Analysis

  • max time kernel
    150s
  • max time network
    103s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    05/05/2024, 14:24

General

  • Target

    c35269f7174fca4d6c47d66f7ab60fc0f4f401b91caaca17b3c637fad3ed4c82.exe

  • Size

    33KB

  • MD5

    0d20f038ad62ff6b5fd30ce3ea460037

  • SHA1

    1a654b3d6703c1e9aab6f420ee722184179558b7

  • SHA256

    c35269f7174fca4d6c47d66f7ab60fc0f4f401b91caaca17b3c637fad3ed4c82

  • SHA512

    e15973fd11e948fffa2e93296070c4c90b459b869e2548e37d02add2a948f0a6b4aa84c35ee971eb994a5187f114dbccfce2efbbaf981afd1a0e47b2aa5f5689

  • SSDEEP

    768:PksElOIEvzMXqtwp/lttaL7HP4wIncLRdR5kP78a0RJW/a:PksaYzMXqtGNttyUn01Q78a4R

Score
8/10

Malware Config

Signatures

  • Drops file in Drivers directory 1 IoCs
  • Drops startup file 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 60 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3456
      • C:\Users\Admin\AppData\Local\Temp\c35269f7174fca4d6c47d66f7ab60fc0f4f401b91caaca17b3c637fad3ed4c82.exe
        "C:\Users\Admin\AppData\Local\Temp\c35269f7174fca4d6c47d66f7ab60fc0f4f401b91caaca17b3c637fad3ed4c82.exe"
        2⤵
        • Drops file in Drivers directory
        • Drops startup file
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1532
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:3164
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:1412
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:2620
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              4⤵
                PID:3156

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe
    Filesize: 251KB
    MD5: 8c30e30b5de6968f9d11f6f74b7d0262
    SHA1: 1cccd37fc860bb20dbbf9cef8d0155dec1f9441a
    SHA256: 5d3a6635eb7b18ba1ebe8620fc07c4155a2e805ec6191f443081e910a63db289
    SHA512: cb014558922cf37a1990acb6e804490e44a4c8cbf4f0b9cab7aa50e31a785ecb5b9e755abf1519b968a3fc14ecbadc3177cc3ec2bf7dd8acf885f368f9f1f693

  • C:\Program Files\dotnet\dotnet.exe
    Filesize: 177KB
    MD5: 96addb85106405af15ece12c052c703a
    SHA1: ea6fb9a6a82dae53eedb2af992d8094d0a4151a0
    SHA256: 52fa672295f42cfc4ab195215d0204b602c2200a358a5396d70abce31b085580
    SHA512: 49239018aabd9796c042d12af67d6d1311fba980d97e2635c2ee8ba3135e75d63390a5b180574f902da7c1ac991d846189f5366b933913407b7fa636804c441e

  • C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
    Filesize: 643KB
    MD5: 635e9422a0a86f5c7ac989802b0ac448
    SHA1: 3ea9cc1462b063639526a8d278b571f38b846d1d
    SHA256: a97d8545a6204abf1a179f2098ca8780e92f4448c7a03e62f6c32e8e5e5cb17f
    SHA512: 857c6d683fe1f7a6757420c84efc4f7f48f58e586e601c969ce27e4ded8cad6ca774ef367a1a1e075081c4e2d41f8cdda558fddf5622e062975cfeff5a929133

  • F:\$RECYCLE.BIN\S-1-5-21-2818691465-3043947619-2475182763-1000\_desktop.ini
    Filesize: 8B
    MD5: 1b16d2dbd4281ce4e4e5729c608dcb0b
    SHA1: 851e624080ba5598edb808d4b30fe2d74999ce18
    SHA256: c9e46fb51d0588ca1e48ca66731e11992770b9b74a982f9bdbb6ce5b5b75d549
    SHA512: cd1c4cf7c7871cb48ce735226b25f689b340037e6c992441e566161de7fca7410762d1a0c2670ee4b6546f7ee854d3219e0e2315c3e0387d9bbe3f08076b5a59

  • memory/1532-0-0x0000000000400000-0x000000000043E000-memory.dmp
    Filesize: 248KB

  • memory/1532-5-0x0000000000400000-0x000000000043E000-memory.dmp
    Filesize: 248KB

  • memory/1532-5169-0x0000000000400000-0x000000000043E000-memory.dmp
    Filesize: 248KB

  • memory/1532-8719-0x0000000000400000-0x000000000043E000-memory.dmp
    Filesize: 248KB