Analysis

  • max time kernel
    148s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10/11/2024, 02:33

General

  • Target

    c500ccb3718c51ca1c4e67b67e383eae9b8401a07d6d6ae57c98e4e2cd6cef9d.exe

  • Size

    87KB

  • MD5

    a57c45b26f0a0cdf85cb3949ecb7bfe7

  • SHA1

    e9bdede6e557771f543d5ba0f8be63a032fb82db

  • SHA256

    c500ccb3718c51ca1c4e67b67e383eae9b8401a07d6d6ae57c98e4e2cd6cef9d

  • SHA512

    0ca7f5c07ceea2de9ce1bd623dae99f0cca1c9b07e1914ee6fc9cc792cddf8bfddc00c420ad82d20b0729585e7ee785b24842688fce16ccfe62b08fea6764efb

  • SSDEEP

    96:J0J/2lk+rks4oc2SQyvn8Aerb25H4wYjHQjqQfmKrWVYogz3AsllaseFUSUYrgto:J82kZwctUAQS5YhjQq+WV92pTyG6

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c500ccb3718c51ca1c4e67b67e383eae9b8401a07d6d6ae57c98e4e2cd6cef9d.exe
    "C:\Users\Admin\AppData\Local\Temp\c500ccb3718c51ca1c4e67b67e383eae9b8401a07d6d6ae57c98e4e2cd6cef9d.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4716
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\C500CC~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4508

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe

          Filesize

          127KB

          MD5

          b73b798f76b328a5d063cacfda16baaa

          SHA1

          eff6a12077159f5ae16ca222c9b15c2d41c6f283

          SHA256

          0c845d2340de1bb8448b21d8dc2b95cf68e823da8b2509a007479f65855da75a

          SHA512

          ff3db6d52854096b4e13cf8cb1cf2c756a13c1b10c98aaacab1af062ed6564305936147d749283b89f122a27178b79215c5b5a803ad354b75f80e5b58887573d

        • C:\Program Files (x86)\Google\Update\RCXD547.tmp

          Filesize

          21KB

          MD5

          a0db8bdb48baaa4523eceef7349a1567

          SHA1

          fbee578b8a5358da84808926a411984f48f362d3

          SHA256

          6bf310f40bd5e380fec75fcf810f675f2f7f180253ea8eee04bf47b13b835d4f

          SHA512

          ae748e814aadde6bb62f3ea1717b4d419fb5c955981a9eff5c3c18975a9bba16c056c5d8644e9bd206b962151589490d98a0900f0abf49e52efb717755b9d347

        • C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\RCXDA71.tmp

          Filesize

          21KB

          MD5

          5802188c8db128cc08d0cc233c555673

          SHA1

          f7e4a8b406c9842cad07d9ef88a0708b2ff05054

          SHA256

          4f8443a155baba126fb11442b750d1be42f99ca555d9b1495aa9a5fda8b8dfa1

          SHA512

          4d59a416d89992a10d27f2d39fdd3d1570c721c2bd7e52288c3a64aa172bdab316e35ce5d61ee686c56fd771a84415f1c435844c8a9b020198de17a1524eb132

        • C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe

          Filesize

          136KB

          MD5

          410d9f384a4d2da54039ccb1b7b485b3

          SHA1

          1fd2a6afbde16738ce290bb3c84f2e3e07599ca6

          SHA256

          2bad93eb2c981ea0109e265cc6555d515024d94ea396358068048752865068b3

          SHA512

          eb40a7b394c289e198790922d0687f1e9e2443133b65a9d7fff9cdfacabe23126db1bd83fdcf5f9fea574247b5ecc2744b7d7f5a22b7714d163128b08a81e948

        • C:\Program Files\7-Zip\7zFM.exe

          Filesize

          1.8MB

          MD5

          bc92ce19d3f9d81889924323c1f90e99

          SHA1

          42e4fb38867c775025105012ffe69bb672c56c55

          SHA256

          3db6402b8e233e90c60c87649ff8a3eb0a192d8b5d0d473426a19d276d6812aa

          SHA512

          c57cf65a7b64f06657710910552d50c237e1745467a4744356f73db8856369b029c7e39a3dff9682ca6fa8d586ca632b9cd9bce7227f350b820035ab06bd2815

        • C:\Program Files\7-Zip\RCXBAC6.tmp

          Filesize

          9KB

          MD5

          fc80202a8fc434099a9449b2a14c2d75

          SHA1

          9ca544e9bd5f4bfd84e9b769a9adeea8c86d2555

          SHA256

          d3c794a3f404eb37cbf4038683a85678d04b28fc6f5d98f2a24116738de07b51

          SHA512

          98292dc9a96ff137205a7874d3495eae8baa0b51e968d616257a7e7ae4291fe010f47bef923039002827d0ff115f154aafe11bf321d534e0a7870faa40f6d2d4

