6cd8a052498b02d1f070d36dcc6540838193d35eee101c8c41de0a5dd634c44b

Analysis

max time kernel
135s
max time network
146s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
07/07/2024, 01:11

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

6cd8a052498b02d1f070d36dcc6540838193d35eee101c8c41de0a5dd634c44b.exe
Size

2.0MB
MD5

5251794e42d5d9e95309ebe4f6ea9151
SHA1

6a47353cf0aba3e393130bb66d7e747f7d9c6660
SHA256

6cd8a052498b02d1f070d36dcc6540838193d35eee101c8c41de0a5dd634c44b
SHA512

a93ee7c9d3ccced5ce2ef3249c09159cf524b48c23139de4ecb7689548020de2172acfe1b134749d8614ab15d726e7a03fe5a06f887e75d70c3935a55995554d
SSDEEP

24576:yTbBv5rUdxiUSDFRUq6RdVgP2lWZZIRLbhWgNM95vcJm0rez0X7Sma3dlmmgctuT:UBci/FRAnWSb/JnfTWe9HPiTVEyO

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2792	webFont.exe
2472	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
2668	cmd.exe
2668	cmd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\servicing\de-DE\webFont.exe	webFont.exe
File created	C:\Windows\L2Schemas\cmd.exe	webFont.exe
File created	C:\Windows\L2Schemas\ebf1f9fa8afd6d	webFont.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2792	webFont.exe
2792	webFont.exe
2792	webFont.exe
2792	webFont.exe
2792	webFont.exe
2792	webFont.exe
2792	webFont.exe
2792	webFont.exe
2792	webFont.exe
2792	webFont.exe
2792	webFont.exe
2792	webFont.exe
2792	webFont.exe
2792	webFont.exe
2792	webFont.exe
2792	webFont.exe
2792	webFont.exe
2792	webFont.exe
2792	webFont.exe
2792	webFont.exe
2792	webFont.exe
2792	webFont.exe
2792	webFont.exe
2792	webFont.exe
2792	webFont.exe
2792	webFont.exe
2792	webFont.exe
2792	webFont.exe
2792	webFont.exe
2792	webFont.exe
2792	webFont.exe
2792	webFont.exe
2792	webFont.exe
2792	webFont.exe
2792	webFont.exe
2792	webFont.exe
2792	webFont.exe
2792	webFont.exe
2792	webFont.exe
2792	webFont.exe
2792	webFont.exe
2792	webFont.exe
2792	webFont.exe
2792	webFont.exe
2792	webFont.exe
2792	webFont.exe
2792	webFont.exe
2792	webFont.exe
2792	webFont.exe
2792	webFont.exe
2792	webFont.exe
2792	webFont.exe
2792	webFont.exe
2792	webFont.exe
2792	webFont.exe
2792	webFont.exe
2792	webFont.exe
2792	webFont.exe
2792	webFont.exe
2472	cmd.exe
2472	cmd.exe
2472	cmd.exe
2472	cmd.exe
2472	cmd.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2472	cmd.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2792	webFont.exe
Token: SeDebugPrivilege	2472	cmd.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2004 wrote to memory of 2368	2004	6cd8a052498b02d1f070d36dcc6540838193d35eee101c8c41de0a5dd634c44b.exe	28
PID 2004 wrote to memory of 2368	2004	6cd8a052498b02d1f070d36dcc6540838193d35eee101c8c41de0a5dd634c44b.exe	28
PID 2004 wrote to memory of 2368	2004	6cd8a052498b02d1f070d36dcc6540838193d35eee101c8c41de0a5dd634c44b.exe	28
PID 2004 wrote to memory of 2368	2004	6cd8a052498b02d1f070d36dcc6540838193d35eee101c8c41de0a5dd634c44b.exe	28
PID 2368 wrote to memory of 2668	2368	WScript.exe	29
PID 2368 wrote to memory of 2668	2368	WScript.exe	29
PID 2368 wrote to memory of 2668	2368	WScript.exe	29
PID 2368 wrote to memory of 2668	2368	WScript.exe	29
PID 2668 wrote to memory of 2792	2668	cmd.exe	31
PID 2668 wrote to memory of 2792	2668	cmd.exe	31
PID 2668 wrote to memory of 2792	2668	cmd.exe	31
PID 2668 wrote to memory of 2792	2668	cmd.exe	31
PID 2792 wrote to memory of 2424	2792	webFont.exe	32
PID 2792 wrote to memory of 2424	2792	webFont.exe	32
PID 2792 wrote to memory of 2424	2792	webFont.exe	32
PID 2424 wrote to memory of 2484	2424	cmd.exe	34
PID 2424 wrote to memory of 2484	2424	cmd.exe	34
PID 2424 wrote to memory of 2484	2424	cmd.exe	34
PID 2424 wrote to memory of 2496	2424	cmd.exe	35
PID 2424 wrote to memory of 2496	2424	cmd.exe	35
PID 2424 wrote to memory of 2496	2424	cmd.exe	35
PID 2424 wrote to memory of 2472	2424	cmd.exe	36
PID 2424 wrote to memory of 2472	2424	cmd.exe	36
PID 2424 wrote to memory of 2472	2424	cmd.exe	36

