Analysis

Max time kernel: 61s
Max time network: 68s
Platform: windows10-2004_x64
Resource: win10v2004-20240802-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 28-09-2024 21:13
Static task: static1
General

Target: No product name.exe
Size: 154.7MB
MD5: 5a64c63eedffd27a1cbf928842003824
SHA1: 55661ceb6ba4849f6f953cc7e4955bbcacad1740
SHA256: f24185546ba25a648f25b2e0f7d1ea92d1e0755d0bb00552c41c5324ce06f3d6
SHA512: 24fd9f005173e18525ae391cc8963e6e80b5a07dec48296895a04bf8cfdc41e89993eef6625575bb2df491afc958a606a9909b53a3e8ac656a0d9a852bc43568
SSDEEP: 1572864:kTmw0ciLNpDPuAvHxJLkY2O6Ea3f9kwZXeT6EivLp1vUAtdjtZn+f4FnIvGaC9dU:/v6E70+Mk
Malware Config
Signatures
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
- description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation
  Process: No product name.exe
Loads dropped DLL (2 IoCs)
- pid 5020, Process: No product name.exe (2 entries)
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Enumerates processes with tasklist (1 TTP, 5 IoCs)
- pid 3624, Process: tasklist.exe
- pid 4796, Process: tasklist.exe
- pid 2264, Process: tasklist.exe
- pid 2948, Process: tasklist.exe
- pid 3540, Process: tasklist.exe
Kills process with taskkill (2 IoCs)
- pid 556, Process: taskkill.exe
- pid 4824, Process: taskkill.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
- pid 3388, Process: No product name.exe (2 entries)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Columns in the report: description (Token), pid, Process. The 64 entries grouped by process:
- WMIC.exe (pid 4052), the following sequence recorded twice (42 entries): Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
- tasklist.exe (pids 2264, 2948, 3540, 3624, 4796): Token: SeDebugPrivilege (one entry each)
- taskkill.exe (pids 556, 4824): Token: SeDebugPrivilege (one entry each)
- No product name.exe (pid 5020): Token: SeShutdownPrivilege (8 entries) and Token: SeCreatePagefilePrivilege (7 entries), interleaved with the tasklist.exe and taskkill.exe entries above
Suspicious use of WriteProcessMemory (64 IoCs)
Columns in the report: description, pid, Process, procid_target. Each row below gives the writing process, the target pid, the procid_target value and how many times the entry is recorded (the report caps at 64 entries):
- pid 5020 (No product name.exe) wrote to memory of 4256, procid_target 81, 2 entries
- pid 4256 (cmd.exe) wrote to memory of 4052, procid_target 83, 2 entries
- pid 5020 (No product name.exe) wrote to memory of 1132, procid_target 85, 2 entries
- pid 5020 (No product name.exe) wrote to memory of 2716, procid_target 87, 2 entries
- pid 5020 (No product name.exe) wrote to memory of 2912, procid_target 88, 2 entries
- pid 5020 (No product name.exe) wrote to memory of 4512, procid_target 90, 2 entries
- pid 1132 (cmd.exe) wrote to memory of 2264, procid_target 93, 2 entries
- pid 2716 (cmd.exe) wrote to memory of 2948, procid_target 94, 2 entries
- pid 4512 (cmd.exe) wrote to memory of 556, procid_target 95, 2 entries
- pid 2912 (cmd.exe) wrote to memory of 4824, procid_target 96, 2 entries
- pid 5020 (No product name.exe) wrote to memory of 3336, procid_target 97, 31 entries
- pid 5020 (No product name.exe) wrote to memory of 3388, procid_target 98, 2 entries
- pid 5020 (No product name.exe) wrote to memory of 3092, procid_target 99, 2 entries
- pid 3092 (cmd.exe) wrote to memory of 1008, procid_target 101, 2 entries
- pid 5020 (No product name.exe) wrote to memory of 1540, procid_target 102, 2 entries
- pid 1540 (cmd.exe) wrote to memory of 3540, procid_target 104, 2 entries
- pid 5020 (No product name.exe) wrote to memory of 1512, procid_target 105, 2 entries
- pid 1512 (cmd.exe) wrote to memory of 2044, procid_target 107, 1 entry
Processes

