c0e0b04921939fa617c707b94b555b19ea737d6ee1606293d5b44f88a3ace74c

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
28/09/2024, 03:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c0e0b04921939fa617c707b94b555b19ea737d6ee1606293d5b44f88a3ace74cN.exe
Size

1005KB
MD5

1386c886895587d556d849d374f99c00
SHA1

af9a17f5fc3069af875d7e48d77f570f490c035e
SHA256

c0e0b04921939fa617c707b94b555b19ea737d6ee1606293d5b44f88a3ace74c
SHA512

46f60d55f0a6b28bd3fbd5846e8e02be1ea469475b90112b7bef058ff70dcffb6b1ad27ea6bb654f9941c9ed7d60ff712a6eb7d74e7d5d2eb505c6283b9cc22f
SSDEEP

24576:T0m7MVyppWwUeY/vnS5QhJfgtwy+dFA0zq:RMwEeY//IQhJowy+Tq

Score

7^/10

defense_evasion discovery spyware stealer

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2316	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2896	eqsB3A6.tmp

Loads dropped DLL 2 IoCs

pid	Process
1868	c0e0b04921939fa617c707b94b555b19ea737d6ee1606293d5b44f88a3ace74cN.exe
1868	c0e0b04921939fa617c707b94b555b19ea737d6ee1606293d5b44f88a3ace74cN.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	c0e0b04921939fa617c707b94b555b19ea737d6ee1606293d5b44f88a3ace74cN.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe	c0e0b04921939fa617c707b94b555b19ea737d6ee1606293d5b44f88a3ace74cN.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\RCXBA12.tmp	c0e0b04921939fa617c707b94b555b19ea737d6ee1606293d5b44f88a3ace74cN.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\RCXBE27.tmp	c0e0b04921939fa617c707b94b555b19ea737d6ee1606293d5b44f88a3ace74cN.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GROOVEMN.EXE	c0e0b04921939fa617c707b94b555b19ea737d6ee1606293d5b44f88a3ace74cN.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSPUB.EXE	c0e0b04921939fa617c707b94b555b19ea737d6ee1606293d5b44f88a3ace74cN.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\RCXB59B.tmp	c0e0b04921939fa617c707b94b555b19ea737d6ee1606293d5b44f88a3ace74cN.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	c0e0b04921939fa617c707b94b555b19ea737d6ee1606293d5b44f88a3ace74cN.exe
File opened for modification	C:\Program Files\Windows Defender\MSASCui.exe	c0e0b04921939fa617c707b94b555b19ea737d6ee1606293d5b44f88a3ace74cN.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	c0e0b04921939fa617c707b94b555b19ea737d6ee1606293d5b44f88a3ace74cN.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe	c0e0b04921939fa617c707b94b555b19ea737d6ee1606293d5b44f88a3ace74cN.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe	c0e0b04921939fa617c707b94b555b19ea737d6ee1606293d5b44f88a3ace74cN.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\RCXB997.tmp	c0e0b04921939fa617c707b94b555b19ea737d6ee1606293d5b44f88a3ace74cN.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	c0e0b04921939fa617c707b94b555b19ea737d6ee1606293d5b44f88a3ace74cN.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\RCXC0FD.tmp	c0e0b04921939fa617c707b94b555b19ea737d6ee1606293d5b44f88a3ace74cN.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE	c0e0b04921939fa617c707b94b555b19ea737d6ee1606293d5b44f88a3ace74cN.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE	c0e0b04921939fa617c707b94b555b19ea737d6ee1606293d5b44f88a3ace74cN.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\RCXB9ED.tmp	c0e0b04921939fa617c707b94b555b19ea737d6ee1606293d5b44f88a3ace74cN.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.exe	c0e0b04921939fa617c707b94b555b19ea737d6ee1606293d5b44f88a3ace74cN.exe
File opened for modification	C:\Program Files\Java\jre7\bin\RCXB757.tmp	c0e0b04921939fa617c707b94b555b19ea737d6ee1606293d5b44f88a3ace74cN.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\RCXBFDD.tmp	c0e0b04921939fa617c707b94b555b19ea737d6ee1606293d5b44f88a3ace74cN.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\RCXB671.tmp	c0e0b04921939fa617c707b94b555b19ea737d6ee1606293d5b44f88a3ace74cN.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\RCXB971.tmp	c0e0b04921939fa617c707b94b555b19ea737d6ee1606293d5b44f88a3ace74cN.exe
File opened for modification	C:\Program Files\Java\jre7\bin\RCXB71C.tmp	c0e0b04921939fa617c707b94b555b19ea737d6ee1606293d5b44f88a3ace74cN.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\SELFCERT.EXE	c0e0b04921939fa617c707b94b555b19ea737d6ee1606293d5b44f88a3ace74cN.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\RCXB9BB.tmp	c0e0b04921939fa617c707b94b555b19ea737d6ee1606293d5b44f88a3ace74cN.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\RCXB685.tmp	c0e0b04921939fa617c707b94b555b19ea737d6ee1606293d5b44f88a3ace74cN.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\RCXB6FA.tmp	c0e0b04921939fa617c707b94b555b19ea737d6ee1606293d5b44f88a3ace74cN.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaire.exe	c0e0b04921939fa617c707b94b555b19ea737d6ee1606293d5b44f88a3ace74cN.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	c0e0b04921939fa617c707b94b555b19ea737d6ee1606293d5b44f88a3ace74cN.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\RCXB5C5.tmp	c0e0b04921939fa617c707b94b555b19ea737d6ee1606293d5b44f88a3ace74cN.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe	c0e0b04921939fa617c707b94b555b19ea737d6ee1606293d5b44f88a3ace74cN.exe
