Analysis

  • max time kernel
    150s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    07-04-2024 19:58

General

  • Target

    1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe

  • Size

    33KB

  • MD5

    b59d8960d516dd1c8af90e16e9b32606

  • SHA1

    324f6305151e613b528ec016c57d4fb17d6c2743

  • SHA256

    1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35

  • SHA512

    07d576132e937b630b066b16b45ae4ebe7b4b7c941b774c61423a32d03a8e11709929f1b837ef08378e1502deed0abeb49e6523f728a32f303ae8976d61a6b78

  • SSDEEP

    768:AZZZZZZZZZZZZZZHO5RroZJ767395uINH2iTQKvFrQ2XKxgkQe:ADe+Zk77RNH2iT919XKKkQe

Score
7/10

Malware Config

Signatures

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 30 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1204
      • C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe
        "C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe"
        2⤵
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1044
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2372
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:2608
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:1200
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              4⤵
                PID:2624

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

          Filesize

          258KB

          MD5

          283f68a6ebd27193167b0d393e0854c1

          SHA1

          69e7e2be3615cda7f36ea083f8a0ab7bee51bdbf

          SHA256

          1ea60a85ed4901ceb24b582d53251a8a4565fe7baa5fa3b61bdbdd8152bd93bf

          SHA512

          2ab41536a69db38af5ec16f82bf633eec88797733654bdee5c3ec098839806106934e67f9390c1c4b5702094ae7ba6adf32896a4c7d4d095c3b2d2c8559d6350

        • C:\Program Files\7-Zip\7zG.exe

          Filesize

          717KB

          MD5

          a54a6af3da296876302cc37eb781bad5

          SHA1

          5176268af0a0acf3108cf41ada70051115ab073d

          SHA256

          dae65a4be9e5c6e874a11208bf59de285f314beb0d1e5097192fa768ddeb085b

          SHA512

          f8edceab7769f98d540466ab6beaa136ae15f976960eb5166c4c18da568128761b9de915f978ad31b935b12fb9434222102a013ccaa0851b11262cefa1a95f5a

        • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

          Filesize

          478KB

          MD5

          1e8cb3f8c1780c774b7d6fc122826f12

          SHA1

          475708a1f29a9529d3d471a2cea5c64513ab4128

          SHA256

          65f0e48a590681fd14bf38dbbf806d91d1c8db9c6a90399e7082c4073472d206

          SHA512

          fe2689bbf2605cc654553e8ea014cb415bed633958011742c326edfb9bf8aaeb8d72ed0ccc28f27ed470307e11ed2c2149f662dbc54d415657a2a2dd179cb139

        • F:\$RECYCLE.BIN\S-1-5-21-406356229-2805545415-1236085040-1000\_desktop.ini

          Filesize

          8B

          MD5

          331b730a7f1adbf1f0bc05e0c610f0f1

          SHA1

          2f2283f84f040fbd4ecf99055026b70bb3b732ec

          SHA256

          2d3dbb80989e5cc7ef9ef800cc986bb8dccf4ca1f78437040bccd59312a55593

          SHA512

          16790117c382e66c8af2932ed0c37229ae5ee6b8bbaa8bd4e3f9afed6e07cd89c5807c81145f19f561ab714d844826cf6099a6dc97d84fa3f9da5e763bcc78c4

        • memory/1044-0-0x0000000000400000-0x000000000043F000-memory.dmp

          Filesize

          252KB

        • memory/1044-7-0x0000000000400000-0x000000000043F000-memory.dmp

          Filesize

          252KB

        • memory/1044-1743-0x0000000000400000-0x000000000043F000-memory.dmp

          Filesize

          252KB

        • memory/1044-3966-0x0000000000400000-0x000000000043F000-memory.dmp

          Filesize

          252KB

        • memory/1044-4063-0x0000000000400000-0x000000000043F000-memory.dmp

          Filesize

          252KB

        • memory/1204-3-0x00000000029F0000-0x00000000029F1000-memory.dmp

          Filesize

          4KB