Overview

overview

9

Static

static

3

W1nner client.exe

windows10-1703-x64

9

W1nner client.exe

windows7-x64

9

W1nner client.exe

windows10-2004-x64

9

W1nner client.exe

windows11-21h2-x64

9

Analysis

  • max time kernel
    147s
  • max time network
    150s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240802-en
  • resource tags

    arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    19/08/2024, 16:35

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    W1nner client.exe

  • Size

    2.3MB

  • MD5

    853b03119efff15876c044f4b80211e9

  • SHA1

    42a5105612ae43ff75f1760ba68dc5d186228a51

  • SHA256

    9b9f66ca71a3111fbe4c0a8edaf82592c0c2448c2e5585ff380a92dfab0bdf8e

  • SHA512

    3fe93ffe4bf2ca0c27ed0130ae68371ce84557e610a95fbe2018d3781ddfd889263745693a5c776e45762c668c0c61d813a85c3852826c93650c55d70682938c

  • SSDEEP

    49152:IBJdUyxWtYnbPflu1wrwcpXR/aErlLrR0zGAoC2lWq:yjxiYnbPNGWdyy3Aol

Score
9/10
credential_accessdiscoveryspywarestealer

Malware Config

Signatures

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Windows directory 4 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Modifies registry class 3 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\W1nner client.exe
    "C:\Users\Admin\AppData\Local\Temp\W1nner client.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2780
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\componenthostPerfdhcp\O8LXSB6jiVD6J.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3876
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\componenthostPerfdhcp\7J7lsXh3rsbqkDjUEYAq6zLooj8GbW0wYQNYZhy3lHvf8.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2144
        • C:\componenthostPerfdhcp\webWin.exe
          "C:\componenthostPerfdhcp/webWin.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Windows directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:236
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EhbEgXQo0W.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:4172
            • C:\Windows\system32\chcp.com
              chcp 65001
              6⤵
                PID:1900
              • C:\Windows\system32\w32tm.exe
                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                6⤵
                  PID:4576
                • C:\Windows\ShellComponents\services.exe
                  "C:\Windows\ShellComponents\services.exe"
                  6⤵
                  • Executes dropped EXE
                  • Modifies registry class
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1892
                  • C:\Windows\System32\cmd.exe
                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\biigBqxW9T.bat"
                    7⤵
                    • Suspicious use of WriteProcessMemory
                    PID:1988
                    • C:\Windows\system32\chcp.com
                      chcp 65001
                      8⤵
                        PID:2376
                      • C:\Windows\system32\PING.EXE
                        ping -n 10 localhost
                        8⤵
                        • System Network Configuration Discovery: Internet Connection Discovery
                        • Runs ping.exe
                        PID:4812

        Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\EhbEgXQo0W.bat
                Filesize

                215B

                MD5

                0369cedddf2f901e40d3995dcc57c248

                SHA1

                fbb444a4fae29c477dd549c195b69391f33fe166

                SHA256

                888bca8163d2b35079f70d0dff562f3b17bc8dad6362cb371f3aceb4e808d053

                SHA512

                0195a6ba891319305b84a0d45cf90cf7d3bb2bb251f802ed08ca948a32d85cd9e8d9bfea1988466fad29b5d651337270d6747f2eb8604d88da2cdee76e257148

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\biigBqxW9T.bat
                Filesize

                229B

                MD5

                af5cf5c2788d9bfbf925d12bcc997897

                SHA1

                a46f4c885f63314e373c461162b71e3f189616ca

                SHA256

                989b7de1e88c2801dcf9dd528e684e1b3c0c2269b0efd08c4c1fcb7fbbf138a4

                SHA512

                56cdb05988a99faabae94c774ff585e8acfa4748a6898f27956a0694d179b9b216d59dbae95cc87df299a22c77cf75a06f965fbd1839e97231bd13bd2cdb1899

