58f720c7664a0eea1e99b9293dffba1d45930a1ace26ba296ae81f461d5953d1

Analysis

max time kernel
152s
max time network
168s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
12-02-2024 03:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

58f720c7664a0eea1e99b9293dffba1d45930a1ace26ba296ae81f461d5953d1.exe
Size

4.8MB
MD5

3cac4651ce934a43d65392a7e829a7fd
SHA1

b4c714c4706e707ffa1169f1f2b3544a609aa81c
SHA256

58f720c7664a0eea1e99b9293dffba1d45930a1ace26ba296ae81f461d5953d1
SHA512

9af0c99801ad057d23ae93daf2fa791b1458c64fff9500949ac6d61ee7cd40c6a20c2cf9cd6fd9c65f40e92e673e68717d448bc61512532f8313dbaccaff9cca
SSDEEP

49152:bf9ADg4ioiWuWekjXIKC38hje8XhDA4FYb+Ecv/6:yi3WulBKg

Score

9^/10

spyware stealer

Malware Config

Signatures

Detects executables containing bas64 encoded gzip files 1 IoCs

resource	yara_rule
behavioral2/memory/4068-2-0x000000001B550000-0x000000001B7BE000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Embedded_Gzip_B64Encoded_File

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	58f720c7664a0eea1e99b9293dffba1d45930a1ace26ba296ae81f461d5953d1.exe

