70bb51975b5964023ce280ccb94f24fb9c3e899d9ee36e851240bee45b186d7c

Analysis

max time kernel
157s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
23-01-2024 16:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

70bb51975b5964023ce280ccb94f24fb9c3e899d9ee36e851240bee45b186d7c.exe
Size

2.7MB
MD5

87b102061060f5b834531edeefbefecb
SHA1

11bbe969b477e7047c42612486ad1aff852afe6d
SHA256

70bb51975b5964023ce280ccb94f24fb9c3e899d9ee36e851240bee45b186d7c
SHA512

1a52a26074b7dc1eaf9ede19267d9ad3249da5ce5061b8cf82af1d66caeaac16afb84aa71ff90b548f437daa08fb0d4524001b12b88799b2796eba1faa3ce292
SSDEEP

49152:WDsiUv5X9oaKDoiNmCSDhTL2iJerlSemI2tr9ZOW:WDi5toaKDhNmpvJerlSHVLU

Score

8^/10

spyware stealer

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	70bb51975b5964023ce280ccb94f24fb9c3e899d9ee36e851240bee45b186d7c.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	setup.exe

Executes dropped EXE 4 IoCs

pid	Process
1644	ybDE69.tmp
5064	setup.exe
3776	setup.exe
1816	setup.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3052	70bb51975b5964023ce280ccb94f24fb9c3e899d9ee36e851240bee45b186d7c.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3052 wrote to memory of 2920	3052	70bb51975b5964023ce280ccb94f24fb9c3e899d9ee36e851240bee45b186d7c.exe	89
PID 3052 wrote to memory of 2920	3052	70bb51975b5964023ce280ccb94f24fb9c3e899d9ee36e851240bee45b186d7c.exe	89
PID 3052 wrote to memory of 2920	3052	70bb51975b5964023ce280ccb94f24fb9c3e899d9ee36e851240bee45b186d7c.exe	89
PID 2920 wrote to memory of 1644	2920	70bb51975b5964023ce280ccb94f24fb9c3e899d9ee36e851240bee45b186d7c.exe	94
PID 2920 wrote to memory of 1644	2920	70bb51975b5964023ce280ccb94f24fb9c3e899d9ee36e851240bee45b186d7c.exe	94
PID 2920 wrote to memory of 1644	2920	70bb51975b5964023ce280ccb94f24fb9c3e899d9ee36e851240bee45b186d7c.exe	94
PID 1644 wrote to memory of 5064	1644	ybDE69.tmp	98
PID 1644 wrote to memory of 5064	1644	ybDE69.tmp	98
PID 1644 wrote to memory of 5064	1644	ybDE69.tmp	98
PID 5064 wrote to memory of 3776	5064	setup.exe	99
PID 5064 wrote to memory of 3776	5064	setup.exe	99
PID 5064 wrote to memory of 3776	5064	setup.exe	99
PID 3776 wrote to memory of 1816	3776	setup.exe	100
PID 3776 wrote to memory of 1816	3776	setup.exe	100
PID 3776 wrote to memory of 1816	3776	setup.exe	100

