Analysis

  • max time kernel
    121s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system
  • submitted
    10/11/2024, 02:33

General

  • Target

    c500ccb3718c51ca1c4e67b67e383eae9b8401a07d6d6ae57c98e4e2cd6cef9d.exe

  • Size

    87KB

  • MD5

    a57c45b26f0a0cdf85cb3949ecb7bfe7

  • SHA1

    e9bdede6e557771f543d5ba0f8be63a032fb82db

  • SHA256

    c500ccb3718c51ca1c4e67b67e383eae9b8401a07d6d6ae57c98e4e2cd6cef9d

  • SHA512

    0ca7f5c07ceea2de9ce1bd623dae99f0cca1c9b07e1914ee6fc9cc792cddf8bfddc00c420ad82d20b0729585e7ee785b24842688fce16ccfe62b08fea6764efb

  • SSDEEP

    96:J0J/2lk+rks4oc2SQyvn8Aerb25H4wYjHQjqQfmKrWVYogz3AsllaseFUSUYrgto:J82kZwctUAQS5YhjQq+WV92pTyG6

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c500ccb3718c51ca1c4e67b67e383eae9b8401a07d6d6ae57c98e4e2cd6cef9d.exe
    "C:\Users\Admin\AppData\Local\Temp\c500ccb3718c51ca1c4e67b67e383eae9b8401a07d6d6ae57c98e4e2cd6cef9d.exe"
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:564
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\C500CC~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:1624

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

          Filesize

          2.1MB

          MD5

          628256fb90802533d3595b7554a5268c

          SHA1

          68e81300ded4bc1aa46fb2b0680bea340b86f81a

          SHA256

          2bdd36918c7108a68961ba40adeb8cdeded04a9a8222f54570f463395ae52f33

          SHA512

          c43beb59577fd3ceeb7410e02378cafc7ed6fbcaa71247ca930a9051c0e195ffbc631932f7ecead23c8fb9a91d083e38437c15cef075dd619f6e1cab8e57b758

        • C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE

          Filesize

          23KB

          MD5

          f5b8ffa3f05510cf5ea4ee1f6ce4d50a

          SHA1

          b299149a6947186345854b633c552cb89de7bc7c

          SHA256

          53a5586481aed4fbc3630bfeac398ad1d3377e1412cde4c235a70268ffd329b4

          SHA512

          75a3c1b6c76ce7943bff0afe14c9cea9e229a832f522ecb001213a26b46b1c23a848398a3f8d0b4f0d69c88a168b4bc920d2beb566a332036d47e103e2f3e229

        • C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe

          Filesize

          188KB

          MD5

          aa4d845ab30fbe40afd871c56e6d5660

          SHA1

          69e815ab37526d044bf8d9dcbdecdfa7c95baf07

          SHA256

          2c51345f8b37e2d367be58b8a75a1fbb45cbe8e870d0e48a1d292ad304bb082b

          SHA512

          04dc9a5e1c4b5a8d2cd62a0187e7accb44bef787ae25e0ceebf7ddde7e2088f72781252f2009d2fa494b7d67f49765c041bc00e10e3bc6d9209cd2d8c1a9ca43

        • C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe

          Filesize

          136KB

          MD5

          a0d66ebd7227d1304ad9f66d7512dd8a

          SHA1

          f34f2bcb2cd42d0fb93cf3117a5ba745a1ef97b2

          SHA256

          7b5b7e87158bfa47a74260190cf3f664f10df842f70d8e5a16d90e3662a8205f

          SHA512

          c2228afd2b377dfe0baae0e4c6827f8da1c403ad48a8c32b9c32c30c45227d88c85408959ade264f5765e36b32133b1577251585a9833a3ee3927cac31c68aa6

        • C:\Program Files\7-Zip\RCX7DED.tmp

          Filesize

          9KB

          MD5

          fc80202a8fc434099a9449b2a14c2d75

          SHA1

          9ca544e9bd5f4bfd84e9b769a9adeea8c86d2555

          SHA256

          d3c794a3f404eb37cbf4038683a85678d04b28fc6f5d98f2a24116738de07b51

          SHA512

          98292dc9a96ff137205a7874d3495eae8baa0b51e968d616257a7e7ae4291fe010f47bef923039002827d0ff115f154aafe11bf321d534e0a7870faa40f6d2d4