6cd8a052498b02d1f070d36dcc6540838193d35eee101c8c41de0a5dd634c44b

Analysis

max time kernel
133s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
07-07-2024 01:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6cd8a052498b02d1f070d36dcc6540838193d35eee101c8c41de0a5dd634c44b.exe
Size

2.0MB
MD5

5251794e42d5d9e95309ebe4f6ea9151
SHA1

6a47353cf0aba3e393130bb66d7e747f7d9c6660
SHA256

6cd8a052498b02d1f070d36dcc6540838193d35eee101c8c41de0a5dd634c44b
SHA512

a93ee7c9d3ccced5ce2ef3249c09159cf524b48c23139de4ecb7689548020de2172acfe1b134749d8614ab15d726e7a03fe5a06f887e75d70c3935a55995554d
SSDEEP

24576:yTbBv5rUdxiUSDFRUq6RdVgP2lWZZIRLbhWgNM95vcJm0rez0X7Sma3dlmmgctuT:UBci/FRAnWSb/JnfTWe9HPiTVEyO

Score

7^/10

spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	6cd8a052498b02d1f070d36dcc6540838193d35eee101c8c41de0a5dd634c44b.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	webFont.exe

Executes dropped EXE 2 IoCs

pid	Process
3508	webFont.exe
3364	csrss.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Local Settings	6cd8a052498b02d1f070d36dcc6540838193d35eee101c8c41de0a5dd634c44b.exe
Key created	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Local Settings	webFont.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3508	webFont.exe
3508	webFont.exe
3508	webFont.exe
3508	webFont.exe
3508	webFont.exe
3508	webFont.exe
3508	webFont.exe
3508	webFont.exe
3508	webFont.exe
3508	webFont.exe
3508	webFont.exe
3508	webFont.exe
3508	webFont.exe
3508	webFont.exe
3508	webFont.exe
3508	webFont.exe
3508	webFont.exe
3508	webFont.exe
3508	webFont.exe
3508	webFont.exe
3508	webFont.exe
3508	webFont.exe
3508	webFont.exe
3508	webFont.exe
3508	webFont.exe
3508	webFont.exe
3508	webFont.exe
3508	webFont.exe
3508	webFont.exe
3508	webFont.exe
3508	webFont.exe
3508	webFont.exe
3508	webFont.exe
3508	webFont.exe
3508	webFont.exe
3508	webFont.exe
3508	webFont.exe
3508	webFont.exe
3508	webFont.exe
3508	webFont.exe
3508	webFont.exe
3508	webFont.exe
3508	webFont.exe
3508	webFont.exe
3508	webFont.exe
3508	webFont.exe
3508	webFont.exe
3508	webFont.exe
3508	webFont.exe
3508	webFont.exe
3508	webFont.exe
3508	webFont.exe
3508	webFont.exe
3508	webFont.exe
3508	webFont.exe
3508	webFont.exe
3508	webFont.exe
3508	webFont.exe
3508	webFont.exe
3508	webFont.exe
3508	webFont.exe
3508	webFont.exe
3508	webFont.exe
3508	webFont.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3364	csrss.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3508	webFont.exe
Token: SeDebugPrivilege	3364	csrss.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1516 wrote to memory of 1428	1516	6cd8a052498b02d1f070d36dcc6540838193d35eee101c8c41de0a5dd634c44b.exe	85
PID 1516 wrote to memory of 1428	1516	6cd8a052498b02d1f070d36dcc6540838193d35eee101c8c41de0a5dd634c44b.exe	85
PID 1516 wrote to memory of 1428	1516	6cd8a052498b02d1f070d36dcc6540838193d35eee101c8c41de0a5dd634c44b.exe	85
PID 1428 wrote to memory of 4400	1428	WScript.exe	86
PID 1428 wrote to memory of 4400	1428	WScript.exe	86
PID 1428 wrote to memory of 4400	1428	WScript.exe	86
PID 4400 wrote to memory of 3508	4400	cmd.exe	88
PID 4400 wrote to memory of 3508	4400	cmd.exe	88
PID 3508 wrote to memory of 2480	3508	webFont.exe	89
PID 3508 wrote to memory of 2480	3508	webFont.exe	89
PID 2480 wrote to memory of 3088	2480	cmd.exe	91
PID 2480 wrote to memory of 3088	2480	cmd.exe	91
PID 2480 wrote to memory of 3316	2480	cmd.exe	92
PID 2480 wrote to memory of 3316	2480	cmd.exe	92
PID 2480 wrote to memory of 3364	2480	cmd.exe	93
PID 2480 wrote to memory of 3364	2480	cmd.exe	93

