Overview

Static (score 10)

Score | Sample    | Platform
10    | dc/10.exe | windows10-2004-x64
10    | dc/12.exe | windows10-2004-x64
7     | dc/13.exe | windows10-2004-x64
10    | dc/15.exe | windows10-2004-x64
8     | dc/16.exe | windows10-2004-x64
10    | dc/17.exe | windows10-2004-x64
3     | dc/19.exe | windows10-2004-x64
10    | dc/22.exe | windows10-2004-x64
10    | dc/23.exe | windows10-2004-x64
10    | dc/3.exe  | windows10-2004-x64
10    | dc/4.exe  | windows10-2004-x64
3     | dc/5.exe  | windows10-2004-x64
10    | dc/6.exe  | windows10-2004-x64
10    | dc/7.exe  | windows10-2004-x64
9     | dc/9.exe  | windows10-2004-x64
Analysis (score 10)

max time kernel: 55s
max time network: 61s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21-08-2024 01:25
Behavioral task | Sample    | Resource
behavioral1     | dc/10.exe | win10v2004-20240802-en
behavioral2     | dc/12.exe | win10v2004-20240802-en
behavioral3     | dc/13.exe | win10v2004-20240802-en
behavioral4     | dc/15.exe | win10v2004-20240802-en
behavioral5     | dc/16.exe | win10v2004-20240802-en
behavioral6     | dc/17.exe | win10v2004-20240802-en
behavioral7     | dc/19.exe | win10v2004-20240802-en
behavioral8     | dc/22.exe | win10v2004-20240802-en
behavioral9     | dc/23.exe | win10v2004-20240802-en
behavioral10    | dc/3.exe  | win10v2004-20240802-en
behavioral11    | dc/4.exe  | win10v2004-20240802-en
behavioral12    | dc/5.exe  | win10v2004-20240802-en
behavioral13    | dc/6.exe  | win10v2004-20240802-en
behavioral14    | dc/7.exe  | win10v2004-20240802-en
behavioral15    | dc/9.exe  | win10v2004-20240802-en
General

Target: dc/7.exe
Size: 2.9MB
MD5: 2d30843580eaf66546af1ad6c04338ed
SHA1: 5f6df14f8adc05f4feb3e26c3e851ef68813828b
SHA256: 7858ed8f2d48186ed0f85b362af8f76065b88662ad20d7e0b393115898ca9972
SHA512: 5928280c4f5bc5b3fab24a971552b1b747cccb6cec2939c6908fd927074e0c93e0ebf2c60918b01b98f78ee750abe2491d34bc3242bf9c9f2a003b8a62fd5af5
SSDEEP: 49152:IBJW0o4UO9a9j1KgfUh8O/2g5BxxFbUCKyjYmOCXSEUahZn:y40oqURKgfU6O/vV7ZjYmLtUKn
Malware Config
Signatures
Credentials from Password Stores: Credentials from Web Browsers (1 TTPs)
  Malicious Access or copy of Web Browser Credential store.

Checks computer location settings (2 TTPs, 3 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation | WScript.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation | ReviewruntimecrtMonitor.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation | 7.exe

Executes dropped EXE (2 IoCs)
  pid  | Process
  2628 | ReviewruntimecrtMonitor.exe
  4260 | ReviewruntimecrtMonitor.exe

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Drops file in Program Files directory (6 IoCs)
  description | ioc | Process
  File created | C:\Program Files (x86)\Internet Explorer\sysmon.exe | ReviewruntimecrtMonitor.exe
  File opened for modification | C:\Program Files (x86)\Internet Explorer\sysmon.exe | ReviewruntimecrtMonitor.exe
  File created | C:\Program Files (x86)\Internet Explorer\121e5b5079f7c0 | ReviewruntimecrtMonitor.exe
  File created | C:\Program Files (x86)\MSBuild\Microsoft\System.exe | ReviewruntimecrtMonitor.exe
  File created | C:\Program Files (x86)\MSBuild\Microsoft\27d1bcfc3c54e0 | ReviewruntimecrtMonitor.exe
  File created | C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_~_8wekyb3d8bbwe\RuntimeBroker.exe | ReviewruntimecrtMonitor.exe

Drops file in Windows directory (2 IoCs)
  description | ioc | Process
  File created | C:\Windows\DigitalLocker\en-US\conhost.exe | ReviewruntimecrtMonitor.exe
  File created | C:\Windows\DigitalLocker\en-US\088424020bedd6 | ReviewruntimecrtMonitor.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 7.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Modifies registry class (2 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings | ReviewruntimecrtMonitor.exe
  Key created | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings | 7.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid  | Process
  2628 | ReviewruntimecrtMonitor.exe   (this same row is repeated 64 times in the report)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2628 | ReviewruntimecrtMonitor.exe
  Token: SeDebugPrivilege | 4260 | ReviewruntimecrtMonitor.exe

Suspicious use of WriteProcessMemory (16 IoCs)
  description | pid | Process | procid_target
  PID 3244 wrote to memory of 1988 | 3244 | 7.exe | 87
  PID 3244 wrote to memory of 1988 | 3244 | 7.exe | 87
  PID 3244 wrote to memory of 1988 | 3244 | 7.exe | 87
  PID 1988 wrote to memory of 844 | 1988 | WScript.exe | 94
  PID 1988 wrote to memory of 844 | 1988 | WScript.exe | 94
  PID 1988 wrote to memory of 844 | 1988 | WScript.exe | 94
  PID 844 wrote to memory of 2628 | 844 | cmd.exe | 96
  PID 844 wrote to memory of 2628 | 844 | cmd.exe | 96
  PID 2628 wrote to memory of 1776 | 2628 | ReviewruntimecrtMonitor.exe | 99
  PID 2628 wrote to memory of 1776 | 2628 | ReviewruntimecrtMonitor.exe | 99
  PID 1776 wrote to memory of 1272 | 1776 | cmd.exe | 101
  PID 1776 wrote to memory of 1272 | 1776 | cmd.exe | 101
  PID 1776 wrote to memory of 5016 | 1776 | cmd.exe | 102
  PID 1776 wrote to memory of 5016 | 1776 | cmd.exe | 102
  PID 1776 wrote to memory of 4260 | 1776 | cmd.exe | 103
  PID 1776 wrote to memory of 4260 | 1776 | cmd.exe | 103
Processes (process tree; indentation shows parent/child relationship)

C:\Users\Admin\AppData\Local\Temp\dc\7.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\dc\7.exe"
  PID:3244
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\surrogateReviewSavesInto\2koUrfrYMr2wwQKU0gavGBjQcbhiNOVFgYGTAHdJpArKL.vbe"
    PID:1988
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\surrogateReviewSavesInto\tePICVgSNO7wHQQGva4B9FuQRLFKyWUGoO7RllT3qr3.bat" "
      PID:844
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\surrogateReviewSavesInto\ReviewruntimecrtMonitor.exe
        Command line: "C:\surrogateReviewSavesInto/ReviewruntimecrtMonitor.exe"
        PID:2628
        - Checks computer location settings
        - Executes dropped EXE
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        C:\Windows\System32\cmd.exe
          Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\m7ncxKBIvk.bat"
          PID:1776
          - Suspicious use of WriteProcessMemory

          C:\Windows\system32\chcp.com
            Command line: chcp 65001
            PID:1272

          C:\Windows\system32\w32tm.exe
            Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
            PID:5016

          C:\surrogateReviewSavesInto\ReviewruntimecrtMonitor.exe
            Command line: "C:\surrogateReviewSavesInto\ReviewruntimecrtMonitor.exe"
            PID:4260
            - Executes dropped EXE
            - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads