Analysis

  • max time kernel
    142s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    20/10/2022, 22:48

General

  • Target

    4682ad39fef4157aeaa497ffc0cd8e9f61915c1aff83d28f47306c9a97d152b9.exe

  • Size

    479KB

  • MD5

    4401e035c0f3d776a854ef3cd3cd9080

  • SHA1

    af7eb0ba46b6aae5c5b64c52e3e8a0cceb228de5

  • SHA256

    4682ad39fef4157aeaa497ffc0cd8e9f61915c1aff83d28f47306c9a97d152b9

  • SHA512

    037af2948cc83d17a9f660a91b03fb63e47fdff6b0652161b343307932928136ae91a2be21519e19517c38578b6fa630caaeaa90ccf2bf214f97a87a1bb4877f

  • SSDEEP

    3072:i1e+aX3K1fOHoqnPzErBJQCObI9bjI95xt5YZ3iV1cebaf4xmVoqiCiRSpnzIpTX:L+aX36WHoqnauRb0czOy/

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Drops startup file 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates connected drives 3 TTPs 22 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:380
      • C:\Users\Admin\AppData\Local\Temp\4682ad39fef4157aeaa497ffc0cd8e9f61915c1aff83d28f47306c9a97d152b9.exe
        "C:\Users\Admin\AppData\Local\Temp\4682ad39fef4157aeaa497ffc0cd8e9f61915c1aff83d28f47306c9a97d152b9.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1512
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1768
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:4824
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB635.bat
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:5076
            • C:\Users\Admin\AppData\Local\Temp\4682ad39fef4157aeaa497ffc0cd8e9f61915c1aff83d28f47306c9a97d152b9.exe
              "C:\Users\Admin\AppData\Local\Temp\4682ad39fef4157aeaa497ffc0cd8e9f61915c1aff83d28f47306c9a97d152b9.exe"
              4⤵
              • Executes dropped EXE
              PID:1932
          • C:\Windows\Logo1_.exe
            C:\Windows\Logo1_.exe
            3⤵
            • Executes dropped EXE
            • Drops startup file
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:4016
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:5068
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:2208
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:2752
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:4356

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\$$aB635.bat

    Filesize

    722B

    MD5

    a419572de6d6e0e57cf6ea6de083c0f6

    SHA1

    1b8501a858bf7ca4fe0f34f1bd8200391c2831ee

    SHA256

    5260dde4bbdcd87535d7f537fe73d8e914f593fd80366656c217478a001d8473

    SHA512

    6b7aec2a6faf709bd03800af6261e1a04b977f8477430cb7aa8f487356d940b1e114e48ea68c1d72c5c40707b1188396e0a7a4e6e2d7e2b6edc552ced641996d

  • C:\Users\Admin\AppData\Local\Temp\4682ad39fef4157aeaa497ffc0cd8e9f61915c1aff83d28f47306c9a97d152b9.exe

    Filesize

    446KB

    MD5

    8cb298752db9d1788ba28b747f436fd7

    SHA1

    1b829fd918fb40a3a436546605a376a5b825ed93

    SHA256

    601f7fbdb1d3b011b91fed9e569917c47d940e30bb14f4ff3a833e2ce33d6537

    SHA512

    743bde8a1337b32750ef96b955a6a8866550e6e8147625daffb4bc6e0d428825441cd1112b97ddeb0c1b0127b3760367507a8bf58b0f142e123b9429b0a09abb

  • C:\Users\Admin\AppData\Local\Temp\4682ad39fef4157aeaa497ffc0cd8e9f61915c1aff83d28f47306c9a97d152b9.exe.exe

    Filesize

    446KB

    MD5

    8cb298752db9d1788ba28b747f436fd7

    SHA1

    1b829fd918fb40a3a436546605a376a5b825ed93

    SHA256

    601f7fbdb1d3b011b91fed9e569917c47d940e30bb14f4ff3a833e2ce33d6537

    SHA512

    743bde8a1337b32750ef96b955a6a8866550e6e8147625daffb4bc6e0d428825441cd1112b97ddeb0c1b0127b3760367507a8bf58b0f142e123b9429b0a09abb

  • C:\Windows\Logo1_.exe

    Filesize

    33KB

    MD5

    f1042a7378ce88282deb18ef35670908

    SHA1

    818edb3673dc52f46cf7fb5b82b6e47101b91038

    SHA256

    55a0d9ff019371432587496f3ce7228def8bd7b6d5365f883663afa1af7348cb

    SHA512

    cec7f1256c29c6805ffd1e0e2643318e7bfe447089317a3ae117fc762c3cb20cc08bcbd92435592a16b47a1999fd84e20f7f3734319d4dba186a0c28e9323079

  • C:\Windows\rundl132.exe

    Filesize

    33KB

    MD5

    f1042a7378ce88282deb18ef35670908

    SHA1

    818edb3673dc52f46cf7fb5b82b6e47101b91038

    SHA256

    55a0d9ff019371432587496f3ce7228def8bd7b6d5365f883663afa1af7348cb

    SHA512

    cec7f1256c29c6805ffd1e0e2643318e7bfe447089317a3ae117fc762c3cb20cc08bcbd92435592a16b47a1999fd84e20f7f3734319d4dba186a0c28e9323079

  • memory/1512-132-0x0000000000400000-0x000000000043F000-memory.dmp

    Filesize

    252KB

  • memory/1512-138-0x0000000000400000-0x000000000043F000-memory.dmp

    Filesize

    252KB

  • memory/4016-146-0x0000000000400000-0x000000000043F000-memory.dmp

    Filesize

    252KB

  • memory/4016-150-0x0000000000400000-0x000000000043F000-memory.dmp

    Filesize

    252KB