Analysis

  • max time kernel
    107s
  • max time network
    119s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    21/10/2024, 13:42

General

  • Target

    0797f52124bb6826ddd1775cb1c4d7b89112ab7d27d9f3984d9bea3a1151e688N.exe

  • Size

    1.9MB

  • MD5

    1a00962a3bc0e60b54732a8ce83dc9d0

  • SHA1

    d02fddcc0df8892d2a7094b25fa0942864c96b0b

  • SHA256

    0797f52124bb6826ddd1775cb1c4d7b89112ab7d27d9f3984d9bea3a1151e688

  • SHA512

    419c1a89c9bd393835737b62b68709de0e643107bf0121400765f53c28efbc41879d3a7eb1dabf90b95bddb5042e17bf70f3269285139761719cd9c1b705c5d0

  • SSDEEP

    49152:/H92yv4VrRHYlArPlrl/ohdTUzBEoe1CEEoe1CZ:/F4VFFJEoeNEoeM

Malware Config

Signatures

  • Executes dropped EXE (1 IoC)
  • Loads dropped DLL (2 IoCs)
  • Reads user/profile data of web browsers (3 TTPs)

    Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.

  • Drops file in Program Files directory (64 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of WriteProcessMemory (3 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\0797f52124bb6826ddd1775cb1c4d7b89112ab7d27d9f3984d9bea3a1151e688N.exe
    "C:\Users\Admin\AppData\Local\Temp\0797f52124bb6826ddd1775cb1c4d7b89112ab7d27d9f3984d9bea3a1151e688N.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3616
    • C:\Users\Admin\AppData\Local\Temp\eqs950C.tmp
      "C:\Users\Admin\AppData\Local\Temp\0797f52124bb6826ddd1775cb1c4d7b89112ab7d27d9f3984d9bea3a1151e688N.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2952

Network

        Downloads

        • C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe

          Filesize

          130KB

          MD5

          6b4f640db3307cc5cc16ac202286c355

          SHA1

          6f4470a76d29112d91ec6c52f912fb5fb19ae522

          SHA256

          deecb970becf18df794f979c050aadd547ef7421cccfc2143ab1c5d014f161db

          SHA512

          a48c92e769454be4fcefb661fd4503576d06aba3106c769728e4973c19fe58aa65d690e163a4db9020b77bf9dc78c62753ef3ba62b88187ab67edc6828658445

        • C:\Program Files (x86)\Google\Update\RCX5863.tmp

          Filesize

          24KB

          MD5

          24bd9543a93a1ae90854cd838044cb1a

          SHA1

          3fc631dfe58a660159607a13f22697e61004cd29

          SHA256

          71040e6ab05bc9a3ad564a3ce408e16d2099cfa3eda03c20070ff0fc5cd08bda

          SHA512

          58802d2d66dd2107af8cc2bcfd2ab1478fb9b4c626bcd3cb34ef9e8e7884ab92921b74f00774b6b3a5d0fa7df0f66eb292de790e1a616a3b7f29b13b330f23dc

        • C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\RCX5E85.tmp

          Filesize

          24KB

          MD5

          2ee82bf31f8f29f17aa432e16e8a9192

          SHA1

          2b9c59b13c5544f818b34536511aa0e89d7df435

          SHA256

          fd3f8155e1151ab0e0d91b9455166d05ee026c6914a66ec259202b4ebac86334

          SHA512

          c9dfbdbdcdc6a4b3433f8dcb3415d7d7ec22b2098879ba774e1fca720d609ce78203a7ffd54c047fcfadbfda0a115611f3db7461e00b8173f64e186440baca33

        • C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\MicrosoftEdgeUpdate.exe

          Filesize

          3.0MB

          MD5

          f6515f978068fe2cf28dc4b3a44ed16b

          SHA1

          e6f4c144b0f190a74ae8da6473bc08332d3d5f20

          SHA256

          4bb6de4aba4472b03088267b255b6feb3ee4b76e3f50d61cb31fa9739ed7091b

          SHA512

          d99c4793e14d44a5654d3e9d30e555791c41df91c0d9d299ec611e229801d64d98f66c0a808890e06c647ddc08edc75b523c491225736bd40922f130036f27a5

        • C:\Program Files (x86)\Mozilla Maintenance Service\RCX5F38.tmp

          Filesize

          39KB

          MD5

          77dbc4532d0527b80563fef9ab9f7d32

          SHA1

          a27cee72780384bc67865e57c2db9b4b4e655d08

          SHA256

          43e174176205b249709b329d274c6493ea3cb4e252bca7b2dcb3a067d8896f43

          SHA512

          bfa715736ba0bfad1723b8fa98e98164f7645ffa741a1b5b957e96a09fc36c8ac96ba3c20b6a4f07e7ebec8a4e7ec3f87a70dda3acf5b0254f925fcda7fc35bf

        • C:\Program Files\7-Zip\7z.exe

          Filesize

          2.0MB

          MD5

          9860d285650144b5670621106291fd56

          SHA1

          2c0a66c7362d1d2a4ed6a56a86abdeac0ab6239b

          SHA256

          7970f96dcc685a3a423bc2a2e156b9e0c3caf0fc8464973bb50c674ffa1c62cd

          SHA512

          b1635214b6a1a1f9dc984aae0f331368570174548ab06d090119752e0d4dcf69796a4993763783e735d261e30c1c3fdfb0d6939789d8922905a967f56bc1227f

