Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    15/05/2024, 11:15

General

  • Target
    29afbc7ec19c6c69386a4caf31c13dc18cf6932a58ff367185ef9d3edbf0dbfb.exe
  • Size
    5.7MB
  • MD5
    ee55149d71e222c0777d33707bcddf95
  • SHA1
    3b70b64ebd8361e3ab9e4fa8b109a96f9a7e998f
  • SHA256
    29afbc7ec19c6c69386a4caf31c13dc18cf6932a58ff367185ef9d3edbf0dbfb
  • SHA512
    04a87aea91e310e4e7cf07aa3e7fb36b4b40d2e439c310055ae4cb64e133c84e22225f19c56227240c32781de0b63acfb2f472c7266b5c91ae96f7ec8958322e
  • SSDEEP
    49152:ZlPv94AEsKU8ggw1g+1CART5eBiyKS3EI3wybn20DCYIHvc8ixuZm9+fWsw6dTPn:vKUgTH2M2m9UMpu1QfLczqssnKSk

Score
7/10

Malware Config

Signatures

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3436
      • C:\Users\Admin\AppData\Local\Temp\29afbc7ec19c6c69386a4caf31c13dc18cf6932a58ff367185ef9d3edbf0dbfb.exe
        "C:\Users\Admin\AppData\Local\Temp\29afbc7ec19c6c69386a4caf31c13dc18cf6932a58ff367185ef9d3edbf0dbfb.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:3640
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:3856
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:1420
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a46FC.bat
            3⤵
              PID:4388
              • C:\Users\Admin\AppData\Local\Temp\29afbc7ec19c6c69386a4caf31c13dc18cf6932a58ff367185ef9d3edbf0dbfb.exe
                "C:\Users\Admin\AppData\Local\Temp\29afbc7ec19c6c69386a4caf31c13dc18cf6932a58ff367185ef9d3edbf0dbfb.exe"
                4⤵
                • Executes dropped EXE
                PID:3972
            • C:\Windows\Logo1_.exe
              C:\Windows\Logo1_.exe
              3⤵
              • Drops startup file
              • Executes dropped EXE
              • Enumerates connected drives
              • Drops file in Program Files directory
              • Drops file in Windows directory
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of WriteProcessMemory
              PID:4992
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:2544
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:5264
                • C:\Windows\SysWOW64\net.exe
                  net stop "Kingsoft AntiVirus Service"
                  4⤵
                  • Suspicious use of WriteProcessMemory
                  PID:5316
                  • C:\Windows\SysWOW64\net1.exe
                    C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                    5⤵
                      PID:3396

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files\MeasureUndo.exe
    Filesize: 495KB
    MD5: 64fe5e946eb14219cc147125b6b00983
    SHA1: 6d82df350099b04965265d9bf7cd85566a403694
    SHA256: e4ae93d45f1015206776485b46f1fb7a68845c2810dc3c44c5788be773ee45fc
    SHA512: d72cfe4221783aaa9acd115f35198c66dfb49f904e523d503d76190b4fd0ed38c46b8e08e3644b49da8c59325fae9adbd625292c94bc884217104370d7749d08

  • C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
    Filesize: 650KB
    MD5: c0651f5f5ed8c9967b91a89a86cc4dc4
    SHA1: 6866b91667021c6cc7fd680451a5ea183dce3cd1
    SHA256: d09336ea46c4c6e8b83dff2aa4bd31d9e993bcd572e6b274449adc5f9e51627d
    SHA512: 1cf7354f1b204415fd099c1fdaeecda5f0daec86948cee48da433d847d0ce94fee7fcf2365675868e82450891244b04902d730d6b0e0dfb5c29df1cd4b5d8ad6

  • C:\Users\Admin\AppData\Local\Temp\$$a46FC.bat
    Filesize: 722B
    MD5: f1625fe0cf22d3bd30071a59e9ef381e
    SHA1: 928e14782aa21897cb46d0c5687b6590d749d84f
    SHA256: 1b5dab3a79a15550e518f31fcd252a8dd283170ead443de703ac4ce67ff5dafd
    SHA512: 074499f84a59013765e439dc14bd210827e83ed38d1394b0926bd99cd791c0ff5e8592b9ad053ea051037d68125d30a252bdcd0fbfb40bd189921d5dfe181480

  • C:\Users\Admin\AppData\Local\Temp\29afbc7ec19c6c69386a4caf31c13dc18cf6932a58ff367185ef9d3edbf0dbfb.exe.exe
    Filesize: 5.7MB
    MD5: ba18e99b3e17adb5b029eaebc457dd89
    SHA1: ec0458f3c00d35b323f08d4e1cc2e72899429c38
    SHA256: f5ee36de8edf9be2ac2752b219cfdcb7ca1677071b8e116cb876306e9f1b6628
    SHA512: 1f41929e6f5b555b60c411c7810cbf14e3af26100df5ac4533ec3739a278c1b925687284660efb4868e3741305098e2737836229efc9fe46c97a6057c10e677c

  • C:\Windows\Logo1_.exe
    Filesize: 40KB
    MD5: 341ec829f1445cfc22901ee3564a2407
    SHA1: 3b7d6d531808cf3d17f484d7984c5cbb2ae6d850
    SHA256: f99b2ae8656781e1be65ad464d0472b39ca4fb48a31d9949ed12b0992390dc82
    SHA512: 1fd0ddca12d5b9cfc5ff6c5d3fb1bb5686a6a17e552f6af631ce019bd0f0fe194bd5770f96ad5af3226de91217c9715955d211145e373904b671cf75052da751

  • F:\$RECYCLE.BIN\S-1-5-21-4018855536-2201274732-320770143-1000\_desktop.ini
    Filesize: 9B
    MD5: 9d187c446579e70f430c5bb5556efc0c
    SHA1: 0379a56b3d4a9e75d426a088cd523d01929186b2
    SHA256: 544ddbeef004b81b45d0e94b3b745247127ea912498b2037a66e1b9e896ab85f
    SHA512: 6844cb10d0d40b145129edd38157ede9fdb8dacf2c8a0888c7478ff1d0346e5dfd451bb297aea18097330751ae7520761e4a51804b8fb60c19541b97c600ddbc

  • memory/3640-0-0x0000000000400000-0x000000000043F000-memory.dmp
    Filesize: 252KB

  • memory/3640-8-0x0000000000400000-0x000000000043F000-memory.dmp
    Filesize: 252KB

  • memory/4992-10-0x0000000000400000-0x000000000043F000-memory.dmp
    Filesize: 252KB

  • memory/4992-17-0x0000000000400000-0x000000000043F000-memory.dmp
    Filesize: 252KB

  • memory/4992-5220-0x0000000000400000-0x000000000043F000-memory.dmp
    Filesize: 252KB

  • memory/4992-8690-0x0000000000400000-0x000000000043F000-memory.dmp
    Filesize: 252KB