Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    01/07/2024, 21:30 UTC

General

  • Target

    c7a6f364861f0be5ec5744c6679900042ae054e5bd7ab305d6d4901ac2648a49.exe

  • Size

    5.7MB

  • MD5

    095b3b1e47512ce55e8da5e8b261eed0

  • SHA1

    2c77c301952e600f09bda2d1c86abc6074cac51f

  • SHA256

    c7a6f364861f0be5ec5744c6679900042ae054e5bd7ab305d6d4901ac2648a49

  • SHA512

    7ed211e5cfc4efe4cff3fa3cd6c67d3216b277abad5e6bcc5448ec41bee51c105872cf87a4b4f3347a7d8118c4b8132d283c0afdb63cd3602f52f38f879d35be

  • SSDEEP

    49152:GPv94AEsKU8ggw1g+1CART5eBiyKS3EI3wybn20DCYIHvc8ixuZm9+fWsw6dTPBJ:YKUgTH2M2m9UMpu1QfLczqssnKSk

Score
7/10

Malware Config

Signatures

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3460
      • C:\Users\Admin\AppData\Local\Temp\c7a6f364861f0be5ec5744c6679900042ae054e5bd7ab305d6d4901ac2648a49.exe
        "C:\Users\Admin\AppData\Local\Temp\c7a6f364861f0be5ec5744c6679900042ae054e5bd7ab305d6d4901ac2648a49.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2968
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:4888
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:3752
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a5B5E.bat
            3⤵
              PID:2276
              • C:\Users\Admin\AppData\Local\Temp\c7a6f364861f0be5ec5744c6679900042ae054e5bd7ab305d6d4901ac2648a49.exe
                "C:\Users\Admin\AppData\Local\Temp\c7a6f364861f0be5ec5744c6679900042ae054e5bd7ab305d6d4901ac2648a49.exe"
                4⤵
                • Executes dropped EXE
                PID:4756
            • C:\Windows\Logo1_.exe
              C:\Windows\Logo1_.exe
              3⤵
              • Drops startup file
              • Executes dropped EXE
              • Enumerates connected drives
              • Drops file in Program Files directory
              • Drops file in Windows directory
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of WriteProcessMemory
              PID:4120
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:2156
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:4344
                • C:\Windows\SysWOW64\net.exe
                  net stop "Kingsoft AntiVirus Service"
                  4⤵
                  • Suspicious use of WriteProcessMemory
                  PID:1328
                  • C:\Windows\SysWOW64\net1.exe
                    C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                    5⤵
                      PID:1368

Network

All observed traffic consists of reverse (PTR) DNS lookups sent to 8.8.8.8:53; one request per query, one response received for each.

  • 209.205.72.20.in-addr.arpa IN PTR
    Response: empty
    72 B sent, 158 B received
  • 80.90.14.23.in-addr.arpa IN PTR
    Response: a23-14-90-80.deploy.static.akamaitechnologies.com
    70 B sent, 133 B received
  • 73.159.190.20.in-addr.arpa IN PTR
    Response: empty
    72 B sent, 158 B received
  • 183.142.211.20.in-addr.arpa IN PTR
    Response: empty
    73 B sent, 159 B received
  • 58.55.71.13.in-addr.arpa IN PTR
    Response: empty
    70 B sent, 144 B received
  • 50.23.12.20.in-addr.arpa IN PTR
    Response: empty
    70 B sent, 156 B received
  • 171.39.242.20.in-addr.arpa IN PTR
    Response: empty
    72 B sent, 158 B received
  • 172.210.232.199.in-addr.arpa IN PTR
    Response: empty
    74 B sent, 128 B received
  • 29.243.111.52.in-addr.arpa IN PTR
    Response: empty
    72 B sent, 158 B received
  • 211.143.182.52.in-addr.arpa IN PTR
    Response: empty
    73 B sent, 147 B received

No results found

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
    Filesize: 258KB
    MD5: ded2175b2df67275abae4ba15944c7c6
    SHA1: 15e16af64183f29b566f558c36802e3e34e1205d
    SHA256: 1e717899d86e8cf36ad797b533b4a43a58f9aba162dd8b4d4ee48ed6af64e16a
    SHA512: 5d97130a356fd02f2837680b6d0b0d9c8e2ab37e6a167898acb29b44f35b7feb0d29f6dd2cde547255ba7e83e89ff9563edfe2f2781de84e4e99716c7a6a56b2

