Analysis

  • max time kernel
    68s
  • max time network
    37s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    14-11-2024 02:14

General

  • Target

    82cdc70ac4cab6e7044ac8a170cbee94fff6ff41892e22bb3db127ddbf5cf7f6N.exe

  • Size

    1.1MB

  • MD5

    7e0ba625a5ae332cda46a8185c0c5230

  • SHA1

    c239176154abaab0187cbacc31c915ae66b78ac8

  • SHA256

    82cdc70ac4cab6e7044ac8a170cbee94fff6ff41892e22bb3db127ddbf5cf7f6

  • SHA512

    61a0a31c270fdeb6cb77bee96494648de966384dfcf30788d56288fbed560f48af9275d1900be4755b1ef3da22160773be7b1bbb76e348e461a11ac82f8c0f82

  • SSDEEP

    24576:+rfzXdaxgAOZGspkqLCVHpZktAIn1brR7ZHFGjbhDZlnN:2XdaxgAOZDp/Avkz1brR1HF69HN

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\82cdc70ac4cab6e7044ac8a170cbee94fff6ff41892e22bb3db127ddbf5cf7f6N.exe
    "C:\Users\Admin\AppData\Local\Temp\82cdc70ac4cab6e7044ac8a170cbee94fff6ff41892e22bb3db127ddbf5cf7f6N.exe"
    1⤵
    • Loads dropped DLL
    • Enumerates connected drives
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1580
    • C:\Users\Admin\AppData\Local\Temp\eqsF872.tmp
      "C:\Users\Admin\AppData\Local\Temp\82cdc70ac4cab6e7044ac8a170cbee94fff6ff41892e22bb3db127ddbf5cf7f6N.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2980
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\82CDC7~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2384

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

    Filesize

    2.1MB

    MD5

    20dbf807dc0e5a499a0f9c149941ce8b

    SHA1

    b5ef8f64df0fdc4c04774416f8b6293ae765046c

    SHA256

    6480ddaac6f2b2107dbb6e6a4dc56d4d3a6fa210925ee2e6e3a1e1172d33f43a

    SHA512

    5167d7eec74fa19c602aa66dbaeb210395662cf217fe6d044e2bfbbf80e3f64274c2ad296105a4df868c89ea5e8eb8db6567d621f24cffd0bae20f2a0307767a

  • C:\Program Files\7-Zip\RCXF9D1.tmp

    Filesize

    9KB

    MD5

    fc80202a8fc434099a9449b2a14c2d75

    SHA1

    9ca544e9bd5f4bfd84e9b769a9adeea8c86d2555

    SHA256

    d3c794a3f404eb37cbf4038683a85678d04b28fc6f5d98f2a24116738de07b51

    SHA512

    98292dc9a96ff137205a7874d3495eae8baa0b51e968d616257a7e7ae4291fe010f47bef923039002827d0ff115f154aafe11bf321d534e0a7870faa40f6d2d4

  • C:\Users\Admin\AppData\Local\Temp\eqsF872.tmp

    Filesize

    1.1MB

    MD5

    4598ce58362a03112db69548ee6e89c0

    SHA1

    9fe142d4bc2c814cf3600cc515b7d380d629d972

    SHA256

    a5dbc9ba67a78a5897ba88c84e840874a6ea1cd43f9f59575fa21e33e1eb440a

    SHA512

    3ee589fc5ba1d2a2cb5a750ce42e5d274709ebed893e6b6976c3d4c44cd9f07fae8852655e4aff9dda4a6c0176cb3cb9c8d3d9e4025c3527dd643fbeb958c8d8