Executes dropped EXE 1 IoCs

pid	Process
4392	fontdrvhost.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\SppExtComObj.exe	58f720c7664a0eea1e99b9293dffba1d45930a1ace26ba296ae81f461d5953d1.exe
File opened for modification	C:\Program Files (x86)\Microsoft\SppExtComObj.exe	58f720c7664a0eea1e99b9293dffba1d45930a1ace26ba296ae81f461d5953d1.exe
File created	C:\Program Files (x86)\Microsoft\e1ef82546f0b02	58f720c7664a0eea1e99b9293dffba1d45930a1ace26ba296ae81f461d5953d1.exe
File created	C:\Program Files (x86)\Windows Media Player\Media Renderer\fontdrvhost.exe	58f720c7664a0eea1e99b9293dffba1d45930a1ace26ba296ae81f461d5953d1.exe
File created	C:\Program Files (x86)\Windows Media Player\Media Renderer\5b884080fd4f94	58f720c7664a0eea1e99b9293dffba1d45930a1ace26ba296ae81f461d5953d1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings	58f720c7664a0eea1e99b9293dffba1d45930a1ace26ba296ae81f461d5953d1.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4068	58f720c7664a0eea1e99b9293dffba1d45930a1ace26ba296ae81f461d5953d1.exe
4068	58f720c7664a0eea1e99b9293dffba1d45930a1ace26ba296ae81f461d5953d1.exe
4068	58f720c7664a0eea1e99b9293dffba1d45930a1ace26ba296ae81f461d5953d1.exe
4068	58f720c7664a0eea1e99b9293dffba1d45930a1ace26ba296ae81f461d5953d1.exe
4068	58f720c7664a0eea1e99b9293dffba1d45930a1ace26ba296ae81f461d5953d1.exe
4068	58f720c7664a0eea1e99b9293dffba1d45930a1ace26ba296ae81f461d5953d1.exe
4068	58f720c7664a0eea1e99b9293dffba1d45930a1ace26ba296ae81f461d5953d1.exe
4068	58f720c7664a0eea1e99b9293dffba1d45930a1ace26ba296ae81f461d5953d1.exe
4068	58f720c7664a0eea1e99b9293dffba1d45930a1ace26ba296ae81f461d5953d1.exe
4068	58f720c7664a0eea1e99b9293dffba1d45930a1ace26ba296ae81f461d5953d1.exe
4068	58f720c7664a0eea1e99b9293dffba1d45930a1ace26ba296ae81f461d5953d1.exe
4068	58f720c7664a0eea1e99b9293dffba1d45930a1ace26ba296ae81f461d5953d1.exe
4068	58f720c7664a0eea1e99b9293dffba1d45930a1ace26ba296ae81f461d5953d1.exe
4068	58f720c7664a0eea1e99b9293dffba1d45930a1ace26ba296ae81f461d5953d1.exe
4068	58f720c7664a0eea1e99b9293dffba1d45930a1ace26ba296ae81f461d5953d1.exe
4068	58f720c7664a0eea1e99b9293dffba1d45930a1ace26ba296ae81f461d5953d1.exe
4068	58f720c7664a0eea1e99b9293dffba1d45930a1ace26ba296ae81f461d5953d1.exe
4068	58f720c7664a0eea1e99b9293dffba1d45930a1ace26ba296ae81f461d5953d1.exe
4068	58f720c7664a0eea1e99b9293dffba1d45930a1ace26ba296ae81f461d5953d1.exe
4068	58f720c7664a0eea1e99b9293dffba1d45930a1ace26ba296ae81f461d5953d1.exe
4068	58f720c7664a0eea1e99b9293dffba1d45930a1ace26ba296ae81f461d5953d1.exe
4068	58f720c7664a0eea1e99b9293dffba1d45930a1ace26ba296ae81f461d5953d1.exe
4068	58f720c7664a0eea1e99b9293dffba1d45930a1ace26ba296ae81f461d5953d1.exe
4068	58f720c7664a0eea1e99b9293dffba1d45930a1ace26ba296ae81f461d5953d1.exe
4068	58f720c7664a0eea1e99b9293dffba1d45930a1ace26ba296ae81f461d5953d1.exe
4068	58f720c7664a0eea1e99b9293dffba1d45930a1ace26ba296ae81f461d5953d1.exe
4068	58f720c7664a0eea1e99b9293dffba1d45930a1ace26ba296ae81f461d5953d1.exe
4068	58f720c7664a0eea1e99b9293dffba1d45930a1ace26ba296ae81f461d5953d1.exe
4068	58f720c7664a0eea1e99b9293dffba1d45930a1ace26ba296ae81f461d5953d1.exe
4068	58f720c7664a0eea1e99b9293dffba1d45930a1ace26ba296ae81f461d5953d1.exe
4068	58f720c7664a0eea1e99b9293dffba1d45930a1ace26ba296ae81f461d5953d1.exe