                Download Submit

              • C:\Users\Public\Documents\My Videos\0a1fd5f707cd16
                Filesize

                355B

                MD5

                2dbfa55213aae92e7bc02fcce8bfe2c2

                SHA1

                ba6f2d35787a9c376a9168008da448a687bbceec

                SHA256

                67ba03aa89d7d314bee9c70a399595bd48f2e2c3d423da50d41be5df1036a1e6

                SHA512

                33cf7f71fdcbd9ab569ac18fb9f15cc940254708f8f3608f3751f03056a32ee6f9f8acefeb74d1c33c68dd577ea5da62e80e31a3e93163268251d6314083bcc8

                Download Submit

              • C:\Windows\ShellComponents\c5b4cb5e9653cc
                Filesize

                151B

                MD5

                77b8b061d4e4fb3cf9fd88f3833029c0

                SHA1

                2040b7d230c30ab3d96825334f71e586954f563e

                SHA256

                74c296b067a9354df31a82b344498f88409d3a90375187044d428780c016fef1

                SHA512

                b81853f55ebe44e8a1e0f925dadbbc0295af2afe0e1703499c2dea05a47d45dd384068b232418021651a4961ff2f5c60d5be59da193839f2eb141d3676255c59

                Download Submit

              • C:\Windows\TAPI\ebf1f9fa8afd6d
                Filesize

                401B

                MD5

                3013ec2325e66bd116e149c9e8edba17

                SHA1

                e41b4209b4b4c5ceccb710c368f4ecfd032d11d8

                SHA256

                c8709b9619630b1322f905125283635916d74212b10f2bc32036de0677256959

                SHA512

                5938fd6b95c7b3079eded62fa308fd07bc92a3974a974a4c0961feed596b1178240f52e1831f936d09de02b384bfb8c653a4d56759f5437479c643bc5a4a6651

                Download Submit

              • C:\componenthostPerfdhcp\5b884080fd4f94
                Filesize

                368B

                MD5

                b28cc60c86ba17ad3f85dfb38e9d1ab9

                SHA1

                d8459f2c723709ed4d09a384bc8b012ba01f2ab3

                SHA256

                0b63eb37d70f1d1b302479b7fd5c646193c46268fb582b171d458e398fa21ed6

                SHA512

                3e2b64855a20c8c569746efb6b944e0729d7b6ceb8558ed1663bf2b16d1fc97ff9b14f21625b3cf751ff3924829482738f984dcfeebfdaf5f3a25c19e289dac5

                Download Submit

              • C:\componenthostPerfdhcp\66fc9ff0ee96c2
                Filesize

                717B

                MD5

                7e383bfcafa3138b14ad76755adda539

                SHA1

                736938c05664ac1eadfe1894056107021a85f34f

                SHA256

                4a91bce719d35a1ecc22123bd4f1afaccdfe6983ffd54a396a9b8bbaf91022e9

                SHA512

                1a54b14c9687cac70eb73e4de2520ac3752b82689ec176a0ac68c819a8661c4675d1bfc34df5cf833246bc89375ec4a57b88488d5d2c93103587e4fae5134090

                Download Submit

              • C:\componenthostPerfdhcp\7J7lsXh3rsbqkDjUEYAq6zLooj8GbW0wYQNYZhy3lHvf8.bat
                Filesize

                89B

                MD5

                77d752db4ec6f56531c75eb0e02740e8

                SHA1

                9d1bb08091206b4180dd0ebe344e85a49bde2668

                SHA256

                3ac3e564afed23ac344cc57b83a545066e7c7b3105a607e4a5ca25c49bc9b61d

                SHA512

                282e674948b76c9c0840ed40be7ad7fac555357100c3277fa3ddddf4aec492f09c816d9059fe40c9b7eade666908590ea365ecfb7221fa889d01b335aa154565

