Analysis

  • max time kernel
    117s
  • max time network
    126s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    27-10-2024 16:32

General

  • Target: a90eb8c84b5a86eea13bf59ed9f21b737f95b010687f08b53936c0c948304455N.exe
  • Size: 1.1MB
  • MD5: a00d4b318d50ecf08163152ac42688d0
  • SHA1: 939067f42103beddfbdb18d85a14b8f5c625e18b
  • SHA256: a90eb8c84b5a86eea13bf59ed9f21b737f95b010687f08b53936c0c948304455
  • SHA512: 82190d1814dcecd1523451c5fe7eb881d0ae7dda2d5d5bbff8eaa445f82df9b1a4dd14b3ab850ae089eb2dbe8f864fadeeacc86e478b4447a4a5a7ba8d4c0230
  • SSDEEP: 12288:ZxrSGNUbTou7XO3LWUQfh4Co67a3iwbihym2g7XO3LWUQfh4Co:ZxAE2fh4CoT+gkE2fh4Co

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive profile data.

  • Drops file in Program Files directory 64 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a90eb8c84b5a86eea13bf59ed9f21b737f95b010687f08b53936c0c948304455N.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\a90eb8c84b5a86eea13bf59ed9f21b737f95b010687f08b53936c0c948304455N.exe"
    PID: 3776
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • C:\Users\Admin\AppData\Local\Temp\eqs77B0.tmp (child of PID 3776)
      Command line: "C:\Users\Admin\AppData\Local\Temp\a90eb8c84b5a86eea13bf59ed9f21b737f95b010687f08b53936c0c948304455N.exe"
      PID: 4684
      • Executes dropped EXE

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Program Files (x86)\Google\Update\1.3.36.371\RCXBD16.tmp
    Filesize: 24KB
    MD5: c016ef1a86325eaa8e3c7c1d0cbe6a9c
    SHA1: 1c0e466ceaae36cc5d24d59e03430a0ca07b6db7
    SHA256: 703e854417e666a42cbf8137637070148dd9c9421b492e5afbcf25405a2a3dd3
    SHA512: 93bdd300a5faaa2e14024719851a08dc341e273b497ec5ac01ab710f422fdb21d6dce0cd9027b3c78d03a80f81db42cca676a6dafd580f264c3940873e026fa7

  • C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\RCXCD8D.tmp
    Filesize: 24KB
    MD5: 2ee82bf31f8f29f17aa432e16e8a9192
    SHA1: 2b9c59b13c5544f818b34536511aa0e89d7df435
    SHA256: fd3f8155e1151ab0e0d91b9455166d05ee026c6914a66ec259202b4ebac86334
    SHA512: c9dfbdbdcdc6a4b3433f8dcb3415d7d7ec22b2098879ba774e1fca720d609ce78203a7ffd54c047fcfadbfda0a115611f3db7461e00b8173f64e186440baca33

  • C:\Program Files\7-Zip\7z.exe
    Filesize: 1.1MB
    MD5: a00d4b318d50ecf08163152ac42688d0
    SHA1: 939067f42103beddfbdb18d85a14b8f5c625e18b
    SHA256: a90eb8c84b5a86eea13bf59ed9f21b737f95b010687f08b53936c0c948304455
    SHA512: 82190d1814dcecd1523451c5fe7eb881d0ae7dda2d5d5bbff8eaa445f82df9b1a4dd14b3ab850ae089eb2dbe8f864fadeeacc86e478b4447a4a5a7ba8d4c0230

  • C:\Program Files\7-Zip\RCX2CAC.tmp
    Filesize: 12KB
    MD5: 31ca51862b31bcf129556d16f467af09
    SHA1: 5a211b99259a8b98aba5b281f57d2dbd6cf3325f
    SHA256: c02959bf05c6802755bda953e649cbdb7cdb03ba0a4f458a84e575dcee0e907c
    SHA512: ceb6864b90a5f8eb8192f4de5914a3aca6788dbca27d724be07484f18cb4d8c6cf6c5adeac6956d21ad15f695b959d1d6712a2ca876b50e24f4591e6e8b6f47f

  • C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\RCX7606.tmp
    Filesize: 3.9MB
    MD5: 8235f9a7dee83ae3d73106b9251955e2
    SHA1: b52abb012d8bf8ce8ad295627d04a6426a78eb8d
    SHA256: 9bbe361214bfe67297317b49a7b995cc8849a5ac298bbe7a8782c214d82ed1d6
    SHA512: 544a02f19d6f53930979232ac63ed53b749b70ec606e1ed06bd9a0b02cdd1cd0f24968149c265d8198560c8dcc11480b837a20aa489fddc524f28c8b6c119b5c

  • C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\xlicons.exe
    Filesize: 8.2MB
    MD5: 90ef8b52adf2917ed0bf8abcfd634d42
    SHA1: a3e11a32e6531f5f681e5869878290d90dad93c3
    SHA256: 5accb1ac4f3b653192f3e792bbe48cd309e2bd3bab69575219710fc78bd535db
    SHA512: 04263c4e70a96e1327d8984708510e71609a82d2f746d9edddcb39a0740c054e1eebee081a4650224860cd414aa389c20f56a963f831abac47094fa29cf21e00

  • C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-1000-0000000FF1CE}\RCX7AFE.tmp
    Filesize: 1007KB
    MD5: 53889c85c32108f93022352ea52f0ddd
    SHA1: a0f6da80f0a2a2b700a2670e89c3e58a27ea956f
    SHA256: b19c6539228d8c64bbec068c8101792ee86e8c38d9488a787aa4cb922e2fc647
    SHA512: 5dfaa70902305b71e2425168850bba293a24bc2bc76f08991e1e2c8fe6f780b2287cb0e312c636bbef578734846f881c94479c151684e55415c4c8529dd8085e

  • C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\vcredist_x64.exe
    Filesize: 471KB
    MD5: 59dbe39c9ae8f8f6b2a667d65dcbcb56
    SHA1: 61393a4c69407671fc5a8fc30ddcc4d5c27b7868
    SHA256: c1cb0ee24ce7657126b2cbc8820ea012eb9d0f72cba5184721dd23ce4aea07ee
    SHA512: 610a251c3ba3f851bbdf85084f0f960bae98ac4c6a02e09723ce0b53c23dd2e84179f52286d798e104dc5c3e18719ecfe986a5bd14207ac710197e9728d28eec

  • C:\Users\Admin\AppData\Local\Temp\eqs77B0.tmp
    Filesize: 544KB
    MD5: 9a1dd1d96481d61934dcc2d568971d06
    SHA1: f136ef9bf8bd2fc753292fb5b7cf173a22675fb3
    SHA256: 8cebb25e240db3b6986fcaed6bc0b900fa09dad763a56fb71273529266c5c525
    SHA512: 7ac1581f8a29e778ba1a1220670796c47fa5b838417f8f635e2cb1998a01515cff3ee57045dacb78a8ec70d43754b970743aba600379fe6d9481958d32d8a5aa