Overview
overview
10Static
static
10017b236bf3...d6.exe
windows7-x64
10017b236bf3...d6.exe
windows10-2004-x64
1005676f2007...fb.exe
windows7-x64
305676f2007...fb.exe
windows10-2004-x64
70a025116a8...57.exe
windows7-x64
80a025116a8...57.exe
windows10-2004-x64
8$PLUGINSDIR/INetC.dll
windows7-x64
3$PLUGINSDIR/INetC.dll
windows10-2004-x64
31.exe
windows7-x64
81.exe
windows10-2004-x64
818674bbd9a...38.exe
windows7-x64
818674bbd9a...38.exe
windows10-2004-x64
8$PLUGINSDIR/INetC.dll
windows7-x64
3$PLUGINSDIR/INetC.dll
windows10-2004-x64
3234901adb1...b2.exe
windows7-x64
10234901adb1...b2.exe
windows10-2004-x64
102ae06537d1...b6.exe
windows7-x64
82ae06537d1...b6.exe
windows10-2004-x64
8$PLUGINSDIR/INetC.dll
windows7-x64
3$PLUGINSDIR/INetC.dll
windows10-2004-x64
32c02c65090...91.exe
windows7-x64
72c02c65090...91.exe
windows10-2004-x64
73.exe
windows7-x64
103.exe
windows10-2004-x64
10329b3ddbf1...f9.exe
windows7-x64
10329b3ddbf1...f9.exe
windows10-2004-x64
10336fe6e8bc...de.exe
windows7-x64
8336fe6e8bc...de.exe
windows10-2004-x64
8$PLUGINSDIR/INetC.dll
windows7-x64
3$PLUGINSDIR/INetC.dll
windows10-2004-x64
34bd31921c8...be.exe
windows7-x64
84bd31921c8...be.exe
windows10-2004-x64
8Analysis
-
max time kernel
118s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
20-11-2024 13:46
Behavioral task
behavioral1
Sample
017b236bf38a1cf9a52fc0bdee2d5f23f038b00f9811c8a58b8b66b1c756b8d6.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
017b236bf38a1cf9a52fc0bdee2d5f23f038b00f9811c8a58b8b66b1c756b8d6.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
05676f20078a7802bf07f231105f60bcfc96a20830fb79db26afa570332f97fb.exe
Resource
win7-20240903-en
Behavioral task
behavioral4
Sample
05676f20078a7802bf07f231105f60bcfc96a20830fb79db26afa570332f97fb.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral5
Sample
0a025116a860d7568fbda8ed84925cac06b13d6441eddf7428ac79359cd09b57.exe
Resource
win7-20241023-en
Behavioral task
behavioral6
Sample
0a025116a860d7568fbda8ed84925cac06b13d6441eddf7428ac79359cd09b57.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral7
Sample
$PLUGINSDIR/INetC.dll
Resource
win7-20240903-en
Behavioral task
behavioral8
Sample
$PLUGINSDIR/INetC.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral9
Sample
1.exe
Resource
win7-20241010-en
Behavioral task
behavioral10
Sample
1.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral11
Sample
18674bbd9af6e4e7396363a4f7d72312a50514f72ee4c4ceb131738801100438.exe
Resource
win7-20240903-en
Behavioral task
behavioral12
Sample
18674bbd9af6e4e7396363a4f7d72312a50514f72ee4c4ceb131738801100438.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral13
Sample
$PLUGINSDIR/INetC.dll
Resource
win7-20240903-en
Behavioral task
behavioral14
Sample
$PLUGINSDIR/INetC.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral15
Sample
234901adb1100979c1e842133901f0bb8617683efeed4e3d56245f71f71aa6b2.exe
Resource
win7-20240903-en
Behavioral task
behavioral16
Sample
234901adb1100979c1e842133901f0bb8617683efeed4e3d56245f71f71aa6b2.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral17
Sample
2ae06537d1e90d4ac1d2bca7c6309c9d1958f3e1ae9d7625bd914b10609d41b6.exe
Resource
win7-20240903-en
Behavioral task
behavioral18
Sample
2ae06537d1e90d4ac1d2bca7c6309c9d1958f3e1ae9d7625bd914b10609d41b6.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral19
Sample
$PLUGINSDIR/INetC.dll
