Analysis
max time kernel: 79s
max time network: 80s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12/10/2024, 18:38
Static task: static1
General
Target: a680fb2851207f6606214c2bb266a46ad37afefa9df85dc43a7730fe14bfc177.exe
Size: 1.1MB
MD5: 66310e73ba135067af9453c699a4c694
SHA1: 330a52436c0294d2ead08f7b86b9091591f55878
SHA256: a680fb2851207f6606214c2bb266a46ad37afefa9df85dc43a7730fe14bfc177
SHA512: 4893113b6fdf875b399fee26ca7153951fa5f84434e5de6504d5645657e9b8396efcdc72889dcc78ed49149434aa13e27006ea7855339f289e06781a7f20d49a
SSDEEP: 24576:BEqS1t2qh4zwnOd30BQuO883eB/qeV5WYeXEncWFtDxk4rk:Gd6EYr88O9TDncWNk4rk
Malware Config
Signatures
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely for geofencing.
  Key value queried: \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation (process: a680fb2851207f6606214c2bb266a46ad37afefa9df85dc43a7730fe14bfc177.exe)

Executes dropped EXE (2 IoCs)
  PID 4476 Hepatitis.pif
  PID 1488 RegAsm.exe

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials and other secrets.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate the software installed on the system.

Enumerates processes with tasklist (1 TTP, 2 IoCs)
  PID 2600 tasklist.exe
  PID 536 tasklist.exe

Drops file in Windows directory (7 IoCs)
Files opened for modification by a680fb2851207f6606214c2bb266a46ad37afefa9df85dc43a7730fe14bfc177.exe:
  C:\Windows\RabbitChampion
  C:\Windows\PersonalityStockholm
  C:\Windows\NickPhrases
  C:\Windows\ParentsImplications
  C:\Windows\DisagreeTruck
  C:\Windows\DatesShortcuts
  C:\Windows\SaverThrow

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 12 IoCs)
Attempts to gather information about the system language of a victim host in order to infer its geographical location.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by the following processes (one IoC each):
  tasklist.exe, choice.exe, RegAsm.exe, tasklist.exe, cmd.exe, findstr.exe, findstr.exe, cmd.exe, findstr.exe, cmd.exe, Hepatitis.pif, a680fb2851207f6606214c2bb266a46ad37afefa9df85dc43a7730fe14bfc177.exe

Suspicious behavior: EnumeratesProcesses (11 IoCs)
  PID 4476 Hepatitis.pif (10 entries)
  PID 1488 RegAsm.exe (1 entry)

Suspicious use of AdjustPrivilegeToken (8 IoCs)
  Token: SeDebugPrivilege, PID 2600 tasklist.exe
  Token: SeDebugPrivilege, PID 536 tasklist.exe
  Token: SeBackupPrivilege, PID 1488 RegAsm.exe
  Token: SeSecurityPrivilege, PID 1488 RegAsm.exe (4 entries)
  Token: SeDebugPrivilege, PID 1488 RegAsm.exe

Suspicious use of FindShellTrayWindow (3 IoCs)
  PID 4476 Hepatitis.pif (3 entries)

Suspicious use of SendNotifyMessage (3 IoCs)
  PID 4476 Hepatitis.pif (3 entries)

Suspicious use of WriteProcessMemory (35 IoCs)
Each row gives the writing PID and process, the target PID and the procid_target; identical repeated rows are counted rather than listed.
  PID 4868 a680fb2851207f6606214c2bb266a46ad37afefa9df85dc43a7730fe14bfc177.exe wrote to memory of 2912, procid_target 87 (3 entries)
  PID 2912 cmd.exe wrote to memory of 2600, procid_target 89 (3 entries)
  PID 2912 cmd.exe wrote to memory of 3416, procid_target 90 (3 entries)
  PID 2912 cmd.exe wrote to memory of 536, procid_target 92 (3 entries)
  PID 2912 cmd.exe wrote to memory of 2660, procid_target 93 (3 entries)
  PID 2912 cmd.exe wrote to memory of 4580, procid_target 94 (3 entries)
  PID 2912 cmd.exe wrote to memory of 1132, procid_target 95 (3 entries)
  PID 2912 cmd.exe wrote to memory of 3016, procid_target 96 (3 entries)
  PID 2912 cmd.exe wrote to memory of 4476, procid_target 97 (3 entries)
  PID 2912 cmd.exe wrote to memory of 948, procid_target 98 (3 entries)
  PID 4476 Hepatitis.pif wrote to memory of 1488, procid_target 99 (5 entries)
Processes
Process tree; indentation shows parent/child depth (levels 1 to 4 in the original view).

C:\Users\Admin\AppData\Local\Temp\a680fb2851207f6606214c2bb266a46ad37afefa9df85dc43a7730fe14bfc177.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a680fb2851207f6606214c2bb266a46ad37afefa9df85dc43a7730fe14bfc177.exe"
  PID: 4868
  - Checks computer location settings
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c move Boats Boats.bat & Boats.bat
      PID: 2912
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\tasklist.exe
          Command line: tasklist
          PID: 2600
          - Enumerates processes with tasklist
          - System Location Discovery: System Language Discovery
          - Suspicious use of AdjustPrivilegeToken

        C:\Windows\SysWOW64\findstr.exe
          Command line: findstr /I "wrsa opssvc"
          PID: 3416
          - System Location Discovery: System Language Discovery

        C:\Windows\SysWOW64\tasklist.exe
          Command line: tasklist
          PID: 536
          - Enumerates processes with tasklist
          - System Location Discovery: System Language Discovery
          - Suspicious use of AdjustPrivilegeToken

        C:\Windows\SysWOW64\findstr.exe
          Command line: findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"
          PID: 2660
          - System Location Discovery: System Language Discovery

        C:\Windows\SysWOW64\cmd.exe
          Command line: cmd /c md 767644
          PID: 4580
          - System Location Discovery: System Language Discovery

        C:\Windows\SysWOW64\findstr.exe
          Command line: findstr /V "MinsSlutsCompensationBest" Sexuality
          PID: 1132
          - System Location Discovery: System Language Discovery

        C:\Windows\SysWOW64\cmd.exe
          Command line: cmd /c copy /b ..\Investment + ..\Collectibles + ..\Usr + ..\Tell + ..\Maintain + ..\Arms + ..\Essay + ..\Having J
          PID: 3016
          - System Location Discovery: System Language Discovery

        C:\Users\Admin\AppData\Local\Temp\767644\Hepatitis.pif
          Command line: Hepatitis.pif J
          PID: 4476
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SendNotifyMessage
          - Suspicious use of WriteProcessMemory

            C:\Users\Admin\AppData\Local\Temp\767644\RegAsm.exe
              Command line: C:\Users\Admin\AppData\Local\Temp\767644\RegAsm.exe
              PID: 1488
              - Executes dropped EXE
              - System Location Discovery: System Language Discovery
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken

        C:\Windows\SysWOW64\choice.exe
          Command line: choice /d y /t 5
          PID: 948
          - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (2)
    Credentials In Files (2)
Downloads