File opened for modification	C:\Program Files\Java\jre7\bin\RCXB758.tmp	c0e0b04921939fa617c707b94b555b19ea737d6ee1606293d5b44f88a3ace74cN.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	c0e0b04921939fa617c707b94b555b19ea737d6ee1606293d5b44f88a3ace74cN.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\RCXC161.tmp	c0e0b04921939fa617c707b94b555b19ea737d6ee1606293d5b44f88a3ace74cN.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	c0e0b04921939fa617c707b94b555b19ea737d6ee1606293d5b44f88a3ace74cN.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe	c0e0b04921939fa617c707b94b555b19ea737d6ee1606293d5b44f88a3ace74cN.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	c0e0b04921939fa617c707b94b555b19ea737d6ee1606293d5b44f88a3ace74cN.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\RCXB574.tmp	c0e0b04921939fa617c707b94b555b19ea737d6ee1606293d5b44f88a3ace74cN.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe	c0e0b04921939fa617c707b94b555b19ea737d6ee1606293d5b44f88a3ace74cN.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\RCXB984.tmp	c0e0b04921939fa617c707b94b555b19ea737d6ee1606293d5b44f88a3ace74cN.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\RCXC0C8.tmp	c0e0b04921939fa617c707b94b555b19ea737d6ee1606293d5b44f88a3ace74cN.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\RCXB5AE.tmp	c0e0b04921939fa617c707b94b555b19ea737d6ee1606293d5b44f88a3ace74cN.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\RCXB5EE.tmp	c0e0b04921939fa617c707b94b555b19ea737d6ee1606293d5b44f88a3ace74cN.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\RCXB5EF.tmp	c0e0b04921939fa617c707b94b555b19ea737d6ee1606293d5b44f88a3ace74cN.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\RCXB65B.tmp	c0e0b04921939fa617c707b94b555b19ea737d6ee1606293d5b44f88a3ace74cN.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe	c0e0b04921939fa617c707b94b555b19ea737d6ee1606293d5b44f88a3ace74cN.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\RCXB7D4.tmp	c0e0b04921939fa617c707b94b555b19ea737d6ee1606293d5b44f88a3ace74cN.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE	c0e0b04921939fa617c707b94b555b19ea737d6ee1606293d5b44f88a3ace74cN.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\RCXC056.tmp	c0e0b04921939fa617c707b94b555b19ea737d6ee1606293d5b44f88a3ace74cN.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe	c0e0b04921939fa617c707b94b555b19ea737d6ee1606293d5b44f88a3ace74cN.exe
File opened for modification	C:\Program Files\Windows Journal\RCXB883.tmp	c0e0b04921939fa617c707b94b555b19ea737d6ee1606293d5b44f88a3ace74cN.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\RCXBA14.tmp	c0e0b04921939fa617c707b94b555b19ea737d6ee1606293d5b44f88a3ace74cN.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\RCXBFA8.tmp	c0e0b04921939fa617c707b94b555b19ea737d6ee1606293d5b44f88a3ace74cN.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	c0e0b04921939fa617c707b94b555b19ea737d6ee1606293d5b44f88a3ace74cN.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe	c0e0b04921939fa617c707b94b555b19ea737d6ee1606293d5b44f88a3ace74cN.exe
File opened for modification	C:\Program Files\Java\jre7\bin\RCXB72E.tmp	c0e0b04921939fa617c707b94b555b19ea737d6ee1606293d5b44f88a3ace74cN.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnscfg.exe	c0e0b04921939fa617c707b94b555b19ea737d6ee1606293d5b44f88a3ace74cN.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\RCXB985.tmp	c0e0b04921939fa617c707b94b555b19ea737d6ee1606293d5b44f88a3ace74cN.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\wabmig.exe	c0e0b04921939fa617c707b94b555b19ea737d6ee1606293d5b44f88a3ace74cN.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe	c0e0b04921939fa617c707b94b555b19ea737d6ee1606293d5b44f88a3ace74cN.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe	c0e0b04921939fa617c707b94b555b19ea737d6ee1606293d5b44f88a3ace74cN.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\RCXBF05.tmp	c0e0b04921939fa617c707b94b555b19ea737d6ee1606293d5b44f88a3ace74cN.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\RCXBFDE.tmp	c0e0b04921939fa617c707b94b555b19ea737d6ee1606293d5b44f88a3ace74cN.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\RCXB412.tmp	c0e0b04921939fa617c707b94b555b19ea737d6ee1606293d5b44f88a3ace74cN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c0e0b04921939fa617c707b94b555b19ea737d6ee1606293d5b44f88a3ace74cN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eqsB3A6.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1868	c0e0b04921939fa617c707b94b555b19ea737d6ee1606293d5b44f88a3ace74cN.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1868 wrote to memory of 2896	1868	c0e0b04921939fa617c707b94b555b19ea737d6ee1606293d5b44f88a3ace74cN.exe	30
PID 1868 wrote to memory of 2896	1868	c0e0b04921939fa617c707b94b555b19ea737d6ee1606293d5b44f88a3ace74cN.exe	30
PID 1868 wrote to memory of 2896	1868	c0e0b04921939fa617c707b94b555b19ea737d6ee1606293d5b44f88a3ace74cN.exe	30
PID 1868 wrote to memory of 2896	1868	c0e0b04921939fa617c707b94b555b19ea737d6ee1606293d5b44f88a3ace74cN.exe	30
PID 1868 wrote to memory of 2316	1868	c0e0b04921939fa617c707b94b555b19ea737d6ee1606293d5b44f88a3ace74cN.exe	36
PID 1868 wrote to memory of 2316	1868	c0e0b04921939fa617c707b94b555b19ea737d6ee1606293d5b44f88a3ace74cN.exe	36
PID 1868 wrote to memory of 2316	1868	c0e0b04921939fa617c707b94b555b19ea737d6ee1606293d5b44f88a3ace74cN.exe	36
PID 1868 wrote to memory of 2316	1868	c0e0b04921939fa617c707b94b555b19ea737d6ee1606293d5b44f88a3ace74cN.exe	36

