Analysis
max time kernel: 103s
max time network: 138s
platform: windows10-2004_x64
resource: win10v2004-20250313-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250313-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/04/2025, 06:59
Behavioral task: behavioral1
Sample: 9ccfdd44ee5fede8d813441081c37054.exe
Resource: win10v2004-20250313-en
General
Target: 9ccfdd44ee5fede8d813441081c37054.exe
Size: 1.2MB
MD5: 9ccfdd44ee5fede8d813441081c37054
SHA1: 645baedccb045294e5e00e8632316c8d0e349bdc
SHA256: da4d4bdb72382261383f2b08e86cb670a2ca99acef22c5866187371ec537ba91
SHA512: 79f68ee36c42d4d68af62e42cf5c9b7d420c18d7bdca09fb7d40784cf3b95caed41798b47b04e783fdbdff169046ea1bca329ca876a97a663116f385b0271344
SSDEEP: 24576:tHjTwpzGkqDZBI6JNwsqG5nDCsGf5Qa9u+aasbWgxU:RjTwpzGLq6JPDCsGh2r
Malware Config
Signatures

Downloads MZ/PE file (1 IoC)
  flow | pid | Process
  5 | 5900 | 9ccfdd44ee5fede8d813441081c37054.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation | 9ccfdd44ee5fede8d813441081c37054.exe
Executes dropped EXE (3 IoCs)
  pid | Process
  5676 | temp_21726.exe
  3332 | temp_21726.exe
  2980 | winserv.exe
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SystemServices = "C:\\Users\\Admin\\AppData\\Local\\Temp\\temp_21726.exe" | temp_21726.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SystemServices = "C:\\Users\\Admin\\AppData\\Roaming\\Winserv\\winserv.exe" | temp_21726.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | winserv.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | temp_21726.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | temp_21726.exe
Suspicious behavior: EnumeratesProcesses (20 IoCs)
  pid | Process
  5900 | 9ccfdd44ee5fede8d813441081c37054.exe (20 identical entries)
Suspicious use of WriteProcessMemory (9 IoCs)
  description | pid | Process | procid_target
  PID 5900 wrote to memory of 5676 | 5900 | 9ccfdd44ee5fede8d813441081c37054.exe | 91 (3 identical entries)
  PID 5688 wrote to memory of 3332 | 5688 | cmd.exe | 97 (3 identical entries)
  PID 5200 wrote to memory of 2980 | 5200 | cmd.exe | 98 (3 identical entries)
Processes

C:\Users\Admin\AppData\Local\Temp\9ccfdd44ee5fede8d813441081c37054.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\9ccfdd44ee5fede8d813441081c37054.exe"
  PID: 5900
  - Downloads MZ/PE file
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
    Child: C:\Users\Admin\AppData\Local\Temp\temp_21726.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\temp_21726.exe"
      PID: 5676
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\temp_21726.exe
  PID: 5688
  - Suspicious use of WriteProcessMemory
    Child: C:\Users\Admin\AppData\Local\Temp\temp_21726.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\temp_21726.exe
      PID: 3332
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Winserv\winserv.exe
  PID: 5200
  - Suspicious use of WriteProcessMemory
    Child: C:\Users\Admin\AppData\Roaming\Winserv\winserv.exe
      Command line: C:\Users\Admin\AppData\Roaming\Winserv\winserv.exe
      PID: 2980
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
Network

MITRE ATT&CK Enterprise v15
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (2)
    Credentials In Files (2)
Downloads

- Filesize: 192KB
  MD5: b465fe08eecbb39eede010ea5421713d
  SHA1: e5bd8a6df7d3fc131fd187a63bfa2b8871339c35
  SHA256: 29434420cea781d7991bf0f4e2e76eeab5de07676c4d40bc3072108447bea77a
  SHA512: fa81d685963d6aec228b3c01e96a9840beca9d1078ad5aecfaea6b4fc4d64a5b9776ecfe70b03be9acc3df0e356721de780767bc45779cf5a9f76d84c9e195fc

- Filesize: 177KB
  MD5: a84b1c3b52cca1e711f6ab96b6cab2b2
  SHA1: 952516e5427aed05cd12c3007d45cdc46e2e1c64
  SHA256: e77bd161308fe005519f0ac053698ca7e05a76a0fc1e6e2b9f569a1a2c080488
  SHA512: fbca24489be96883f45929d815c72944b9983f7c6a6cf50c894c3d30428d98c0307f182648508d76cd036a6fc1b8780b1a3d3927e95a627d0772365ad553b55c