Analysis

  • max time kernel: 117s
  • max time network: 119s
  • platform: windows7_x64
  • resource: win7-20240903-en
  • resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted: 21/10/2024, 13:42

General

  • Target: 0797f52124bb6826ddd1775cb1c4d7b89112ab7d27d9f3984d9bea3a1151e688N.exe
  • Size: 1.9MB
  • MD5: 1a00962a3bc0e60b54732a8ce83dc9d0
  • SHA1: d02fddcc0df8892d2a7094b25fa0942864c96b0b
  • SHA256: 0797f52124bb6826ddd1775cb1c4d7b89112ab7d27d9f3984d9bea3a1151e688
  • SHA512: 419c1a89c9bd393835737b62b68709de0e643107bf0121400765f53c28efbc41879d3a7eb1dabf90b95bddb5042e17bf70f3269285139761719cd9c1b705c5d0
  • SSDEEP: 49152:/H92yv4VrRHYlArPlrl/ohdTUzBEoe1CEEoe1CZ:/F4VFFJEoeNEoeM

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops file in Program Files directory 64 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0797f52124bb6826ddd1775cb1c4d7b89112ab7d27d9f3984d9bea3a1151e688N.exe (PID 2532)
    Command line: "C:\Users\Admin\AppData\Local\Temp\0797f52124bb6826ddd1775cb1c4d7b89112ab7d27d9f3984d9bea3a1151e688N.exe"
    • Loads dropped DLL
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • C:\Users\Admin\AppData\Local\Temp\eqs89B9.tmp (PID 2540)
      Command line: "C:\Users\Admin\AppData\Local\Temp\0797f52124bb6826ddd1775cb1c4d7b89112ab7d27d9f3984d9bea3a1151e688N.exe"
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery

Downloads

  • C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe
    Filesize: 1.6MB
    MD5: fc7c9842c50e9d54032ab7fa6b0b772a
    SHA1: fa7f39bcc95e9715b24e57df1dda1fee30cddb08
    SHA256: 4e699d4a0d0cef1b1a3d72fdedc81838db8c8e9f860c4f04b828c3c747ba7faf
    SHA512: 483005bcac23dd0b76339a67166e4a6017b62fc4618848dd718292a1bd498fd3ce57c9f5a423fe905f4a6ea4216562895b0c17204d7f904b42db83286b5662b0

  • C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\RCXE52D.tmp
    Filesize: 12KB
    MD5: ece241325773b09034e036965aff6aa9
    SHA1: 2dea95ca66c980c0f3c5139c9493f7613a0b6d49
    SHA256: 199a8e6acfe3945eeaf145276a95641d7d9241f4afc9f2bbbc7f37827a28eb95
    SHA512: af5a94c0b1dba53f6c4d96f31c0f2ed7cdca5f5b226ca97f6a79b0080dcd13cd1645dc62cc8917e250ed5a0feba833f2aa53795e7d3d6216cc00175b5fac026d

  • C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE
    Filesize: 159KB
    MD5: 2c5f6b0f7a4fcfb1628f3d7f7f83e783
    SHA1: 4e9f45a29a4d288bad02f32e9135bd8670ade666
    SHA256: 3da3f7cdf2f24eaf4c644d3ef12043409d6b820251cbaaf9b810761ae7051b5c
    SHA512: 42e83012c5e564a10338d80b3c02bf322f47c16d5cedb30400ab99015457a1484819465077a84db4c5f2250d6dc68b1813f630127e06f4fc95e6fe18a37e9fa9

  • C:\Program Files\7-Zip\RCXDD4C.tmp
    Filesize: 12KB
    MD5: 31ca51862b31bcf129556d16f467af09
    SHA1: 5a211b99259a8b98aba5b281f57d2dbd6cf3325f
    SHA256: c02959bf05c6802755bda953e649cbdb7cdb03ba0a4f458a84e575dcee0e907c
    SHA512: ceb6864b90a5f8eb8192f4de5914a3aca6788dbca27d724be07484f18cb4d8c6cf6c5adeac6956d21ad15f695b959d1d6712a2ca876b50e24f4591e6e8b6f47f

  • C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\RCXF10E.tmp
    Filesize: 16KB
    MD5: e6f438d111bf7a34a1a4d6fadbbf3b18
    SHA1: e229f19e2a11b6dac111f118794f236e319b69dc
    SHA256: 07dd9e527307701c313d267fbe83d43a30899c91401951140f58b4d736d63f48
    SHA512: 54e161a041d00f0eabfbdcfa1e5254a16081186e9e87684e094dc303f7a5cc1bd11a97636a9fe0573c3a27d714bc1dd10110667711254cca60d52b1e615f3701

  • \Users\Admin\AppData\Local\Temp\eqs89B9.tmp
    Filesize: 437KB
    MD5: 2b12c44848b539f51748499f99d3762c
    SHA1: 46d6ee16760945167e107f19e4100b4e969c2f40
    SHA256: c6e410b1d91ed8cf22fbdc1385d43c3ae2a269f0ba43e88a52e56b4b2c3ac99b
    SHA512: 0f0ed7c0a6f57e79dc7633673a3f20ef7b0c824d0154f18b998f8fe164d391dc426553d2dfbb33010336df2b244624b34944887a8cf3d9aed75f00c4853ed699