Overview

overview

7

Static

static

3

ce21a3c8f4...c1.exe

windows7-x64

7

ce21a3c8f4...c1.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    98s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-05-2024 04:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ce21a3c8f429c06ffbe3139f9d2c81b49976cf2f3fe42e4eff8985419f99b3c1.exe

  • Size

    8.0MB

  • MD5

    bef1d5cd12e2521eb0ea27b53c5d9653

  • SHA1

    49937fdf0b646ce00d788efb53f4bf00ec95c2af

  • SHA256

    ce21a3c8f429c06ffbe3139f9d2c81b49976cf2f3fe42e4eff8985419f99b3c1

  • SHA512

    356e8827606f73491f292247684b0e96c7ee0e9ad9081ac64d447f4ed06ed3079ea42b1f199849b8eaf90c213299c0a64564388b83bdd7d236f6c1b6ca1eeb70

  • SSDEEP

    196608:yWXqhfXaZ+QdkZUO9N+e6qFFMrI7bGCcg:Hea3k16ycI+

Score
7/10
spywarestealer

Malware Config

Signatures

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3376
      • C:\Users\Admin\AppData\Local\Temp\ce21a3c8f429c06ffbe3139f9d2c81b49976cf2f3fe42e4eff8985419f99b3c1.exe
        "C:\Users\Admin\AppData\Local\Temp\ce21a3c8f429c06ffbe3139f9d2c81b49976cf2f3fe42e4eff8985419f99b3c1.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:528
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:3028
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:3984
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a5D91.bat
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:5036
            • C:\Users\Admin\AppData\Local\Temp\ce21a3c8f429c06ffbe3139f9d2c81b49976cf2f3fe42e4eff8985419f99b3c1.exe
              "C:\Users\Admin\AppData\Local\Temp\ce21a3c8f429c06ffbe3139f9d2c81b49976cf2f3fe42e4eff8985419f99b3c1.exe"
              4⤵
              • Executes dropped EXE
              PID:4280
          • C:\Windows\Logo1_.exe
            C:\Windows\Logo1_.exe
            3⤵
            • Drops startup file
            • Executes dropped EXE
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:3196
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:1344
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:3628
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:4248
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:1840

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
            Filesize

            264KB

            MD5

            060347047d63427782c0376930785ff5

            SHA1

            d78f3c47a404c115d0d79a175447a47871fd605e

            SHA256

            5c5ac3fa6013be6c0602a7a6f8b24acb738e37366c43b67989091b9725adf51f

            SHA512

            9811f2721f76f6d874ac390c516a7a3d5037a82c785d0c35540353b0827ac2fe24d7f1e8be8e6ae7278b00be9aa30f4d5385076e82576b38d1c36df6b09693d2

            Download Submit

          • C:\Program Files\7-Zip\7z.exe
            Filesize

            583KB

            MD5

            3d13b844d2a2527640ed50d8da94b7b5

            SHA1

            77566d99b9a2938fdabcb84172496ff62957ad5a

            SHA256

            5c77dc74765c0500f1023136ee097d938ef4da166a4874db26040e69dfeac992

            SHA512

            72c8328aa9adf34c0fbc70a08a89fdb807b5b8fd19f35658d2a63f1044545668a21e0f973bbdf25221da9a8e93ccc5c6db4786d0a4702873a631e5a54adeaf92

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\$$a5D91.bat
            Filesize

            722B

            MD5

            54e0c8ca533e175f5653841f964e7d93

            SHA1

            a3b4f702d70afa4f96be4f5ef5c9e83fbfadd0e9

            SHA256

            e292bdddd3587525c23d5ac7fe461579eab02a3b2c26d20a48b33003bc602b6f

            SHA512

            177b175a4b85152fb5a6767f94a954fb36c6fdfca635985e927d32c1789eb6ec35be85d37bb18900f058082027510c1496049434eda96c84d2de3f5472878eba

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\ce21a3c8f429c06ffbe3139f9d2c81b49976cf2f3fe42e4eff8985419f99b3c1.exe.exe
            Filesize

            8.0MB

            MD5

            02f74b67993664fbf0c508d39ec34305

            SHA1

            f96dd7318c5f49fc05aee70f2882895eac0f7c85

            SHA256

            cb8ba69b2fc701433312e1bc73168936f266c5f6cf0ef71be8fc2989a74c5708

            SHA512

            a7d31a38cbf0cfba4973bd6e0f8833defe72beef97d586fa4bbcb5f6790e1e5fb8af0c6d09e91af6ea336540c8040384e2f613db14228279ca8b73c2b80dc057

            Download Submit

          • C:\Windows\Logo1_.exe
            Filesize

            39KB

            MD5

            f7ebb3d79ef53cfda9bebd3a4b0e4e0a

            SHA1

            3670512f285d65e981e9d7592844c7c42e5d4773

            SHA256

            3c2d6a686dd3a04d7e3413afbe50663a259d1fefa0bb8dfa9568d4c87bf99ef5

            SHA512

            177035a8504c5f1456659715d33968e85b291e44aa89232e96c4c52a2b2156c80f6f5639802241a46d0849f8230c9212d7fc6977b96d5c09440217ba3bad2adb

            Download Submit

          • F:\$RECYCLE.BIN\S-1-5-21-1337824034-2731376981-3755436523-1000\_desktop.ini
            Filesize

            9B

            MD5

            7619ead719f9163af9f64f79eeff7c36

            SHA1

            7b956c82fba1f4a0ea8b09ca2e39d89159e21b75

            SHA256

            da9af76d7e3938d1bd300436de0d394ef0453f260a69c94905084222eb3fbb45

            SHA512

            29dd3ef54766931036c2f0d755bb3fc89619e548c95658577930a5a748ac2b2855a9e5ee5601697ebbac8a7d435abd4c9e9e2255b0e455e267e0d95358fa86df

            Download Submit

          • memory/528-0-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/528-10-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/3196-11-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/3196-18-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/3196-3004-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/3196-8688-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download