Overview

overview

7

Static

static

3

c0c87e144e...02.exe

windows7-x64

7

c0c87e144e...02.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13-05-2024 15:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c0c87e144efbc0524ce47cd0d8ff331fec468f1314e5c74f7bbf9096eb10c602.exe

  • Size

    47KB

  • MD5

    7719bbc1959cc7a434f835d3385e4a86

  • SHA1

    616c15354877c0fbae08eddb999ad257bdcf52a7

  • SHA256

    c0c87e144efbc0524ce47cd0d8ff331fec468f1314e5c74f7bbf9096eb10c602

  • SHA512

    796850fe98045f862efa4df9b5a96201f30b3c93a87e4298678f281ff41a2aed94c7512cfa718c463a403b03c07224e5f62fc995e5d9c6b815d5cc5db65e9d99

  • SSDEEP

    768:/WPcTO5RroZJ76739sBWsNscWlM3dN9N3ZjfPPELqYJUukGdKETL4Ibq:/iSe+Zk78NR3dN5nPEhXRTlq

Score
7/10
spywarestealer

Malware Config

Signatures

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3500
      • C:\Users\Admin\AppData\Local\Temp\c0c87e144efbc0524ce47cd0d8ff331fec468f1314e5c74f7bbf9096eb10c602.exe
        "C:\Users\Admin\AppData\Local\Temp\c0c87e144efbc0524ce47cd0d8ff331fec468f1314e5c74f7bbf9096eb10c602.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1940
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:4892
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:3868
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4362.bat
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:5048
            • C:\Users\Admin\AppData\Local\Temp\c0c87e144efbc0524ce47cd0d8ff331fec468f1314e5c74f7bbf9096eb10c602.exe
              "C:\Users\Admin\AppData\Local\Temp\c0c87e144efbc0524ce47cd0d8ff331fec468f1314e5c74f7bbf9096eb10c602.exe"
              4⤵
              • Executes dropped EXE
              PID:3044
          • C:\Windows\Logo1_.exe
            C:\Windows\Logo1_.exe
            3⤵
            • Drops startup file
            • Executes dropped EXE
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:4880
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:1900
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:3604
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:4572
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:3804

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files\7-Zip\7z.exe
            Filesize

            577KB

            MD5

            56dff40d6b9bd9c0faa93c001703a62a

            SHA1

            5382f5e3cb2a4a1d952a1a352383b042dba9ce70

            SHA256

            fcdedf720a1d38c2626c8c6541644ceab2fe9fde50fbfa5a9665a1cc6a45091e

            SHA512

            6b239e3df43002e5443a072f3e92f3d1f076ffa1fa51bff2ea0534d2e75febc86a0089f4c9f5797a28ec288a6273128229095cc08230a3f9d352abb19f8acebd

            Download Submit

          • C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
            Filesize

            643KB

            MD5

            b06c23c388c6c6a3219fdaf5efaabccf

            SHA1

            ada13c3c4449d222de774ebd037078ba31d33cd2

            SHA256

            8efeb8be3a4ae59e4106e6c1d9e122d8ecb84b71cf01796f27d94ecfe80e0809

            SHA512

            aefc2fbbf660ee465ac7f174ab8f3de242c352d473a02ee96214d29a5e854e88c7ad842685bdb81698c8d51e0b597d7379c3a039e704839be748fe96a68c23b9

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\$$a4362.bat
            Filesize

            722B

            MD5

            2429c3ffa73d0ae00ee36401871bd87d

            SHA1

            eb468cfb5142f49cee1549737f368d7595710a80

            SHA256

            10f0c2e03244f6903772a218645dced377137301982821f7d26dc42e8825117b

            SHA512

            c0b18234166132e229fbfa7c8acf30466b0bdb588319af76222bcc81b0ce57e8c427d3856247fb7b975efbdc1b6abd3c0ce3bea08e8a11a8e66976397344766c

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\c0c87e144efbc0524ce47cd0d8ff331fec468f1314e5c74f7bbf9096eb10c602.exe.exe
            Filesize

            14KB

            MD5

            dc6311fbfd49f41fbf35860a30e68355

            SHA1

            b08b15be412e843acaf7ad5e6df0ef1e8bdb465c

            SHA256

            ffdf81680522029c2eb578a9f442fd9692900a5c782c711e35203fb2d25620ba

            SHA512

            5e2938f5a8396154928a7d093db3843d73497cea4f49c0f1b77e3aac6e29d1db7f0ad4518587c336f0dfccb67ff33aac8e12afa70503504c5d8d46d12a86e453

            Download Submit

          • C:\Windows\Logo1_.exe
            Filesize

            33KB

            MD5

            f45e6c5efcb60796280b160b181a07dc

            SHA1

            8d175dae2c97edaedeb1693ab2f1b4a9b9d981d4

            SHA256

            7447829ed8519dd4ee03c37defff6d9c5f2bf06e2ae605da9efece0c495f5844

            SHA512

            1165d2d74f5a0dddd6d99f320c4563a1625da3b8125243baee289ce747c1665766e8dcdd6ae259e11efff5b27e572a8f432c3a85260d677874c7e1dbbcf5d088

            Download Submit

          • F:\$RECYCLE.BIN\S-1-5-21-540404634-651139247-2967210625-1000\_desktop.ini
            Filesize

            9B

            MD5

            392ab9dcf5a9daf53626ea1f2e61d0b9

            SHA1

            0a2cdc7f8f9edf33f9fde3f8b90e0020190c8fb7

            SHA256

            9bbc94aad502d7d7a7f502ddb9cbd93b1c89eff13e445971c94ac09215ada67d

            SHA512

            5d1fea63a7793a65dc63c32cfe3ab2e1af941ded8e760f08fbe991e5b30433f86f920d717235a635020740c8f6f7996b4b8e8147e331b29141fcbb7bdc68144d

            Download Submit

          • memory/1940-0-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/1940-10-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/4880-11-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/4880-18-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/4880-5220-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/4880-8703-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download