Process tree (image path, PID, command line and the signatures the report attached to each process):

- C:\Users\Admin\AppData\Local\Temp\No product name.exe (PID 5020)
  Command line: "C:\Users\Admin\AppData\Local\Temp\No product name.exe"
  Signatures: Checks computer location settings; Loads dropped DLL; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe (PID 4256)
    Command line: C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\Wbem\WMIC.exe (PID 4052)
      Command line: wmic csproduct get uuid
      Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe (PID 1132)
    Command line: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\tasklist.exe (PID 2264)
      Command line: tasklist
      Signatures: Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe (PID 2716)
    Command line: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\tasklist.exe (PID 2948)
      Command line: tasklist
      Signatures: Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe (PID 2912)
    Command line: C:\Windows\system32\cmd.exe /d /s /c "taskkill /IM EpicGamesLauncher.exe /F"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\taskkill.exe (PID 4824)
      Command line: taskkill /IM EpicGamesLauncher.exe /F
      Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe (PID 4512)
    Command line: C:\Windows\system32\cmd.exe /d /s /c "taskkill /IM Steam.exe /F"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\taskkill.exe (PID 556)
      Command line: taskkill /IM Steam.exe /F
      Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\No product name.exe (PID 3336)
    Command line: "C:\Users\Admin\AppData\Local\Temp\No product name.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\unitygame-setup" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAABgAAAAAAAAAGAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1940 --field-trial-handle=1944,i,5891149597631340374,2991327089997754776,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
    Signatures: none
  - C:\Users\Admin\AppData\Local\Temp\No product name.exe (PID 3388)
    Command line: "C:\Users\Admin\AppData\Local\Temp\No product name.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\unitygame-setup" --mojo-platform-channel-handle=2124 --field-trial-handle=1944,i,5891149597631340374,2991327089997754776,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
    Signatures: Suspicious behavior: EnumeratesProcesses
  - C:\Windows\system32\cmd.exe (PID 3092)
    Command line: C:\Windows\system32\cmd.exe /d /s /c "where /r . *.sqlite"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\where.exe (PID 1008)
      Command line: where /r . *.sqlite
      Signatures: none
  - C:\Windows\system32\cmd.exe (PID 1540)
    Command line: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\tasklist.exe (PID 3540)
      Command line: tasklist
      Signatures: Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe (PID 1512)
    Command line: C:\Windows\system32\cmd.exe /d /s /c "where /r . cookies.sqlite"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\where.exe (PID 2044)
      Command line: where /r . cookies.sqlite
      Signatures: none
  - C:\Windows\system32\cmd.exe (PID 1948)
    Command line: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    Signatures: none
    - C:\Windows\system32\tasklist.exe (PID 3624)
      Command line: tasklist
      Signatures: Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe (PID 1564)
    Command line: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    Signatures: none
    - C:\Windows\system32\tasklist.exe (PID 4796)
      Command line: tasklist
      Signatures: Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 40KB
  MD5: a182561a527f929489bf4b8f74f65cd7
  SHA1: 8cd6866594759711ea1836e86a5b7ca64ee8911f
  SHA256: 42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914
  SHA512: 9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

- Filesize: 1.4MB
  MD5: 56192831a7f808874207ba593f464415
  SHA1: e0c18c72a62692d856da1f8988b0bc9c8088d2aa
  SHA256: 6aa8763714aa5199a4065259af792292c2a7d6a2c381aa27007255421e5c9d8c
  SHA512: c82aa1ef569c232b4b4f98a3789f2390e5f7bf5cc7e73d199fe23a3f636817edfdc2fb49ce7f69169c028a9dd5ab9f63e8f64964bb22424fc08db71e85054a33

- Filesize: 137KB
  MD5: 04bfbfec8db966420fe4c7b85ebb506a
  SHA1: 939bb742a354a92e1dcd3661a62d69e48030a335
  SHA256: da2172ce055fa47d6a0ea1c90654f530abed33f69a74d52fab06c4c7653b48fd
  SHA512: 4ea97a9a120ed5bee8638e0a69561c2159fc3769062d7102167b0e92b4f1a5c002a761bd104282425f6cee8d0e39dbe7e12ad4e4a38570c3f90f31b65072dd65