4068	58f720c7664a0eea1e99b9293dffba1d45930a1ace26ba296ae81f461d5953d1.exe
4068	58f720c7664a0eea1e99b9293dffba1d45930a1ace26ba296ae81f461d5953d1.exe
4068	58f720c7664a0eea1e99b9293dffba1d45930a1ace26ba296ae81f461d5953d1.exe
4068	58f720c7664a0eea1e99b9293dffba1d45930a1ace26ba296ae81f461d5953d1.exe
4068	58f720c7664a0eea1e99b9293dffba1d45930a1ace26ba296ae81f461d5953d1.exe
4068	58f720c7664a0eea1e99b9293dffba1d45930a1ace26ba296ae81f461d5953d1.exe
4068	58f720c7664a0eea1e99b9293dffba1d45930a1ace26ba296ae81f461d5953d1.exe
4068	58f720c7664a0eea1e99b9293dffba1d45930a1ace26ba296ae81f461d5953d1.exe
4068	58f720c7664a0eea1e99b9293dffba1d45930a1ace26ba296ae81f461d5953d1.exe
4068	58f720c7664a0eea1e99b9293dffba1d45930a1ace26ba296ae81f461d5953d1.exe
4068	58f720c7664a0eea1e99b9293dffba1d45930a1ace26ba296ae81f461d5953d1.exe
4068	58f720c7664a0eea1e99b9293dffba1d45930a1ace26ba296ae81f461d5953d1.exe
4068	58f720c7664a0eea1e99b9293dffba1d45930a1ace26ba296ae81f461d5953d1.exe
4068	58f720c7664a0eea1e99b9293dffba1d45930a1ace26ba296ae81f461d5953d1.exe
4068	58f720c7664a0eea1e99b9293dffba1d45930a1ace26ba296ae81f461d5953d1.exe
4068	58f720c7664a0eea1e99b9293dffba1d45930a1ace26ba296ae81f461d5953d1.exe
4068	58f720c7664a0eea1e99b9293dffba1d45930a1ace26ba296ae81f461d5953d1.exe
4068	58f720c7664a0eea1e99b9293dffba1d45930a1ace26ba296ae81f461d5953d1.exe
4068	58f720c7664a0eea1e99b9293dffba1d45930a1ace26ba296ae81f461d5953d1.exe
4068	58f720c7664a0eea1e99b9293dffba1d45930a1ace26ba296ae81f461d5953d1.exe
4068	58f720c7664a0eea1e99b9293dffba1d45930a1ace26ba296ae81f461d5953d1.exe
4068	58f720c7664a0eea1e99b9293dffba1d45930a1ace26ba296ae81f461d5953d1.exe
4068	58f720c7664a0eea1e99b9293dffba1d45930a1ace26ba296ae81f461d5953d1.exe
4068	58f720c7664a0eea1e99b9293dffba1d45930a1ace26ba296ae81f461d5953d1.exe
4068	58f720c7664a0eea1e99b9293dffba1d45930a1ace26ba296ae81f461d5953d1.exe
4068	58f720c7664a0eea1e99b9293dffba1d45930a1ace26ba296ae81f461d5953d1.exe
4068	58f720c7664a0eea1e99b9293dffba1d45930a1ace26ba296ae81f461d5953d1.exe
4068	58f720c7664a0eea1e99b9293dffba1d45930a1ace26ba296ae81f461d5953d1.exe
4068	58f720c7664a0eea1e99b9293dffba1d45930a1ace26ba296ae81f461d5953d1.exe
4068	58f720c7664a0eea1e99b9293dffba1d45930a1ace26ba296ae81f461d5953d1.exe
4068	58f720c7664a0eea1e99b9293dffba1d45930a1ace26ba296ae81f461d5953d1.exe
4068	58f720c7664a0eea1e99b9293dffba1d45930a1ace26ba296ae81f461d5953d1.exe
4068	58f720c7664a0eea1e99b9293dffba1d45930a1ace26ba296ae81f461d5953d1.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4068	58f720c7664a0eea1e99b9293dffba1d45930a1ace26ba296ae81f461d5953d1.exe
Token: SeDebugPrivilege	4392	fontdrvhost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4392	fontdrvhost.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4068 wrote to memory of 2292	4068	58f720c7664a0eea1e99b9293dffba1d45930a1ace26ba296ae81f461d5953d1.exe	87
PID 4068 wrote to memory of 2292	4068	58f720c7664a0eea1e99b9293dffba1d45930a1ace26ba296ae81f461d5953d1.exe	87
PID 2292 wrote to memory of 2580	2292	cmd.exe	88
PID 2292 wrote to memory of 2580	2292	cmd.exe	88
PID 2292 wrote to memory of 5016	2292	cmd.exe	89
PID 2292 wrote to memory of 5016	2292	cmd.exe	89
PID 2292 wrote to memory of 4392	2292	cmd.exe	91
PID 2292 wrote to memory of 4392	2292	cmd.exe	91