C:\Users\Admin\AppData\Local\Temp\70bb51975b5964023ce280ccb94f24fb9c3e899d9ee36e851240bee45b186d7c.exe
"C:\Users\Admin\AppData\Local\Temp\70bb51975b5964023ce280ccb94f24fb9c3e899d9ee36e851240bee45b186d7c.exe"
1⤵
- Checks computer location settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3052
- C:\Users\Admin\AppData\Local\Temp\70bb51975b5964023ce280ccb94f24fb9c3e899d9ee36e851240bee45b186d7c.exe
  "C:\Users\Admin\AppData\Local\Temp\70bb51975b5964023ce280ccb94f24fb9c3e899d9ee36e851240bee45b186d7c.exe" --parent-installer-process-id=3052 --run-as-admin --setup-cmd-line="fake_browser_arc --abt-update-path=\"C:\Users\Admin\AppData\Local\Temp\57e4663f-a354-4191-8646-f887618fd6fe.tmp\" --brand-name=yandex --create-alice-shortcut-in-taskbar --distr-info-file=\"C:\Users\Admin\AppData\Local\Temp\distrib_info\" --make-browser-default-after-import --progress-window=328140 --send-statistics --the-interface-availability=190411288 --variations-update-path=\"C:\Users\Admin\AppData\Local\Temp\10ae4e67-8bd5-459e-b5a2-4a73089bc2cd.tmp\" --verbose-logging"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2920
- - C:\Users\Admin\AppData\Local\Temp\ybDE69.tmp
    "C:\Users\Admin\AppData\Local\Temp\ybDE69.tmp" --abt-update-path="C:\Users\Admin\AppData\Local\Temp\57e4663f-a354-4191-8646-f887618fd6fe.tmp" --brand-name=yandex --brand-package="C:\Users\Admin\AppData\Local\Temp\BrandFile" --clids-file="C:\Users\Admin\AppData\Local\Temp\clids.xml" --clids-searchband-file="C:\Users\Admin\AppData\Local\Temp\clids_searchband.xml" --create-alice-shortcut-in-taskbar --distr-info-file="C:\Users\Admin\AppData\Local\Temp\distrib_info" --histogram-download-time=21 --install-start-time-no-uac=500864911 --installerdata="C:\Users\Admin\AppData\Local\Temp\master_preferences" --make-browser-default-after-import --partner-package="C:\Users\Admin\AppData\Local\Temp\PartnerFile" --progress-window=328140 --send-statistics --source=lite --the-interface-availability=190411288 --variations-update-path="C:\Users\Admin\AppData\Local\Temp\10ae4e67-8bd5-459e-b5a2-4a73089bc2cd.tmp" --verbose-logging
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1644
  - - C:\Users\Admin\AppData\Local\Temp\YB_59525.tmp\setup.exe
      "C:\Users\Admin\AppData\Local\Temp\YB_59525.tmp\setup.exe" --install-archive="C:\Users\Admin\AppData\Local\Temp\YB_59525.tmp\BROWSER.PACKED.7Z" --abt-update-path="C:\Users\Admin\AppData\Local\Temp\57e4663f-a354-4191-8646-f887618fd6fe.tmp" --brand-name=yandex --brand-package="C:\Users\Admin\AppData\Local\Temp\BrandFile" --clids-file="C:\Users\Admin\AppData\Local\Temp\clids.xml" --clids-searchband-file="C:\Users\Admin\AppData\Local\Temp\clids_searchband.xml" --create-alice-shortcut-in-taskbar --distr-info-file="C:\Users\Admin\AppData\Local\Temp\distrib_info" --histogram-download-time=21 --install-start-time-no-uac=500864911 --installerdata="C:\Users\Admin\AppData\Local\Temp\master_preferences" --make-browser-default-after-import --partner-package="C:\Users\Admin\AppData\Local\Temp\PartnerFile" --progress-window=328140 --send-statistics --source=lite --the-interface-availability=190411288 --variations-update-path="C:\Users\Admin\AppData\Local\Temp\10ae4e67-8bd5-459e-b5a2-4a73089bc2cd.tmp" --verbose-logging
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:5064
    - - C:\Users\Admin\AppData\Local\Temp\YB_59525.tmp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\YB_59525.tmp\setup.exe" --install-archive="C:\Users\Admin\AppData\Local\Temp\YB_59525.tmp\BROWSER.PACKED.7Z" --abt-update-path="C:\Users\Admin\AppData\Local\Temp\57e4663f-a354-4191-8646-f887618fd6fe.tmp" --brand-name=yandex --brand-package="C:\Users\Admin\AppData\Local\Temp\BrandFile" --clids-file="C:\Users\Admin\AppData\Local\Temp\clids.xml" --clids-searchband-file="C:\Users\Admin\AppData\Local\Temp\clids_searchband.xml" --create-alice-shortcut-in-taskbar --distr-info-file="C:\Users\Admin\AppData\Local\Temp\distrib_info" --histogram-download-time=21 --install-start-time-no-uac=500864911 --installerdata="C:\Users\Admin\AppData\Local\Temp\master_preferences" --make-browser-default-after-import --partner-package="C:\Users\Admin\AppData\Local\Temp\PartnerFile" --progress-window=328140 --send-statistics --source=lite --the-interface-availability=190411288 --variations-update-path="C:\Users\Admin\AppData\Local\Temp\10ae4e67-8bd5-459e-b5a2-4a73089bc2cd.tmp" --verbose-logging --verbose-logging --run-as-admin --target-path="C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application" --child-setup-process --restart-as-admin-time=562271072
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3776
      - C:\Users\Admin\AppData\Local\Temp\YB_59525.tmp\setup.exe
        