  • C:\Program Files\OpenExport.exe
    Filesize: 260KB
    MD5: 27053d71e8982e577f5227c72c9c6e7f
    SHA1: f4940bde5bde8e18f3e38e8e49569c99c852188f
    SHA256: ec143b0de8a36ddcce9e5c338e2cef9da26b7a2af1d452bcb531540a7ca0bc14
    SHA512: ff11579c2ae7c7ca89f0bb96cc4074d14a54588b3964405199c38034e263dfde1d2759b0f88c6881bd1adc5291e507969347197c9194af4eb1179f89ab869c3d

  • C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
    Filesize: 643KB
    MD5: 2186e704236b47c2268b5e251f696330
    SHA1: 101fdc37baf83fed8f6f8b55f1594a13e5060c4f
    SHA256: ece9f7bb3d56dff6b865be7804d66254865ca7211619d517a7cf35cabba05144
    SHA512: f0b451724fe6aa486002e6c86951e0089f5bc6f7cca6cf3b0c9cc8fb55cec0e5ae428c5ce00774e7d71b6427261f37573ffe385cac023f213e438fc031fda806

  • C:\Users\Admin\AppData\Local\Temp\$$a5B5E.bat
    Filesize: 722B
    MD5: 61fc6fc35a46142b5cc2919553f8ca30
    SHA1: d171a3880723268d818cb1a893719c4dfe1dbe1d
    SHA256: 28c807b99413c86bcf01acf6d3fd5a888da6f02b54a1daef4c52de34821aa945
    SHA512: 24764eecc8852a2ea3513f7c4204f8ad8758bdf6da455776bdd559d1e2f8e78177961a31fdbb2267ac7c0650763285d411b33b3b3759ffca216e92136bb2c2fd

  • C:\Users\Admin\AppData\Local\Temp\c7a6f364861f0be5ec5744c6679900042ae054e5bd7ab305d6d4901ac2648a49.exe
    Filesize: 5.7MB
    MD5: ba18e99b3e17adb5b029eaebc457dd89
    SHA1: ec0458f3c00d35b323f08d4e1cc2e72899429c38
    SHA256: f5ee36de8edf9be2ac2752b219cfdcb7ca1677071b8e116cb876306e9f1b6628
    SHA512: 1f41929e6f5b555b60c411c7810cbf14e3af26100df5ac4533ec3739a278c1b925687284660efb4868e3741305098e2737836229efc9fe46c97a6057c10e677c

  • C:\Windows\Logo1_.exe
    Filesize: 33KB
    MD5: 02ae2f4f874cd3f8b010ee3e202c593a
    SHA1: bd9f1e0c977439f32db2d9368f2741eba46d68dc
    SHA256: b5a4af62bd47eb59cb99abef2d20aefc03881f37fbec23eb45a786ab9b889efe
    SHA512: 8d93eff82209c4934b53f461d8730b9b09e0f353f272cbc4ea81b538f2b3e30eafbc5df8c30a27ba20d1a79a0204063f217f8bb0b4a9497ebb62bc91101ecd83

  • F:\$RECYCLE.BIN\S-1-5-21-4124900551-4068476067-3491212533-1000\_desktop.ini
    Filesize: 8B
    MD5: 87cbd7a2d7bdb443a36ecfb46e39db18
    SHA1: 12aac09be13003e857809ea9434c76126ac39bbf
    SHA256: fe5e34894849bd441c429cfd17e62e06b828a82b04c9f0e7cadd884d78b326e1
    SHA512: 75b0b484285909c577f97dd2b748e8b6e905b2a37dc8a569519325e67cac8b8932fbbd52c754df787e2a6326a9ca575e5d37372a9635718a310c642457ed17e0

Memory dumps (all 244KB, same image range):

  • memory/2968-8-0x0000000000400000-0x000000000043D000-memory.dmp
  • memory/2968-0-0x0000000000400000-0x000000000043D000-memory.dmp
  • memory/4120-17-0x0000000000400000-0x000000000043D000-memory.dmp
  • memory/4120-3106-0x0000000000400000-0x000000000043D000-memory.dmp
  • memory/4120-10-0x0000000000400000-0x000000000043D000-memory.dmp
  • memory/4120-8645-0x0000000000400000-0x000000000043D000-memory.dmp
