Overview

overview

7

Static

static

3

c43c333e5c...db.exe

windows7-x64

7

c43c333e5c...db.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    22s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    25/07/2024, 09:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c43c333e5caa6db50059203a8056b36f9bbafe829be60c07cf1f84e425c25fdb.exe

  • Size

    963KB

  • MD5

    9f6568df9df5cde5ecaac81c36afb291

  • SHA1

    e6d21d558e7b46d19bad965685d962cfb77bd760

  • SHA256

    c43c333e5caa6db50059203a8056b36f9bbafe829be60c07cf1f84e425c25fdb

  • SHA512

    3a72c44e89c5afc3dd416c95a87f7a33befb5b13fa9cb422404a1a9c8179fd2effac64b51e9eac61192af9fcbec0d7e31068c47c735155ff0fe1987b3fc518cf

  • SSDEEP

    12288:8RKcv8Nh7py6Rmi78gkPH3aPI9vyVg/0paQuj3IdD02fKBjtp/:BBpDRmi78gkPXlyo0G/jr

Score
7/10
discoveryspywarestealer

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 43 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1220
      • C:\Users\Admin\AppData\Local\Temp\c43c333e5caa6db50059203a8056b36f9bbafe829be60c07cf1f84e425c25fdb.exe
        "C:\Users\Admin\AppData\Local\Temp\c43c333e5caa6db50059203a8056b36f9bbafe829be60c07cf1f84e425c25fdb.exe"
        2⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1756
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1576
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:1668
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\$$aDA0A.bat
          3⤵
          • Deletes itself
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2576
          • C:\Users\Admin\AppData\Local\Temp\c43c333e5caa6db50059203a8056b36f9bbafe829be60c07cf1f84e425c25fdb.exe
            "C:\Users\Admin\AppData\Local\Temp\c43c333e5caa6db50059203a8056b36f9bbafe829be60c07cf1f84e425c25fdb.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of AdjustPrivilegeToken
            PID:2864
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Drops startup file
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2804
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2820
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2880
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2564
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2776

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
      Filesize

      258KB

      MD5

      90c17b056ff9e34aa129cfc6d1ad0546

      SHA1

      20579dfe91618590d9df3fbabe4c996ee2be3f9b

      SHA256

      6f9baf6d0300c8f4b778b5d680cbc7c960e2505fcd90f17bf4725c2cdacf07a4

      SHA512

      fd12e82e10aae74c03a5c4db22d8257f927bc39bbf8b2cf2455760ef2e780e4c0eb266e18693fcaf68ea38c09bc7232c149d8f960ea621dbb1d259629dc25f4f

      Download Submit

    • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
      Filesize

      478KB

      MD5

      4894b8053c2c515de12944003ccca9eb

      SHA1

      4ea0ae6302fa005ca406f04f459cebfb1e339d77

      SHA256

      b467df94ef5c74edc55434535d7bc75958ac9ac0bf7e4c4ee53f360e8dfaee39

      SHA512

      e309e004620181605b4654e5ddd8fe45a76d97fb2566d99a7a35905b3b14bab7c7809b088f21ff4b6086141a835b3655c1182253907526de2c4aec15e0317742

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\$$aDA0A.bat
      Filesize

      722B

      MD5

      b678adce1120c63492de835b2ae2c080

      SHA1

      088363d3ada174dd5fe607773918fb44fa150535

      SHA256

      f37d260c0c0763ccf566cc775d4014eb50efc310bfc45feb127dcef05e3227c0

      SHA512

      a80c3ae3822930242b7d59723a0c9adf0b1cf5b925e455ef7d4d5f5f67dd166063cbadc1dbef04780b44f76ab37306c45dafb2b44e79576e4cc03c89ebbacd2a

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\c43c333e5caa6db50059203a8056b36f9bbafe829be60c07cf1f84e425c25fdb.exe.exe
      Filesize

      930KB

      MD5

      30ac0b832d75598fb3ec37b6f2a8c86a

      SHA1

      6f47dbfd6ff36df7ba581a4cef024da527dc3046

      SHA256

      1ea0839c8dc95ad2c060af7d042c40c0daed58ce8e4524c0fba12fd73e4afb74

      SHA512

      505870601a4389b7ed2c8fecf85835adfd2944cbc10801f74bc4e08f5a0d6ecc9a52052fc37e216304cd1655129021862294a698ed36b3b43d428698f7263057

      Download Submit

    • C:\Windows\Logo1_.exe
      Filesize

      33KB

      MD5

      13020681bc352463cc9b9b81835adb87

      SHA1

      83d802b4c55d77c55fd8710d8d18d987253fadc0

      SHA256

      b21a89ff79da20380e9b38ef53769de93841b69ad40321bfd671389ce6554a57

      SHA512

      6f939b711c2a027fe0a2dd2645c7859e579282832c72656ede1f40e2fc706235771bb175cce287b404b89f7526ebe1188fdcbfc206722cbd748f3bfd1c4245c5

      Download Submit

    • F:\$RECYCLE.BIN\S-1-5-21-1506706701-1246725540-2219210854-1000\_desktop.ini
      Filesize

      9B

      MD5

      c20162cff0e529974834e150d7e6691f

      SHA1

      512e9821581354bd8078227ddf386b17e771ff38

      SHA256

      82f2070eb6138ab12ec2a1f0c3ca7b3b97db75cc19a5076ed382b017f309bdd6

      SHA512

      c2c414232ac5fc3d7ff195523c49610795d0ea4d95c69748ef9ddd4a42203ace52a7da8594cb20102743a21b6eb5bd9e7ee5915513a9c11a0db319323538d744

      Download Submit

    • memory/1220-30-0x0000000002B00000-0x0000000002B01000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1756-18-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB

      Download

    • memory/1756-0-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB

      Download

    • memory/1756-17-0x0000000001B60000-0x0000000001BA0000-memory.dmp

      Filesize

      256KB

      Download

    • memory/1756-15-0x0000000001B60000-0x0000000001BA0000-memory.dmp

      Filesize

      256KB

      Download

    • memory/2804-33-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB

      Download

    • memory/2804-20-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB

      Download

    • memory/2804-3348-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB

      Download

    • memory/2804-4194-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB

      Download