Analysis

  • max time kernel
    135s
  • max time network
    139s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    24-12-2024 15:03

General

  • Target

    OkEgjVmQ0rPYTjBDwBy70NyH.exe

  • Size

    1.8MB

  • MD5

    53074ccaf36bc24fd4286062f0cdac98

  • SHA1

    2ca97c4d5dfacfc29d8feee90cd7de2eff651225

  • SHA256

    d654c6c1643997b6c6d8e8133e867e52c3176f3e6ed3827ea5f4e29023817115

  • SHA512

    4a47f2fad7dcf2fefb8fd4ed2714b90f13b4cfec755521db27fb131fce068168f31e1edb0d2dc7f5eb867f992063a37ce5022e7a8a894f906fc91ed1c1be6ef5

  • SSDEEP

    49152:78492ViONKb0EK/vxtzuViYcqePo2GJKFg8764CTaCowwvgv:7fDuZDHr6ctUKFj764CTa1wggv

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely as a geofence check.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 4 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and session tokens.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 10 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\OkEgjVmQ0rPYTjBDwBy70NyH.exe
    "C:\Users\Admin\AppData\Local\Temp\OkEgjVmQ0rPYTjBDwBy70NyH.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:880
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\se.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\se.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of WriteProcessMemory
      PID:524
      • C:\Windows\SYSTEM32\cmd.exe
        cmd /c copy /Y C:\Users\Admin\AppData\Local\Google\Chrome\"User Data"\Default\Network\Cookies C:\Users\Admin\AppData\Local\Google\Chrome\"User Data"\Default\Cookies
        3⤵
          PID:4848
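The cmd.exe child of se.exe (PID 4848) copies Chrome's cookie database from `User Data\Default\Network\Cookies` back to `User Data\Default\Cookies`. Chrome moved the cookie DB into the `Network` subfolder in version 96; a stealer that copies it back to the old path is most likely feeding a parser that still hard-codes the pre-96 location. The command line also shows cmd.exe's tolerance for quotes in the middle of a path (`Chrome\"User Data"\Default`), which defeats naive token-based matching. The following Python is an added detection example, not part of the sandbox output: it runs over constructed Sysmon Event ID 1-style process-creation events (field names `ProcessId`, `ParentImage`, `Image`, `CommandLine` are assumed), flags any non-browser process whose command line references a Chromium cookie DB, and records whether the destination is the legacy path.

```python
"""Detection example: a non-browser process copying a Chromium cookie DB.

Added example for this report, not part of the sandbox output.  Events are
constructed to mirror the cmd.exe line seen under PID 4848 (plus benign
noise) and use Sysmon Event ID 1 field names (assumption); a real pipeline
would feed parsed EVTX/JSON events into scan() instead.
"""
from __future__ import annotations

import re

# Browser binaries that legitimately touch their own profile; anything else
# referencing the cookie database is worth a look.
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "chromium.exe", "brave.exe", "opera.exe"}

# Shell / PowerShell verbs that read or duplicate a file.
FILE_VERBS = {"copy", "xcopy", "move", "robocopy", "type", "copy-item", "get-content"}

# Chromium profile cookie DB at its current location (...\<profile>\Network\Cookies,
# Chrome 96+) or its legacy location (...\<profile>\Cookies).  Matched against a
# command line with the double quotes removed, so "User Data" is a literal space.
COOKIE_DB = re.compile(
    r"(?:[^\s\\]+\\)*?user data\\(?P<profile>[^\\\s]+)\\(?P<network>network\\)?cookies(?=\s|$)",
    re.IGNORECASE,
)

# Constructed Sysmon-style process-creation events (not real telemetry).
EVENTS = [
    {   # mirrors the cmd.exe child of se.exe in this report
        "ProcessId": 4848,
        "ParentImage": r"C:\Users\Admin\AppData\Local\Temp\RarSFX0\se.exe",
        "Image": r"C:\Windows\SYSTEM32\cmd.exe",
        "CommandLine": (
            r'cmd /c copy /Y C:\Users\Admin\AppData\Local\Google\Chrome\"User Data"\Default\Network\Cookies '
            r'C:\Users\Admin\AppData\Local\Google\Chrome\"User Data"\Default\Cookies'
        ),
    },
    {   # the browser reading its own profile: benign
        "ProcessId": 3120,
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory=Default',
    },
    {   # an ordinary copy that never touches a browser profile: benign
        "ProcessId": 5100,
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"cmd /c copy /Y C:\Users\Admin\Documents\report.docx D:\backup\report.docx",
    },
]


def analyze(event: dict) -> dict | None:
    """Return a finding for one event, or None if it looks benign."""
    image = event["Image"].rsplit("\\", 1)[-1].lower()
    if image in BROWSER_IMAGES:
        return None
    # cmd.exe accepts quotes anywhere inside a path (...\Chrome\"User Data"\...),
    # so strip them before matching instead of tokenising with shlex.
    cmd = event["CommandLine"].replace('"', "")
    hits = list(COOKIE_DB.finditer(cmd))
    if not hits:
        return None
    tokens = [t.lower() for t in cmd.split()]
    verb = next((t for t in tokens if t in FILE_VERBS), "reference")
    source, dest = hits[0], (hits[1] if len(hits) > 1 else None)
    return {
        "pid": event["ProcessId"],
        "parent": event["ParentImage"],
        "verb": verb,
        "profile": source.group("profile"),
        "source": source.group(0),
        "dest": dest.group(0) if dest else None,
        # Copying the live Network\Cookies DB to the pre-Chrome-96 path is the
        # tell of a stealer whose SQLite parser hard-codes the old location.
        "legacy_destination": dest is not None and dest.group("network") is None,
    }


def scan(events) -> list[dict]:
    """Run analyze() over an iterable of events and keep the findings."""
    return [f for f in map(analyze, events) if f]


if __name__ == "__main__":
    for finding in scan(EVENTS):
        print(finding)
```

Two caveats when turning this into a production rule: profile directories other than `Default` (e.g. `Profile 1`) contain a space, so they only match when the attacker quotes the whole path, and the browser allow-list should be keyed on signer or hash rather than file name, since a stealer can trivially name itself `chrome.exe`.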

    Network

    MITRE ATT&CK Enterprise v15


    Downloads

    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\MSVCP140.dll

      Filesize

      554KB

      MD5

      c7a693fcffcb6c245282d1132e38ac5b

      SHA1

      8965f69c938eecb2226ad7329a9df5109d93cb8c

      SHA256

      a8102891d06b5f21c35c67e4ab26eb84f54405b67e67eaf75dadc62cef08b55a

      SHA512

      321456ae04eb392734a0aba27e965500467d58dc1277fc550b6573916607ba53c686db05219ce326fb3f9289cc4430b85990362f630e4a7829345067986ca6d2

    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\VCRUNTIME140_1.dll

      Filesize

      36KB

      MD5

      d76532f224b6648179b77525326e8754

      SHA1

      cb0a90adf84b9c19e750b166789452693f031053

      SHA256

      0d8217dbb0d52a3f8cd233b089131ca19aa6e0fc0c0fb10081f3c50761f5d15e

      SHA512

      721b4f0f55fbeefa394d3471c66d32e2f0f452f9977987450b1662b8e2e9a88d1b9c014b5f2a4b378d99f6fe4de6b5810f8b00157ae25b0de2a3bf3e211ea2fc

    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\role

      Filesize

      10B

      MD5

      0baa1de3318d435d5526a5e52b25781f

      SHA1

      0980b54b754816d311c96cc8f6ea37484e740958

      SHA256

      fc6094f4a447b5ee0615ff35f1193237e4f13f0d678f86027f0ddab2e48dfbb0

      SHA512

      d2d98859345dcfaa7a6a8b709558f4348adb8b2ea356e4126c67a98be5fc80fac3e8d2e592241b048b0be60d8ca2195a72ab21c88697727796a6d460e7fdcd43

    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\se.exe

      Filesize

      1.7MB

      MD5

      7571ef964723c0fcb4d49c0d91e84be3

      SHA1

      a748b97e1e22cfeca1f1a18ed27b6bfc445648f7

      SHA256

      45dd69c56eb90b6a8fb9663d0f86c16bf3dd2eaa9e15119db8dca75247f150c3

      SHA512

      ba4fb0f9494d5ded543779ca3c2adb4be352a4f813c7287e8e35133a20a3bb80eae1ef91a64517bb83ddc17d1c9ac6aae7ba352cb708ff7975a8e87ee52b8cc5

    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\vcruntime140.dll

      Filesize

      94KB

      MD5

      6e34fc4a713c3fbd88e47ac188d2540d

      SHA1

      1877a17da406d147566168c56aac1eb576782b37

      SHA256

      d8faf8ebf360ed0b3b1a43877a04863f7e044b3d19b641d88737e0829d683b36

      SHA512

      848a1d9602210d7da0f6e4d7817af08dc02baac7eccf1cfaadaf3a24b55e1316e77c40672a6a1195797e525f448817e534ae200e99cdf548ee64a7996fbcec4f

    • memory/524-19-0x0000000140000000-0x0000000140215000-memory.dmp

      Filesize

      2.1MB

    • memory/524-27-0x0000000140000000-0x0000000140215000-memory.dmp

      Filesize

      2.1MB

    • memory/524-28-0x0000000140000000-0x0000000140215000-memory.dmp

      Filesize

      2.1MB

    • memory/524-29-0x0000000140001000-0x0000000140066000-memory.dmp

      Filesize

      404KB

    • memory/524-33-0x0000000140000000-0x0000000140215000-memory.dmp

      Filesize

      2.1MB

    • memory/524-36-0x0000000140000000-0x0000000140215000-memory.dmp

      Filesize

      2.1MB