400c24bdb9b7dabfcd9a8a2f137550f338014d833d169c6e6f4252910fb95feb

Analysis

max time kernel
103s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a2c94b545313da9045688c2829942864.exe
Size

490KB
MD5

a2c94b545313da9045688c2829942864
SHA1

58e891fef526b56e14e9a00410314f29ed2adbf2
SHA256

3d0625dd449a820fe8bcc1d9d941ebf7ca64e8ada2f2dda1493e31fad8f9ce67
SHA512

11a76466143dcd1b0e075c1ceb43eac72910e423807f2da5e35071e207d2fdec312156ea36aacd6f72865adc4e69de549cc48185282c7c5b7803aeb27c5e7b09
SSDEEP

6144:Y/bEd8CMqRmP+lFxOKKIrX4svtTGUrsQsKE9khDf5Wgy0R/E2Sq1eYh8IvA:OevMqwWlDmHQJ5HyaEDq5iIvA

Score

7^/10

spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	a2c94b545313da9045688c2829942864.exe

Executes dropped EXE 1 IoCs

pid	Process
1532	Chrome_boostrap.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
24	ip-api.com

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Chrome\Application\Chrome_boostrap.exe	a2c94b545313da9045688c2829942864.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	a2c94b545313da9045688c2829942864.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	a2c94b545313da9045688c2829942864.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
4432	a2c94b545313da9045688c2829942864.exe
4432	a2c94b545313da9045688c2829942864.exe
4432	a2c94b545313da9045688c2829942864.exe
4432	a2c94b545313da9045688c2829942864.exe
4432	a2c94b545313da9045688c2829942864.exe
4432	a2c94b545313da9045688c2829942864.exe
4432	a2c94b545313da9045688c2829942864.exe
4432	a2c94b545313da9045688c2829942864.exe
4432	a2c94b545313da9045688c2829942864.exe
4432	a2c94b545313da9045688c2829942864.exe
4432	a2c94b545313da9045688c2829942864.exe
4432	a2c94b545313da9045688c2829942864.exe
4432	a2c94b545313da9045688c2829942864.exe
4432	a2c94b545313da9045688c2829942864.exe
4432	a2c94b545313da9045688c2829942864.exe
4432	a2c94b545313da9045688c2829942864.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4432	a2c94b545313da9045688c2829942864.exe
Token: SeDebugPrivilege	4432	a2c94b545313da9045688c2829942864.exe
Token: SeDebugPrivilege	4432	a2c94b545313da9045688c2829942864.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4432 wrote to memory of 1532	4432	a2c94b545313da9045688c2829942864.exe	88
PID 4432 wrote to memory of 1532	4432	a2c94b545313da9045688c2829942864.exe	88

C:\Users\Admin\AppData\Local\Temp\a2c94b545313da9045688c2829942864.exe
"C:\Users\Admin\AppData\Local\Temp\a2c94b545313da9045688c2829942864.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4432
- C:\Program Files\Google\Chrome\Application\Chrome_boostrap.exe
  "C:\Program Files\Google\Chrome\Application\Chrome_boostrap.exe"
  2⤵
  - Executes dropped EXE
  PID:1532

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\Application\Chrome_boostrap.exe

Filesize
37KB

MD5
af69d667761ef87674be3d231a0ae0e6

SHA1
a938c72cfd162d097391d3f53f0097fda5a9543f

SHA256
55b2905b08f0715379db90291712363f16a80b3bfb33513012cb9ac7cbff4343

SHA512
32a1994162bb873da35f99816b8740b61e8f9b5a3e22e4aa19704848b4760208f23989f174822669a3105719647c3db9145ae0a227cf41d967d50935da66c4ab

Download Submit
C:\Windows\Temp\Log_SystemCLS.txt

Filesize
44B

MD5
b40c2af76689ed7dbb384575ecf7f46e

SHA1
8cf4491f0263c3124d320dddb737b27401d00d40

SHA256
f8c77bc67a211ae8379427b72f02fe0910e0a02f857d162bc43153b09b090909

SHA512
0836e0636ce268169cc61fc9af3f33a890cf10f541827e554877b2c60468fef3db2b4d92689768e9de194762d74f67e0db8a2b6f3276293cc187c835cee5f946

Download Submit
memory/4432-0-0x00007FF80D2E3000-0x00007FF80D2E5000-memory.dmp

Filesize
8KB

Download
memory/4432-1-0x000002B0E3E80000-0x000002B0E3F00000-memory.dmp

Filesize
512KB

Download
memory/4432-2-0x000002B0FE580000-0x000002B0FE742000-memory.dmp

Filesize
1.8MB

Download
memory/4432-3-0x000002B0E43B0000-0x000002B0E4426000-memory.dmp

Filesize
472KB

Download
memory/4432-5-0x000002B0E4330000-0x000002B0E4380000-memory.dmp

Filesize
320KB

Download
memory/4432-6-0x00007FF80D2E0000-0x00007FF80DDA1000-memory.dmp

Filesize
10.8MB

Download
memory/4432-16-0x000002B080850000-0x000002B080D78000-memory.dmp

Filesize
5.2MB

Download
memory/4432-17-0x000002B0E42B0000-0x000002B0E42C2000-memory.dmp

Filesize
72KB

Download
memory/4432-18-0x000002B0E42D0000-0x000002B0E42EE000-memory.dmp

Filesize
120KB

Download
memory/4432-20-0x00007FF80D2E0000-0x00007FF80DDA1000-memory.dmp

Filesize
10.8MB

Download