        C:\Users\Admin\AppData\Local\Temp\YB_59525.tmp\setup.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\User Data\Crashpad" --url=https://crash-reports.browser.yandex.net/submit --annotation=machine_id=f5ea51da667ecd6b5f2b9d06e4a3fc52 --annotation=main_process_pid=3776 --annotation=plat=Win32 --annotation=prod=Yandex --annotation=session_logout=False --annotation=ver=23.11.3.969 --initial-client-data=0x33c,0x340,0x344,0x338,0x348,0xd6a8a0,0xd6a8b0,0xd6a8bc
        6⤵
        Executes dropped EXE
        
        PID:1816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0DA515F703BB9B49479E8697ADB0B955_4136D3715888E22D65EBE484B233D81B

Filesize
1KB

MD5
067044573f568c04eff48d756ce6f79c

SHA1
3367580b9be003a703118ff1ef82712584b09112

SHA256
a7f998ccfd6f622ac27156fc73b5c88059e0584cb509ca287a0bb4e38c7508a3

SHA512
1c72395b3a2f7d2a7104d941939f35e7e978364a519249f53d9543d8800729ac732d9a715c8f267603d47225d410577774b9013a8d5f7c68ffebbe549163fd8f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\349D186F1CB5682FA0194D4F3754EF36_AC1EA69C1A4D607F0EBBD26E5ED61054

Filesize
1KB

MD5
4f261a4fce86102314794614c48f7153

SHA1
5ce24e63e4f7cbbec63c61ca6d4ab06ed33d5c01

SHA256
1bf73c9addae0877bf6798d19ddbc375497825265fbf0353ce57487706666d5c

SHA512
c15d529670419f3ceba2261a146a49574913ac633df634bfa086253e024c07bcdf774dd5efa77cd1e583c7002dac2b0bd67aaa49d3fdd3ee08fb7236360e2c99

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B039FEA45CB4CC4BBACFC013C7C55604_50D7940D5D3FEDD8634D83074C7A46A3

Filesize
1KB

MD5
73602e2d103e2105c9ff162ca18e63cf

SHA1
c194e313d4b1706e99d9fe2360862c636f4cfb85

SHA256
3403c824ed81b04f20be1869c0cc675d96f35add7e58d80f19352941c1d5c75b

SHA512
36c1665437e82457745c95abc8e437849d5e2e275537cce58e2d7ea475f706a5ee17aab87470f769b1858cadccdeb090dbd9adc0a9d7b74e19a69f3f46260a29

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0DA515F703BB9B49479E8697ADB0B955_4136D3715888E22D65EBE484B233D81B

Filesize
508B

MD5
8f81cd6efe99b4905abffbda3c176e6b

SHA1
dd8bfb2df37b587b7a656a2ef25f39d186674107

SHA256
5292a56d31ebf043bb33f7bde982e50ee51f806e14be80a10f29e83fa515e4e8

SHA512
912234e5122eed075fdef71ed15a901fba5a9d348ab04cfbd199da18b012b2fcbf281a51a2034a3c759b51316344858bc6c05f09caebe88296068360a7a20bcd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\349D186F1CB5682FA0194D4F3754EF36_AC1EA69C1A4D607F0EBBD26E5ED61054

Filesize
532B

MD5
604ef134630f4fe1c6419c40ea156d75

SHA1
abf099028a3f8c78fef85145c4f8a41508855e8e

SHA256
99bc9dfd47379d60cf4b4ba5f2330680bd12f6dcb753cf43ae61da58f0f4c445

SHA512
f26aabe382b3407f2602643759a4bf1c1ab9e82e529312f56de7fb45c688c6fa39b88f89e104ab23114a2288c8cc1fd541ad83995e6e8539ce4c02275ac0fb2e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B039FEA45CB4CC4BBACFC013C7C55604_50D7940D5D3FEDD8634D83074C7A46A3

