Overview
overview
10Static
static
10017b236bf3...d6.exe
windows7-x64
1005676f2007...fb.exe
windows7-x64
30a025116a8...57.exe
windows7-x64
81.exe
windows7-x64
818674bbd9a...38.exe
windows7-x64
8234901adb1...b2.exe
windows7-x64
102ae06537d1...b6.exe
windows7-x64
82c02c65090...91.exe
windows7-x64
73.exe
windows7-x64
10329b3ddbf1...f9.exe
windows7-x64
10336fe6e8bc...de.exe
windows7-x64
84bd31921c8...be.exe
windows7-x64
84e180437ef...a9.exe
windows7-x64
1539b0b5d54...05.exe
windows7-x64
1053bf3a0bff...35.exe
windows7-x64
8$PLUGINSDIR/INetC.dll
windows7-x64
35d63c27043...42.exe
windows7-x64
8$PLUGINSDIR/INetC.dll
windows7-x64
35d6e1eeab9...84.exe
windows7-x64
863136e1d44...b5.exe
windows7-x64
8658110c095...6f.exe
windows7-x64
874cafa4165...c5.exe
windows7-x64
888bf025119...30.exe
windows7-x64
59fbf62bd6a...a0.exe
windows7-x64
9a89591555b...df.exe
windows7-x64
10add230a2e7...10.exe
windows7-x64
10c83bf900eb...31.exe
windows7-x64
10ccbf53569b...71.exe
windows7-x64
8db725306e6...8b.exe
windows7-x64
10e035a1741d...5f.exe
windows7-x64
7e2f4dfe61d...f8.exe
windows7-x64
8f10e957b92...41.exe
windows7-x64
8Analysis
-
max time kernel
313s -
max time network
318s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
20-11-2024 13:10
Behavioral task
behavioral1
Sample
017b236bf38a1cf9a52fc0bdee2d5f23f038b00f9811c8a58b8b66b1c756b8d6.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
05676f20078a7802bf07f231105f60bcfc96a20830fb79db26afa570332f97fb.exe
Resource
win7-20240903-en
Behavioral task
behavioral3
Sample
0a025116a860d7568fbda8ed84925cac06b13d6441eddf7428ac79359cd09b57.exe
Resource
win7-20240903-en
Behavioral task
behavioral4
Sample
1.exe
Resource
win7-20240708-en
Behavioral task
behavioral5
Sample
18674bbd9af6e4e7396363a4f7d72312a50514f72ee4c4ceb131738801100438.exe
Resource
win7-20240903-en
Behavioral task
behavioral6
Sample
234901adb1100979c1e842133901f0bb8617683efeed4e3d56245f71f71aa6b2.exe
Resource
win7-20240903-en
Behavioral task
behavioral7
Sample
2ae06537d1e90d4ac1d2bca7c6309c9d1958f3e1ae9d7625bd914b10609d41b6.exe
Resource
win7-20241023-en
Behavioral task
behavioral8
Sample
2c02c650903a9cc289c62b83a56de001871b58531c4da3fc838a32b3b9e84291.exe
Resource
win7-20240903-en
Behavioral task
behavioral9
Sample
3.exe
Resource
win7-20241010-en
Behavioral task
behavioral10
Sample
329b3ddbf1c00b7767f0ec39b90eb9f4f8bd98ace60e2f6b6fbfb9adf25e3ef9.exe
Resource
win7-20241023-en
Behavioral task
behavioral11
Sample
336fe6e8bcdbe46641a6124436547df8e1090d978e3777d220bfa7553c9903de.exe
Resource
win7-20240729-en
Behavioral task
behavioral12
Sample
4bd31921c87104105a1f11a3cbe3a93bf74593220f70bf70f678d2d468c991be.exe
Resource
win7-20240903-en
Behavioral task
behavioral13
Sample
4e180437ef807b6ded234ad54f506d0cff518c980a055013871529b5905a46a9.exe
Resource
win7-20240708-en
Behavioral task
behavioral14
Sample
539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
Resource
win7-20240903-en
Behavioral task
behavioral15
Sample
53bf3a0bfff30e863442524c66ee7ca463b473a9fef5f472b71aa7d5f8216d35.exe
Resource
win7-20241010-en
Behavioral task
behavioral16
Sample
$PLUGINSDIR/INetC.dll
Resource
win7-20240903-en
Behavioral task
behavioral17
Sample
5d63c27043f11cd292e997fdee614389929b9af339ea45ca15159478307ce642.exe
Resource
win7-20240903-en
Behavioral task
behavioral18
Sample
$PLUGINSDIR/INetC.dll
Resource
win7-20240903-en
Behavioral task
behavioral19
Sample
5d6e1eeab943b8b0bdb575aa61ac5353a841c402b36d9b455bb7f0cce5207b84.exe
Resource
win7-20240903-en
Behavioral task
behavioral20
Sample
63136e1d447b73dcb7405b6c7cbfcda31c705cfccaeef0e5df98c623520abfb5.exe
Resource
win7-20240903-en
Behavioral task
behavioral21
Sample
658110c0956289e2b829f018e2322196327e3ab022406c77b4218f963f56ba6f.exe
Resource
win7-20240903-en
