Analysis

  • max time kernel
    149s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
  • submitted
    02/06/2024, 22:29

General

  • Target

    cf2ba6f24373f440531b5ad69cf882e8ffa80a9c556124b944dad25a0d0e35bf.exe

  • Size

    33KB

  • MD5

    7514021d14a754dd434e4b38cb87ae3d

  • SHA1

    3ea156bdfea7751e851cf281b20783f3f9a4784d

  • SHA256

    cf2ba6f24373f440531b5ad69cf882e8ffa80a9c556124b944dad25a0d0e35bf

  • SHA512

    78ccfd339f3d905c1e8cb072951164f6b66407b1928fa2879b53c015a89c5027e2e10f81912bf21464b35d650750da811f0975084cf91b710dd6ead8a1d90308

  • SSDEEP

    768:PvGnElOIEvzMXqtwp/lttaL7HP4wIncLRdR5kP78a0RJW/a:PvUaYzMXqtGNttyUn01Q78a4R

Score
8/10

Malware Config

Signatures

  • Drops file in Drivers directory 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 30 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1152
      • C:\Users\Admin\AppData\Local\Temp\cf2ba6f24373f440531b5ad69cf882e8ffa80a9c556124b944dad25a0d0e35bf.exe
        "C:\Users\Admin\AppData\Local\Temp\cf2ba6f24373f440531b5ad69cf882e8ffa80a9c556124b944dad25a0d0e35bf.exe"
        2⤵
        • Drops file in Drivers directory
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1028
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2020
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:2464
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:2036
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              4⤵
                PID:2572

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

          Filesize

          258KB

          MD5

          dabffb38234f007c501cf88551471dfe

          SHA1

          ea9f4c4f46ffd3cb73b767b729c62cfcca6a065c

          SHA256

          f4126de53afbb2a68dead67d01bae1d52b38ae711b06d94629f952099e691d32

          SHA512

          02229668f14c8057849b6e0babac2a5369e904178d8ac2ae5ac5dcff2ea659f4765b1590a4fe482165a4b2de7da43cb80c040befdf0410b3837ef7dfc915b6cf

        • C:\Program Files\7-Zip\7zG.exe

          Filesize

          717KB

          MD5

          836b1763e449d1eb16423f901f4dd5ad

          SHA1

          aefdd1f54cd43da9174a2bdfb538436e0974806e

          SHA256

          711e2fe727ad5ac117e9114a12a31c0b98e7acd968d4a3f5999ac28132df9cfe

          SHA512

          bd1d90d185e9dbe087f185369aa60137015a92148aa4af2a5aff1ea4b7b2fbfb7a099e0f586cba3f4045b9067892f8b870ea0485825840eee5b33189194753e7

        • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

          Filesize

          478KB

          MD5

          db30f5e16c744915af12c09f1ccf3e41

          SHA1

          d5feb47e0ca1c47b0a4cfc90be501e97f613ce90

          SHA256

          cfc87b2273f90e5125ca09d4fed15c56a82dabc54e418301f8ce23476201950e

          SHA512

          ff466c60abd62f72cbe687d48fcc485855e0df65599da37112d3872324176bf68428c312d8fbfaf20deba2295b2c7fc51129436a73ba8bdc58836289f6a47f6b

        • F:\$RECYCLE.BIN\S-1-5-21-2721934792-624042501-2768869379-1000\_desktop.ini

          Filesize

          8B

          MD5

          af485d3db9f82d3e5bdc8c6d87fb742e

          SHA1

          f879c3dbd3d34e9789ff73896508bfbeabbf7468

          SHA256

          7a7b688ede50bbaf08d4579fbd8c6b6c99d9dd1206d95ab24d8174eb9be98759

          SHA512

          d5fe5155948320ef6d3f80c01c9a81f0d4f60bab381d921ab2e06b62475618b973b34346bd41b40af24f2b5aff64bba68710f405f7ff21a58f369acbaaee9360

        • memory/1028-0-0x0000000000400000-0x000000000043E000-memory.dmp

          Filesize

          248KB

        • memory/1028-9-0x0000000000400000-0x000000000043E000-memory.dmp

          Filesize

          248KB

        • memory/1028-3204-0x0000000000400000-0x000000000043E000-memory.dmp

          Filesize

          248KB

        • memory/1028-4079-0x0000000000400000-0x000000000043E000-memory.dmp

          Filesize

          248KB

        • memory/1152-5-0x0000000002A20000-0x0000000002A21000-memory.dmp

          Filesize

          4KB