Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    08-09-2024 00:26

General

  • Target

    da0b1a9babfe52ac7137d1000dcf2ccdc6f8a1c48dd906c0e2f62289030f46c3.exe

  • Size

    17KB

  • MD5

    861e1965afa27f2f2f22afc212d73cfc

  • SHA1

    c03580f7f384182434a31aa20294ba977904cae5

  • SHA256

    da0b1a9babfe52ac7137d1000dcf2ccdc6f8a1c48dd906c0e2f62289030f46c3

  • SHA512

    8f5bebcd9ccaa7b16546e3329e48569fab2ba6df4c5789ce848b4d0b3f28e4f226ab7abaf5e4b0ee97af4245a0305ceac17f25fb8901d4ae578af86106c11eeb

  • SSDEEP

    384:x+uPfoQ+DfYMzKdPEsOuubuEG3KHM2/wB:IMAQ+BzWPEwnE+KHM2/wB

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\da0b1a9babfe52ac7137d1000dcf2ccdc6f8a1c48dd906c0e2f62289030f46c3.exe
    "C:\Users\Admin\AppData\Local\Temp\da0b1a9babfe52ac7137d1000dcf2ccdc6f8a1c48dd906c0e2f62289030f46c3.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2120
    • C:\Windows\svhost.exe
      "C:\Windows\svhost.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:3004

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\aeEhMEFJF8Oh6Jj.exe

    Filesize

    17KB

    MD5

    a3c761a169ee98daeaabbcfd60b8a168

    SHA1

    cb28a8711a7d99be7ae3fdfff4782792ba840954

    SHA256

    763c202f89a2ecedd709f29faf5836d3ab663a4434539f0a8a8845bbfac1bb90

    SHA512

    2c87ec83352e4d1f17660d5f98529f74a93331e5f477ff580de49d7f27817c29c8536ac9f40248cdd87fc06fae241ec43f12862681d431786ed9a569b6485699

  • C:\Windows\svhost.exe

    Filesize

    16KB

    MD5

    76fd02b48297edb28940bdfa3fa1c48a

    SHA1

    bf5cae1057a0aca8bf3aab8b121fe77ebb0788ce

    SHA256

    07abd35f09b954eba7011ce18b225017c50168e039732680df58ae703324825c

    SHA512

    28c7bf4785547f6df9d678699a55cfb24c429a2bac5375733ff2f760c92933190517d8acd740bdf69c3ecc799635279af5d7ebd848c5b471318d1f330c441ff0