Analysis

  • max time kernel
    118s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    20-11-2024 13:46

General

  • Target

    2c02c650903a9cc289c62b83a56de001871b58531c4da3fc838a32b3b9e84291.exe

  • Size

    149KB

  • MD5

    7b104c571efba855a2e0ef211450fdac

  • SHA1

    eaf61901c6e2e148c5e089a52cc2606217a41cfa

  • SHA256

    2c02c650903a9cc289c62b83a56de001871b58531c4da3fc838a32b3b9e84291

  • SHA512

    92263ffc40fc03c51c5e4b48a9a813721ce80353674979213fae27b49f7b420d5bb35817232069030b812d9dfc44fd23b4fce3186feaa874ae6c8dd853ce69c6

  • SSDEEP

    3072:R3FfHgTWmCRkGbKGLeNTBfn+TwnDqKBtv/p50oUJiTZxt09W96NXP:J5aWbksiNTB/+Twn2KP/pOS+y2

Malware Config

Signatures

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops file in Windows directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Kills process with taskkill 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 31 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2c02c650903a9cc289c62b83a56de001871b58531c4da3fc838a32b3b9e84291.exe
    "C:\Users\Admin\AppData\Local\Temp\2c02c650903a9cc289c62b83a56de001871b58531c4da3fc838a32b3b9e84291.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2156
    • C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\C477.tmp\C478.tmp\C479.bat C:\Users\Admin\AppData\Local\Temp\2c02c650903a9cc289c62b83a56de001871b58531c4da3fc838a32b3b9e84291.exe"
      2⤵
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:816
      • C:\Windows\system32\taskkill.exe
        TASKkill /f /im "EpicGamesLauncher.exe" /t /fi "status eq running"
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2268
      • C:\Windows\system32\taskkill.exe
        TASKkill /f /im "FortniteLauncher.exe" /t /fi "status eq running"
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2404
      • C:\Windows\system32\taskkill.exe
        TASKkill /f /im "FortniteClient-Win64-Shipping_BE.exe" /t /fi "status eq running"
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2140
      • C:\Windows\system32\taskkill.exe
        TASKkill /f /im "FortniteClient-Win64-Shipping.exe" /t /fi "status eq running"
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1272
      • C:\Windows\system32\taskkill.exe
        TASKkill /f /im "EasyAntiCheat.exe" /t /fi "status eq running"
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2736
      • C:\Windows\system32\reg.exe
        Reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
        3⤵
        PID:2804
      • C:\Windows\system32\taskkill.exe
        taskkill /IM "EpicGamesLauncher.exe" /F
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2824
      • C:\Windows\system32\reg.exe
        reg delete "HKEY_USERS\S-1-5-21-2097722829-2509645790-3642206209-1001\Software\Epic Games" /f
        3⤵
        PID:2852
      • C:\Windows\system32\reg.exe
        reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
        3⤵
        PID:2440

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\C477.tmp\C478.tmp\C479.bat

    Filesize

    60KB

    MD5

    1519d1a8abbd449508bb9b092e8128df

    SHA1

    e60bfadccb8447592b47c0a22b4666faefe38308

    SHA256

    f3494881dbf580b7e05437eb564ea79f2cafb0e3a83d1e82aa0e4f9a1ca6a73b

    SHA512

    d8ef4b61824a9cb718bd97972ec03bc6abe21fa7bb95d941a16219034399aed4d13b1fbb0bb8786fe213f65b17e5203e6d1f7254119e2e94cd909b8a09556d52