cf7218

SHA1
bba42d819edf9c66e3e9d3df5f31b20b4b330f0f

SHA256
5b97b43cd54354dda86e7e813ae412c21a6d75d5797e36ad1d68cec5f19c04bd

SHA512
83dae814d14d081ccb822d9d245aeda3e26b659cff8a1cdd4c1b4344fdc6725c7c8a31b633727d03972e5f932d7d0952090d229fa98b45b576b037f419518a64

Download Submit
memory/1248-1046-0x00007FFCD0370000-0x00007FFCD0E32000-memory.dmp

Filesize
10.8MB

Download
memory/1248-897-0x00000000033A0000-0x00000000033B0000-memory.dmp

Filesize
64KB

Download
memory/1248-895-0x00007FFCD0370000-0x00007FFCD0E32000-memory.dmp

Filesize
10.8MB

Download
memory/1628-1055-0x0000025F9A4E0000-0x0000025F9A5CA000-memory.dmp

Filesize
936KB

Download
memory/1628-1021-0x00007FFCEFC20000-0x00007FFCEFC21000-memory.dmp

Filesize
4KB

Download
memory/1628-1020-0x00007FFCF0080000-0x00007FFCF0081000-memory.dmp

Filesize
4KB

Download
memory/2984-904-0x0000000002D00000-0x0000000002D0E000-memory.dmp

Filesize
56KB

Download
memory/2984-8-0x0000000000750000-0x0000000000926000-memory.dmp

Filesize
1.8MB

Download
memory/2984-10-0x0000000002CC0000-0x0000000002CD0000-memory.dmp

Filesize
64KB

Download
memory/2984-9-0x00007FFCD0370000-0x00007FFCD0E32000-memory.dmp

Filesize
10.8MB

Download
memory/2984-902-0x0000000029C90000-0x0000000029CC8000-memory.dmp

Filesize
224KB

Download
memory/2984-1034-0x00007FFCD0370000-0x00007FFCD0E32000-memory.dmp

Filesize
10.8MB

Download
memory/2984-1042-0x00007FFCD0370000-0x00007FFCD0E32000-memory.dmp

Filesize
10.8MB

Download
memory/4476-934-0x00007FFCD0370000-0x00007FFCD0E32000-memory.dmp

Filesize
10.8MB

Download
memory/4476-923-0x00007FFCD0370000-0x00007FFCD0E32000-memory.dmp

Filesize
10.8MB

Download
memory/4476-925-0x0000000000E30000-0x0000000000E40000-memory.dmp

Filesize
64KB

Download
memory/4476-927-0x0000000000E60000-0x0000000000E80000-memory.dmp

Filesize
128KB

Download