Resubmissions

21-08-2024 01:30

240821-bw3pdsxcnq 10

21-08-2024 01:25

240821-bs432sxbjp 10

Analysis

  • max time kernel
    55s
  • max time network
    61s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    21-08-2024 01:25

General

  • Target

    dc/7.exe

  • Size

    2.9MB

  • MD5

    2d30843580eaf66546af1ad6c04338ed

  • SHA1

    5f6df14f8adc05f4feb3e26c3e851ef68813828b

  • SHA256

    7858ed8f2d48186ed0f85b362af8f76065b88662ad20d7e0b393115898ca9972

  • SHA512

    5928280c4f5bc5b3fab24a971552b1b747cccb6cec2939c6908fd927074e0c93e0ebf2c60918b01b98f78ee750abe2491d34bc3242bf9c9f2a003b8a62fd5af5

  • SSDEEP

    49152:IBJW0o4UO9a9j1KgfUh8O/2g5BxxFbUCKyjYmOCXSEUahZn:y40oqURKgfU6O/vV7ZjYmLtUKn

Malware Config

Signatures

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious access to, or copying of, a web browser credential store.

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up the country code configured in the registry, likely a geofence.

  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops file in Program Files directory 6 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\dc\7.exe
    "C:\Users\Admin\AppData\Local\Temp\dc\7.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3244
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\surrogateReviewSavesInto\2koUrfrYMr2wwQKU0gavGBjQcbhiNOVFgYGTAHdJpArKL.vbe"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1988
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\surrogateReviewSavesInto\tePICVgSNO7wHQQGva4B9FuQRLFKyWUGoO7RllT3qr3.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:844
        • C:\surrogateReviewSavesInto\ReviewruntimecrtMonitor.exe
          "C:\surrogateReviewSavesInto/ReviewruntimecrtMonitor.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2628
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\m7ncxKBIvk.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1776
            • C:\Windows\system32\chcp.com
              chcp 65001
              6⤵
              PID:1272
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              6⤵
              PID:5016
                • C:\surrogateReviewSavesInto\ReviewruntimecrtMonitor.exe
                  "C:\surrogateReviewSavesInto\ReviewruntimecrtMonitor.exe"
                  6⤵
                  • Executes dropped EXE
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4260

Network

MITRE ATT&CK Enterprise v15


Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ReviewruntimecrtMonitor.exe.log

        Filesize

        1KB

        MD5

        e7d1b1fa2f25e3dfa86cc7723a4e62fc

        SHA1

        d3e0ccb2a21a12bd9f94c23c9a4a1c0522d1cae7

        SHA256

        e77d74ba620116426b7c14188b82ee167a5f53d27d63d9e3b4e290a10b795131

        SHA512

        7c7a43eb032a9a804cd1262bae52e1a7f8552dd3f572761cb56ff00556acf5fcf1c3476494e5b6fbd5e50304a3b72c3a5edb0d7251deb25905a661fc45280d8b

      • C:\Users\Admin\AppData\Local\Temp\m7ncxKBIvk.bat

        Filesize

        231B

        MD5

        83fa300e37146061c7f719b411476a9c

        SHA1

        245e38196e5d9393f7cf86c01c01308619480053

        SHA256

        fa424eb261e0b5c6d0d5fd08b6a4a9fa545cb3663e027cd9553e98ecd4e32619

        SHA512

        21a94e6ed831d8478367861c78b8312d78ba4c3dcb1fd527c56369d0b6d1524bb9d62ba631f0a25d22125e071818712190a887d05ef16bc97e9c2663dabd8884

      • C:\surrogateReviewSavesInto\2koUrfrYMr2wwQKU0gavGBjQcbhiNOVFgYGTAHdJpArKL.vbe

        Filesize

        245B

        MD5

        6763e284a76e353cffeadf40ebb178d0

        SHA1

        8b11f3373f7f91b21c768a0be1fed66958835cae

        SHA256

        3688b150a61144e4151f25b7d83f11a78b4ebc333a37739ab044c47e4c76076d

        SHA512

        4e2bc65260890f7f4890c9c6cfffdb44ca284f6ba76a87024c27df67a05a8d189dc68f794c5de4f22647ec705c60b9ac7c9c4c8f367133409da39a28957b353c

      • C:\surrogateReviewSavesInto\ReviewruntimecrtMonitor.exe

        Filesize

        2.6MB

        MD5

        9834782f39369b13e037a3ce0a46bf67

        SHA1

        278e47aef427299474d2f3b7f4b611e2df9a90a3

        SHA256

        b32f579f0d269a6401b76a776321414e266ba08e75c164886ae4848797c7434c

        SHA512

        f5b3051c86b7dc2ddbdc2e05d371d1687049c7c96aad0caf12b2639bbe4778f38d7ab39919e0ff650f21d091ddd05232e9de548da95c73800fcd3110262af7d2

      • C:\surrogateReviewSavesInto\tePICVgSNO7wHQQGva4B9FuQRLFKyWUGoO7RllT3qr3.bat

        Filesize

        110B

        MD5

        dc644a648c131afd820e690f5ff6c730

        SHA1

        b38d9f909adca78b01436f817d2620cc2b30a374

        SHA256

        f51e0c769642ad7f808342651263e7d7423c8cea4b36a055b04376df214c024f

        SHA512

        d3b32f7a304599fd759ca51eaddac223442b6f6288199e774e33e9bdc1573f623bf8305e639102c23cd87ee1c04692b63751c66f061d359ff57e5616383fafa5

      • memory/2628-24-0x0000000003410000-0x0000000003420000-memory.dmp

        Filesize

        64KB

      • memory/2628-31-0x000000001C910000-0x000000001CE38000-memory.dmp

        Filesize

        5.2MB

      • memory/2628-18-0x000000001C370000-0x000000001C3C0000-memory.dmp

        Filesize

        320KB

      • memory/2628-20-0x000000001BDD0000-0x000000001BDE8000-memory.dmp

        Filesize

        96KB

      • memory/2628-22-0x0000000001B50000-0x0000000001B60000-memory.dmp

        Filesize

        64KB

      • memory/2628-15-0x0000000001930000-0x000000000193E000-memory.dmp

        Filesize

        56KB

      • memory/2628-26-0x000000001C320000-0x000000001C332000-memory.dmp

        Filesize

        72KB

      • memory/2628-28-0x000000001C340000-0x000000001C356000-memory.dmp

        Filesize

        88KB

      • memory/2628-30-0x000000001C3C0000-0x000000001C3D2000-memory.dmp

        Filesize

        72KB

      • memory/2628-17-0x000000001BD90000-0x000000001BDAC000-memory.dmp

        Filesize

        112KB

      • memory/2628-33-0x0000000003420000-0x0000000003430000-memory.dmp

        Filesize

        64KB

      • memory/2628-35-0x000000001C440000-0x000000001C49A000-memory.dmp

        Filesize

        360KB

      • memory/2628-37-0x000000001BDB0000-0x000000001BDC0000-memory.dmp

        Filesize

        64KB

      • memory/2628-39-0x000000001BDF0000-0x000000001BDFC000-memory.dmp

        Filesize

        48KB

      • memory/2628-56-0x000000001C7E0000-0x000000001C889000-memory.dmp

        Filesize

        676KB

      • memory/2628-13-0x0000000000FC0000-0x0000000001262000-memory.dmp

        Filesize

        2.6MB

      • memory/2628-12-0x00007FFBC5753000-0x00007FFBC5755000-memory.dmp

        Filesize

        8KB

      • memory/4260-72-0x000000001C970000-0x000000001CA19000-memory.dmp

        Filesize

        676KB