Analysis

  • max time kernel: 149s
  • max time network: 121s
  • platform: windows7_x64
  • resource: win7-20240221-en
  • resource tags: arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
  • submitted: 16-04-2024 12:08

General

  • Target: d44aae4258e4a38f14dc3a85f92af5d543c87ee1635fca63c4d4dbc0a5cc669c.exe
  • Size: 76KB
  • MD5: e07b751df71c59e42caa061542fa043c
  • SHA1: f2ef0ab1f49fd619212a5fdb8278d1e81ea1c137
  • SHA256: d44aae4258e4a38f14dc3a85f92af5d543c87ee1635fca63c4d4dbc0a5cc669c
  • SHA512: 9a3b2d1cd357e6a3393bc626fea3ce01f0063c6ff09a37bee9bfa10d0c1770d6683e81a0c2d6b65efd66df3ce37ae00f2b20a30712c66248c50bfa0aeb938ea5
  • SSDEEP: 1536:Are+Zk7qzUJBC2KsgSMcJziXriw+d9bHrkT5gUHz7FxtJ:Are+aezUa6pBiXrBkfkT5xHzD

Score: 7/10
Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 43 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1244
      • C:\Users\Admin\AppData\Local\Temp\d44aae4258e4a38f14dc3a85f92af5d543c87ee1635fca63c4d4dbc0a5cc669c.exe
        "C:\Users\Admin\AppData\Local\Temp\d44aae4258e4a38f14dc3a85f92af5d543c87ee1635fca63c4d4dbc0a5cc669c.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1540
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2024
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:2152
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c C:\Users\Admin\AppData\Local\Temp\$$a6E4D.bat
            3⤵
            • Deletes itself
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:2624
            • C:\Users\Admin\AppData\Local\Temp\d44aae4258e4a38f14dc3a85f92af5d543c87ee1635fca63c4d4dbc0a5cc669c.exe
              "C:\Users\Admin\AppData\Local\Temp\d44aae4258e4a38f14dc3a85f92af5d543c87ee1635fca63c4d4dbc0a5cc669c.exe"
              4⤵
              • Executes dropped EXE
              PID:2844
          • C:\Windows\Logo1_.exe
            C:\Windows\Logo1_.exe
            3⤵
            • Executes dropped EXE
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:2560
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:2584
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:2728
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:1712
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:2520

Downloads

  • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
    Filesize: 264KB
    MD5: 398a7064313570d5e852fb87febbf03f
    SHA1: 117d0ca007b73a8c7115f8880f54540e37ff7490
    SHA256: 30429016be8ea9e22585980572b4b2af1ddabb9cba93e9222a231f4d95353751
    SHA512: e96c03db73e0b3d86b6a51fcc20f4b131116b1c2a649030b8f13d60d207944bd4ec1fe734c32e3f390d454dad3f6ad780ff52209c56852cc4456559102f01c80

  • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
    Filesize: 484KB
    MD5: ed07588854ba117151a141b0a96bda37
    SHA1: 78c58f4e85e9d9d4e39c230f1354e183f87bdd9e
    SHA256: fb97be2678ad28fef1f9f5a651fe12123ebea998adbb7f96b7073612990aa7d8
    SHA512: 45487252c6da9155a3a017c5030425e80dc6fb44d88efd470179f4c9b5b7e91d0785be70d458c5c64247abf2763e514bf07989608f9307084306e65f3d76f579

  • C:\Users\Admin\AppData\Local\Temp\$$a6E4D.bat
    Filesize: 722B
    MD5: bc074d0f0a92d33e91bad5105f8780e8
    SHA1: 2a89d8a1e68f714de4547bee64a869b413b87562
    SHA256: 29ca0a9809a4689a29b8a8219d1cbaca6acfebd013c7656e9a263fc0caeffd95
    SHA512: b3f8ec865f9c8e594136b59e5ff20b8bcd4fd33fb0860c084c117532b49f22f3756dc24fdcdbafb66322cc9b8cbd41cdea7b3f3cb8a748cad825eb25447a5181

  • C:\Users\Admin\AppData\Local\Temp\d44aae4258e4a38f14dc3a85f92af5d543c87ee1635fca63c4d4dbc0a5cc669c.exe.exe
    Filesize: 36KB
    MD5: 9f498971cbe636662f3d210747d619e1
    SHA1: 44b8e2732fa1e2f204fc70eaa1cb406616250085
    SHA256: 8adf6748981c3e7b62f5dbca992be6675574fffbce7673743f2d7fe787d56a41
    SHA512: b73083c2f7b028d2946cb8f7b4fe2289fedaa4175364a2aac37db0aeff4602aede772ccc9eba7e6dcfcb7276e52604ca45d8021952201b5834485b48bca3dc93

  • C:\Windows\Logo1_.exe
    Filesize: 39KB
    MD5: 0209d825c40705a1752ceecc4fe453c6
    SHA1: 875b45703ab4a4f9b7b13c16277b235d43f075ef
    SHA256: 0fbeb3b115479ea9f34e86e511238d235b942922660740d37e9f249b4e3fdf1e
    SHA512: b88b1ba93382a3a6fe4253a0c8fe69baa02a0c0dd74b2e6c79d7688f5c16be144676bb7bd3e061be96603148738845fddd05bbd4782d3abcb0bf495c1c96aa40

  • F:\$RECYCLE.BIN\S-1-5-21-330940541-141609230-1670313778-1000\_desktop.ini
    Filesize: 9B
    MD5: 02ced53ce3f5b175c3bbec378047e7a7
    SHA1: dafdf07efa697ec99b3d7b9f7512439a52ea618d
    SHA256: 485bb2341321a2837fd015a36963ea549c7c6f40985e165fd56c8a1e89b3f331
    SHA512: 669dde3ea8628704d40681a7f8974cf52985385c92a61a540c97c18c13eb4d451207ae171b2a56cd061cadbc90e672a84eb55111b1f5016846918d73fb075c99

  • memory/1244-28-0x0000000002B50000-0x0000000002B51000-memory.dmp
    Filesize: 4KB

  • memory/1540-0-0x0000000000400000-0x000000000043D000-memory.dmp
    Filesize: 244KB

  • memory/1540-15-0x0000000000400000-0x000000000043D000-memory.dmp
    Filesize: 244KB

  • memory/1540-16-0x00000000003C0000-0x00000000003FD000-memory.dmp
    Filesize: 244KB

  • memory/1540-19-0x00000000003C0000-0x00000000003FD000-memory.dmp
    Filesize: 244KB

  • memory/2560-20-0x0000000000400000-0x000000000043D000-memory.dmp
    Filesize: 244KB

  • memory/2560-32-0x0000000000400000-0x000000000043D000-memory.dmp
    Filesize: 244KB

  • memory/2560-1100-0x0000000000400000-0x000000000043D000-memory.dmp
    Filesize: 244KB

  • memory/2560-3422-0x0000000000400000-0x000000000043D000-memory.dmp
    Filesize: 244KB

  • memory/2560-4081-0x0000000000400000-0x000000000043D000-memory.dmp
    Filesize: 244KB