C:\Users\Admin\AppData\Local\Temp\6cd8a052498b02d1f070d36dcc6540838193d35eee101c8c41de0a5dd634c44b.exe
"C:\Users\Admin\AppData\Local\Temp\6cd8a052498b02d1f070d36dcc6540838193d35eee101c8c41de0a5dd634c44b.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2004
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\BridgeMsChainreviewBroker\QGZV4gEZhWdI2xPJlBss86jAqfIGOr8L2x3YW0oQAF2lKE5w6P9d.vbe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2368
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\BridgeMsChainreviewBroker\IHHWG.bat" "
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2668
  - - C:\BridgeMsChainreviewBroker\webFont.exe
      "C:\BridgeMsChainreviewBroker/webFont.exe"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2792
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qOerumYC5d.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2424
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:2484
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2496
      - C:\Windows\L2Schemas\cmd.exe
        
        "C:\Windows\L2Schemas\cmd.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:2472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\BridgeMsChainreviewBroker\IHHWG.bat

Filesize
78B

MD5
e5d9ebb1906c5b64b10f98f1c54ef302

SHA1
f74b3cd0654c55083ff835cd19f46f8b99eacc32

SHA256
e1ddfaa9d7516fbf7dde55318d604d18f83ec1236e096ad113fb0ee72eb41dff

SHA512
9d921fc79d5de980dc5d7b75ae1a828a95d71938f1353456bfee80c43c53d53fb214af72419e44dc59668ce542784036bb7ee4b2c40cda3a9f02b58a6a98f133

Download Submit
C:\BridgeMsChainreviewBroker\QGZV4gEZhWdI2xPJlBss86jAqfIGOr8L2x3YW0oQAF2lKE5w6P9d.vbe

Filesize
208B

MD5
08b19bed5e5e46b38e206927681fa2bc

SHA1
99e75b198dd66178c12ffb4826a2e556f3cf1f1a

SHA256
cb0a2a3bb9273eb24c7344ae981f68bfc88b2d570b7eb149a3722a8907645ba7

SHA512
17c8d915c95276f9e295592cdc03d3345a0c254cbac3b7c560753ff438c126fa4180e23cf964852cfbcf2a7d35edc371280dd9d76e05f59dfce70564786c9fb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\qOerumYC5d.bat

Filesize
204B

MD5
62497bf3896c0f8f3ac41d66440403ab

SHA1
e86fcf68732300fa6d71fde847cf327f7d548efc

SHA256
ab93eeec27a1a96d6ab61a1ef54189c20814110232788a156e37f092ae5f5297

SHA512
e1111d07f6e94d444b1d948a01e13de32881ffffb98f18f86059e144dfe2c2c21e5e7c54fc310a8cdaf8c4ad7c1b6f5d7030f93ba29b37b0a32b14b430494cfe

Download Submit
\BridgeMsChainreviewBroker\webFont.exe

Filesize
1.7MB

MD5
5b575cdec6aa42b8ba173ed342b7dcb6

SHA1
3fe17672b9cca787b505234058a31a68278d701d

SHA256
30dbf81d2b4ead6a51efd24e9f31539bf3102acb1396b0e44492a17d2f4ede26

SHA512
fb99487dae0193e157ad0d70ace82b09b3541980f1cb2a6fee8599a814fa3710e5687e5c68e57bbf28c7bcdc042e238545b825c1ba1550c519de1e18a7a0a71f

Download Submit
memory/2472-38-0x00000000001F0000-0x00000000003B4000-memory.dmp

Filesize
1.8MB

Download
memory/2792-13-0x0000000000B20000-0x0000000000CE4000-memory.dmp

Filesize
1.8MB

Download
memory/2792-15-0x0000000000AC0000-0x0000000000ADC000-memory.dmp

Filesize
112KB

Download
memory/2792-17-0x0000000000AA0000-0x0000000000AAE000-memory.dmp

Filesize
56KB

Download
memory/2792-19-0x0000000000AB0000-0x0000000000ABC000-memory.dmp

Filesize
48KB

Download