Analysis

  • max time kernel
    150s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    27/05/2024, 14:55

General

  • Target

    5dfb788fc1aea79a4773aa079cf9285373ec125822aec1c09ccb8338f247de7d.exe

  • Size

    47KB

  • MD5

    a5b10f2d2b138f11d8985765bcb9f8eb

  • SHA1

    aaf6cdb38c6650fae32fa17abb4d2d8a0eed388f

  • SHA256

    5dfb788fc1aea79a4773aa079cf9285373ec125822aec1c09ccb8338f247de7d

  • SHA512

    026bc2a5a10a9723fc036083436ca07a16fcc62370f0ad599a1bdad77a51e4d24a582eebe2df9010affa045910646f22a456ca67d0dbb00b1df50e66d3031755

  • SSDEEP

    768:F/M3UpQFJFKZj1PVs9Ag1vzbExhU1GBRSkjiFWQ3655Kv1X/qY1MSd:Fecx1aeg1vye1MRS5HqaNrFd

Score
7/10

Malware Config

Signatures

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3188
      • C:\Users\Admin\AppData\Local\Temp\5dfb788fc1aea79a4773aa079cf9285373ec125822aec1c09ccb8338f247de7d.exe
        "C:\Users\Admin\AppData\Local\Temp\5dfb788fc1aea79a4773aa079cf9285373ec125822aec1c09ccb8338f247de7d.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:4848
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:3800
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:3912
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aF2DC.bat
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:1860
            • C:\Users\Admin\AppData\Local\Temp\5dfb788fc1aea79a4773aa079cf9285373ec125822aec1c09ccb8338f247de7d.exe
              "C:\Users\Admin\AppData\Local\Temp\5dfb788fc1aea79a4773aa079cf9285373ec125822aec1c09ccb8338f247de7d.exe"
              4⤵
              • Executes dropped EXE
              PID:4508
          • C:\Windows\Logo1_.exe
            C:\Windows\Logo1_.exe
            3⤵
            • Drops startup file
            • Executes dropped EXE
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:4768
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:2184
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:1184
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:3156
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:2936
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4164 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:8
            1⤵
              PID:2204

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

    Filesize

    258KB

    MD5

    0b13bc356da9ab8c8c3b34a9cc4b1b77

    SHA1

    eae4523bb908335e1c253cf339f20c80746b7735

    SHA256

    35269339dfac2f4ff18e696d97215de68692d671da2224aa8327ceadcafc09dd

    SHA512

    6a7ee3e68114f51c4898c66ea0d9cb1c885fa38188947c700773190885ec543a2eaa83b851b14697fbcb5bdf28b2741ab36dd61c994884c46e504bdf57e62bf8

  • C:\Program Files\7-Zip\7z.exe

    Filesize

    577KB

    MD5

    10cb9686fd14b5753e3f1f5cd69f7bae

    SHA1

    dce890e909e8c9343b403ea4827b81ad122505b4

    SHA256

    36fcc82d1e6a3782e5aee3f775429557630b9e9ff0bd6dd5eabbf2041a35f5eb

    SHA512

    cf55a34e0bdbf30935a53839242d01733692ec6c7af55a651f07ad6df38a41bea317a988ffc5de179b2867fe5f66779572da130514802098d6b87eed19c93ac9

  • C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe

    Filesize

    488KB

    MD5

    aecf142251e06e96eaedc5e1bc04568f

    SHA1

    ab26d8592d875b0cb0718cd50749031d2ad5674d

    SHA256

    c818541311237aee2228d5c92a777196ffa06b936c6a7b2f1ddf3b5b30270cc0

    SHA512

    f6082135cec17dec3291a86a4d023589c3def12f788e169ecc7c8d4d7a80c6f0ba1f8db09ccbbd390d320a108376e65a01862b093f02ab617bc6addfde9b7d5a

  • C:\Users\Admin\AppData\Local\Temp\$$aF2DC.bat

    Filesize

    722B

    MD5

    8043366aa39495cd6bdd031e523b41df

    SHA1

    e975d39a02d56c2bc61636e025fbb46ec9040c41

    SHA256

    5cf9d2600ef0b193e43727d9f636fc4569817e8f9532b0a10d30c0812fa4f2ca

    SHA512

    502a912d507bb75c341aaf5d6268c73c978e7504781b3ccfbf4b0f11320f083b004fd42aed9cb903b1926a62ed1454fbf68acdc5ff940093ef0da5f708571a7e

  • C:\Users\Admin\AppData\Local\Temp\5dfb788fc1aea79a4773aa079cf9285373ec125822aec1c09ccb8338f247de7d.exe.exe

    Filesize

    14KB

    MD5

    ad782ffac62e14e2269bf1379bccbaae

    SHA1

    9539773b550e902a35764574a2be2d05bc0d8afc

    SHA256

    1c8a77db924ebeb952052334dc95add388700c02b073b07973cd8fe0a0a360b8

    SHA512

    a1e9d6316ffc55f4751090961733e98c93b2a391666ff50b50e9dea39783746e501d14127e7ee9343926976d7e3cd224f13736530354d8466ea995dab35c8dc2

  • C:\Windows\Logo1_.exe

    Filesize

    33KB

    MD5

    021a2a0555836de111f013f5eeaaa5f7

    SHA1

    2d6048f2500d31afe6028b89936901de4f59e0c3

    SHA256

    9e9e8520278bfdad09f0e7caee657288c69006bf8d40cda2ff811a14fc6db2e5

    SHA512

    d2b9f264971ddafab44bff6584d74ce983635a0a727646068bf0c7d2db26ca524b6a4d343726f1dae93548230a9e2686691e22ddcc0e018df1bdd0bd18af9032

  • F:\$RECYCLE.BIN\S-1-5-21-3808065738-1666277613-1125846146-1000\_desktop.ini

    Filesize

    9B

    MD5

    fa1e1ef0fdda97877a13339b28fa95e5

    SHA1

    7e2cffca41118e7b2d62963bd940630b15b85653

    SHA256

    968b715c081472526487d60da8968e9b3bde2dac103f69beb3f6abe6ef7bc191

    SHA512

    3d55913a97aa89a7201342705640c1d031d19ad8aca4939219067f84e3fe118f47b4e388f490f69f605683d3854425c3de188f731886405474ae8e3d42c86f4f

  • memory/4768-18-0x0000000000400000-0x000000000043D000-memory.dmp

    Filesize

    244KB

  • memory/4768-321-0x0000000000400000-0x000000000043D000-memory.dmp

    Filesize

    244KB

  • memory/4768-2334-0x0000000000400000-0x000000000043D000-memory.dmp

    Filesize

    244KB

  • memory/4768-9-0x0000000000400000-0x000000000043D000-memory.dmp

    Filesize

    244KB

  • memory/4768-5289-0x0000000000400000-0x000000000043D000-memory.dmp

    Filesize

    244KB

  • memory/4768-6892-0x0000000000400000-0x000000000043D000-memory.dmp

    Filesize

    244KB

  • memory/4768-8779-0x0000000000400000-0x000000000043D000-memory.dmp

    Filesize

    244KB

  • memory/4848-0-0x0000000000400000-0x000000000043D000-memory.dmp

    Filesize

    244KB

  • memory/4848-11-0x0000000000400000-0x000000000043D000-memory.dmp

    Filesize

    244KB