Analysis

max time kernel: 117s
max time network: 118s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 28/09/2024, 03:13

Static task: static1
Behavioral task: behavioral1
  Sample: c0e0b04921939fa617c707b94b555b19ea737d6ee1606293d5b44f88a3ace74cN.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: c0e0b04921939fa617c707b94b555b19ea737d6ee1606293d5b44f88a3ace74cN.exe
  Resource: win10v2004-20240802-en

General

Target: c0e0b04921939fa617c707b94b555b19ea737d6ee1606293d5b44f88a3ace74cN.exe
Size: 1005KB
MD5: 1386c886895587d556d849d374f99c00
SHA1: af9a17f5fc3069af875d7e48d77f570f490c035e
SHA256: c0e0b04921939fa617c707b94b555b19ea737d6ee1606293d5b44f88a3ace74c
SHA512: 46f60d55f0a6b28bd3fbd5846e8e02be1ea469475b90112b7bef058ff70dcffb6b1ad27ea6bb654f9941c9ed7d60ff712a6eb7d74e7d5d2eb505c6283b9cc22f
SSDEEP: 24576:T0m7MVyppWwUeY/vnS5QhJfgtwy+dFA0zq:RMwEeY//IQhJowy+Tq
Malware Config
Signatures
Deletes itself (1 IoC)
  PID 2316  cmd.exe

Executes dropped EXE (1 IoC)
  PID 2896  eqsB3A6.tmp

Loads dropped DLL (2 IoCs)
  PID 1868  c0e0b04921939fa617c707b94b555b19ea737d6ee1606293d5b44f88a3ace74cN.exe
  PID 1868  c0e0b04921939fa617c707b94b555b19ea737d6ee1606293d5b44f88a3ace74cN.exe

Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials. No IoC rows are listed for this signature on the page, so treat it as a lead to follow up rather than as observed credential access.

Enumerates connected drives (3 TTPs, 1 IoC)
  Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only)  \??\F:  c0e0b04921939fa617c707b94b555b19ea737d6ee1606293d5b44f88a3ace74cN.exe

Indicator Removal: File Deletion (1 TTP)
  Adversaries may delete files left behind by the actions of their intrusion activity.
Drops file in Program Files directory (64 IoCs)
  All 64 rows have the description "File opened for modification" and the process c0e0b04921939fa617c707b94b555b19ea737d6ee1606293d5b44f88a3ace74cN.exe. The paths opened are:
  C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe
  C:\Program Files (x86)\Google\Update\1.3.36.151\RCXBA12.tmp
  C:\Program Files (x86)\Microsoft Office\Office14\RCXBE27.tmp
  C:\Program Files (x86)\Microsoft Office\Office14\GROOVEMN.EXE
  C:\Program Files (x86)\Microsoft Office\Office14\MSPUB.EXE
  C:\Program Files\Java\jdk1.7.0_80\bin\RCXB59B.tmp
  C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe
  C:\Program Files\Windows Defender\MSASCui.exe
  C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe
  C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe
  C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe
  C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\RCXB997.tmp
  C:\Program Files (x86)\Internet Explorer\iexplore.exe
  C:\Program Files (x86)\Windows Media Player\RCXC0FD.tmp
  C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
  C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE
  C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\RCXB9ED.tmp
  C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.exe
  C:\Program Files\Java\jre7\bin\RCXB757.tmp
  C:\Program Files (x86)\Microsoft Office\Office14\RCXBFDD.tmp
  C:\Program Files\Java\jdk1.7.0_80\jre\bin\RCXB671.tmp
  C:\Program Files (x86)\Common Files\microsoft shared\ink\RCXB971.tmp
  C:\Program Files\Java\jre7\bin\RCXB71C.tmp
  C:\Program Files (x86)\Microsoft Office\Office14\SELFCERT.EXE
  C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\RCXB9BB.tmp
  C:\Program Files\Java\jdk1.7.0_80\jre\bin\RCXB685.tmp
  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\RCXB6FA.tmp
  C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaire.exe
  C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe
  C:\Program Files\Java\jdk1.7.0_80\bin\RCXB5C5.tmp
  C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe
  C:\Program Files\Java\jre7\bin\RCXB758.tmp
  C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
  C:\Program Files (x86)\Windows Sidebar\RCXC161.tmp
  C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe
  C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe
  C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe
  C:\Program Files\Google\Chrome\Application\106.0.5249.119\RCXB574.tmp
  C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe
  C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\RCXB984.tmp
  C:\Program Files (x86)\Windows Mail\RCXC0C8.tmp
  C:\Program Files\Java\jdk1.7.0_80\bin\RCXB5AE.tmp
  C:\Program Files\Java\jdk1.7.0_80\bin\RCXB5EE.tmp
  C:\Program Files\Java\jdk1.7.0_80\bin\RCXB5EF.tmp
  C:\Program Files\Java\jdk1.7.0_80\jre\bin\RCXB65B.tmp
  C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe
  C:\Program Files\Microsoft Games\SpiderSolitaire\RCXB7D4.tmp
  C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE
  C:\Program Files (x86)\Microsoft Office\Office14\RCXC056.tmp
  C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe
  C:\Program Files\Windows Journal\RCXB883.tmp
  C:\Program Files (x86)\Google\Update\1.3.36.151\RCXBA14.tmp
  C:\Program Files (x86)\Microsoft Office\Office14\RCXBFA8.tmp
  C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe
  C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe
  C:\Program Files\Java\jre7\bin\RCXB72E.tmp
  C:\Program Files\Windows Media Player\wmpnscfg.exe
  C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\RCXB985.tmp
  C:\Program Files (x86)\Windows Mail\wabmig.exe
  C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe
  C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe
  C:\Program Files (x86)\Microsoft Office\Office14\RCXBF05.tmp
  C:\Program Files (x86)\Microsoft Office\Office14\RCXBFDE.tmp
  C:\Program Files\Common Files\Microsoft Shared\ink\RCXB412.tmp
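Every RCX*.tmp in this list sits in the same directory as an executable the sample opened for modification (Office14, the JDK and JRE bin directories, Google Update, Windows Mail), which is the footprint of executables being rewritten through a temporary file beside them. The page assigns no family, so that is an observation about the rows, not an identification. The rows are only useful once the path is separated from the process name and grouped by directory, and the flattened form is awkward to parse because the paths contain spaces. The Python below is an added example, not part of the report or of any Triage tooling: it parses rows in the run-together form the page shows (and in one-per-line form), separates RCX staging temps from the targeted executables, and returns the list of binaries to hash-compare against a clean install. The excerpt it parses is constructed from eight of the rows above plus the drive-enumeration row.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

PROCESS = "c0e0b04921939fa617c707b94b555b19ea737d6ee1606293d5b44f88a3ace74cN.exe"

# Constructed excerpt: eight "Drops file in Program Files directory" rows and the
# "Enumerates connected drives" row from the report, joined with single spaces exactly
# as the flattened page text runs them together.
EXCERPT = " ".join(
    ["File opened for modification " + p + " " + PROCESS for p in (
        r"C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe",
        r"C:\Program Files (x86)\Google\Update\1.3.36.151\RCXBA12.tmp",
        r"C:\Program Files (x86)\Microsoft Office\Office14\RCXBE27.tmp",
        r"C:\Program Files (x86)\Microsoft Office\Office14\GROOVEMN.EXE",
        r"C:\Program Files (x86)\Microsoft Office\Office14\MSPUB.EXE",
        r"C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe",
        r"C:\Program Files\Windows Defender\MSASCui.exe",
        r"C:\Program Files\Java\jdk1.7.0_80\jre\bin\RCXB671.tmp",
    )] + [r"File opened (read-only) \??\F: " + PROCESS]
)

# A row is "File opened <op> <path> <process>". Paths contain spaces, so the path is matched
# lazily and the process is the single whitespace-free token that must be followed by the
# next row start (or end of input); process names never contain spaces, which is what
# makes the split unambiguous.
ROW_RE = re.compile(
    r"File opened (?P<op>for modification|\(read-only\)) (?P<path>.+?) (?P<proc>\S+)"
    r"(?=\s+File opened |\s*$)",
    re.MULTILINE,
)


def parse_rows(text: str) -> list:
    """Return (op, path, process) tuples for every IoC row in `text`."""
    return [(m["op"], m["path"], m["proc"]) for m in ROW_RE.finditer(text)]


def is_staging_temp(path: str) -> bool:
    """RCX*.tmp beside a target: the temporary file an executable is rewritten through."""
    name = PureWindowsPath(path).name
    return name.upper().startswith("RCX") and name.lower().endswith(".tmp")


def summarize(rows: list) -> dict:
    """Per directory: executables opened for modification and the RCX staging temps beside them."""
    by_dir = defaultdict(lambda: {"targets": [], "staging": []})
    for op, path, _ in rows:
        if op != "for modification":
            continue
        p = PureWindowsPath(path)
        by_dir[str(p.parent)]["staging" if is_staging_temp(path) else "targets"].append(p.name)
    return dict(by_dir)


def verify_list(rows: list) -> list:
    """Executables to hash-compare against a clean install. Staging temps are excluded:
    they are transient working files, not the binaries that were modified."""
    return sorted({path for op, path, _ in rows
                   if op == "for modification" and not is_staging_temp(path)})


if __name__ == "__main__":
    parsed = parse_rows(EXCERPT)
    for directory, groups in summarize(parsed).items():
        print(directory, groups)
    print("verify:", verify_list(parsed))
```

The same regex works on the full 64-row line from the page; the only per-report change is the process name, which is captured rather than hard-coded.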
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  c0e0b04921939fa617c707b94b555b19ea737d6ee1606293d5b44f88a3ace74cN.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  eqsB3A6.tmp
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeIncBasePriorityPrivilege  PID 1868  c0e0b04921939fa617c707b94b555b19ea737d6ee1606293d5b44f88a3ace74cN.exe

Suspicious use of WriteProcessMemory (8 IoCs)
  PID 1868 (c0e0b04921939fa617c707b94b555b19ea737d6ee1606293d5b44f88a3ace74cN.exe) wrote to memory of PID 2896, procid_target 30 (4 rows)
  PID 1868 (c0e0b04921939fa617c707b94b555b19ea737d6ee1606293d5b44f88a3ace74cN.exe) wrote to memory of PID 2316, procid_target 36 (4 rows)
  The only write targets are the two children that 1868 itself spawned (eqsB3A6.tmp and cmd.exe). A parent writing into a child it has just created is routine at process start-up, so this signature on its own is not evidence of code injection into a foreign process.
Processes

C:\Users\Admin\AppData\Local\Temp\c0e0b04921939fa617c707b94b555b19ea737d6ee1606293d5b44f88a3ace74cN.exe  (PID 1868)
  command line: "C:\Users\Admin\AppData\Local\Temp\c0e0b04921939fa617c707b94b555b19ea737d6ee1606293d5b44f88a3ace74cN.exe"
  - Loads dropped DLL
  - Enumerates connected drives
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\eqsB3A6.tmp  (PID 2896, child of 1868)
    command line: "C:\Users\Admin\AppData\Local\Temp\c0e0b04921939fa617c707b94b555b19ea737d6ee1606293d5b44f88a3ace74cN.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery

  C:\Windows\SysWOW64\cmd.exe  (PID 2316, child of 1868)
    command line: "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\C0E0B0~1.EXE > nul
    - Deletes itself
    - System Location Discovery: System Language Discovery

Two details in this tree matter for matching. The dropped eqsB3A6.tmp is launched with the original sample's command line, so a rule keyed on the command line alone will attribute its activity to the sample rather than to the dropped file. And the del target C0E0B0~1.EXE is the 8.3 short name of the sample (the first six characters of the file name plus ~1), not a different file, so a self-deletion check has to resolve short names before comparing the deleted path with the parent's image.
Network
MITRE ATT&CK Enterprise v15

Credential Access
  Credentials from Password Stores (1): Credentials from Web Browsers (1)
  Unsecured Credentials (1): Credentials In Files (1)
Downloads

Filesize: 2.1MB
MD5: dae9fa0746a395d2b42b1eb0c529353a
SHA1: 78af560084304cbef640424d4a4fb0bfbc1624ca
SHA256: 8de820c02780d8b3aa28a9391d58d751cb8965560decfa54ba8b7b4da42f3095
SHA512: 20930938bebc0c90ac52fbc9223bd42d7bfc7ca0a8a9ec93482fe9d38dcaf86c3b799c2412c3198fe53cd2adc5724108d3c8b3a73af2699a9af84ff4f6262453

Filesize: 9KB
MD5: fc80202a8fc434099a9449b2a14c2d75
SHA1: 9ca544e9bd5f4bfd84e9b769a9adeea8c86d2555
SHA256: d3c794a3f404eb37cbf4038683a85678d04b28fc6f5d98f2a24116738de07b51
SHA512: 98292dc9a96ff137205a7874d3495eae8baa0b51e968d616257a7e7ae4291fe010f47bef923039002827d0ff115f154aafe11bf321d534e0a7870faa40f6d2d4

Filesize: 995KB
MD5: 62db7ffc2db3a1c7d4157807fa62d599
SHA1: 06ca6e1f814b74708566ce1e258c98d238cc8360
SHA256: d9f5f5a886e7b8af87dc34dea9b330fe0243cb481ba518765d7950f1c0aca08a
SHA512: aca34b834ee3b622965e928fa1773b5e0de5ad3c4f7591a833c3156bdfba30aca15921fe3697c5fe65b9a69358a2f5c63ea0c81d9062cb1bdfc13ed94732a9a5