Behavioral task
behavioral22
Sample
74cafa416573d3b31e6b4f01e70da21aa8c11f744f784278960b728b9c6208c5.exe
Resource
win7-20241010-en
Behavioral task
behavioral23
Sample
88bf025119fde24e63bbc878cd06f5e8631a6c5fd6b066adc6d9c28c6ca3a230.exe
Resource
win7-20240903-en
Behavioral task
behavioral24
Sample
9fbf62bd6afa7c3269c549b3deae512634f02151f1bed92ff70038b4bf0cf2a0.exe
Resource
win7-20240903-en
Behavioral task
behavioral25
Sample
a89591555b9acb65353c2b854e582bc41db2fbc0eda2210b89a877d1862084df.exe
Resource
win7-20241023-en
Behavioral task
behavioral26
Sample
add230a2e7aabf2ea909f641894d9febc6673cf23623a00ce3f47bc73ec9b310.exe
Resource
win7-20240903-en
Behavioral task
behavioral27
Sample
c83bf900eb759e5de5c8b0697a101ce81573874a440ac07ae4ecbc56c4f69331.exe
Resource
win7-20240708-en
Behavioral task
behavioral28
Sample
ccbf53569be6ca3b092de09ee3ee854c6481e5df8925d57ee4b4d9f0631fe371.exe
Resource
win7-20240903-en
Behavioral task
behavioral29
Sample
db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
Resource
win7-20240729-en
Behavioral task
behavioral30
Sample
e035a1741d10a75402359dec278717e4e32b9d2a9ec1e1834710a2b67aa21f5f.exe
Resource
win7-20241010-en
Behavioral task
behavioral31
Sample
e2f4dfe61de56a38c2218b601ee3f3e49b8dbe8ece3e9d98cdf8358b41da5ff8.exe
Resource
win7-20240903-en
Behavioral task
behavioral32
Sample
f10e957b92fbb2bb57e0a51eeda99dedb1b0720a1be0422b53404d3252bef741.exe
Resource
win7-20240903-en
General
-
Target
e035a1741d10a75402359dec278717e4e32b9d2a9ec1e1834710a2b67aa21f5f.exe
-
Size
107KB
-
MD5
6c34b57397081898a8e3b3f90671afd0
-
SHA1
9741b0ce05fe1f11c6a1b768c12960cdcfbcce8b
-
SHA256
e035a1741d10a75402359dec278717e4e32b9d2a9ec1e1834710a2b67aa21f5f
-
SHA512
7d63e95295273dead2498fe97465a577dbfd9ffb4cba9e37c5306e41083f6659d8f79653e226df2f059174f56985d23b56ce699316f477e5169d975781de7be4
-
SSDEEP
1536:tlDLR6JCLRMfXbOhHULmnPKZ61KiPlQI+2cCKNE+EkvOhEEq/D/fy:tlPOfXa+LmPK/0P+2wNgkGh1q/D/q
Malware Config
Signatures
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in Windows directory 1 IoCs
description ioc Process File opened for modification C:\Windows\Prefetch\READYB~1\READYB~1.ETL cmd.exe -
System Location Discovery: System Language Discovery 1 TTPs 11 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e035a1741d10a75402359dec278717e4e32b9d2a9ec1e1834710a2b67aa21f5f.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe -
Kills process with taskkill 6 IoCs
pid Process 2628 taskkill.exe 2252 taskkill.exe 2980 taskkill.exe 2160 taskkill.exe 1016 taskkill.exe 2764 taskkill.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
description pid Process Token: SeDebugPrivilege 2252 taskkill.exe Token: SeDebugPrivilege 2980 taskkill.exe Token: SeDebugPrivilege 2160 taskkill.exe Token: SeDebugPrivilege 1016 taskkill.exe Token: SeDebugPrivilege 2764 taskkill.exe Token: SeDebugPrivilege 2628 taskkill.exe -
Suspicious use of WriteProcessMemory 40 IoCs
description pid Process procid_target PID 2820 wrote to memory of 2348 2820 e035a1741d10a75402359dec278717e4e32b9d2a9ec1e1834710a2b67aa21f5f.exe 31 PID 2820 wrote to memory of 2348 2820 e035a1741d10a75402359dec278717e4e32b9d2a9ec1e1834710a2b67aa21f5f.exe 31 PID 2820 wrote to memory of 2348 2820 e035a1741d10a75402359dec278717e4e32b9d2a9ec1e1834710a2b67aa21f5f.exe 31 PID 2820 wrote to memory of 2348 2820 e035a1741d10a75402359dec278717e4e32b9d2a9ec1e1834710a2b67aa21f5f.exe 31 PID 2348 wrote to memory of 2252 2348 cmd.exe 32 PID 2348 wrote to memory of 2252 2348 cmd.exe 32 PID 2348 wrote to memory of 2252 2348 cmd.exe 32 PID 2348 wrote to memory of 2252 2348 cmd.exe 32 PID 2348 wrote to memory of 2980 2348 cmd.exe 34 PID 2348 wrote to memory of 2980 2348 cmd.exe 34 PID 2348 wrote to memory of 2980 2348 cmd.exe 34 PID 2348 wrote to