Analysis

  • max time kernel
    154s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-05-2024 14:22

General

  • Target

    86c881b8328c04c0c0c38b1208ec4b4ddefc628470ae4e50b80b191e87ed5e18.exe

  • Size

    74KB

  • MD5

    b34193e981ef61d9e0005a6a19eedf84

  • SHA1

    f8095cbf39092fb306002cd4f58146cc50a81985

  • SHA256

    86c881b8328c04c0c0c38b1208ec4b4ddefc628470ae4e50b80b191e87ed5e18

  • SHA512

    47db1bbfc19948f06c53eb2ce68ae89b309a3fe4d6f5c20b1c11ea2f3b8b6c4b09fe797610a6f814e147172b11ea46ecc65786a5fa9f0632f63663aa9c0bda4e

  • SSDEEP

    1536:6Hcx1aeg1v9OQZVUKM6+kKpNEToa9D4ZQKbgZi1dst7x9PxQ:6Hf9lOzKM5p9lZQKbgZi1St7xQ

Score
7/10

Malware Config

Signatures

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3240
      • C:\Users\Admin\AppData\Local\Temp\86c881b8328c04c0c0c38b1208ec4b4ddefc628470ae4e50b80b191e87ed5e18.exe
        "C:\Users\Admin\AppData\Local\Temp\86c881b8328c04c0c0c38b1208ec4b4ddefc628470ae4e50b80b191e87ed5e18.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2388
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1304
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:4584
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4ED.bat
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:4560
            • C:\Users\Admin\AppData\Local\Temp\86c881b8328c04c0c0c38b1208ec4b4ddefc628470ae4e50b80b191e87ed5e18.exe
              "C:\Users\Admin\AppData\Local\Temp\86c881b8328c04c0c0c38b1208ec4b4ddefc628470ae4e50b80b191e87ed5e18.exe"
              4⤵
              • Executes dropped EXE
              PID:1416
          • C:\Windows\Logo1_.exe
            C:\Windows\Logo1_.exe
            3⤵
            • Drops startup file
            • Executes dropped EXE
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:3740
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:488
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:3264
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:1092
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:3884
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3912 --field-trial-handle=2356,i,13261194862334667799,7441241219475888176,262144 --variations-seed-version /prefetch:8
            1⤵
              PID:4512

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

              Filesize

              258KB

              MD5

              c9badcb684862f516b396d44b56baceb

              SHA1

              0d8eabcdc92e05177e46da3ea05ae2f41b01416c

              SHA256

              14c73a5bd721c24ebd8109d5d9a1e7dc8802c1bef0401cdd123ab41ae381c609

              SHA512

              543671893e74c261f12be887a10669dae034fcacad4998ae5282fe102aa4bcdcfa0776a9667f32f60fae93acdc5c2ad23f11ad330354295e9e44a67bc1dddb68

            • C:\Program Files\7-Zip\7z.exe

              Filesize

              577KB

              MD5

              5aac7583510ebed6b8057afd1b55dfd3

              SHA1

              403d071ba18ca5251c300de07bf79219bba33e8c

              SHA256

              93a36984edc02b39685f692eb85eaf1cf3a02ce9767a2c4b5e38725e5e200adf

              SHA512

              e4ebe57faa33924f168d121a346b075e29b4fa018b5dadf7f55a322262730f76572e46c316e6429d8fbb3fd0b3443429e4dd34b4f0bc7fed3b4126f592a09899

            • C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe

              Filesize

              488KB

              MD5

              964c45500f6fef6457766729643729f0

              SHA1

              dee95a0dff13be023265725d4f9da2a861313d51

              SHA256

              1b4d273efbdbb6a7d03027e2b308d1c520fc23378667c1d938c51c6dfd416944

              SHA512

              11dfaf885a77a60837d5400cf2cb6cb314205484075c02f683c8bcaed748619b02a5b701a7c19738f58036b7c3d1e73b92799a9aa0e6f5d7a6a890b35fc323aa

