Overview

overview

7

Static

static

3

c43c333e5c...db.exe

windows7-x64

7

c43c333e5c...db.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25/07/2024, 09:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c43c333e5caa6db50059203a8056b36f9bbafe829be60c07cf1f84e425c25fdb.exe

  • Size

    963KB

  • MD5

    9f6568df9df5cde5ecaac81c36afb291

  • SHA1

    e6d21d558e7b46d19bad965685d962cfb77bd760

  • SHA256

    c43c333e5caa6db50059203a8056b36f9bbafe829be60c07cf1f84e425c25fdb

  • SHA512

    3a72c44e89c5afc3dd416c95a87f7a33befb5b13fa9cb422404a1a9c8179fd2effac64b51e9eac61192af9fcbec0d7e31068c47c735155ff0fe1987b3fc518cf

  • SSDEEP

    12288:8RKcv8Nh7py6Rmi78gkPH3aPI9vyVg/0paQuj3IdD02fKBjtp/:BBpDRmi78gkPXlyo0G/jr

Score
7/10
discoveryspywarestealer

Malware Config

Signatures

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3528
      • C:\Users\Admin\AppData\Local\Temp\c43c333e5caa6db50059203a8056b36f9bbafe829be60c07cf1f84e425c25fdb.exe
        "C:\Users\Admin\AppData\Local\Temp\c43c333e5caa6db50059203a8056b36f9bbafe829be60c07cf1f84e425c25fdb.exe"
        2⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2468
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4484
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:4344
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aCFA4.bat
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1028
          • C:\Users\Admin\AppData\Local\Temp\c43c333e5caa6db50059203a8056b36f9bbafe829be60c07cf1f84e425c25fdb.exe
            "C:\Users\Admin\AppData\Local\Temp\c43c333e5caa6db50059203a8056b36f9bbafe829be60c07cf1f84e425c25fdb.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:1692
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Drops startup file
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:4444
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:1944
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:1500
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:5064
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:3480

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe
      Filesize

      251KB

      MD5

      f40a80dfe0fb38d4a62b29f10951b857

      SHA1

      f714037242a7b4ce5553feff0ba7c591eedf8118

      SHA256

      4a64ff29c51e9dee46008d046303e6d8cca5b37edc78cf18fdb513da48c3e26a

      SHA512

      9d138a06a80b1c6c9bb022328bb44d4a94e38fecfcd6772f741569a31c3f46d02459818935b3d24de7ce403fb91b4c2d02d44ea932013c34242eec4b98d3e60a

      Download Submit

    • C:\Program Files\7-Zip\7z.exe
      Filesize

      577KB

      MD5

      de9f070e13f22428aa3a7692693da276

      SHA1

      97a4f0e29b8e4c4e411f74d71c3fbac4fcae6589

      SHA256

      1853f0f5ba7f389941dbb94109f90c9a9463fd007abcc5e992218ae379cfba15

      SHA512

      f246a74404b625cf8bba30df76a4a7dc5afe01ad1028bd1576aeec23491855a7459109cd1fc41a44edd182ce1d3c67f1d3d62e72ec33bede2a78e76136f0fc54

      Download Submit

    • C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
      Filesize

      643KB

      MD5

      2fdcad374eb6488c8348009e911c64be

      SHA1

      0a8f2b05148a13b86d1943d3a928be129d90545a

      SHA256

      476fbeec549dc6014272c301268996bd427ff2bba11868e8741f15ae3c029159

      SHA512

      4015e13ed112f4d35c6ff54fafdeb465940dcd9e132d760778373d3a1e439d29a5e5ddfeaf20aade09b60a893efb243bd30b15deb3278a21c3e601937390feb4

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\$$aCFA4.bat
      Filesize

      722B

      MD5

      dca613d66968133d3fe1f98846cf1a3a

      SHA1

      a79d561cfbe18c8ce65a2a03f69dde1397eed0b7

      SHA256

      543812c7c4080222c39c20b8102608ef5fb932092ed0ea95dbf3af23dfa474ac

      SHA512

      3846c510d56dfdfc41d592130a5f4dc4cea836cb9ff475b49c02bd274ba68a20590511bcece35ddf1279f56c129405e28ed439d525ec1eb2e914b0b31f625f5a

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\c43c333e5caa6db50059203a8056b36f9bbafe829be60c07cf1f84e425c25fdb.exe.exe
      Filesize

      930KB

      MD5

      30ac0b832d75598fb3ec37b6f2a8c86a

      SHA1

      6f47dbfd6ff36df7ba581a4cef024da527dc3046

      SHA256

      1ea0839c8dc95ad2c060af7d042c40c0daed58ce8e4524c0fba12fd73e4afb74

      SHA512

      505870601a4389b7ed2c8fecf85835adfd2944cbc10801f74bc4e08f5a0d6ecc9a52052fc37e216304cd1655129021862294a698ed36b3b43d428698f7263057

      Download Submit

    • C:\Windows\Logo1_.exe
      Filesize

      33KB

      MD5

      13020681bc352463cc9b9b81835adb87

      SHA1

      83d802b4c55d77c55fd8710d8d18d987253fadc0

      SHA256

      b21a89ff79da20380e9b38ef53769de93841b69ad40321bfd671389ce6554a57

      SHA512

      6f939b711c2a027fe0a2dd2645c7859e579282832c72656ede1f40e2fc706235771bb175cce287b404b89f7526ebe1188fdcbfc206722cbd748f3bfd1c4245c5

      Download Submit

    • F:\$RECYCLE.BIN\S-1-5-21-464762018-485119342-1613148473-1000\_desktop.ini
      Filesize

      9B

      MD5

      c20162cff0e529974834e150d7e6691f

      SHA1

      512e9821581354bd8078227ddf386b17e771ff38

      SHA256

      82f2070eb6138ab12ec2a1f0c3ca7b3b97db75cc19a5076ed382b017f309bdd6

      SHA512

      c2c414232ac5fc3d7ff195523c49610795d0ea4d95c69748ef9ddd4a42203ace52a7da8594cb20102743a21b6eb5bd9e7ee5915513a9c11a0db319323538d744

      Download Submit

    • memory/2468-10-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB

      Download

    • memory/2468-0-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB

      Download

    • memory/4444-18-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB

      Download

    • memory/4444-2564-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB

      Download

    • memory/4444-11-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB

      Download

    • memory/4444-8880-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB

      Download