Filesize
506B

MD5
e8b4a651f9889f6edc5b208f08aaaf28

SHA1
e1c7ba02a216de828e61092a8396cd14cb9fcc33

SHA256
3f9b2fec54806c75560818255b635cbdde12dac4dea76989fe08c3d0fc73fdba

SHA512
7b3f009123082b59ca2398598af964d288411b6ba5dfa6736439bd22407a08e8352ea79dabc09645491e8c2b5de454dd334013c401467da59b4cdcff9b65a96a

Download Submit
C:\Users\Admin\AppData\Local\Temp\YB_59525.tmp\BROWSER.PACKED.7Z

Filesize
105.6MB

MD5
126b80e39482638fe545f8ec825199c6

SHA1
01c32c5f2fb4438bd34605fede0695254f1f4d52

SHA256
4c8e4ea6e6953d3453ba271440e489a760533d3102528573f8872a8d4e4a5d56

SHA512
199b131fcc47480d1dcb24f877929523c123cd5dd7250713b6346e7d70eee23c4b08f3b5331db4d98c5559d8d4e2d9fa48350b9adb7f36d72d5d43a7a8d9b2a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\YB_59525.tmp\setup.exe

Filesize
3.9MB

MD5
dd06adfb3277487e9325cc5b3717a8ea

SHA1
66d47cd605adab1073d4bbfd3e8df8e1d04750cf

SHA256
fd4261cc61b6c7d2732d177fb7e0372fdc277636ccda06819d447a2794aa6cc3

SHA512
2162ea46f9fdac2decbb2c10ba7d5cd3b3428f69d5c391dd09cc376c382d1b16028d2c90d82123f5b2d67e6a7e8bf9a646d145955df727ac4590e56ce6b4bc56

Download Submit
C:\Users\Admin\AppData\Local\Temp\distrib_info

Filesize
313B

MD5
0441027090b322550576a507d0753195

SHA1
4da065daf0bc0ce375e1dcd45371d404e7458be6

SHA256
8f6ea2c495c3f607b67c917b9e9d4bfc800ae804b522d2ace458513780fe8305

SHA512
9cd7e82bc61b05d2d54a50f18adeab8455f38f77cc9873225df62fd21c868113eda583be16c0c67cf0328813471e47c3165daae07f2447b23b8800200014c4b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\lite_installer.log

Filesize
1KB

MD5
1ac3f4106cdc960dd4bbcb81baea57fe

SHA1
cc40564cb795cbfe92675120800fec960a0f1696

SHA256
bdd32cafd98074246005f99c6e7548c45cdff0840e324eb5c7c0d36ae3d3d7c9

SHA512
a6cc96fbd65d55611c25144f40b4d9474830cbdf989b1cb06a1b5fca535c3fd1c3293808b48ebd28ec444e71bef017e1a4b7a20563418e5f3cb61673f036c373

Download Submit
C:\Users\Admin\AppData\Local\Temp\lite_installer.log

Filesize
13KB

MD5
e03957d8388c249a39d4751226f5c82c

SHA1
3ce54bae1c2f54e234e0c0808fb34e8e7e1e15ce

SHA256
6450f3ed3154a1e2d5d306711eb16c87a440601b023d34d1d7278ff9110a81b7

SHA512
cda7bb83a7179f1775004787c2fac733483cad0eeb537d19a56d04dbacf983697240e78129d23905364b36f7d73cfdbb5f39467b6879c161d35736cab823dfad

Download Submit
C:\Users\Admin\AppData\Local\Temp\lite_installer.log

Filesize
13KB

MD5
ec6c3c229fbe2118e03469bda6decd94

SHA1
97553a291a0aaa5c2af4ff7d9c6ccd3932c73047

SHA256
c3f2ee397083fb114f7ded38e7ebffc4a413b22ef4038386ae57fb4b88ac8106

SHA512
2c727154368ebcdc4d3f03915c77f5d5220eaf801cead6ce65d6b7ba2f0b11cae7b9cf88f71c1506be22641dfe72b2bc1effe7752cfdbcf64b20995a83741ddb

