Analysis

  • max time kernel
    117s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    31/10/2024, 02:37

General

  • Target

    acd4eedb6c2cc349bba703c30268acea67eafa7e5a6d7e07005bf5ccb624b568N.exe

  • Size

    98KB

  • MD5

    cb410dcc4cade0a487fb85f90d6e65b0

  • SHA1

    4e6b4d6222d9b36bebc324ccdd31813e95636a60

  • SHA256

    acd4eedb6c2cc349bba703c30268acea67eafa7e5a6d7e07005bf5ccb624b568

  • SHA512

    a71781f8497050510abe97736f681b04e6e06b8fead32c60835f624c077371e75daa93ea90f63b9b7f2d02107971d4349aa705d406915bce23a9eb5e5d1d57e1

  • SSDEEP

    1536:Jy6JHfRr4vkK/sTZSGJcXaDNUjVa51UysWqEdU9dldSGyBkch:E6FfREvkgsTv6qDNUgzU7usKGuks

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\acd4eedb6c2cc349bba703c30268acea67eafa7e5a6d7e07005bf5ccb624b568N.exe
    "C:\Users\Admin\AppData\Local\Temp\acd4eedb6c2cc349bba703c30268acea67eafa7e5a6d7e07005bf5ccb624b568N.exe"
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2672
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\ACD4EE~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2684

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

          Filesize

          2.1MB

          MD5

          a7f5691c267a8593b4ded27dace10ea2

          SHA1

          0c31e43c52dc170d5484c2780f1907ded50988fd

          SHA256

          7363b2ea3295880e3c50677eb7db08d841bb40c9b072332737069e64dece820b

          SHA512

          146a15108b6079e8a6d057b45b369858c083094c6937ca781db5b6c4926f12d07850e9857ddeb8d5bc8c7918347d79b4412be59983de7c6bb3f382b41a1dda62

        • C:\Program Files\7-Zip\RCXB4C5.tmp

          Filesize

          9KB

          MD5

          fc80202a8fc434099a9449b2a14c2d75

          SHA1

          9ca544e9bd5f4bfd84e9b769a9adeea8c86d2555

          SHA256

          d3c794a3f404eb37cbf4038683a85678d04b28fc6f5d98f2a24116738de07b51

          SHA512

          98292dc9a96ff137205a7874d3495eae8baa0b51e968d616257a7e7ae4291fe010f47bef923039002827d0ff115f154aafe11bf321d534e0a7870faa40f6d2d4

        • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

          Filesize

          458KB

          MD5

          866454fe10e1eeb551203a35a11be884

          SHA1

          317da88a276a8638a35d6ab5618372fd7cb9f7cc

          SHA256

          265ae7b5af41972bba1f4741c4f96533b2e00657c32073a009b6bbd089641e4b

          SHA512

          213738511c335689d2230286ec6ed9dec7d9efbf9cbb2f7d08106d214482161630010171a3c939df83c9eac02caafb961913d8cf485b1c783d2b0e81f9831efc

        • memory/2672-14-0x0000000000401000-0x0000000000402000-memory.dmp

          Filesize

          4KB