memory of 2980 2348 cmd.exe 34 PID 2348 wrote to memory of 2160 2348 cmd.exe 35 PID 2348 wrote to memory of 2160 2348 cmd.exe 35 PID 2348 wrote to memory of 2160 2348 cmd.exe 35 PID 2348 wrote to memory of 2160 2348 cmd.exe 35 PID 2348 wrote to memory of 1016 2348 cmd.exe 36 PID 2348 wrote to memory of 1016 2348 cmd.exe 36 PID 2348 wrote to memory of 1016 2348 cmd.exe 36 PID 2348 wrote to memory of 1016 2348 cmd.exe 36 PID 2348 wrote to memory of 2764 2348 cmd.exe 37 PID 2348 wrote to memory of 2764 2348 cmd.exe 37 PID 2348 wrote to memory of 2764 2348 cmd.exe 37 PID 2348 wrote to memory of 2764 2348 cmd.exe 37 PID 2348 wrote to memory of 2912 2348 cmd.exe 38 PID 2348 wrote to memory of 2912 2348 cmd.exe 38 PID 2348 wrote to memory of 2912 2348 cmd.exe 38 PID 2348 wrote to memory of 2912 2348 cmd.exe 38 PID 2348 wrote to memory of 2628 2348 cmd.exe 39 PID 2348 wrote to memory of 2628 2348 cmd.exe 39 PID 2348 wrote to memory of 2628 2348 cmd.exe 39 PID 2348 wrote to memory of 2628 2348 cmd.exe 39 PID 2348 wrote to memory of 2816 2348 cmd.exe 40 PID 2348 wrote to memory of 2816 2348 cmd.exe 40 PID 2348 wrote to memory of 2816 2348 cmd.exe 40 PID 2348 wrote to memory of 2816 2348 cmd.exe 40 PID 2348 wrote to memory of 2588 2348 cmd.exe 41 PID 2348 wrote to memory of 2588 2348 cmd.exe 41 PID 2348 wrote to memory of 2588 2348 cmd.exe 41 PID 2348 wrote to memory of 2588 2348 cmd.exe 41
Processes
-
C:\Users\Admin\AppData\Local\Temp\e035a1741d10a75402359dec278717e4e32b9d2a9ec1e1834710a2b67aa21f5f.exe"C:\Users\Admin\AppData\Local\Temp\e035a1741d10a75402359dec278717e4e32b9d2a9ec1e1834710a2b67aa21f5f.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2820 -
C:\Windows\SysWOW64\cmd.execmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4341FRTB.bat" "C:\Users\Admin\AppData\Local\Temp\e035a1741d10a75402359dec278717e4e32b9d2a9ec1e1834710a2b67aa21f5f.exe""2⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2348 -
C:\Windows\SysWOW64\taskkill.exeTASKkill /f /im "EpicGamesLauncher.exe" /t /fi "status eq running"3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2252
-
-
C:\Windows\SysWOW64\taskkill.exeTASKkill /f /im "FortniteLauncher.exe" /t /fi "status eq running"3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2980
-
-
C:\Windows\SysWOW64\taskkill.exeTASKkill /f /im "FortniteClient-Win64-Shipping_BE.exe" /t /fi "status eq running"3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2160
-
-
C:\Windows\SysWOW64\taskkill.exeTASKkill /f /im "FortniteClient-Win64-Shipping.exe" /t /fi "status eq running"3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1016
-
-
C:\Windows\SysWOW64\taskkill.exeTASKkill /f /im "EasyAntiCheat.exe" /t /fi "status eq running"3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2764
-
-
C:\Windows\SysWOW64\reg.exeReg delete "HKEY_CURRENT_USER\Software\Epic Games" /f3⤵
- System Location Discovery: System Language Discovery
PID:2912
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM "EpicGamesLauncher.exe" /F3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2628
-
-
C:\Windows\SysWOW64\reg.exereg delete "HKEY_USERS\S-1-5-21-2097722829-2509645790-3642206209-1001\Software\Epic Games" /f3⤵
- System Location Discovery: System Language Discovery
PID:2816
-
-
C:\Windows\SysWOW64\reg.exereg delete "HKEY_CURRENT_USER\Software\Epic Games" /f3⤵
- System Location Discovery: System Language Discovery
PID:2588
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60KB
MD5466a9665349fecae7f7e20b515244b48
SHA14071929bcb4b0300264b006064643ff3d9fa7f26
SHA25690e254b4ed587185a92f4844c6ff4950d2b942ee93d72501127f9a250b2b886a
SHA512096021b9fccf4928cf6cd6130a819e7b5009cd96d8db5d736ab4d9c5c9f8df908e2456d35aa5c295464f4b1bcb4ddbd05cf855e511aa1aada426fd91bed57a9e