        • C:\Program Files\7-Zip\7zFM.exe

          Filesize

          942KB

          MD5

          af59f8fcc27461a6c9db6cf1c4080da4

          SHA1

          cf69515b95e1cf51f70180dc1c4bec61fb69a6bf

          SHA256

          6200d4d7cd8a364738431b0b55c710a8769c8a0d9b95e277633738f9d4435f1d

          SHA512

          3baca97fd25ed29ceeb7b9d08e1c26ca3f3d1d44b080c83da032554f52ce26b65f6b9e95abbc692029d88beab99323f2c13770cbe21b501e605a003934c8fc97

        • C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\RCX4A56.tmp

          Filesize

          3.3MB

          MD5

          1f75518e4bdc08ad0e5872e6d6fa0a3b

          SHA1

          045c2f37078d5bbbcedc98fb554330eace8bbbe9

          SHA256

          ccfa1e9e25c36c6d6a9fa8c80a5e794fee8a2d8934bcf6c4f03e663509aa9a2f

          SHA512

          74010c987b997df3908577cb0191400b16035d72cf6c51acb5f17f340ffcb1d5f505c315aaff816a1049444133d869720003a1731e8a5f16de04d8cbb283ffdf

        • C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\RCX4AF3.tmp

          Filesize

          4.1MB

          MD5

          d54a18ccac3e291cf5d1780314b6959d

          SHA1

          f1892ac192f6421782c5d3f4fa46e83d956dbc1e

          SHA256

          9b3a5b4f572bcce0f6838b9fb5eba7a2d2d7d9ec1e208bfc0f451ff61d098bde

          SHA512

          172dbc0d4b280e0212d82bc83f049505f99b429076d87a6b740483e33f63159087544e3cd6ab67ff05ec1eb0e5f89521da96db42187862b4574f9231a9341700

        • C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-1000-0000000FF1CE}\RCX4BA1.tmp

          Filesize

          1007KB

          MD5

          53889c85c32108f93022352ea52f0ddd

          SHA1

          a0f6da80f0a2a2b700a2670e89c3e58a27ea956f

          SHA256

          b19c6539228d8c64bbec068c8101792ee86e8c38d9488a787aa4cb922e2fc647

          SHA512

          5dfaa70902305b71e2425168850bba293a24bc2bc76f08991e1e2c8fe6f780b2287cb0e312c636bbef578734846f881c94479c151684e55415c4c8529dd8085e

        • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\RCX6092.tmp

          Filesize

          16KB

          MD5

          e51281f5acbc298a898ebf7cd270fad4

          SHA1

          aa54f61b89db033d5d6b39cca971f76730aba054

          SHA256

          dca3096afaab558ecf91ef35f9d3427f7ed2cbc17341067203b9e3e103045867

          SHA512

          bae3e66e0273abc67c174244a6b14468043ac73b013f9d5a3510d615f8de91f5ce76afc3339d4ac7546274cadeb28261ead730791e252bc42623c2d5f218683c

        • C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\vcredist_x64.exe

          Filesize

          471KB

          MD5

          59dbe39c9ae8f8f6b2a667d65dcbcb56

          SHA1

          61393a4c69407671fc5a8fc30ddcc4d5c27b7868

          SHA256

          c1cb0ee24ce7657126b2cbc8820ea012eb9d0f72cba5184721dd23ce4aea07ee

          SHA512

          610a251c3ba3f851bbdf85084f0f960bae98ac4c6a02e09723ce0b53c23dd2e84179f52286d798e104dc5c3e18719ecfe986a5bd14207ac710197e9728d28eec

        • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\OneDriveSetup.exe

          Filesize

          27.0MB

          MD5

          eb8d0840836181126ee23df607d9eaea

          SHA1

          a22788e9444bc72b37071a5445ad5be85a6ce283

          SHA256

          dbb6ccc5364745f5370f6e743588677982dc8dc0ec0e6384a3cac86d7f138b9e

          SHA512

          983efbfcfe8d7ba2a5ccb58e23cef8009be18f52d68df998569abca8b56ec2df69027f3729bb77d868cc38715a79eb0525610f85d8cac18ec783bc65b34c51f4

        • C:\Users\Admin\AppData\Local\Temp\eqs950C.tmp

          Filesize

          437KB

          MD5

          2b12c44848b539f51748499f99d3762c

          SHA1

          46d6ee16760945167e107f19e4100b4e969c2f40

          SHA256

          c6e410b1d91ed8cf22fbdc1385d43c3ae2a269f0ba43e88a52e56b4b2c3ac99b

          SHA512

          0f0ed7c0a6f57e79dc7633673a3f20ef7b0c824d0154f18b998f8fe164d391dc426553d2dfbb33010336df2b244624b34944887a8cf3d9aed75f00c4853ed699

        • memory/3616-0-0x0000000000401000-0x0000000000402000-memory.dmp

          Filesize

          4KB