Resource
win7-20240708-en
Behavioral task
behavioral20
Sample
$PLUGINSDIR/INetC.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral21
Sample
2c02c650903a9cc289c62b83a56de001871b58531c4da3fc838a32b3b9e84291.exe
Resource
win7-20240903-en
Behavioral task
behavioral22
Sample
2c02c650903a9cc289c62b83a56de001871b58531c4da3fc838a32b3b9e84291.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral23
Sample
3.exe
Resource
win7-20241010-en
Behavioral task
behavioral24
Sample
3.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral25
Sample
329b3ddbf1c00b7767f0ec39b90eb9f4f8bd98ace60e2f6b6fbfb9adf25e3ef9.exe
Resource
win7-20241010-en
Behavioral task
behavioral26
Sample
329b3ddbf1c00b7767f0ec39b90eb9f4f8bd98ace60e2f6b6fbfb9adf25e3ef9.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral27
Sample
336fe6e8bcdbe46641a6124436547df8e1090d978e3777d220bfa7553c9903de.exe
Resource
win7-20240903-en
Behavioral task
behavioral28
Sample
336fe6e8bcdbe46641a6124436547df8e1090d978e3777d220bfa7553c9903de.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral29
Sample
$PLUGINSDIR/INetC.dll
Resource
win7-20240729-en
Behavioral task
behavioral30
Sample
$PLUGINSDIR/INetC.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral31
Sample
4bd31921c87104105a1f11a3cbe3a93bf74593220f70bf70f678d2d468c991be.exe
Resource
win7-20240903-en
Behavioral task
behavioral32
Sample
4bd31921c87104105a1f11a3cbe3a93bf74593220f70bf70f678d2d468c991be.exe
Resource
win10v2004-20241007-en
General
-
Target
2c02c650903a9cc289c62b83a56de001871b58531c4da3fc838a32b3b9e84291.exe
-
Size
149KB
-
MD5
7b104c571efba855a2e0ef211450fdac
-
SHA1
eaf61901c6e2e148c5e089a52cc2606217a41cfa
-
SHA256
2c02c650903a9cc289c62b83a56de001871b58531c4da3fc838a32b3b9e84291
-
SHA512
92263ffc40fc03c51c5e4b48a9a813721ce80353674979213fae27b49f7b420d5bb35817232069030b812d9dfc44fd23b4fce3186feaa874ae6c8dd853ce69c6
-
SSDEEP
3072:R3FfHgTWmCRkGbKGLeNTBfn+TwnDqKBtv/p50oUJiTZxt09W96NXP:J5aWbksiNTB/+Twn2KP/pOS+y2
Malware Config
Signatures
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in Windows directory 1 IoCs
description ioc Process File opened for modification C:\Windows\Prefetch\READYB~1\READYB~1.ETL cmd.exe -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2c02c650903a9cc289c62b83a56de001871b58531c4da3fc838a32b3b9e84291.exe -
Kills process with taskkill 6 IoCs
pid Process 2404 taskkill.exe 2140 taskkill.exe 1272 taskkill.exe 2736 taskkill.exe 2824 taskkill.exe 2268 taskkill.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
description pid Process Token: SeDebugPrivilege 2268 taskkill.exe Token: SeDebugPrivilege 2404 taskkill.exe Token: SeDebugPrivilege 2140 taskkill.exe Token: SeDebugPrivilege 1272 taskkill.exe Token: SeDebugPrivilege 2736 taskkill.exe Token: SeDebugPrivilege 2824 taskkill.exe -
Suspicious use of WriteProcessMemory 31 IoCs
description pid Process procid_target PID 2156 wrote to memory of 816 2156 2c02c650903a9cc289c62b83a56de001871b58531c4da3fc838a32b3b9e84291.exe 31 PID 2156 wrote to memory of 816 2156 2c02c650903a9cc289c62b83a56de001871b58531c4da3fc838a32b3b9e84291.exe 31 PID 2156 wrote to memory of 816 2156 2c02c650903a9cc289c62b83a56de001871b58531c4da3fc838a32b3b9e84291.exe 31 PID 2156 wrote to memory of 816 2156 2c02c650903a9cc289c62b83a56de001871b58531c4da3fc838a32b3b9e84291.exe 31 PID 816 wrote to memory of 2268 816 cmd.exe 32 PID 816 