C:\Users\Admin\AppData\Local\Temp\c0e0b04921939fa617c707b94b555b19ea737d6ee1606293d5b44f88a3ace74cN.exe
"C:\Users\Admin\AppData\Local\Temp\c0e0b04921939fa617c707b94b555b19ea737d6ee1606293d5b44f88a3ace74cN.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1868
- C:\Users\Admin\AppData\Local\Temp\eqsB3A6.tmp
  "C:\Users\Admin\AppData\Local\Temp\c0e0b04921939fa617c707b94b555b19ea737d6ee1606293d5b44f88a3ace74cN.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2896
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\C0E0B0~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
2.1MB

MD5
dae9fa0746a395d2b42b1eb0c529353a

SHA1
78af560084304cbef640424d4a4fb0bfbc1624ca

SHA256
8de820c02780d8b3aa28a9391d58d751cb8965560decfa54ba8b7b4da42f3095

SHA512
20930938bebc0c90ac52fbc9223bd42d7bfc7ca0a8a9ec93482fe9d38dcaf86c3b799c2412c3198fe53cd2adc5724108d3c8b3a73af2699a9af84ff4f6262453

Download Submit
C:\Program Files\7-Zip\RCXB3CC.tmp

Filesize
9KB

MD5
fc80202a8fc434099a9449b2a14c2d75

SHA1
9ca544e9bd5f4bfd84e9b769a9adeea8c86d2555

SHA256
d3c794a3f404eb37cbf4038683a85678d04b28fc6f5d98f2a24116738de07b51

SHA512
98292dc9a96ff137205a7874d3495eae8baa0b51e968d616257a7e7ae4291fe010f47bef923039002827d0ff115f154aafe11bf321d534e0a7870faa40f6d2d4

Download Submit
\Users\Admin\AppData\Local\Temp\eqsB3A6.tmp

Filesize
995KB

MD5
62db7ffc2db3a1c7d4157807fa62d599

SHA1
06ca6e1f814b74708566ce1e258c98d238cc8360

SHA256
d9f5f5a886e7b8af87dc34dea9b330fe0243cb481ba518765d7950f1c0aca08a

SHA512
aca34b834ee3b622965e928fa1773b5e0de5ad3c4f7591a833c3156bdfba30aca15921fe3697c5fe65b9a69358a2f5c63ea0c81d9062cb1bdfc13ed94732a9a5

Download Submit