Analysis

  • max time kernel
    105s
  • max time network
    113s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    15/01/2025, 22:32

General

  • Target
    5dfb545bfb7906b1808b86209a12b60dfc66b452222024a30612e4b2fa70d4ca.exe
  • Size
    229KB
  • MD5
    4ad2e42b8338dc8e27b84e5537792175
  • SHA1
    5846bd4a296134f6f0abc2a6103510669657e45a
  • SHA256
    5dfb545bfb7906b1808b86209a12b60dfc66b452222024a30612e4b2fa70d4ca
  • SHA512
    724e56b86550c055b57ff1e855af3132fba0dde26d4d5f85d9d8cbdd459e513a8ebfa55e868b2bdbe4b85b9d460f00feac1144c29083624c9d9eb0855c22e16c
  • SSDEEP
    3072:B7wAOhIL1T1/lgVVJfYXZKqM8jNIwB6EkQOf2ChwAvhBNtSR:BCcHOVwXm0TLOf2oBTC

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops file in Program Files directory 64 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5dfb545bfb7906b1808b86209a12b60dfc66b452222024a30612e4b2fa70d4ca.exe
    "C:\Users\Admin\AppData\Local\Temp\5dfb545bfb7906b1808b86209a12b60dfc66b452222024a30612e4b2fa70d4ca.exe"
    1⤵
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2860
    • C:\Users\Admin\AppData\Local\Temp\eqs8647.tmp
      "C:\Users\Admin\AppData\Local\Temp\5dfb545bfb7906b1808b86209a12b60dfc66b452222024a30612e4b2fa70d4ca.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:3424

Network

MITRE ATT&CK Enterprise v15
Downloads

  • C:\Program Files (x86)\Google\Update\1.3.36.371\RCX46DD.tmp
    Filesize: 24KB
    MD5: c016ef1a86325eaa8e3c7c1d0cbe6a9c
    SHA1: 1c0e466ceaae36cc5d24d59e03430a0ca07b6db7
    SHA256: 703e854417e666a42cbf8137637070148dd9c9421b492e5afbcf25405a2a3dd3
    SHA512: 93bdd300a5faaa2e14024719851a08dc341e273b497ec5ac01ab710f422fdb21d6dce0cd9027b3c78d03a80f81db42cca676a6dafd580f264c3940873e026fa7

  • C:\Program Files (x86)\Google\Update\RCX46ED.tmp
    Filesize: 24KB
    MD5: 24bd9543a93a1ae90854cd838044cb1a
    SHA1: 3fc631dfe58a660159607a13f22697e61004cd29
    SHA256: 71040e6ab05bc9a3ad564a3ce408e16d2099cfa3eda03c20070ff0fc5cd08bda
    SHA512: 58802d2d66dd2107af8cc2bcfd2ab1478fb9b4c626bcd3cb34ef9e8e7884ab92921b74f00774b6b3a5d0fa7df0f66eb292de790e1a616a3b7f29b13b330f23dc

  • C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\RCX4D41.tmp
    Filesize: 24KB
    MD5: 2ee82bf31f8f29f17aa432e16e8a9192
    SHA1: 2b9c59b13c5544f818b34536511aa0e89d7df435
    SHA256: fd3f8155e1151ab0e0d91b9455166d05ee026c6914a66ec259202b4ebac86334
    SHA512: c9dfbdbdcdc6a4b3433f8dcb3415d7d7ec22b2098879ba774e1fca720d609ce78203a7ffd54c047fcfadbfda0a115611f3db7461e00b8173f64e186440baca33

  • C:\Program Files\7-Zip\7z.exe
    Filesize: 1.1MB
    MD5: ca0d363495c01036bede48311f7009a3
    SHA1: eaf18881d6479345cacfa852c885753f45d3bbd4
    SHA256: 23c53734d021e70fd7d228c8eb5c406a15fe2f01c7053fae0acf0526a3d6b4c6
    SHA512: d202baffaf8b05d5dd9b9fc92f964110ade75dc3665396f38b16a88e88ee8f8c115cda8e253a56d88667eaf0fc81a9a6b2a9b63ac80cca76061fd3e4ae28d214

  • C:\Program Files\7-Zip\RCX2BB2.tmp
    Filesize: 12KB
    MD5: 31ca51862b31bcf129556d16f467af09
    SHA1: 5a211b99259a8b98aba5b281f57d2dbd6cf3325f
    SHA256: c02959bf05c6802755bda953e649cbdb7cdb03ba0a4f458a84e575dcee0e907c
    SHA512: ceb6864b90a5f8eb8192f4de5914a3aca6788dbca27d724be07484f18cb4d8c6cf6c5adeac6956d21ad15f695b959d1d6712a2ca876b50e24f4591e6e8b6f47f

  • C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\RCX3A74.tmp
    Filesize: 3.9MB
    MD5: 8235f9a7dee83ae3d73106b9251955e2
    SHA1: b52abb012d8bf8ce8ad295627d04a6426a78eb8d
    SHA256: 9bbe361214bfe67297317b49a7b995cc8849a5ac298bbe7a8782c214d82ed1d6
    SHA512: 544a02f19d6f53930979232ac63ed53b749b70ec606e1ed06bd9a0b02cdd1cd0f24968149c265d8198560c8dcc11480b837a20aa489fddc524f28c8b6c119b5c