        • C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\RCXC98D.tmp

          Filesize

          4.1MB

          MD5

          301df11b1d56ea84b641035869e1714d

          SHA1

          e26a679087b947dd12e130dcbfb0157430f51168

          SHA256

          ceaeb65fdfebc6ba36b69e3df628fc4e1f1048f44c3b0b0f2815e9b4aa68df64

          SHA512

          4914e20e99d295314a2dc63962f187cad0c2efe2e770b4265643f6e4a8c231eda9595945780d1e9e9572ea5cfc4985fd2593ec08d98a1b43c4ec5e1753d54a51

        • C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\sscicons.exe

          Filesize

          148KB

          MD5

          ed1ff69349496c479da709c8b6efa019

          SHA1

          91a998512b413568724a8dd53b78f5164ba1882e

          SHA256

          e4adf160c9349fedcccbd309109785a0928a9a39ed847686cdd9a3e0a7adb3e4

          SHA512

          a367e682aadae620379763ceec7ed195530e30b96c0d90ec7212f199164d13eb8690c00ec93e28d4b027efd275bd0d446f07d1f509a3f4c8f79aa58ec98c9013

        • C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\wordicon.exe

          Filesize

          6.6MB

          MD5

          2cd7c7e0b409aa489c97432ccda2e972

          SHA1

          4200714ee3d1a78f714366d4ea34695476b81d0c

          SHA256

          29d210ad13dd8d05947b26d8fee3bd1b994fbbc4cfac25a121d2c7bd7cf7b860

          SHA512

          9a93acae8e08b601ca24848e73e978346dc88fcfc4cd52156fe2c0a051084bb94345b0524fdcaff777948fe4cab8178423e9d4b1176c3913bdfc96c9e9f22e75

        • C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-1000-0000000FF1CE}\RCXCA7A.tmp

          Filesize

          1004KB

          MD5

          cfdf29654da360dc586d65d4eb06179d

          SHA1

          5464f625f5aebe7fc3169309a9403e25ec09432a

          SHA256

          ac520da6b4a8e12c081ab9ea659fe5bd5eb076c40b203bd7156cb1ad9f8459d7

          SHA512

          30473bcb9ab74f4913c3a093a0626a915f09bd8067270f473924fcbde533a3eab3c9e5f97c1c56358fec054ceaf7f3ca3d707152d008e45c77f02deb46e18ce1

        • C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe

          Filesize

          647KB

          MD5

          ff5fb87c32e28f0dd64b248df04513ce

          SHA1

          8b92146d4405432d32d73ea1f89dc3744c180208

          SHA256

          2612bfcdf8fa6c4f0cc8b8f1aaa15da9cae07f3bb2ecc2facb174f31311ebbf9

          SHA512

          4c602ebde7dc6133435209a751d8f4b5c6702bc20e0c01fa163d67429ac01fcc2a54db570c196374ff5846389b32c4db5b3357ee27509442574d9487e984d718

        • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

          Filesize

          458KB

          MD5

          866454fe10e1eeb551203a35a11be884

          SHA1

          317da88a276a8638a35d6ab5618372fd7cb9f7cc

          SHA256

          265ae7b5af41972bba1f4741c4f96533b2e00657c32073a009b6bbd089641e4b

          SHA512

          213738511c335689d2230286ec6ed9dec7d9efbf9cbb2f7d08106d214482161630010171a3c939df83c9eac02caafb961913d8cf485b1c783d2b0e81f9831efc

        • C:\ProgramData\Package Cache\{ef5af41f-d68c-48f7-bfb0-5055718601fc}\windowsdesktop-runtime-7.0.16-win-x64.exe

          Filesize

          623KB

          MD5

          312764ccc082b69c1fc9bd0c02e39e58

          SHA1

          bd9725f1e90674edf525faba385c79bd541c81ad

          SHA256

          b7f8936c4e2db710b1bd49ab1c8047dc3574127e308a00516bbb64f1147314fb

          SHA512

          2ee589d6cf349e2500927beea05a5316a880ff6e5a1dadb80f18d0d68a5c64697bf5a397988b4523dc34bbb8310718cb6e510e3aefd3bb45547f5d93c48464a5

        • C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\vcredist_x64.exe

          Filesize

          468KB

          MD5

          058acd98dac28ca93d722916d478089c

          SHA1

          154d4f8372e302b0f3755e71f80f128e63950051

          SHA256

          ab9640c358b05b7cfc8a5824aac8ac65927feea69d5d8d9c590431c924e6be10

          SHA512

          9ac7eb2596d6daa40e00d63e1c36d2c99e465005c3bb945d699041d06a8565e53ca7be7369f6366e3899137efd14d300679d12ad35ca225b28e1acc967b5e679

        • memory/4716-0-0x0000000000401000-0x0000000000402000-memory.dmp

          Filesize

          4KB