                Download Submit

              • C:\componenthostPerfdhcp\O8LXSB6jiVD6J.vbe
                Filesize

                245B

                MD5

                0a4902c44f44763912d0132d8ff29a95

                SHA1

                d153209809c832f91c54923d0008b21236edece4

                SHA256

                4747d27547b4d7a0a9bb018d4fa88243e572221c36fbfdad7ff9fc73072b61ae

                SHA512

                3502eb57b2631b44a29c9364feae6fbb98a49169f998cdcad656a8c085d24f78f3409ef79667f5fec14227d00a81d5bdba3697f7a8fb1904f572ec2503693f6f

                Download Submit

              • C:\componenthostPerfdhcp\ce3baa101a4f8c
                Filesize

                689B

                MD5

                dd333603c8a154ab6537b1a8f52f5697

                SHA1

                0a1d4e89c4f374710bbe82a510badcfe3794fdcf

                SHA256

                12c76a08c80f6ddf9499dc88adfd46a54565d5fd340ca511bb00307cf6428cb9

                SHA512

                334ded3d72c99329cd0b505933e740d2a1dbe61b559db567b78d36ff8d82e43e71e8b133b4815e8c2487e7ea38e61d8bc3dace8b10bbacd50ef608d6b2d00001

                Download Submit

              • C:\componenthostPerfdhcp\webWin.exe
                Filesize

                2.0MB

                MD5

                186359513fca08101644256d9ee6ef41

                SHA1

                352b21539d9558840b5666b5295499949b4156d2

                SHA256

                5f221261dc13f1052f3c0fb6d8d90d93cb18d84f18b134cae15a19949adf1dd6

                SHA512

                5bce0fa22cd8176bb6cad8ea4f6b0fea0c5ef2460aac2e864238871c4e0ae2afac986875372748db39bf87bf5f3d49ca6a74b9a1b9d20def27e35ac841510958

                Download Submit

              • memory/236-18-0x000000001BAF0000-0x000000001BB40000-memory.dmp

                Filesize

                320KB

                Download

              • memory/236-15-0x000000001B910000-0x000000001B91E000-memory.dmp

                Filesize

                56KB

                Download

              • memory/236-30-0x000000001B9A0000-0x000000001B9AC000-memory.dmp

                Filesize

                48KB

                Download

              • memory/236-47-0x000000001C210000-0x000000001C3C3000-memory.dmp

                Filesize

                1.7MB

                Download

              • memory/236-26-0x000000001B960000-0x000000001B96E000-memory.dmp

                Filesize

                56KB

                Download

              • memory/236-12-0x00007FFA6A973000-0x00007FFA6A975000-memory.dmp

                Filesize

                8KB

                Download

              • memory/236-13-0x0000000000AB0000-0x0000000000CAE000-memory.dmp

                Filesize

                2.0MB

                Download

              • memory/236-28-0x000000001B970000-0x000000001B978000-memory.dmp

                Filesize

                32KB

                Download

              • memory/236-17-0x000000001B940000-0x000000001B95C000-memory.dmp

                Filesize

                112KB

                Download

              • memory/236-24-0x000000001B930000-0x000000001B93C000-memory.dmp

                Filesize

                48KB

                Download

              • memory/236-22-0x000000001B980000-0x000000001B998000-memory.dmp

                Filesize

                96KB

                Download

              • memory/236-20-0x000000001B920000-0x000000001B930000-memory.dmp

                Filesize

                64KB

                Download

              • memory/1892-104-0x000000001F350000-0x000000001F503000-memory.dmp

                Filesize

                1.7MB

                Download

              • memory/1892-63-0x000000001F350000-0x000000001F503000-memory.dmp

                Filesize

                1.7MB

                Download

              • memory/1892-61-0x000000001F350000-0x000000001F503000-memory.dmp

                Filesize

                1.7MB

                Download

              • memory/1892-124-0x000000001BF70000-0x000000001BFDF000-memory.dmp

                Filesize

                444KB

                Download

              • memory/1892-125-0x000000001F350000-0x000000001F503000-memory.dmp

                Filesize

                1.7MB

                Download

              • memory/1892-60-0x000000001BF70000-0x000000001BFDF000-memory.dmp

                Filesize

                444KB

                Download