Analysis
max time kernel: 121s
max time network: 127s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 10/11/2024, 02:33
Static task: static1
Behavioral task: behavioral1
  Sample: c500ccb3718c51ca1c4e67b67e383eae9b8401a07d6d6ae57c98e4e2cd6cef9d.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: c500ccb3718c51ca1c4e67b67e383eae9b8401a07d6d6ae57c98e4e2cd6cef9d.exe
  Resource: win10v2004-20241007-en
General
Target: c500ccb3718c51ca1c4e67b67e383eae9b8401a07d6d6ae57c98e4e2cd6cef9d.exe
Size: 87KB
MD5: a57c45b26f0a0cdf85cb3949ecb7bfe7
SHA1: e9bdede6e557771f543d5ba0f8be63a032fb82db
SHA256: c500ccb3718c51ca1c4e67b67e383eae9b8401a07d6d6ae57c98e4e2cd6cef9d
SHA512: 0ca7f5c07ceea2de9ce1bd623dae99f0cca1c9b07e1914ee6fc9cc792cddf8bfddc00c420ad82d20b0729585e7ee785b24842688fce16ccfe62b08fea6764efb
SSDEEP: 96:J0J/2lk+rks4oc2SQyvn8Aerb25H4wYjHQjqQfmKrWVYogz3AsllaseFUSUYrgto:J82kZwctUAQS5YhjQq+WV92pTyG6
Malware Config
Signatures
Deletes itself (1 IoC)
  pid 1624, process cmd.exe

Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Enumerates connected drives (3 TTPs, 1 IoC)
  Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only): \??\F: by c500ccb3718c51ca1c4e67b67e383eae9b8401a07d6d6ae57c98e4e2cd6cef9d.exe

Indicator Removal: File Deletion (1 TTP)
  Adversaries may delete files left behind by the actions of their intrusion activity.

Drops file in Program Files directory (64 IoCs)
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by c500ccb3718c51ca1c4e67b67e383eae9b8401a07d6d6ae57c98e4e2cd6cef9d.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by cmd.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeIncBasePriorityPrivilege, pid 564, process c500ccb3718c51ca1c4e67b67e383eae9b8401a07d6d6ae57c98e4e2cd6cef9d.exe

Suspicious use of WriteProcessMemory (4 IoCs)
  PID 564 wrote to memory of 1624; pid 564, process c500ccb3718c51ca1c4e67b67e383eae9b8401a07d6d6ae57c98e4e2cd6cef9d.exe, procid_target 34 (4 identical entries)
Processes
C:\Users\Admin\AppData\Local\Temp\c500ccb3718c51ca1c4e67b67e383eae9b8401a07d6d6ae57c98e4e2cd6cef9d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c500ccb3718c51ca1c4e67b67e383eae9b8401a07d6d6ae57c98e4e2cd6cef9d.exe"
  PID: 564
  - Enumerates connected drives
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe (child of PID 564)
    Command line: "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\C500CC~1.EXE > nul
    PID: 1624
    - Deletes itself
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Credential Access
  - Credentials from Password Stores (1)
    - Credentials from Web Browsers (1)
  - Unsecured Credentials (1)
    - Credentials In Files (1)
Downloads