Analysis

  • max time kernel: 313s
  • max time network: 318s
  • platform: windows7_x64
  • resource: win7-20241010-en
  • resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted: 20-11-2024 13:10

General

  • Target: e035a1741d10a75402359dec278717e4e32b9d2a9ec1e1834710a2b67aa21f5f.exe
  • Size: 107KB
  • MD5: 6c34b57397081898a8e3b3f90671afd0
  • SHA1: 9741b0ce05fe1f11c6a1b768c12960cdcfbcce8b
  • SHA256: e035a1741d10a75402359dec278717e4e32b9d2a9ec1e1834710a2b67aa21f5f
  • SHA512: 7d63e95295273dead2498fe97465a577dbfd9ffb4cba9e37c5306e41083f6659d8f79653e226df2f059174f56985d23b56ce699316f477e5169d975781de7be4
  • SSDEEP: 1536:tlDLR6JCLRMfXbOhHULmnPKZ61KiPlQI+2cCKNE+EkvOhEEq/D/fy:tlPOfXa+LmPK/0P+2wNgkGh1q/D/q

Signatures

  • Reads user/profile data of web browsers (3 TTPs)

    Infostealers often target stored browser data, which can include saved credentials and similar secrets.

  • Drops file in Windows directory (1 IoC)
  • System Location Discovery: System Language Discovery (1 TTP, 11 IoCs)

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Kills process with taskkill (6 IoCs)
  • Suspicious use of AdjustPrivilegeToken (6 IoCs)
  • Suspicious use of WriteProcessMemory (40 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\e035a1741d10a75402359dec278717e4e32b9d2a9ec1e1834710a2b67aa21f5f.exe
    "C:\Users\Admin\AppData\Local\Temp\e035a1741d10a75402359dec278717e4e32b9d2a9ec1e1834710a2b67aa21f5f.exe"
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2820
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4341FRTB.bat" "C:\Users\Admin\AppData\Local\Temp\e035a1741d10a75402359dec278717e4e32b9d2a9ec1e1834710a2b67aa21f5f.exe""
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2348
      • C:\Windows\SysWOW64\taskkill.exe
        TASKkill /f /im "EpicGamesLauncher.exe" /t /fi "status eq running"
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2252
      • C:\Windows\SysWOW64\taskkill.exe
        TASKkill /f /im "FortniteLauncher.exe" /t /fi "status eq running"
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2980
      • C:\Windows\SysWOW64\taskkill.exe
        TASKkill /f /im "FortniteClient-Win64-Shipping_BE.exe" /t /fi "status eq running"
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2160
      • C:\Windows\SysWOW64\taskkill.exe
        TASKkill /f /im "FortniteClient-Win64-Shipping.exe" /t /fi "status eq running"
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1016
      • C:\Windows\SysWOW64\taskkill.exe
        TASKkill /f /im "EasyAntiCheat.exe" /t /fi "status eq running"
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2764
      • C:\Windows\SysWOW64\reg.exe
        Reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
        • System Location Discovery: System Language Discovery
        PID:2912
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /IM "EpicGamesLauncher.exe" /F
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2628
      • C:\Windows\SysWOW64\reg.exe
        reg delete "HKEY_USERS\S-1-5-21-2097722829-2509645790-3642206209-1001\Software\Epic Games" /f
        • System Location Discovery: System Language Discovery
        PID:2816
      • C:\Windows\SysWOW64\reg.exe
        reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
        • System Location Discovery: System Language Discovery
        PID:2588

Downloads

  • C:\Users\Admin\AppData\Local\Temp\4341FRTB.bat
    Filesize: 60KB
    MD5: 466a9665349fecae7f7e20b515244b48
    SHA1: 4071929bcb4b0300264b006064643ff3d9fa7f26
    SHA256: 90e254b4ed587185a92f4844c6ff4950d2b942ee93d72501127f9a250b2b886a
    SHA512: 096021b9fccf4928cf6cd6130a819e7b5009cd96d8db5d736ab4d9c5c9f8df908e2456d35aa5c295464f4b1bcb4ddbd05cf855e511aa1aada426fd91bed57a9e

  • memory/2820-2-0x0000000000400000-0x0000000000423000-memory.dmp
    Filesize: 140KB