  • C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\RCX3B04.tmp
    Filesize: 3.3MB
    MD5: 1f75518e4bdc08ad0e5872e6d6fa0a3b
    SHA1: 045c2f37078d5bbbcedc98fb554330eace8bbbe9
    SHA256: ccfa1e9e25c36c6d6a9fa8c80a5e794fee8a2d8934bcf6c4f03e663509aa9a2f
    SHA512: 74010c987b997df3908577cb0191400b16035d72cf6c51acb5f17f340ffcb1d5f505c315aaff816a1049444133d869720003a1731e8a5f16de04d8cbb283ffdf

  • C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\sscicons.exe
    Filesize: 151KB
    MD5: fe8556f4cd549ca5a9b2811a955a25b9
    SHA1: ff58dd1cfb676668c99e47c06ca1f3967d2057fa
    SHA256: 7eab17620ba806eadb500e21c344f7f4af9725b3fe8c1ffe775364f201c5ec56
    SHA512: 4669ef5198396e77a56ffa92a06291cc0b229eb3b49a696a8776a138354addcd9fbefb24de01c0b25f9e4a4157d563fbe17102633283d7eb73f4c5cace2fa940

  • C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\xlicons.exe
    Filesize: 8.2MB
    MD5: 90ef8b52adf2917ed0bf8abcfd634d42
    SHA1: a3e11a32e6531f5f681e5869878290d90dad93c3
    SHA256: 5accb1ac4f3b653192f3e792bbe48cd309e2bd3bab69575219710fc78bd535db
    SHA512: 04263c4e70a96e1327d8984708510e71609a82d2f746d9edddcb39a0740c054e1eebee081a4650224860cd414aa389c20f56a963f831abac47094fa29cf21e00

  • C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-1000-0000000FF1CE}\RCX3B75.tmp
    Filesize: 1007KB
    MD5: 53889c85c32108f93022352ea52f0ddd
    SHA1: a0f6da80f0a2a2b700a2670e89c3e58a27ea956f
    SHA256: b19c6539228d8c64bbec068c8101792ee86e8c38d9488a787aa4cb922e2fc647
    SHA512: 5dfaa70902305b71e2425168850bba293a24bc2bc76f08991e1e2c8fe6f780b2287cb0e312c636bbef578734846f881c94479c151684e55415c4c8529dd8085e

  • C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.exe
    Filesize: 471KB
    MD5: c09c92686ec523d4e00c3f0a52525bed
    SHA1: 729e895352024107f5db3db47c6635b364e00588
    SHA256: 621431277f2ac805291e21385691401f21c2c8fb7858275bcbd8824f76dd18e4
    SHA512: 931184011a40aa82beb887215b09054c0e6ea38918a253cdbd85c6740067be529473638e361104315e04ef9b5c9072822e7a85c8e5fe4a2e9f8c2b90601f8d34

  • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
    Filesize: 461KB
    MD5: 146e2ea79c72a7a3ed817683dd4caec2
    SHA1: 65e6c8acda0e37d6f5ebb23ed8ebdd7f4036df88
    SHA256: 85c934133aa31419574443fea5d6fb9040eb7c626e68f4c28e2d3b912c9327ac
    SHA512: 204ecb8fe5f756a334be1a8bb1fc744e6f0099a9387787dfe8b2bce136573d0c735d1d16eda820cd66935e09a1b40182fe4e7f801dbe06047ebf23c447386cbc

  • C:\ProgramData\Package Cache\{ef5af41f-d68c-48f7-bfb0-5055718601fc}\RCX4EB0.tmp
    Filesize: 16KB
    MD5: d48c649441d44c9f485725404fc8a8bb
    SHA1: 0d0706f71a7f0c65eb55e2a9fee4dab3521701c6
    SHA256: 8f4841a90c2b445d149f69afe3721909a0ed75f01293ba4bb8801275971bc90a
    SHA512: 41e325d14bd20bbea9e35641058486ad6eccc08161528bcdbd3967224316da236773cded8fdc925efff9d4b9a177176bd2e9350adf9f874c9eca85cad0d0a519

  • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\RCX4F6F.tmp
    Filesize: 367KB
    MD5: 7cf4cb0b4265b22096287e98414b449c
    SHA1: 23707d9f3dc80b9b75d6a36768ba3b32d1672466
    SHA256: 20948aaa8787075fbadfc7cb7e59f125f2c78199b490fc46a115278731ef5a31
    SHA512: d307d92c79d77e6839c92d563e020c43da5fdafe7b755ec50c7941dee2f2c97252210b983b3495fef415fa70e4252bad9e74bbf373b6b6ba7ff27634ee6f77cb

  • C:\Users\Admin\AppData\Local\Temp\eqs8647.tmp
    Filesize: 154KB
    MD5: c13a5c9184c5c8b29b4cb3b01c8a8dc2
    SHA1: 689411251ec06a612ec1e55de289b998e8ab8556
    SHA256: c235a11fcde53089ac5e8f19380078ef9fda48e4241bb1dc526fff6c5e384900
    SHA512: 781e19adbf22bdeae7aef600e1a247cf49fdae2fd2a6ac050a3c5bb658d5fe5dd546b4fb92862a972072aa2e4ec7136c23b40e685c0951206b7182e280a18f44

  • memory/2860-0-0x0000000000401000-0x0000000000402000-memory.dmp
    Filesize: 4KB