Analysis

  • max time kernel
    92s
  • max time network
    97s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    14-11-2024 02:14

General

  • Target
    82cdc70ac4cab6e7044ac8a170cbee94fff6ff41892e22bb3db127ddbf5cf7f6N.exe
  • Size
    1.1MB
  • MD5
    7e0ba625a5ae332cda46a8185c0c5230
  • SHA1
    c239176154abaab0187cbacc31c915ae66b78ac8
  • SHA256
    82cdc70ac4cab6e7044ac8a170cbee94fff6ff41892e22bb3db127ddbf5cf7f6
  • SHA512
    61a0a31c270fdeb6cb77bee96494648de966384dfcf30788d56288fbed560f48af9275d1900be4755b1ef3da22160773be7b1bbb76e348e461a11ac82f8c0f82
  • SSDEEP
    24576:+rfzXdaxgAOZGspkqLCVHpZktAIn1brR7ZHFGjbhDZlnN:2XdaxgAOZDp/Avkz1brR1HF69HN

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and similar secrets.

  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\82cdc70ac4cab6e7044ac8a170cbee94fff6ff41892e22bb3db127ddbf5cf7f6N.exe
    "C:\Users\Admin\AppData\Local\Temp\82cdc70ac4cab6e7044ac8a170cbee94fff6ff41892e22bb3db127ddbf5cf7f6N.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4692
    • C:\Users\Admin\AppData\Local\Temp\eqs9F1E.tmp
      "C:\Users\Admin\AppData\Local\Temp\82cdc70ac4cab6e7044ac8a170cbee94fff6ff41892e22bb3db127ddbf5cf7f6N.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:3852
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\82CDC7~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1644

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe
    Filesize: 127KB
    MD5: b73b798f76b328a5d063cacfda16baaa
    SHA1: eff6a12077159f5ae16ca222c9b15c2d41c6f283
    SHA256: 0c845d2340de1bb8448b21d8dc2b95cf68e823da8b2509a007479f65855da75a
    SHA512: ff3db6d52854096b4e13cf8cb1cf2c756a13c1b10c98aaacab1af062ed6564305936147d749283b89f122a27178b79215c5b5a803ad354b75f80e5b58887573d

  • C:\Program Files (x86)\Google\Update\RCXC857.tmp
    Filesize: 21KB
    MD5: a0db8bdb48baaa4523eceef7349a1567
    SHA1: fbee578b8a5358da84808926a411984f48f362d3
    SHA256: 6bf310f40bd5e380fec75fcf810f675f2f7f180253ea8eee04bf47b13b835d4f
    SHA512: ae748e814aadde6bb62f3ea1717b4d419fb5c955981a9eff5c3c18975a9bba16c056c5d8644e9bd206b962151589490d98a0900f0abf49e52efb717755b9d347

  • C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\RCXCFC4.tmp
    Filesize: 21KB
    MD5: 5802188c8db128cc08d0cc233c555673
    SHA1: f7e4a8b406c9842cad07d9ef88a0708b2ff05054
    SHA256: 4f8443a155baba126fb11442b750d1be42f99ca555d9b1495aa9a5fda8b8dfa1
    SHA512: 4d59a416d89992a10d27f2d39fdd3d1570c721c2bd7e52288c3a64aa172bdab316e35ce5d61ee686c56fd771a84415f1c435844c8a9b020198de17a1524eb132

  • C:\Program Files\7-Zip\7zFM.exe
    Filesize: 1.8MB
    MD5: 1bf497954f9b22947bf856f1c4cf33ed
    SHA1: 7a9e1c64e903c5c6aff112474aab04ad33f3986e
    SHA256: 904a17390af456be07648b518538f02441eef0c49d13ab73ea2161ef177728ed
    SHA512: 0548ea08ac9d314f994f8e6bce9fdc863b1529780c0e10139508ddb5d26be9b74c9d521c50f2d1c16410ab6336de72f4ac05ed79bcf65e74592ed46796905ff1

  • C:\Program Files\7-Zip\RCX9F50.tmp
    Filesize: 9KB
    MD5: fc80202a8fc434099a9449b2a14c2d75
    SHA1: 9ca544e9bd5f4bfd84e9b769a9adeea8c86d2555
    SHA256: d3c794a3f404eb37cbf4038683a85678d04b28fc6f5d98f2a24116738de07b51
    SHA512: 98292dc9a96ff137205a7874d3495eae8baa0b51e968d616257a7e7ae4291fe010f47bef923039002827d0ff115f154aafe11bf321d534e0a7870faa40f6d2d4

  • C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-1000-0000000FF1CE}\RCXB3A7.tmp
    Filesize: 1004KB
    MD5: cfdf29654da360dc586d65d4eb06179d
    SHA1: 5464f625f5aebe7fc3169309a9403e25ec09432a
    SHA256: ac520da6b4a8e12c081ab9ea659fe5bd5eb076c40b203bd7156cb1ad9f8459d7
    SHA512: 30473bcb9ab74f4913c3a093a0626a915f09bd8067270f473924fcbde533a3eab3c9e5f97c1c56358fec054ceaf7f3ca3d707152d008e45c77f02deb46e18ce1

  • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\RCXD17F.tmp
    Filesize: 13KB
    MD5: b4888eb7f3abc796d0589767fb54c734
    SHA1: 21d766acd5fec6697251702f7986a70f86677296
    SHA256: 514179077a0fa1fd9ab8f3b58835334b9b990ddf74232e9ee57de030eb7d7598
    SHA512: 41e910e48f7d99c25e1f2014c3dbbb5bcf38ac9c24bd5188c9e6a8b43db98e4dbe10eafeb0b633858fa807d3b0c9187b533b8553ca226a4cc360ee14579facc0

  • C:\Users\Admin\AppData\Local\Temp\eqs9F1E.tmp
    Filesize: 1.1MB
    MD5: 4598ce58362a03112db69548ee6e89c0
    SHA1: 9fe142d4bc2c814cf3600cc515b7d380d629d972
    SHA256: a5dbc9ba67a78a5897ba88c84e840874a6ea1cd43f9f59575fa21e33e1eb440a
    SHA512: 3ee589fc5ba1d2a2cb5a750ce42e5d274709ebed893e6b6976c3d4c44cd9f07fae8852655e4aff9dda4a6c0176cb3cb9c8d3d9e4025c3527dd643fbeb958c8d8

  • memory/3852-28-0x0000000000400000-0x0000000000417000-memory.dmp
    Filesize: 92KB
  • memory/4692-0-0x0000000000401000-0x0000000000402000-memory.dmp
    Filesize: 4KB