wrote to memory of 2268 816 cmd.exe 32 PID 816 wrote to memory of 2268 816 cmd.exe 32 PID 816 wrote to memory of 2404 816 cmd.exe 34 PID 816 wrote to memory of 2404 816 cmd.exe 34 PID 816 wrote to memory of 2404 816 cmd.exe 34 PID 816 wrote to memory of 2140 816 cmd.exe 35 PID 816 wrote to memory of 2140 816 cmd.exe 35 PID 816 wrote to memory of 2140 816 cmd.exe 35 PID 816 wrote to memory of 1272 816 cmd.exe 36 PID 816 wrote to memory of 1272 816 cmd.exe 36 PID 816 wrote to memory of 1272 816 cmd.exe 36 PID 816 wrote to memory of 2736 816 cmd.exe 37 PID 816 wrote to memory of 2736 816 cmd.exe 37 PID 816 wrote to memory of 2736 816 cmd.exe 37 PID 816 wrote to memory of 2804 816 cmd.exe 38 PID 816 wrote to memory of 2804 816 cmd.exe 38 PID 816 wrote to memory of 2804 816 cmd.exe 38 PID 816 wrote to memory of 2824 816 cmd.exe 39 PID 816 wrote to memory of 2824 816 cmd.exe 39 PID 816 wrote to memory of 2824 816 cmd.exe 39 PID 816 wrote to memory of 2852 816 cmd.exe 40 PID 816 wrote to memory of 2852 816 cmd.exe 40 PID 816 wrote to memory of 2852 816 cmd.exe 40 PID 816 wrote to memory of 2440 816 cmd.exe 41 PID 816 wrote to memory of 2440 816 cmd.exe 41 PID 816 wrote to memory of 2440 816 cmd.exe 41
Processes
-
C:\Users\Admin\AppData\Local\Temp\2c02c650903a9cc289c62b83a56de001871b58531c4da3fc838a32b3b9e84291.exe"C:\Users\Admin\AppData\Local\Temp\2c02c650903a9cc289c62b83a56de001871b58531c4da3fc838a32b3b9e84291.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2156 -
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\C477.tmp\C478.tmp\C479.bat C:\Users\Admin\AppData\Local\Temp\2c02c650903a9cc289c62b83a56de001871b58531c4da3fc838a32b3b9e84291.exe"2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:816 -
C:\Windows\system32\taskkill.exeTASKkill /f /im "EpicGamesLauncher.exe" /t /fi "status eq running"3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2268
-
-
C:\Windows\system32\taskkill.exeTASKkill /f /im "FortniteLauncher.exe" /t /fi "status eq running"3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2404
-
-
C:\Windows\system32\taskkill.exeTASKkill /f /im "FortniteClient-Win64-Shipping_BE.exe" /t /fi "status eq running"3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2140
-
-
C:\Windows\system32\taskkill.exeTASKkill /f /im "FortniteClient-Win64-Shipping.exe" /t /fi "status eq running"3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1272
-
-
C:\Windows\system32\taskkill.exeTASKkill /f /im "EasyAntiCheat.exe" /t /fi "status eq running"3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2736
-
-
C:\Windows\system32\reg.exeReg delete "HKEY_CURRENT_USER\Software\Epic Games" /f3⤵PID:2804
-
-
C:\Windows\system32\taskkill.exetaskkill /IM "EpicGamesLauncher.exe" /F3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2824
-
-
C:\Windows\system32\reg.exereg delete "HKEY_USERS\S-1-5-21-2097722829-2509645790-3642206209-1001\Software\Epic Games" /f3⤵PID:2852
-
-
C:\Windows\system32\reg.exereg delete "HKEY_CURRENT_USER\Software\Epic Games" /f3⤵PID:2440
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60KB
MD51519d1a8abbd449508bb9b092e8128df
SHA1e60bfadccb8447592b47c0a22b4666faefe38308
SHA256f3494881dbf580b7e05437eb564ea79f2cafb0e3a83d1e82aa0e4f9a1ca6a73b
SHA512d8ef4b61824a9cb718bd97972ec03bc6abe21fa7bb95d941a16219034399aed4d13b1fbb0bb8786fe213f65b17e5203e6d1f7254119e2e94cd909b8a09556d52