Analysis

  • max time kernel
    150s
  • max time network
    18s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    19-07-2024 04:55

General

  • Target

    73141311c62e269e0c546e341d6c30030defdc3c2d893b0bcb36e77c0ca144ff.exe

  • Size

    33KB

  • MD5

    820143c947ab5434bd7b8c34ba5dc5eb

  • SHA1

    a5a2bf184cd3660354e5737bf3fce81b4ad48617

  • SHA256

    73141311c62e269e0c546e341d6c30030defdc3c2d893b0bcb36e77c0ca144ff

  • SHA512

    291081637d5f02a2b72d566ebca598b41f5eb080231923523b221f1e2a770341c1b73c3f3115c70018b30fef74e89738db4d670741a4eade1fadd9a5ca9e211e

  • SSDEEP

    768:JTJYmMUElOIEvzMXqtwp/lDTJg/MFksCRsd2u9C9MFWoVaZel:JT/aYzMXqtGN/CstC9qVF

Score
8/10

Malware Config

Signatures

  • Drops file in Drivers directory 1 IoCs
  • Drops startup file 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 30 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1212
      • C:\Users\Admin\AppData\Local\Temp\73141311c62e269e0c546e341d6c30030defdc3c2d893b0bcb36e77c0ca144ff.exe
        "C:\Users\Admin\AppData\Local\Temp\73141311c62e269e0c546e341d6c30030defdc3c2d893b0bcb36e77c0ca144ff.exe"
        2⤵
        • Drops file in Drivers directory
        • Drops startup file
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2152
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1728
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:1048
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:1688
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              4⤵
                PID:2904

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Program Files\7-Zip\7zG.exe

          Filesize

          717KB

          MD5

          9d0b5b2173909aa831f5c2ef2da67f85

          SHA1

          98dc68e36f7251fc30306647bfd73bf19cf52538

          SHA256

          6a860d739c1f97ff8411bde9992dbc0bc6289af179dea6edd1d5f394096da220

          SHA512

          3187054b746c8c445a89dff0006a3293ba25b47f9b207f1eaa89455573f3e4b8d6fe22d3896cd4e7f55b35d7875528d9c122f3e471267724bd9fcb3ca78584e1

        • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

          Filesize

          478KB

          MD5

          77ec999dc753d70d4a8fbc32a98efb2f

          SHA1

          172ba524961356c8cf218baf27e14c66a07ffefc

          SHA256

          7178ea26cd9a2cd05e48e5d856a330d3e276d798d14aa10852df737f141dfbc5

          SHA512

          67d6a5f5034c44c4dbd5df9f61dc7754a1981040f04e2bd8159b8311f9b57009d731ac051a7751ff4674817f3d6f2c3fb5537046a289f45ca038d10084b6bd58

        • F:\$RECYCLE.BIN\S-1-5-21-2212144002-1172735686-1556890956-1000\_desktop.ini

          Filesize

          9B

          MD5

          1368e4d784ef82633de86fa6bc6e37f9

          SHA1

          77c7384e886b27647bb4f2fd364e7947e7b6abc6

          SHA256

          57507bed6cf91d70e66bd4cc287634889ef30b648cb7c44a4edec0e2cb68b772

          SHA512

          3cb7168e776eb564768e30eba43174014a85108ab306a7c07a1522fb42173c381a5bff9ac10944fd345dd5308061cbe2878c60d1e878f8768281c1adcf5dd85b

        • memory/1212-5-0x0000000002A00000-0x0000000002A01000-memory.dmp

          Filesize

          4KB

        • memory/2152-0-0x0000000000400000-0x000000000043E000-memory.dmp

          Filesize

          248KB

        • memory/2152-9-0x0000000000400000-0x000000000043E000-memory.dmp

          Filesize

          248KB

        • memory/2152-1797-0x0000000000400000-0x000000000043E000-memory.dmp

          Filesize

          248KB

        • memory/2152-3285-0x0000000000400000-0x000000000043E000-memory.dmp

          Filesize

          248KB

        • memory/2152-6323-0x0000000000400000-0x000000000043E000-memory.dmp

          Filesize

          248KB