C:\Users\Admin\AppData\Local\Temp\6cd8a052498b02d1f070d36dcc6540838193d35eee101c8c41de0a5dd634c44b.exe
"C:\Users\Admin\AppData\Local\Temp\6cd8a052498b02d1f070d36dcc6540838193d35eee101c8c41de0a5dd634c44b.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1516
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\BridgeMsChainreviewBroker\QGZV4gEZhWdI2xPJlBss86jAqfIGOr8L2x3YW0oQAF2lKE5w6P9d.vbe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:1428
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\BridgeMsChainreviewBroker\IHHWG.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4400
  - - C:\BridgeMsChainreviewBroker\webFont.exe
      "C:\BridgeMsChainreviewBroker/webFont.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3508
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vQDGGogRJu.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2480
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:3088
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:3316
      - C:\BridgeMsChainreviewBroker\csrss.exe
        
        "C:\BridgeMsChainreviewBroker\csrss.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:3364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\BridgeMsChainreviewBroker\IHHWG.bat

Filesize
78B

MD5
e5d9ebb1906c5b64b10f98f1c54ef302

SHA1
f74b3cd0654c55083ff835cd19f46f8b99eacc32

SHA256
e1ddfaa9d7516fbf7dde55318d604d18f83ec1236e096ad113fb0ee72eb41dff

SHA512
9d921fc79d5de980dc5d7b75ae1a828a95d71938f1353456bfee80c43c53d53fb214af72419e44dc59668ce542784036bb7ee4b2c40cda3a9f02b58a6a98f133

Download Submit
C:\BridgeMsChainreviewBroker\QGZV4gEZhWdI2xPJlBss86jAqfIGOr8L2x3YW0oQAF2lKE5w6P9d.vbe

Filesize
208B

MD5
08b19bed5e5e46b38e206927681fa2bc

SHA1
99e75b198dd66178c12ffb4826a2e556f3cf1f1a

SHA256
cb0a2a3bb9273eb24c7344ae981f68bfc88b2d570b7eb149a3722a8907645ba7

SHA512
17c8d915c95276f9e295592cdc03d3345a0c254cbac3b7c560753ff438c126fa4180e23cf964852cfbcf2a7d35edc371280dd9d76e05f59dfce70564786c9fb7

Download Submit
C:\BridgeMsChainreviewBroker\webFont.exe

Filesize
1.7MB

MD5
5b575cdec6aa42b8ba173ed342b7dcb6

SHA1
3fe17672b9cca787b505234058a31a68278d701d

SHA256
30dbf81d2b4ead6a51efd24e9f31539bf3102acb1396b0e44492a17d2f4ede26

SHA512
fb99487dae0193e157ad0d70ace82b09b3541980f1cb2a6fee8599a814fa3710e5687e5c68e57bbf28c7bcdc042e238545b825c1ba1550c519de1e18a7a0a71f

Download Submit
C:\Users\Admin\AppData\Local\Temp\vQDGGogRJu.bat

Filesize
214B

MD5
df46fc4c1cb601f563a9773375557a09

SHA1
7bd25ab5072adfebef5b85a2c70206a8d5e8c5ca

SHA256
ee540fb3f1b05abbd49f91ce3df5f0319303517974b85f701a3c95dca2aa13ef

SHA512
149c6308394d2bd9f282441651120616768470bede0ddaa4285956cdf31e109916aceb81d23c19d1a5b86438678df98adad1ddfe313475716e6a0f7a657fb142

Download Submit
memory/3508-12-0x00007FFC41223000-0x00007FFC41225000-memory.dmp

Filesize
8KB

Download
memory/3508-13-0x00000000006D0000-0x0000000000894000-memory.dmp

Filesize
1.8MB

Download
memory/3508-15-0x00000000029D0000-0x00000000029EC000-memory.dmp

Filesize
112KB

Download
memory/3508-16-0x000000001B550000-0x000000001B5A0000-memory.dmp

Filesize
320KB

Download
memory/3508-18-0x00000000010B0000-0x00000000010BE000-memory.dmp

Filesize
56KB

Download
memory/3508-20-0x00000000010D0000-0x00000000010DC000-memory.dmp

Filesize
48KB

Download