Analysis

  • max time kernel
    118s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    27-10-2024 16:32

General

  • Target
    a90eb8c84b5a86eea13bf59ed9f21b737f95b010687f08b53936c0c948304455N.exe
  • Size
    1.1MB
  • MD5
    a00d4b318d50ecf08163152ac42688d0
  • SHA1
    939067f42103beddfbdb18d85a14b8f5c625e18b
  • SHA256
    a90eb8c84b5a86eea13bf59ed9f21b737f95b010687f08b53936c0c948304455
  • SHA512
    82190d1814dcecd1523451c5fe7eb881d0ae7dda2d5d5bbff8eaa445f82df9b1a4dd14b3ab850ae089eb2dbe8f864fadeeacc86e478b4447a4a5a7ba8d4c0230
  • SSDEEP
    12288:ZxrSGNUbTou7XO3LWUQfh4Co67a3iwbihym2g7XO3LWUQfh4Co:ZxAE2fh4CoT+gkE2fh4Co

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and similar secrets.

  • Drops file in Program Files directory 64 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a90eb8c84b5a86eea13bf59ed9f21b737f95b010687f08b53936c0c948304455N.exe
    "C:\Users\Admin\AppData\Local\Temp\a90eb8c84b5a86eea13bf59ed9f21b737f95b010687f08b53936c0c948304455N.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1724
    • C:\Users\Admin\AppData\Local\Temp\eqsC439.tmp
      "C:\Users\Admin\AppData\Local\Temp\a90eb8c84b5a86eea13bf59ed9f21b737f95b010687f08b53936c0c948304455N.exe"
      2⤵
      • Executes dropped EXE
      PID:2972

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe
    Filesize
    689KB
    MD5
    687c9b771137683b9d66ebd661981a5c
    SHA1
    7acd675b9de790f13bd3595e98394f7ebfd44811
    SHA256
    d13c5f38b2d20a5cf1c384768a1ba4b854fcfb3623f02fdaa93c22a3d32dfbc4
    SHA512
    abd2277079923d7f77076c1f040fd9824a2d26cbe27605416131826ad98351e1607e5bfea0a47be070975d770cb29074db037112921c91a9bf59e656dc532bad
  • C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE
    Filesize
    843KB
    MD5
    f8924c9f594cdf6c907d34c666961623
    SHA1
    d4e8581586a443811ae6ed7d52f789539f33a1eb
    SHA256
    e529a429f61857415436be79562ba20d471ab85ffb56a76191c6da2205aa5b45
    SHA512
    da09d001261fe1362ce92e6edcebff41bbdad203d28b36bec03b37b6da2a3000726c0a81f3dc3f16a2231f4dd36aa5428bf6b644fb337a1dc683c44431b8ad73
  • C:\Program Files\7-Zip\RCX1AA9.tmp
    Filesize
    12KB
    MD5
    31ca51862b31bcf129556d16f467af09
    SHA1
    5a211b99259a8b98aba5b281f57d2dbd6cf3325f
    SHA256
    c02959bf05c6802755bda953e649cbdb7cdb03ba0a4f458a84e575dcee0e907c
    SHA512
    ceb6864b90a5f8eb8192f4de5914a3aca6788dbca27d724be07484f18cb4d8c6cf6c5adeac6956d21ad15f695b959d1d6712a2ca876b50e24f4591e6e8b6f47f
  • \Users\Admin\AppData\Local\Temp\eqsC439.tmp
    Filesize
    544KB
    MD5
    9a1dd1d96481d61934dcc2d568971d06
    SHA1
    f136ef9bf8bd2fc753292fb5b7cf173a22675fb3
    SHA256
    8cebb25e240db3b6986fcaed6bc0b900fa09dad763a56fb71273529266c5c525
    SHA512
    7ac1581f8a29e778ba1a1220670796c47fa5b838417f8f635e2cb1998a01515cff3ee57045dacb78a8ec70d43754b970743aba600379fe6d9481958d32d8a5aa