Download Submit
C:\Users\Admin\AppData\Local\Temp\lite_installer.log

Filesize
4KB

MD5
9da96a26f2561a5d35889c1604ddcfe1

SHA1
98324f966591b9a91f992fc2dba3d810ca52ced7

SHA256
731ad08439753731ae914f70509a266ab945f9c52e254f0b86ce782d064d5ef3

SHA512
2c2b35fca1ecd0d271cb31676e93228f13c2a32af23a8020aad2b59256d1300ba962e2b6157d7ad3d707eaf7f6ba4d5289a59b5cc75f1960077f7fbe7e37f35d

Download Submit
C:\Users\Admin\AppData\Local\Temp\lite_installer.log

Filesize
25KB

MD5
fab4807151492b26fd26db2e9f7a31f9

SHA1
70eb4b3299545b0a2f34ea43d3d00aa1eb753238

SHA256
00d0d15cc964b44c98d507be91c3900baadb1c6bfb1508d512cae55cda721f3b

SHA512
6fa5cbaf7efe994fd50356a865100a9c4a2356a759a878eb14ba3cebca049ae4b5dc69fbcf358a2ef93a5f9c82957d95d05364e4fbe8bb8519c576a52fb08178

Download Submit
C:\Users\Admin\AppData\Local\Temp\lite_installer.log

Filesize
25KB

MD5
d416ce717b03efeb5e734469441e92c4

SHA1
1a16be4b62f9d463122ab61514333a9c1c3aedad

SHA256
9d463029e6745957f3ee0a49cd4e9ab5a32e439ba6bbb741cc9fc58966b7c261

SHA512
5d9aa810456c69373d24666709aa874cb965de5aef5b0af9623670688fec966a4a38a0765d08d7eb3ae2f1075a284780101d3af5133f162d6deb7ac7c63bfb41

Download Submit
C:\Users\Admin\AppData\Local\Temp\master_preferences

Filesize
111KB

MD5
86be258e34d5124f0f2e8db9ca78975c

SHA1
d6b16890b23ba324be0949e3de31bc97b6e36db3

SHA256
de32426ea614389b4d0148e79cbd22ea19f6498dce8b59d1a066da5030d64ed6

SHA512
43b2390573a28a2f199a2bc143634de26a5923777a19918c7f5b0858976eedb220aaaa5b1027ce2179fcbbdb478c52a6ec8730b50716cfc4832aec423d0f5438

Download Submit
C:\Users\Admin\AppData\Local\Temp\yandex_browser_installer.log

Filesize
4KB

MD5
e54ec4c8c9286baca726f14c71c7ec44

SHA1
78041275bb49d3409ab9085153c044d5dda29b5d

SHA256
ad4928667a78d5e3a1107cb0f096dda663b59a2d317150231c41aab27fed8465

SHA512
2132022590a0cfe0ee87d7e9de6845e6cf8807150f31d56d5eb01297ed86110de14f22a2998cbedf1f4b6d666e6cdcb27542d40ed9e5b8df7d3c85c060afe9a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ybDE69.tmp

Filesize
141.8MB

MD5
8bf6d9620337d2246a9f945cf2ef7460

SHA1
2bcbecda7d2816aa3135729bf19c1786d7ffe32e

SHA256
f6c2724ac76a33d0e412f176e02d6614f13f7bf5b94912e833ae379abb149a99

SHA512
bce2d0e2e4ecc9593452824bbf0ff41ac6a63c49e8e3a39556a9e070a25a206f0df97e196aaa02ba56881ac1ab4afd974499eae96af1406f38abc5717ec979f7

Download Submit
C:\Users\Admin\AppData\Roaming\Yandex\ui

Filesize
38B

MD5
a2c7eef464dd875a67b89619e721e50c

SHA1
1f4476785dce6f7974003cc25d1e5f21768b5ac3

SHA256
d77dd2b7d1beb6f2314e9c0f85701b3a9decc283bfa33dca97212d3957e0744e

SHA512
38e5fd77875b2a26ccba4071b2bf59a008bbf71eaf98d6b83cede38ff650554f41a2ed765744bbb786509fec18c52a5b165225c635ed4e4dcd1e8513bc9aab04

Download Submit