Analysis

  • max time kernel
    150s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
  • submitted
    03-06-2024 09:32

General

  • Target

    335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe

  • Size

    33KB

  • MD5

    9331307acc6ea0119adac27759d11956

  • SHA1

    10cc3b729963eaf37ece65bfb77e4baf37a47003

  • SHA256

    335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d

  • SHA512

    9da4e4b2a124a3d1f25e22efe0681edb9ca900b03ae907fca9f320ef64ff05cac5cf6598c8c3f3af7bba561d927158de2362d8100e62081482c19af40fa118a8

  • SSDEEP

    768:FlSTRgpQFJFKZj1PVs9Ag1vzbExhU1GBRSkji:F4Tncx1aeg1vye1MRS

Score
7/10

Malware Config

Signatures

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 30 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1064
      • C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe
        "C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe"
        2⤵
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2924
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2992
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:2852
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:2848
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              4⤵
                PID:2844

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

          Filesize

          258KB

          MD5

          faaa09cb2d9197da4a00a0df01ac2e5c

          SHA1

          ce497e70212da947764b054c161a468be867cf1b

          SHA256

          51d9d9203fddf941f10518b44fa657ea3a68c2156ba573b36cbec3c8959992c6

          SHA512

          98feb4b1927fe22b02fa5169dd77b774b8d467ff71ca6b5d6f5244723e6d4ce118d647821db2e1cbc8441316fdbec463bd1d06ce3a398b3ed43c7834ecbf43c6

        • C:\Program Files\7-Zip\7zG.exe

          Filesize

          717KB

          MD5

          2ed78a6c3ceb05a797136801832362d1

          SHA1

          92b80be47703bcc757ebd271989a06746bd3136b

          SHA256

          879d0c9b666fdaa2d6d8c75778ff85c5922942dd99eb21ee1e4cef4ada3f9b5a

          SHA512

          547f99bbabca1991c4623a3593e22491a277f53be488abe737152268f1478a5937d6fa3904e2d3b24d964f8422e18e863e49b6c3b766b9f2db7f99b14662bcdb

        • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

          Filesize

          478KB

          MD5

          5e54b5419052a6321d15fe6088be5258

          SHA1

          420003c0ad68fa2b977bee9e2ca2d1a53f8f1ec2

          SHA256

          142a70f95c82ea8acba8d3550273a20411a5b82f6d1b1c9657db51c3f83d5d97

          SHA512

          6d2d2025ed17d6f730d3fbb3a5549e60cfe951c7d9e0063f4ecca045ee28a375eac11fb9aa9cc484b181369165a0f7abae967807bad16aac0e4b60b7a8092f71

        • F:\$RECYCLE.BIN\S-1-5-21-2721934792-624042501-2768869379-1000\_desktop.ini

          Filesize

          8B

          MD5

          a6f28952c332969f9e6d9f7d1a449737

          SHA1

          31c0826adb63cc03162fb9e88781f4b50da8f11b

          SHA256

          d9d875805581110dafdfb2ceb34c5e60f50fe720963f9813c287e4845248d208

          SHA512

          8187572ee8fbb9a42af34a3444be3a4309c5a798e7b1f27fce5b28b7168b72d015b1c10e611ccd3a9361af2aaeab831d2734017f77adff341c3fdb876c296eac

        • memory/1064-3-0x0000000002AD0000-0x0000000002AD1000-memory.dmp

          Filesize

          4KB

        • memory/2924-0-0x0000000000400000-0x000000000043D000-memory.dmp

          Filesize

          244KB

        • memory/2924-7-0x0000000000400000-0x000000000043D000-memory.dmp

          Filesize

          244KB

        • memory/2924-3254-0x0000000000400000-0x000000000043D000-memory.dmp

          Filesize

          244KB

        • memory/2924-4076-0x0000000000400000-0x000000000043D000-memory.dmp

          Filesize

          244KB