Analysis

  • max time kernel
    44s
  • max time network
    27s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    18-06-2024 13:27

General

  • Target

    launcher.exe

  • Size

    18.7MB

  • MD5

    0acf19965db8bae72e6f1c5340dae835

  • SHA1

    d45dde66573a95438f490b0ed54d4b74d92395f8

  • SHA256

    6f4116063989406b5693d9ca3e51ca88fbac7d974cb1b411d0219c665256fc2f

  • SHA512

    8948732ec89e8a36ab8066c10ae6239c548d085901c2352f766a10d52ed1e11bf9580d52af11ced0455630661b9ae91d4b9fbcc3295b4f29685e02b7b3ffe383

  • SSDEEP

    393216:YbUB1Gp17zeKX+FNLZvH1yKtNXxP0qkywY2/iM834:W2KuFNtH13NhzkywY2/s34

Score
7/10

Malware Config

Signatures

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers commonly target stored browser profile data, which can include saved credentials, cookies and session tokens.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

    Setting ThreadHideFromDebugger on a thread stops debug events for that thread from reaching an attached debugger, a common anti-analysis measure.

  • Kills process with taskkill 6 IoCs

    The browsers are force-killed before collection: a running Chromium-based browser keeps its profile databases (Login Data, Cookies) open and locked, so terminating it frees the files for copying. The Compress-Archive of a folder under %TEMP% that follows in the process tree is consistent with staging the collected data.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\launcher.exe
    "C:\Users\Admin\AppData\Local\Temp\launcher.exe"
    1⤵
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1724
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /F /IM chrome.exe > nul 2>&1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1676
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /F /IM chrome.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2652
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /F /IM opera.exe > nul 2>&1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2636
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /F /IM opera.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2520
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /F /IM msedge.exe > nul 2>&1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2764
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /F /IM msedge.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2768
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /F /IM brave.exe > nul 2>&1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2536
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /F /IM brave.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3052
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /F /IM chromium.exe > nul 2>&1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2624
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /F /IM chromium.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2748
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /F /IM steam.exe > nul 2>&1
      2⤵
      PID:2528
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /F /IM steam.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2436
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell Compress-Archive -Path C:\Users\Admin\AppData\Local\Temp\\banana\* -DestinationPath C:\Users\Admin\AppData\Local\Temp\\banana.zip
      2⤵
      PID:2680
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell Compress-Archive -Path C:\Users\Admin\AppData\Local\Temp\\banana\* -DestinationPath C:\Users\Admin\AppData\Local\Temp\\banana.zip
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1288
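The process tree above is the pattern a detection engineer wants to catch: one parent spawning a burst of `cmd.exe /c taskkill /F /IM <browser>` children, then a `powershell Compress-Archive` of a folder under %TEMP%. The Python below is an added example for this report, not code from the sandbox vendor or from the analysed sample. It runs that logic over process-creation events constructed from the tree above: PIDs and command lines are taken from the report, while the parent PIDs of launcher.exe and of the benign explorer.exe comparison chain are assumptions. Each taskkill and Compress-Archive is charged to the first non-interpreter ancestor, so the throw-away cmd.exe layer does not split the signal across seven unrelated processes.

```python
"""Detect a process that force-kills several browsers and then archives a
folder under %TEMP%, the kill-then-stage sequence in the process tree above.
Added example, not code from the sandbox vendor or the analysed sample; the
event records are constructed from the report's process tree (parent PIDs of
launcher.exe and the benign explorer.exe chain are assumptions)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Browsers hold their profile databases (Login Data, Cookies) locked while
# running; stealers kill them to free the files before copying.
BROWSER_IMAGES = {"chrome.exe", "opera.exe", "msedge.exe", "brave.exe",
                  "chromium.exe", "firefox.exe"}
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "conhost.exe"}  # skipped during attribution

TASKKILL_RE = re.compile(r"\btaskkill(?:\.exe)?\b.*?/IM\s+(\S+)", re.IGNORECASE)
ARCHIVE_RE = re.compile(r"Compress-Archive\b.*?-Path\s+(\S+)", re.IGNORECASE)
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (the fields Sysmon event ID 1 provides)."""
    pid: int
    ppid: int
    image: str       # image file name only, lower-case
    cmdline: str


@dataclass
class Finding:
    origin_pid: int
    origin_image: str
    browsers_killed: list[str] = field(default_factory=list)
    other_killed: list[str] = field(default_factory=list)
    temp_archives: list[str] = field(default_factory=list)

    @property
    def severity(self) -> str:
        # Kill burst plus a %TEMP% archive is the stealer pattern; a burst
        # alone is worth a look; one taskkill from an admin's shell is noise.
        if len(self.browsers_killed) >= 2 and self.temp_archives:
            return "high"
        if len(self.browsers_killed) >= 3:
            return "medium"
        return "low"


def origin_of(pid: int, by_pid: dict[int, ProcEvent]) -> ProcEvent | None:
    """Walk parent links out of the cmd/powershell layer so each taskkill and
    Compress-Archive is charged to the process that launched the chain."""
    ev = last = by_pid.get(pid)
    seen: set[int] = set()
    while ev is not None and ev.image in INTERPRETERS and ev.pid not in seen:
        seen.add(ev.pid)
        last = ev
        ev = by_pid.get(ev.ppid)
    return ev if ev is not None else last


def detect_kill_and_stage(events: list[ProcEvent]) -> list[Finding]:
    by_pid = {e.pid: e for e in events}
    findings: dict[int, Finding] = {}
    for ev in events:
        kill = TASKKILL_RE.search(ev.cmdline) if ev.image == "taskkill.exe" else None
        arch = ARCHIVE_RE.search(ev.cmdline) if ev.image in ("powershell.exe", "pwsh.exe") else None
        if not (kill or arch):
            continue
        origin = origin_of(ev.ppid, by_pid)
        if origin is None:
            continue
        f = findings.setdefault(origin.pid, Finding(origin.pid, origin.image))
        if kill:
            target = kill.group(1).lower()
            bucket = f.browsers_killed if target in BROWSER_IMAGES else f.other_killed
            if target not in bucket:
                bucket.append(target)
        if arch and TEMP_RE.search(arch.group(1)):
            f.temp_archives.append(arch.group(1))
    return [f for f in findings.values() if f.severity != "low"]


# Constructed from the report's process tree; launcher.exe's parent PID is assumed.
_TMP = r"C:\Users\Admin\AppData\Local\Temp"
_ARCHIVE = rf"powershell Compress-Archive -Path {_TMP}\\banana\* -DestinationPath {_TMP}\\banana.zip"
SAMPLE_EVENTS = [ProcEvent(1724, 1000, "launcher.exe", rf'"{_TMP}\launcher.exe"')]
for cmd_pid, tk_pid, target in [(1676, 2652, "chrome.exe"), (2636, 2520, "opera.exe"),
                                (2764, 2768, "msedge.exe"), (2536, 3052, "brave.exe"),
                                (2624, 2748, "chromium.exe"), (2528, 2436, "steam.exe")]:
    SAMPLE_EVENTS += [
        ProcEvent(cmd_pid, 1724, "cmd.exe", rf"C:\Windows\system32\cmd.exe /c taskkill /F /IM {target} > nul 2>&1"),
        ProcEvent(tk_pid, cmd_pid, "taskkill.exe", f"taskkill /F /IM {target}"),
    ]
SAMPLE_EVENTS += [
    ProcEvent(2680, 1724, "cmd.exe", rf"C:\Windows\system32\cmd.exe /c {_ARCHIVE}"),
    ProcEvent(1288, 2680, "powershell.exe", _ARCHIVE),
    # Benign comparison (constructed, not from the report): an admin closes a hung browser by hand.
    ProcEvent(3300, 900, "explorer.exe", "explorer.exe"),
    ProcEvent(3301, 3300, "cmd.exe", "cmd.exe"),
    ProcEvent(3302, 3301, "taskkill.exe", "taskkill /F /IM chrome.exe"),
]

if __name__ == "__main__":
    for f in detect_kill_and_stage(SAMPLE_EVENTS):
        print(f.severity, f.origin_image, f.origin_pid, f.browsers_killed, f.other_killed, f.temp_archives)
```

Run stand-alone it reports one high-severity finding rooted at launcher.exe (PID 1724) with five browsers killed, steam.exe in the "other" bucket and the banana folder archive; the single hand-typed taskkill from explorer.exe stays below the reporting threshold. In production the same logic sits on Sysmon event ID 1 (or EDR process telemetry) with a time window added, since the report shows the whole burst completing within the 44-second run.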

Network

MITRE ATT&CK Matrix (ATT&CK v13)

  • Credential Access
    • T1552 Unsecured Credentials (1 signature)
    • T1552.001 Credentials In Files (1 signature)
  • Collection
    • T1005 Data from Local System (1 signature)
  • Command and Control
    • T1102 Web Service (1 signature)


Downloads

  • memory/1724-0-0x0000000000596000-0x0000000000FE6000-memory.dmp
    Filesize 10.3MB
  • memory/1724-1-0x00000000001E0000-0x00000000001E1000-memory.dmp
    Filesize 4KB
  • memory/1724-3-0x00000000001E0000-0x00000000001E1000-memory.dmp
    Filesize 4KB
  • memory/1724-5-0x00000000001E0000-0x00000000001E1000-memory.dmp
    Filesize 4KB
  • memory/1724-6-0x00000000001F0000-0x00000000001F1000-memory.dmp
    Filesize 4KB
  • memory/1724-8-0x00000000001F0000-0x00000000001F1000-memory.dmp
    Filesize 4KB
  • memory/1724-10-0x00000000001F0000-0x00000000001F1000-memory.dmp
    Filesize 4KB
  • memory/1724-12-0x0000000000400000-0x0000000002295000-memory.dmp
    Filesize 30.6MB
  • memory/1724-14-0x0000000000400000-0x0000000002295000-memory.dmp
    Filesize 30.6MB
  • memory/1724-17-0x0000000000400000-0x0000000002295000-memory.dmp
    Filesize 30.6MB
  • memory/1724-18-0x0000000000596000-0x0000000000FE6000-memory.dmp
    Filesize 10.3MB