C:\Users\Admin\AppData\Local\Temp\58f720c7664a0eea1e99b9293dffba1d45930a1ace26ba296ae81f461d5953d1.exe
"C:\Users\Admin\AppData\Local\Temp\58f720c7664a0eea1e99b9293dffba1d45930a1ace26ba296ae81f461d5953d1.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4068
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\v9oIsU0DSg.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2292
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2580
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:5016
- - C:\Program Files (x86)\Windows Media Player\Media Renderer\fontdrvhost.exe
    "C:\Program Files (x86)\Windows Media Player\Media Renderer\fontdrvhost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:4392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows Media Player\Media Renderer\fontdrvhost.exe

Filesize
758KB

MD5
c2d123531dbf0dff0975e16ebdf085bf

SHA1
bcdb012fe8a11e13cdacb8998598324e60a38bee

SHA256
7a1ad15e868e6a32eb83484edd938e8d8c4c381f9f6fd0b660b899c84f98d72a

SHA512
06e9053df105704ba9d2fee4f3dc34a3d669fca9757de3b341d7657920b7d5075abe449ecca65b84f7591079b6c735ec1380061aed57efc33ad61cf351b2543d

Download Submit
C:\Program Files (x86)\Windows Media Player\Media Renderer\fontdrvhost.exe

Filesize
807KB

MD5
74a110ff3d1d35bdd90b9d24fbaed0e6

SHA1
48df3443edd6bc5940231ccea02e52f74ac12213

SHA256
75072506f3c0712aa14fb3469270742148ccecc5abffd9ac239618f8c9cb0f91

SHA512
3dc1a24e08203ef05475a931250683c803b316e790991ecf60153c177de1bed397f74ea099025cf03531f870ba17a24e826225c42dff26cb1110ef0545665eca

