Analysis

  • max time kernel
    105s
  • max time network
    106s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    31/10/2024, 02:37

General

  • Target

    acd4eedb6c2cc349bba703c30268acea67eafa7e5a6d7e07005bf5ccb624b568N.exe

  • Size

    98KB

  • MD5

    cb410dcc4cade0a487fb85f90d6e65b0

  • SHA1

    4e6b4d6222d9b36bebc324ccdd31813e95636a60

  • SHA256

    acd4eedb6c2cc349bba703c30268acea67eafa7e5a6d7e07005bf5ccb624b568

  • SHA512

    a71781f8497050510abe97736f681b04e6e06b8fead32c60835f624c077371e75daa93ea90f63b9b7f2d02107971d4349aa705d406915bce23a9eb5e5d1d57e1

  • SSDEEP

    1536:Jy6JHfRr4vkK/sTZSGJcXaDNUjVa51UysWqEdU9dldSGyBkch:E6FfREvkgsTv6qDNUgzU7usKGuks

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\acd4eedb6c2cc349bba703c30268acea67eafa7e5a6d7e07005bf5ccb624b568N.exe
    "C:\Users\Admin\AppData\Local\Temp\acd4eedb6c2cc349bba703c30268acea67eafa7e5a6d7e07005bf5ccb624b568N.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4868
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\ACD4EE~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:888
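
The process tree above shows the sample spawning cmd.exe to delete its own image (the 8.3 short name ACD4EE~1.EXE refers to the dropped file), which is the behaviour behind the "Indicator Removal: File Deletion" signature. The following is an added detection example, not part of the sandbox report or its tooling: it runs over constructed process-creation events (the two processes from this tree plus a benign cmd.exe), whose pid/ppid/image/command_line shape is an assumption modelled on Sysmon event 1 fields, and flags a cmd.exe whose `del` target resolves to its parent's executable, including when the target is written as an 8.3 short name.

```python
"""Flag a process that deletes its own image via "cmd.exe /c del <self>".

Added example for this report, not the sandbox's own code. Event layout
(pid, ppid, image, command_line) is an assumption modelled on Sysmon event 1.
"""
import re
from pathlib import PureWindowsPath

# Matches "del [/switches] <target>"; quotes around the target are optional and
# a trailing "> nul" redirection is excluded from the capture.
DEL_RE = re.compile(r'\bdel\s+(?:/[a-z]\s+)*"?([^"\s>]+)"?', re.IGNORECASE)


def short_name_matches(short: str, long: str) -> bool:
    """True if an 8.3 short name such as ACD4EE~1.EXE could refer to `long`.

    Windows derives the short form from the first six legal characters of the
    long name (upper-cased, spaces and periods removed), a tilde and a digit,
    and the first three characters of the extension.
    """
    m = re.fullmatch(r'([^~]{1,6})~\d+(\.[^.]{0,3})?', short, re.IGNORECASE)
    if not m:
        return False
    prefix, ext = m.group(1).upper(), (m.group(2) or '').upper()
    lp = PureWindowsPath(long)
    stem = re.sub(r'[\s.]', '', lp.stem).upper()
    return stem.startswith(prefix) and lp.suffix.upper()[:4] == ext


def same_file(target: str, image: str) -> bool:
    """Case-insensitive path comparison that also accepts an 8.3 short name."""
    t, i = PureWindowsPath(target), PureWindowsPath(image)
    if str(t.parent).lower() != str(i.parent).lower():
        return False
    if t.name.lower() == i.name.lower():
        return True
    return short_name_matches(t.name, i.name)


def find_self_deletion(events):
    """Return (parent_pid, parent_image, deleted_target) for each self-delete."""
    by_pid = {e['pid']: e for e in events}
    alerts = []
    for e in events:
        if PureWindowsPath(e['image']).name.lower() != 'cmd.exe':
            continue
        m = DEL_RE.search(e['command_line'])
        parent = by_pid.get(e['ppid'])
        if not m or parent is None:
            continue
        if same_file(m.group(1), parent['image']):
            alerts.append((parent['pid'], parent['image'], m.group(1)))
    return alerts


SAMPLE = r'C:\Users\Admin\AppData\Local\Temp\acd4eedb6c2cc349bba703c30268acea67eafa7e5a6d7e07005bf5ccb624b568N.exe'

# Constructed events: the two processes from the report's tree plus a benign
# explorer-launched cmd.exe deleting an unrelated file (pid 1234/1500 invented).
EVENTS = [
    {'pid': 1234, 'ppid': 1, 'image': r'C:\Windows\explorer.exe',
     'command_line': r'C:\Windows\explorer.exe'},
    {'pid': 4868, 'ppid': 1234, 'image': SAMPLE, 'command_line': f'"{SAMPLE}"'},
    {'pid': 888, 'ppid': 4868, 'image': r'C:\Windows\SysWOW64\cmd.exe',
     'command_line': r'"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\ACD4EE~1.EXE > nul'},
    {'pid': 1500, 'ppid': 1234, 'image': r'C:\Windows\System32\cmd.exe',
     'command_line': r'cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\report.tmp'},
]

if __name__ == '__main__':
    for pid, image, target in find_self_deletion(EVENTS):
        print(f'self-deletion: pid {pid} ({image}) removed via {target}')
```

The short-name handling matters in practice: a rule that only compares the `del` argument with the parent image string misses exactly the variant this sample uses.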

Network

        MITRE ATT&CK Enterprise v15


        Downloads

        • C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe

          Filesize

          127KB

          MD5

          b73b798f76b328a5d063cacfda16baaa

          SHA1

          eff6a12077159f5ae16ca222c9b15c2d41c6f283

          SHA256

          0c845d2340de1bb8448b21d8dc2b95cf68e823da8b2509a007479f65855da75a

          SHA512

          ff3db6d52854096b4e13cf8cb1cf2c756a13c1b10c98aaacab1af062ed6564305936147d749283b89f122a27178b79215c5b5a803ad354b75f80e5b58887573d

        • C:\Program Files (x86)\Google\Update\RCXABB6.tmp

          Filesize

          21KB

          MD5

          a0db8bdb48baaa4523eceef7349a1567

          SHA1

          fbee578b8a5358da84808926a411984f48f362d3

          SHA256

          6bf310f40bd5e380fec75fcf810f675f2f7f180253ea8eee04bf47b13b835d4f

          SHA512

          ae748e814aadde6bb62f3ea1717b4d419fb5c955981a9eff5c3c18975a9bba16c056c5d8644e9bd206b962151589490d98a0900f0abf49e52efb717755b9d347

        • C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\RCXB0C2.tmp

          Filesize

          21KB

          MD5

          5802188c8db128cc08d0cc233c555673

          SHA1

          f7e4a8b406c9842cad07d9ef88a0708b2ff05054

          SHA256

          4f8443a155baba126fb11442b750d1be42f99ca555d9b1495aa9a5fda8b8dfa1

          SHA512

          4d59a416d89992a10d27f2d39fdd3d1570c721c2bd7e52288c3a64aa172bdab316e35ce5d61ee686c56fd771a84415f1c435844c8a9b020198de17a1524eb132

        • C:\Program Files\7-Zip\7zFM.exe

          Filesize

          1.8MB

          MD5

          6115395199a504e413155929b2f4d679

          SHA1

          0aefc4e27f50d1ff073a4e406a52a0ce173d5822

          SHA256

          585a1a54319259635c5c8cbed6015b07bb7c9f924a9c42f933b1174b8043d66d

          SHA512

          9f9c5a21ffa22f8dbbda4ac8b4584c3db4ec7bfb4849d98f0f39080420d3848c7332775ddeead77847d5aefd566e2cc7fff849c6c51cadc39ad7c9523998cadd

        • C:\Program Files\7-Zip\RCX8F21.tmp

          Filesize

          9KB

          MD5

          fc80202a8fc434099a9449b2a14c2d75

          SHA1

          9ca544e9bd5f4bfd84e9b769a9adeea8c86d2555

          SHA256

          d3c794a3f404eb37cbf4038683a85678d04b28fc6f5d98f2a24116738de07b51

          SHA512

          98292dc9a96ff137205a7874d3495eae8baa0b51e968d616257a7e7ae4291fe010f47bef923039002827d0ff115f154aafe11bf321d534e0a7870faa40f6d2d4

        • C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\RCX9E18.tmp

          Filesize

          4.1MB

          MD5

          301df11b1d56ea84b641035869e1714d

          SHA1

          e26a679087b947dd12e130dcbfb0157430f51168

          SHA256

          ceaeb65fdfebc6ba36b69e3df628fc4e1f1048f44c3b0b0f2815e9b4aa68df64

          SHA512

          4914e20e99d295314a2dc63962f187cad0c2efe2e770b4265643f6e4a8c231eda9595945780d1e9e9572ea5cfc4985fd2593ec08d98a1b43c4ec5e1753d54a51

        • C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\wordicon.exe

          Filesize

          6.6MB

          MD5

          2cd7c7e0b409aa489c97432ccda2e972

          SHA1

          4200714ee3d1a78f714366d4ea34695476b81d0c

          SHA256

          29d210ad13dd8d05947b26d8fee3bd1b994fbbc4cfac25a121d2c7bd7cf7b860

          SHA512

          9a93acae8e08b601ca24848e73e978346dc88fcfc4cd52156fe2c0a051084bb94345b0524fdcaff777948fe4cab8178423e9d4b1176c3913bdfc96c9e9f22e75

        • C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-1000-0000000FF1CE}\RCX9FD0.tmp

          Filesize

          1004KB

          MD5

          cfdf29654da360dc586d65d4eb06179d

          SHA1

          5464f625f5aebe7fc3169309a9403e25ec09432a

          SHA256

          ac520da6b4a8e12c081ab9ea659fe5bd5eb076c40b203bd7156cb1ad9f8459d7

          SHA512

          30473bcb9ab74f4913c3a093a0626a915f09bd8067270f473924fcbde533a3eab3c9e5f97c1c56358fec054ceaf7f3ca3d707152d008e45c77f02deb46e18ce1

        • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\RCXB1E0.tmp

          Filesize

          13KB

          MD5

          b4888eb7f3abc796d0589767fb54c734

          SHA1

          21d766acd5fec6697251702f7986a70f86677296

          SHA256

          514179077a0fa1fd9ab8f3b58835334b9b990ddf74232e9ee57de030eb7d7598

          SHA512

          41e910e48f7d99c25e1f2014c3dbbb5bcf38ac9c24bd5188c9e6a8b43db98e4dbe10eafeb0b633858fa807d3b0c9187b533b8553ca226a4cc360ee14579facc0

        • C:\ProgramData\Package Cache\{ef5af41f-d68c-48f7-bfb0-5055718601fc}\RCXB1F2.tmp

          Filesize

          13KB

          MD5

          781cbd9734adc3393e4538e832ba3967

          SHA1

          6878a0fced5b9a59d07699098f5bc19e56bf278c

          SHA256

          da61e6e997c8e0ded0cfb5c070d9f3b0c5a747d98107e27b46b365f3cea901ee

          SHA512

          55c6d64af485919f37312b80f4a03e0ee3a81ca66702f32fd76703bed46579d51828e0354fbbff2ebe1049462397deb58cb89092f8d3e94df9aac4b9b2122f5c

        • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\OneDriveSetup.exe

          Filesize

          27.0MB

          MD5

          a7f700f4afd0c2693eab70e5b32753a6

          SHA1

          0eed3395dd7c1f16173035f2e7352eb4eaa2da56

          SHA256

          39cbf7bf33466813364c826e00af8d466755d98a0e37901e81584ece4930c187

          SHA512

          7ae91b742a5cda294a604ea3b99742315534b6dee6abf9809af9bf3fa061274fdf87a66e8a5ec7587bc23e0ca7acb0af40b625937e57d75cd3760e7ebd26f010

        • memory/4868-0-0x0000000000401000-0x0000000000402000-memory.dmp

          Filesize

          4KB
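
The Downloads section lists executables written under Program Files alongside RCX????.tmp files in the same directories. An incident responder's first use of that list is a sweep of a suspect host for the same hashes and leftover temp files. The block below is an added example, not part of the report or the sandbox's tooling: it carries three SHA256 values from the list above plus one constructed entry (the hash of the bytes b"abc") so that the offline demo, which scans a temporary directory it creates itself, has something to match.

```python
"""Sweep a directory tree for files matching this report's dropped-file hashes
and for RCX????.tmp leftovers. Added example, not the sandbox's own code."""
import hashlib
import os
import re
import shutil
import tempfile

# SHA256 -> path the sandbox recorded (copied from the Downloads list above)
REPORT_IOCS = {
    "0c845d2340de1bb8448b21d8dc2b95cf68e823da8b2509a007479f65855da75a":
        r"C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe",
    "585a1a54319259635c5c8cbed6015b07bb7c9f924a9c42f933b1174b8043d66d":
        r"C:\Program Files\7-Zip\7zFM.exe",
    "29d210ad13dd8d05947b26d8fee3bd1b994fbbc4cfac25a121d2c7bd7cf7b860":
        r"C:\Program Files\Microsoft Office\root\vfs\Windows\Installer"
        r"\{90160000-000F-0000-1000-0000000FF1CE}\wordicon.exe",
}

# Constructed entry (sha256 of b"abc") so the offline demo produces a hit.
DEMO_IOCS = dict(REPORT_IOCS)
DEMO_IOCS["ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"] = \
    r"demo\infected.exe"

# Name pattern of the temp files the report lists next to the executables.
RCX_TMP = re.compile(r"^RCX[0-9A-F]{4}\.tmp$", re.IGNORECASE)


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA256 so large binaries do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root, iocs):
    """Return (hash_hits, rcx_leftovers) for every regular file under `root`.

    hash_hits: (local_path, sha256, path_seen_in_sandbox)
    rcx_leftovers: local paths whose name matches RCX????.tmp
    """
    hash_hits, leftovers = [], []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if RCX_TMP.match(name):
                leftovers.append(full)
            digest = sha256_file(full)
            if digest in iocs:
                hash_hits.append((full, digest, iocs[digest]))
    return hash_hits, leftovers


def demo():
    """Create a small constructed tree in a temp dir, sweep it, return names."""
    root = tempfile.mkdtemp()
    try:
        d = os.path.join(root, "7-Zip")
        os.makedirs(d)
        with open(os.path.join(d, "infected.exe"), "wb") as f:
            f.write(b"abc")            # matches the constructed IOC only
        with open(os.path.join(d, "RCX8F21.tmp"), "wb") as f:
            f.write(b"leftover")       # name pattern hit, unknown hash
        with open(os.path.join(d, "readme.txt"), "wb") as f:
            f.write(b"clean")          # neither
        hits, leftovers = sweep(root, DEMO_IOCS)
        return (sorted(os.path.basename(h[0]) for h in hits),
                sorted(os.path.basename(p) for p in leftovers))
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(demo())
```

On a real host, point `sweep` at the Program Files and ProgramData roots with `REPORT_IOCS`; a hash hit is conclusive, while an RCX????.tmp leftover is only a lead to examine, since the report does not establish what writes those files.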