Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    07-04-2024 19:58

General

  • Target

    9a4e9e734733ef52767bbadc94a028cb5785703e42027aebbaea9416acdf6f51.exe

  • Size

    130KB

  • MD5

    9bd6a8b6a72d058386cca6728c19b40d

  • SHA1

    722164902147c79a9988f1d6c84849eece0d3c77

  • SHA256

    9a4e9e734733ef52767bbadc94a028cb5785703e42027aebbaea9416acdf6f51

  • SHA512

    169d130b922d07abdb710c1ba3f136727e0773568ff5c0e54f9b1303c6b7c5af7d5ca857b4117469b9a640c502c27846c9fd39ebcf91a4621016152b47be3ddd

  • SSDEEP

    3072:PVaY46tGNttyJQ7KRHvgmJAIlwPxX/ZWOFrb:346tGdyuvI+PxBWOFn

Score
8/10

Malware Config

Signatures

  • Drops file in Drivers directory 2 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive user data.

  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3484
      • C:\Users\Admin\AppData\Local\Temp\9a4e9e734733ef52767bbadc94a028cb5785703e42027aebbaea9416acdf6f51.exe
        "C:\Users\Admin\AppData\Local\Temp\9a4e9e734733ef52767bbadc94a028cb5785703e42027aebbaea9416acdf6f51.exe"
        2⤵
        • Drops file in Drivers directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:4068
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1920
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:5028
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7167.bat
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:4736
            • C:\Users\Admin\AppData\Local\Temp\9a4e9e734733ef52767bbadc94a028cb5785703e42027aebbaea9416acdf6f51.exe
              "C:\Users\Admin\AppData\Local\Temp\9a4e9e734733ef52767bbadc94a028cb5785703e42027aebbaea9416acdf6f51.exe"
              4⤵
              • Executes dropped EXE
              • Suspicious use of SetWindowsHookEx
              PID:4316
          • C:\Windows\Logo1_.exe
            C:\Windows\Logo1_.exe
            3⤵
            • Drops file in Drivers directory
            • Drops startup file
            • Executes dropped EXE
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:5040
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:2476
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:2032
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:2404
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:704
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4100 --field-trial-handle=2588,i,14229658658073991926,6938034815163866135,262144 --variations-seed-version /prefetch:8
            1⤵
              PID:3892
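            The process tree above shows three behaviours worth turning into detection logic: `net`/`net1 stop` against an antivirus service, `cmd.exe /c` running a batch file from `%TEMP%`, and an executable (`Logo1_.exe`) running directly from `C:\Windows` rather than a system subdirectory. The script below is an added example, not part of the sandbox report: it runs those three rules over constructed process-creation records that mirror the tree (PIDs, images and command lines copied from it, plus two benign events added as negatives), then walks parent links so every hit is attributed to the process that started the chain. The record layout, the antivirus keyword list and the Windows-root allowlist are assumptions for the example, not a vendor schema.

```python
"""Detection rules for the process chain in this report (added example)."""
import ntpath
import re
from dataclasses import dataclass

SAMPLE = "9a4e9e734733ef52767bbadc94a028cb5785703e42027aebbaea9416acdf6f51.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"


@dataclass(frozen=True)
class ProcEvent:
    """Simplified process-creation record (assumed layout, roughly Sysmon event 1)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed events mirroring the report's tree; last two are benign negatives.
EVENTS = [
    ProcEvent(3484, 0, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    ProcEvent(4068, 3484, TEMP + "\\" + SAMPLE, f'"{TEMP}\\{SAMPLE}"'),
    ProcEvent(1920, 4068, r"C:\Windows\SysWOW64\net.exe", 'net stop "Kingsoft AntiVirus Service"'),
    ProcEvent(5028, 1920, r"C:\Windows\SysWOW64\net1.exe",
              r'C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"'),
    ProcEvent(4736, 4068, r"C:\Windows\SysWOW64\cmd.exe",
              r"C:\Windows\system32\cmd.exe /c " + TEMP + r"\$$a7167.bat"),
    ProcEvent(4316, 4736, TEMP + "\\" + SAMPLE, f'"{TEMP}\\{SAMPLE}"'),
    ProcEvent(5040, 4068, r"C:\Windows\Logo1_.exe", r"C:\Windows\Logo1_.exe"),
    ProcEvent(2476, 5040, r"C:\Windows\SysWOW64\net.exe", 'net stop "Kingsoft AntiVirus Service"'),
    ProcEvent(7001, 3484, r"C:\Windows\regedit.exe", r"C:\Windows\regedit.exe"),  # benign
    ProcEvent(7002, 3484, r"C:\Windows\System32\net.exe", "net stop Spooler"),  # benign
]

AV_SERVICE_HINTS = ("antivirus", "anti-virus", "defender", "security")  # assumption
SERVICE_STOP_RE = re.compile(r'\bstop\s+"?([^"]+?)"?\s*$', re.IGNORECASE)
TEMP_BAT_RE = re.compile(r'/c\s+"?([^"\s]+\\AppData\\Local\\Temp\\[^"\s]+\.bat)"?', re.IGNORECASE)
WINDOWS_ROOT_ALLOWLIST = {"explorer.exe", "notepad.exe", "regedit.exe", "hh.exe",
                          "write.exe", "winhlp32.exe", "splwow64.exe"}  # assumption
LAUNCHERS = {"explorer.exe", "services.exe", "userinit.exe", "svchost.exe"}


def basename(path: str) -> str:
    return ntpath.basename(path).lower()


def is_av_service_stop(ev: ProcEvent) -> bool:
    """net/net1/sc stopping a service whose name looks like a security product."""
    if basename(ev.image) not in ("net.exe", "net1.exe", "sc.exe"):
        return False
    m = SERVICE_STOP_RE.search(ev.cmdline)
    return bool(m) and any(h in m.group(1).lower() for h in AV_SERVICE_HINTS)


def is_temp_batch_launch(ev: ProcEvent) -> bool:
    """cmd.exe /c <something>.bat located under a user's AppData\\Local\\Temp."""
    return basename(ev.image) == "cmd.exe" and bool(TEMP_BAT_RE.search(ev.cmdline))


def is_unexpected_windows_root_exe(ev: ProcEvent) -> bool:
    """An .exe whose directory is exactly C:\\Windows and that is not a known resident."""
    head, tail = ntpath.split(ev.image)
    return (head.lower() == r"c:\windows" and tail.lower().endswith(".exe")
            and tail.lower() not in WINDOWS_ROOT_ALLOWLIST)


RULES = {
    "av_service_stop": is_av_service_stop,
    "temp_batch_launch": is_temp_batch_launch,
    "unexpected_windows_root_exe": is_unexpected_windows_root_exe,
}


def origin(pid: int, by_pid: dict) -> int:
    """Walk ppid links up to the first process not started by a shell/launcher."""
    seen = set()
    while pid not in seen:
        seen.add(pid)
        parent = by_pid.get(by_pid[pid].ppid) if pid in by_pid else None
        if parent is None or basename(parent.image) in LAUNCHERS:
            return pid
        pid = parent.pid
    return pid


def detect(events):
    """Return (rule, pid, origin_pid) for every event that fires a rule."""
    by_pid = {e.pid: e for e in events}
    return [(name, ev.pid, origin(ev.pid, by_pid))
            for ev in events for name, rule in RULES.items() if rule(ev)]


def suspicious_origins(events, min_rules: int = 2):
    """Origin PIDs whose subtree fired at least min_rules distinct rules."""
    rules_by_origin = {}
    for name, _pid, org in detect(events):
        rules_by_origin.setdefault(org, set()).add(name)
    return sorted(o for o, names in rules_by_origin.items() if len(names) >= min_rules)


if __name__ == "__main__":
    for hit in detect(EVENTS):
        print(hit)
    print("chains to investigate:", suspicious_origins(EVENTS))
```

            Correlating by origin matters more than any single rule: `net stop` of a third-party service or a batch file in `%TEMP%` each occur benignly, but the same root process doing both and spawning an executable from `C:\Windows` is the pattern this report shows. On real telemetry the two benign events above should produce no hits, and the whole chain should collapse to one origin, the dropper's PID.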

            Network

            MITRE ATT&CK Enterprise v15

            Downloads

            • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

              Filesize

              258KB

              MD5

              196e80c6461b51a75560df3e57cfbd9a

              SHA1

              3dd1bb9835e97f093efe4ffd8c078d8fa3d4ef7f

              SHA256

              dee2cf210ee5f75549462b7cb03674155eb011190c77e332d53edcf655bcc237

              SHA512

              00a3d357b589b85a644c78558fd8eff80832cec119f8d4976f7248ce2521dbe331078129ec35af26ec18d182daad55812e3d57f2f9b73615762a37ac2fc15798

            • C:\Program Files\7-Zip\7z.exe

              Filesize

              577KB

              MD5

              52b929e3308c6c5cf1e9366799ba774d

              SHA1

              73367e44a6aeb30f38c053492485ccc88f3f96b9

              SHA256

              1371f108190c128f882a8babd65e575855c16a158530163f97d4aaec08204a3a

              SHA512

              074eb6f7224979654bf1f5239a9b46a4a30ce8a17c3e47b3f38902cffdbb4c394facbe948d6b0b7f99077483708f8bc03aa40fb1ddba2c18033d52719ac47baa

            • C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe

              Filesize

              488KB

              MD5

              15137620fba9c2013dfa9107be4321d5

              SHA1

              31c790632ae19274fc2ed7e1615458324bc199bd

              SHA256

              37cf90de70064c0ecf765ae35e8b0cf412c90cca2aaa2513cfba95b408b4e604

              SHA512

              e2cbb59ec77cb009bf1b0d8d398c0898e65380858d33afb58e6ffc762842526f097d112369200cda95f015f5aa75e5af88810e2f2e174e0d1600cb6ec22a77e3

            • C:\Users\Admin\AppData\Local\Temp\$$a7167.bat

              Filesize

              722B

              MD5

              310b1e3973a3d4326f9b75ee0c2847ad

              SHA1

              072a3dc4ab9f97ca45f625197cf874bc44689d3a

              SHA256

              bad59992bd05c689a5980b8dd7e9df0eac6315039e7f8240955bdb41d26651f6

              SHA512

              ca3d8c1a7faca9a640b5c5b13fe08272d47b484c144663ecb2c61648095b9d0fe52002148fb7036f61f16e63d68e3ca6cec5a34eed05f7b0d9cc1219f692756a

            • C:\Users\Admin\AppData\Local\Temp\9a4e9e734733ef52767bbadc94a028cb5785703e42027aebbaea9416acdf6f51.exe.exe

              Filesize

              97KB

              MD5

              713a30695b671b6e3b19b7d09f9d8409

              SHA1

              83916537c86d7dc1043c752f195f04fa42813afe

              SHA256

              6b42e2e9822b99f5f13a6d1f639fa64cc93001266ceb7a7d342da1bce84d5c08

              SHA512

              a450c691e0c8d16519b418b366a260360a57e8511c6975f2e3029c41f30a68d83448126c3d57c9fb36b3a44e839d4bbcaa73e0adfe305a71e04def2fd990cbf7

            • C:\Windows\Logo1_.exe

              Filesize

              33KB

              MD5

              0e8792b58f9237e03516447b7048d63c

              SHA1

              6f28494f0766ee470bbced1fe79fb10e5fee8252

              SHA256

              7e4e7447ce04580a3af3a9bf90810712d6daebc0ced6c6856eae22771ac50956

              SHA512

              6b935debde1916d7b1f2239ac3534c1f1585406c0d5f1060fdb356253cfab2fe9c716fd7ad05f20b9b3bb222307f15ae1b88e9062c7282d570b523150364e8a5

            • C:\Windows\system32\drivers\etc\hosts

              Filesize

              842B

              MD5

              6f4adf207ef402d9ef40c6aa52ffd245

              SHA1

              4b05b495619c643f02e278dede8f5b1392555a57

              SHA256

              d9704dab05e988be3e5e7b7c020bb9814906d11bb9c31ad80d4ed1316f6bc94e

              SHA512

              a6306bd200a26ea78192ae5b00cc49cfab3fba025fe7233709a4e62db0f9ed60030dce22b34afe57aad86a098c9a8c44e080cedc43227cb87ef4690baec35b47

            • F:\$RECYCLE.BIN\S-1-5-21-1904519900-954640453-4250331663-1000\_desktop.ini

              Filesize

              8B

              MD5

              331b730a7f1adbf1f0bc05e0c610f0f1

              SHA1

              2f2283f84f040fbd4ecf99055026b70bb3b732ec

              SHA256

              2d3dbb80989e5cc7ef9ef800cc986bb8dccf4ca1f78437040bccd59312a55593

              SHA512

              16790117c382e66c8af2932ed0c37229ae5ee6b8bbaa8bd4e3f9afed6e07cd89c5807c81145f19f561ab714d844826cf6099a6dc97d84fa3f9da5e763bcc78c4

            • memory/4068-9-0x0000000000400000-0x000000000043E000-memory.dmp

              Filesize

              248KB

            • memory/4068-0-0x0000000000400000-0x000000000043E000-memory.dmp

              Filesize

              248KB

            • memory/4316-18-0x00000000021A0000-0x00000000021A1000-memory.dmp

              Filesize

              4KB

            • memory/4316-22-0x00000000021A0000-0x00000000021A1000-memory.dmp

              Filesize

              4KB

            • memory/5040-20-0x0000000000400000-0x000000000043E000-memory.dmp

              Filesize

              248KB

            • memory/5040-2772-0x0000000000400000-0x000000000043E000-memory.dmp

              Filesize

              248KB

            • memory/5040-395-0x0000000000400000-0x000000000043E000-memory.dmp

              Filesize

              248KB

            • memory/5040-11-0x0000000000400000-0x000000000043E000-memory.dmp

              Filesize

              248KB

            • memory/5040-5817-0x0000000000400000-0x000000000043E000-memory.dmp

              Filesize

              248KB

            • memory/5040-8606-0x0000000000400000-0x000000000043E000-memory.dmp

              Filesize

              248KB

            • memory/5040-8965-0x0000000000400000-0x000000000043E000-memory.dmp

              Filesize

              248KB
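
            The Downloads list records existing executables under Program Files (7z.exe, GoogleUpdateCore.exe, vcredist_x86.exe) being rewritten, and the hosts file replaced. On an affected host the two checks a responder would run are to rehash executables against a known-good baseline and to list every live (non-comment) hosts entry, since the stock Windows hosts file contains only comment lines. The script below is an added example, not part of the report: the directory tree, baseline, "infection" (a prepended marker standing in for whatever the real sample writes) and hosts content are all constructed so it runs offline, and none of the hashes it produces are the report's.

```python
"""Post-infection integrity checks for the artifacts in this report (added example)."""
import hashlib
import tempfile
from pathlib import Path

EXECUTABLE_SUFFIXES = (".exe", ".dll")
INFECTION_MARKER = b"CONSTRUCTED-PREPENDED-STUB"  # assumption, not the sample's marker


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Relative path -> SHA-256 for every executable under root (taken on a clean host)."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*"))
            if p.is_file() and p.suffix.lower() in EXECUTABLE_SUFFIXES}


def verify(root: Path, baseline: dict) -> dict:
    """Compare the current tree with the baseline: modified, missing and new executables."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "missing": sorted(k for k in baseline if k not in current),
        "new": sorted(k for k in current if k not in baseline),
    }


def active_hosts_entries(text: str) -> list:
    """(ip, hostname) pairs that are live; comments and blank lines are ignored."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        entries.extend((parts[0], host) for host in parts[1:])
    return entries


# Constructed stand-ins for the Program Files paths named in the report.
CONSTRUCTED_FILES = {
    ("7-Zip", "7z.exe"): b"MZ constructed 7-zip body",
    ("Google", "Update", "1.3.36.151", "GoogleUpdateCore.exe"): b"MZ constructed updater body",
    ("Vendor", "readme.txt"): b"not an executable, ignored by the scan",
}

# Constructed hosts content: an abbreviated stock header plus one live entry.
CONSTRUCTED_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
# localhost name resolution is handled within DNS itself.
#\t127.0.0.1       localhost
#\t::1             localhost
127.0.0.1   update.example.com   # constructed entry, not from the report
"""


def demo() -> dict:
    """Build a clean tree, baseline it, then tamper with it the way the report shows."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for parts, body in CONSTRUCTED_FILES.items():
            p = root.joinpath(*parts)
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(body)
        baseline = build_baseline(root)
        target = root / "7-Zip" / "7z.exe"
        target.write_bytes(INFECTION_MARKER + target.read_bytes())  # rewritten executable
        (root / "Dropped.exe").write_bytes(b"MZ constructed dropped file")  # new executable
        return verify(root, baseline)


if __name__ == "__main__":
    print(demo())
    print(active_hosts_entries(CONSTRUCTED_HOSTS))
```

            A baseline only helps if it was captured before the incident (from a golden image or a package manifest); hashing an already-infected tree and comparing it to itself proves nothing. The hosts check is deliberately simple: on a machine nobody has administratively edited, any live entry is worth a look, and entries pointing vendor update or security domains at loopback are the ones to treat as hostile.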