Download Submit
C:\Users\Admin\AppData\Local\Temp\v9oIsU0DSg.bat

Filesize
250B

MD5
0b78deb4167bd5a41eaea9c2828d8825

SHA1
da4a31645050b4ab5c73248e0301cb2c7ed51c64

SHA256
4620d0514fcd12d4f9aec5d669a171f78f140ff6b9869b2b722aff2c7df55dca

SHA512
1112ef59514cd579dcc29b3a16e71f54af7670340c813da7915de963fddcbdf534bd9d23abc3f3ec77af9c6d707fc0287c1674e87763b6c341946cef948f50e0

Download Submit
C:\odt\csrss.exe

Filesize
320KB

MD5
99bb7c65093d972617fecde82766785a

SHA1
03269f15b52b198715d78a31ee2af9eca523087f

SHA256
e8902f4279a2d2534f5f849508ca0a4a4b62b37f77cdc28c2413da01a5733a33

SHA512
6ac72eef02492b986c00a3e12d3d030695921369abed46c442799fe1fec3b2306c882bf0ed6cc60a6c40292b94eb727749550e1abed32b4c578d03312040d6ab

Download Submit
memory/4068-0-0x0000000000440000-0x000000000090E000-memory.dmp

Filesize
4.8MB

Download
memory/4068-1-0x00007FF912680000-0x00007FF913141000-memory.dmp

Filesize
10.8MB

Download
memory/4068-2-0x000000001B550000-0x000000001B7BE000-memory.dmp

Filesize
2.4MB

Download
memory/4068-3-0x00000000011C0000-0x00000000011D0000-memory.dmp

Filesize
64KB

Download
memory/4068-4-0x00007FF930410000-0x00007FF9304CE000-memory.dmp

Filesize
760KB

Download
memory/4068-7-0x00000000029D0000-0x00000000029F6000-memory.dmp

Filesize
152KB

Download
memory/4068-5-0x00007FF930220000-0x00007FF930221000-memory.dmp

Filesize
4KB

Download
memory/4068-8-0x00007FF930210000-0x00007FF930211000-memory.dmp

Filesize
4KB

Download
memory/4068-10-0x00000000011E0000-0x00000000011EE000-memory.dmp

Filesize
56KB

Download
memory/4068-11-0x00007FF930200000-0x00007FF930201000-memory.dmp

Filesize
4KB

Download
memory/4068-13-0x0000000002A00000-0x0000000002A1C000-memory.dmp

Filesize
112KB

Download
memory/4068-14-0x000000001B910000-0x000000001B960000-memory.dmp

Filesize
320KB

Download
memory/4068-15-0x00007FF912680000-0x00007FF913141000-memory.dmp

Filesize
10.8MB

Download
memory/4068-16-0x00007FF9301F0000-0x00007FF9301F1000-memory.dmp

Filesize
4KB

Download
memory/4068-18-0x00000000029A0000-0x00000000029B0000-memory.dmp

Filesize
64KB

Download
memory/4068-20-0x000000001B8C0000-0x000000001B8D8000-memory.dmp

Filesize
96KB

Download
memory/4068-21-0x00007FF9301E0000-0x00007FF9301E1000-memory.dmp

Filesize
4KB

Download
memory/4068-23-0x00000000011C0000-0x00000000011D0000-memory.dmp

Filesize
64KB

Download
memory/4068-22-0x00007FF9301D0000-0x00007FF9301D1000-memory.dmp

Filesize
4KB

Download
memory/4068-25-0x00000000029B0000-0x00000000029C0000-memory.dmp

Filesize
64KB

Download
memory/4068-26-0x00000000011C0000-0x00000000011D0000-memory.dmp

Filesize
64KB

Download
memory/4068-27-0x00007FF9301C0000-0x00007FF9301C1000-memory.dmp

Filesize
4KB

Download
memory/4068-29-0x00000000029C0000-0x00000000029D0000-memory.dmp

Filesize
64KB

Download
memory/4068-30-0x00007FF9301B0000-0x00007FF9301B1000-memory.dmp

Filesize
4KB

Download
memory/4068-32-0x000000001B8E0000-0x000000001B8EE000-memory.dmp

Filesize
56KB

Download
memory/4068-33-0x00007FF9301A0000-0x00007FF9301A1000-memory.dmp

Filesize
4KB

Download
memory/4068-35-0x000000001B960000-0x000000001B972000-memory.dmp

Filesize
72KB

Download
memory/4068-36-0x00007FF930410000-0x00007FF9304CE000-memory.dmp

Filesize
760KB

Download
memory/4068-37-0x00007FF930190000-0x00007FF930191000-memory.dmp

Filesize
4KB

Download
memory/4068-39-0x000000001B8F0000-0x000000001B900000-memory.dmp

Filesize
64KB

Download
memory/4068-40-0x00007FF930180000-0x00007FF930181000-memory.dmp

Filesize
4KB

Download
memory/4068-42-0x000000001B9A0000-0x000000001B9B6000-memory.dmp

Filesize
88KB

Download
memory/4068-43-0x00007FF930170000-0x00007FF930171000-memory.dmp

Filesize
4KB

Download
memory/4068-45-0x000000001B9C0000-0x000000001B9D2000-memory.dmp

Filesize
72KB

Download
memory/4068-46-0x000000001BF10000-0x000000001C438000-memory.dmp

Filesize
5.2MB

Download
memory/4068-47-0x00007FF930160000-0x00007FF930161000-memory.dmp

Filesize
4KB

Download
memory/4068-49-0x000000001B900000-0x000000001B90E000-memory.dmp

Filesize
56KB

Download
memory/4068-50-0x00007FF930150000-0x00007FF930151000-memory.dmp

Filesize
4KB

Download
memory/4068-52-0x000000001B980000-0x000000001B990000-memory.dmp

Filesize
64KB

Download
memory/4068-53-0x00007FF930140000-0x00007FF930141000-memory.dmp

Filesize
4KB

Download
memory/4068-55-0x000000001B990000-0x000000001B9A0000-memory.dmp

Filesize
64KB

Download
memory/4068-59-0x00007FF930130000-0x00007FF930131000-memory.dmp

Filesize
4KB

Download
memory/4068-58-0x00000000011C0000-0x00000000011D0000-memory.dmp

Filesize
64KB

Download
memory/4068-57-0x000000001BA40000-0x000000001BA9A000-memory.dmp

Filesize
360KB

Download
memory/4068-60-0x00007FF930120000-0x00007FF930121000-memory.dmp

Filesize
4KB

Download
memory/4068-62-0x000000001B9E0000-0x000000001B9EE000-memory.dmp

Filesize
56KB

Download
memory/4068-63-0x00007FF930110000-0x00007FF930111000-memory.dmp

Filesize
4KB

Download
memory/4068-65-0x000000001B9F0000-0x000000001BA00000-memory.dmp

Filesize
64KB

Download
memory/4068-66-0x00007FF930100000-0x00007FF930101000-memory.dmp

Filesize
4KB

Download
memory/4068-68-0x000000001BA00000-0x000000001BA0E000-memory.dmp

Filesize
56KB

Download
memory/4068-69-0x00007FF9300F0000-0x00007FF9300F1000-memory.dmp

Filesize
4KB

Download
memory/4068-71-0x000000001BAA0000-0x000000001BAB8000-memory.dmp

Filesize
96KB

Download
memory/4068-72-0x00007FF9300E0000-0x00007FF9300E1000-memory.dmp

Filesize
4KB

Download
memory/4068-74-0x000000001BB10000-0x000000001BB5E000-memory.dmp

Filesize
312KB

Download
memory/4068-91-0x00007FF912680000-0x00007FF913141000-memory.dmp

Filesize
10.8MB

Download
memory/4068-92-0x00007FF930410000-0x00007FF9304CE000-memory.dmp

Filesize
760KB

Download
memory/4392-96-0x00007FF9122D0000-0x00007FF912D91000-memory.dmp

Filesize
10.8MB

Download
memory/4392-97-0x000000001BF70000-0x000000001BF80000-memory.dmp

Filesize
64KB

Download
memory/4392-98-0x00007FF930410000-0x00007FF9304CE000-memory.dmp

Filesize
760KB

Download
memory/4392-99-0x00007FF930220000-0x00007FF930221000-memory.dmp

Filesize
4KB

Download
memory/4392-102-0x00007FF930210000-0x00007FF930211000-memory.dmp

Filesize
4KB

Download
memory/4392-103-0x00007FF930200000-0x00007FF930201000-memory.dmp

Filesize
4KB

Download
memory/4392-105-0x00007FF9301F0000-0x00007FF9301F1000-memory.dmp

Filesize
4KB

Download
memory/4392-108-0x00007FF9301E0000-0x00007FF9301E1000-memory.dmp

Filesize
4KB

Download
memory/4392-145-0x000000001E090000-0x000000001E1A5000-memory.dmp

Filesize
1.1MB

Download