Overview

overview

10

Static

static

10

c1e76af376...d6.exe

windows7-x64

7

c1e76af376...d6.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    95s
  • max time network
    142s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-11-2024 03:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c1e76af376454bab05e44634ca4e017e7607e41c9df6e067162d28064a1c7cd6.exe

  • Size

    145KB

  • MD5

    913458a5e9eb4026c62609375b534227

  • SHA1

    9739ae38effef090b3b558531e01bf2252bd018f

  • SHA256

    c1e76af376454bab05e44634ca4e017e7607e41c9df6e067162d28064a1c7cd6

  • SHA512

    5b653989cafdbd586216ccd11d243001b066b044df93478f574577f170b72a84b3831c89933c023ac458d8c2d4fb2fe4cdfcac0608806258150c3df101a79275

  • SSDEEP

    1536:DzICS4AAwczUUf8y8gvMH+1zGSNAojMP95D1xDXcl74OOjAp31AyNpCSV6O9xv2T:cqJogYkcSNm9V7DG98YlXjCSV6O9R2T

Score
7/10
defense_evasiondiscoveryspywarestealer

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops desktop.ini file(s) 2 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

    defense_evasion
  • Drops file in System32 directory 4 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 13 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c1e76af376454bab05e44634ca4e017e7607e41c9df6e067162d28064a1c7cd6.exe
    "C:\Users\Admin\AppData\Local\Temp\c1e76af376454bab05e44634ca4e017e7607e41c9df6e067162d28064a1c7cd6.exe"
    1⤵
    • Drops desktop.ini file(s)
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4724
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
      • Drops file in System32 directory
      PID:2080
    • C:\ProgramData\E919.tmp
      "C:\ProgramData\E919.tmp"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4504
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\E919.tmp >> NUL
        3⤵
        • System Location Discovery: System Language Discovery
        PID:716
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
    1⤵
      PID:2564
    • C:\Windows\system32\printfilterpipelinesvc.exe
      C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
      1⤵
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:1528
      • C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
        /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{202E41C7-E542-4302-A725-25259E55C5DA}.xps" 133768058642700000
        2⤵
        • Checks processor information in registry
        • Enumerates system info in registry
        • Suspicious use of SetWindowsHookEx
        PID:3840

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\$Recycle.Bin\S-1-5-21-4050598569-1597076380-177084960-1000\desktop.ini
      Filesize

      129B

      MD5

      4fc6c2cc67b8f5b9b788dc0d1d02c8ab

      SHA1

      7f7c54d8537f72fb9b6bf52d89105ba0e9526faa

      SHA256

      83c904564b37508ecbf91042b5be12c24f7071b521379baa35cb6dad0f22af01

      SHA512

      74914fcbc140c41efac934b95468bc707edffc4b8df7e320e701988c00ae5977a8e225d5483108dcf889e2bf7d6c2bcef84735e0bff979f45a80a647ef88f0fb

      Download Submit

    • C:\88keWj8Nu.README.txt
      Filesize

      452B

      MD5

      95568f7bd4a0e9fd9941c4921048a77c

      SHA1

      99f03265438326936abcbdfd2e1749bf4c6bbac9

      SHA256

      245f37d6b20376964f906368a6884cb7bdc5904a43500e6a7f4c1f7b54c9bf9d

      SHA512

      9991ff278e3768eb9bafaf64787b04bcaec7ef94aaff1e9a80a4e7558e35c35eb13b8fd6650e9dbfaa815b8e8e1e5a5de90e992d8b95f4eef08bde36731bae32

      Download Submit

    • C:\ProgramData\E919.tmp
      Filesize

      14KB

      MD5

      294e9f64cb1642dd89229fff0592856b

      SHA1

      97b148c27f3da29ba7b18d6aee8a0db9102f47c9

      SHA256

      917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

      SHA512

      b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

      Download Submit

    • C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2
      Filesize

      4KB

      MD5

      cf07a182731fc33b2fb4b75b697e2133

      SHA1

      3fe0dd65fe0d327e348a16c3409305acd6df48e5

      SHA256

      0ed93904d60fcd074215390d49dd80819d4e9e3e6a803dffdb1dbc030dea6c30

      SHA512

      9a46aa8712228a66b6b980dc47dbb65882cbf6aa2e74fe2e7061b762e524b96308bfa296a51a7e3a83972accdc73b27e5c99a2ebf18a25d9e7b81410c5b59f7b

      Download Submit

    • F:\$RECYCLE.BIN\S-1-5-21-4050598569-1597076380-177084960-1000\DDDDDDDDDDD
      Filesize

      129B

      MD5

      51d8a1e7f8524e5e6585967e1912b0d2

      SHA1

      be484002cf8a451e020f647978ac9130bdd0b4d8

      SHA256

      a41a086ba3b91b5c87d82479fefbb72ebf42024450703690b77a5225b0fb2443

      SHA512

      3c592997a7771565bd7d57e32dd5843ab914118a49c07381eb9c01ff65cfa34714da16cdb38bd84c98008996792d14627d209c488302d630411f9a6ccdc0837e

      Download Submit

    • memory/3840-2985-0x00007FF90DA70000-0x00007FF90DA80000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3840-2983-0x00007FF90DA70000-0x00007FF90DA80000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3840-2986-0x00007FF90DA70000-0x00007FF90DA80000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3840-2987-0x00007FF90DA70000-0x00007FF90DA80000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3840-2984-0x00007FF90DA70000-0x00007FF90DA80000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3840-2988-0x00007FF90B350000-0x00007FF90B360000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3840-2989-0x00007FF90B350000-0x00007FF90B360000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4724-2966-0x0000000003370000-0x0000000003380000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4724-2968-0x0000000003370000-0x0000000003380000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4724-2967-0x0000000003370000-0x0000000003380000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4724-2-0x0000000003370000-0x0000000003380000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4724-0-0x0000000003370000-0x0000000003380000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4724-1-0x0000000003370000-0x0000000003380000-memory.dmp

      Filesize

      64KB

      Download