Analysis

  • max time kernel
    119s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    15/01/2025, 22:32

General

  • Target

    5dfb545bfb7906b1808b86209a12b60dfc66b452222024a30612e4b2fa70d4ca.exe

  • Size

    229KB

  • MD5

    4ad2e42b8338dc8e27b84e5537792175

  • SHA1

    5846bd4a296134f6f0abc2a6103510669657e45a

  • SHA256

    5dfb545bfb7906b1808b86209a12b60dfc66b452222024a30612e4b2fa70d4ca

  • SHA512

    724e56b86550c055b57ff1e855af3132fba0dde26d4d5f85d9d8cbdd459e513a8ebfa55e868b2bdbe4b85b9d460f00feac1144c29083624c9d9eb0855c22e16c

  • SSDEEP

    3072:B7wAOhIL1T1/lgVVJfYXZKqM8jNIwB6EkQOf2ChwAvhBNtSR:BCcHOVwXm0TLOf2oBTC

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops file in Program Files directory 64 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt to gather information about the system language of a victim host in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5dfb545bfb7906b1808b86209a12b60dfc66b452222024a30612e4b2fa70d4ca.exe
    "C:\Users\Admin\AppData\Local\Temp\5dfb545bfb7906b1808b86209a12b60dfc66b452222024a30612e4b2fa70d4ca.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1980
    • C:\Users\Admin\AppData\Local\Temp\eqsDF86.tmp
      "C:\Users\Admin\AppData\Local\Temp\5dfb545bfb7906b1808b86209a12b60dfc66b452222024a30612e4b2fa70d4ca.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:2956

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

          Filesize

          291KB

          MD5

          b7a1507ec9a90d349a507e34a97f55e1

          SHA1

          d71a05fea04cf8ffded9795890fe866e97af69d7

          SHA256

          d0bb2fcc1d77335a56167905f937044eff2be4edb38e3455ff55d441399e5b9c

          SHA512

          04b29527a549f5666da803acbdbef1478c0b86582f6a2e32e58cbf62f7c72557bd9f4ec57ebdb2db4beedc38f50bd89fda40dfdfe268f0c7017456939367360c

        • C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE

          Filesize

          26KB

          MD5

          10b2097b668077b2c5a3bcbde969e80a

          SHA1

          84758052d41057c888f7835dcba777b1b6b27c9d

          SHA256

          13ed3605e87613f5e3c8348a004e1820a80bb48599dfdd58f29b06416e33ea7b

          SHA512

          2257dd921d75acd0f1e2df300d2fe10465e8ad3824585eafee2503a0ad6303f52c2c8c7aaed016529f302de744e1774d0d92bc464de6119f39a6fe8e2d58e96c

        • C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe

          Filesize

          191KB

          MD5

          e7fc2df11aadca90e05a92d8c1952e38

          SHA1

          b3801094b0a40f17a3bccac48a8afe20ad39cc52

          SHA256

          52837f524a69be4819a462a2233868dfec4a87fbeb8930b8f35e9e40b4f55f58

          SHA512

          3aec4cdbaab31b0b1c2031674cb952e76c4dfdc033f065a71df4e783f915ee6a21fcbe333317b14a23154d30a4ba4718f8401caf8238fd1bf29a437a0683ef9f

        • C:\Program Files\7-Zip\7zFM.exe

          Filesize

          942KB

          MD5

          af59f8fcc27461a6c9db6cf1c4080da4

          SHA1

          cf69515b95e1cf51f70180dc1c4bec61fb69a6bf

          SHA256

          6200d4d7cd8a364738431b0b55c710a8769c8a0d9b95e277633738f9d4435f1d

          SHA512

          3baca97fd25ed29ceeb7b9d08e1c26ca3f3d1d44b080c83da032554f52ce26b65f6b9e95abbc692029d88beab99323f2c13770cbe21b501e605a003934c8fc97

        • C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe

          Filesize

          650KB

          MD5

          29a849ed36b5394c9a11e83fb6aee2a5

          SHA1

          f79c4c95720e34c5217f5e8236936709bcce8acb

          SHA256

          a73febecd4e30003f5fd690290d31586b8ac7e0ceda4be3f50914ceb5cbd8325

          SHA512

          4e332a377088935f2e0c99d19eeea8901a11b6147434708b688bd8397ccaf75ce987ec7fb8f1ed537e1713b7dcf502adc92ad4b4a8d33e812efad10e49e5e02e

        • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\RCX4248.tmp

          Filesize

          16KB

          MD5

          e51281f5acbc298a898ebf7cd270fad4

          SHA1

          aa54f61b89db033d5d6b39cca971f76730aba054

          SHA256

          dca3096afaab558ecf91ef35f9d3427f7ed2cbc17341067203b9e3e103045867

          SHA512

          bae3e66e0273abc67c174244a6b14468043ac73b013f9d5a3510d615f8de91f5ce76afc3339d4ac7546274cadeb28261ead730791e252bc42623c2d5f218683c

        • \Users\Admin\AppData\Local\Temp\eqsDF86.tmp

          Filesize

          154KB

          MD5

          c13a5c9184c5c8b29b4cb3b01c8a8dc2

          SHA1

          689411251ec06a612ec1e55de289b998e8ab8556

          SHA256

          c235a11fcde53089ac5e8f19380078ef9fda48e4241bb1dc526fff6c5e384900

          SHA512

          781e19adbf22bdeae7aef600e1a247cf49fdae2fd2a6ac050a3c5bb658d5fe5dd546b4fb92862a972072aa2e4ec7136c23b40e685c0951206b7182e280a18f44