            • C:\Users\Admin\AppData\Local\Temp\$$a4ED.bat

              Filesize

              721B

              MD5

              ec5e0721278c2a4723e358cb26d48d44

              SHA1

              bc44b684be52881bf8212e6cd2d6a570b2a9b22a

              SHA256

              1c2d089bbb921e5179e6b2d643387b790d4210d6aa81c5ccb56ff861cb70651e

              SHA512

              5ebcafb6889664e889065530df6acb93aed8bc6d3e2cc8103576bbcaf5f288f1a7bc47a7546fbb9ccdda6b3de1e8b962cfcc239e8a9a58fad48643e0b5b60c6c

            • C:\Users\Admin\AppData\Local\Temp\86c881b8328c04c0c0c38b1208ec4b4ddefc628470ae4e50b80b191e87ed5e18.exe.exe

              Filesize

              41KB

              MD5

              977e405c109268909fd24a94cc23d4f0

              SHA1

              af5d032c2b6caa2164cf298e95b09060665c4188

              SHA256

              cd24c61fe7dc3896c6c928c92a2adc58fab0a3ff61ef7ddcac1ba794182ab12f

              SHA512

              12b4b59c1a8e65e72aa07ee4b6b6cd9fdedead01d5ce8e30f16ca26b5d733655e23a71c1d273a950a5b1a6cce810b696612de4a1148ac5f468ddf05d4549eed5

            • C:\Windows\Logo1_.exe

              Filesize

              33KB

              MD5

              7a091274be36971fce58dba0c887a23e

              SHA1

              1dcc358a109927e63e11775b0f38cca741f8d230

              SHA256

              308ea0a61b9625ffc055c1709dfa413e77ef4d9e01926435215044f6e9ab8757

              SHA512

              9497df8f2d42a38e831fc72c1c0f57f9a120afce4cf93b5b0c7f4462ee3f3fed722ad02733b6919879733fb06136e925a8ab6e62aaad63bce02b1a6fd6858607

            • F:\$RECYCLE.BIN\S-1-5-21-3808065738-1666277613-1125846146-1000\_desktop.ini

              Filesize

              9B

              MD5

              4b2b75605a65a6762ec4715de0a70902

              SHA1

              3b85993ef06d2d814abc405188fdd19a1bffea0c

              SHA256

              77072cc5a7b394508cf5d819ff8cf4385a9b3cb15d8715a59845ccfa235ea34e

              SHA512

              888361e75afd4308bdad817af543704a42ffdf2d798acef619459e9978ac68f1cf4d468c6e0b146ab738b0109fdf331c4380471aa83f637b0f6ab06164840c65

            • memory/2388-11-0x0000000000400000-0x000000000043D000-memory.dmp

              Filesize

              244KB

            • memory/2388-0-0x0000000000400000-0x000000000043D000-memory.dmp

              Filesize

              244KB

            • memory/3740-17-0x0000000000400000-0x000000000043D000-memory.dmp

              Filesize

              244KB

            • memory/3740-64-0x0000000000400000-0x000000000043D000-memory.dmp

              Filesize

              244KB

            • memory/3740-1333-0x0000000000400000-0x000000000043D000-memory.dmp

              Filesize

              244KB

            • memory/3740-2497-0x0000000000400000-0x000000000043D000-memory.dmp

              Filesize

              244KB

            • memory/3740-2760-0x0000000000400000-0x000000000043D000-memory.dmp

              Filesize

              244KB

            • memory/3740-5084-0x0000000000400000-0x000000000043D000-memory.dmp

              Filesize

              244KB

            • memory/3740-5581-0x0000000000400000-0x000000000043D000-memory.dmp

              Filesize

              244KB

            • memory/3740-8-0x0000000000400000-0x000000000043D000-memory.dmp

              Filesize

              244KB

            • memory/3740-8132-0x0000000000400000-0x000000000043D000-memory.dmp

              Filesize

              244KB

            • memory/3740-8776-0x0000000000400000-0x000000000043D000-memory.dmp

              Filesize

              244KB