Overview

overview

7

Static

static

3

c43c333e5c...db.exe

windows7-x64

7

c43c333e5c...db.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25/07/2024, 09:52

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    c43c333e5caa6db50059203a8056b36f9bbafe829be60c07cf1f84e425c25fdb.exe

  • Size

    963KB

  • MD5

    9f6568df9df5cde5ecaac81c36afb291

  • SHA1

    e6d21d558e7b46d19bad965685d962cfb77bd760

  • SHA256

    c43c333e5caa6db50059203a8056b36f9bbafe829be60c07cf1f84e425c25fdb

  • SHA512

    3a72c44e89c5afc3dd416c95a87f7a33befb5b13fa9cb422404a1a9c8179fd2effac64b51e9eac61192af9fcbec0d7e31068c47c735155ff0fe1987b3fc518cf

  • SSDEEP

    12288:8RKcv8Nh7py6Rmi78gkPH3aPI9vyVg/0paQuj3IdD02fKBjtp/:BBpDRmi78gkPXlyo0G/jr

Score
7/10
discoveryspywarestealer

Malware Config

Signatures

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3528
      • C:\Users\Admin\AppData\Local\Temp\c43c333e5caa6db50059203a8056b36f9bbafe829be60c07cf1f84e425c25fdb.exe
        "C:\Users\Admin\AppData\Local\Temp\c43c333e5caa6db50059203a8056b36f9bbafe829be60c07cf1f84e425c25fdb.exe"
        2⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2468
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4484
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:4344
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aCFA4.bat
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1028
          • C:\Users\Admin\AppData\Local\Temp\c43c333e5caa6db50059203a8056b36f9bbafe829be60c07cf1f84e425c25fdb.exe
            "C:\Users\Admin\AppData\Local\Temp\c43c333e5caa6db50059203a8056b36f9bbafe829be60c07cf1f84e425c25fdb.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:1692
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Drops startup file
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:4444
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:1944
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:1500
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:5064
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:3480

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe
            Filesize

            251KB

            MD5

            f40a80dfe0fb38d4a62b29f10951b857

            SHA1

            f714037242a7b4ce5553feff0ba7c591eedf8118

            SHA256

            4a64ff29c51e9dee46008d046303e6d8cca5b37edc78cf18fdb513da48c3e26a

            SHA512

            9d138a06a80b1c6c9bb022328bb44d4a94e38fecfcd6772f741569a31c3f46d02459818935b3d24de7ce403fb91b4c2d02d44ea932013c34242eec4b98d3e60a

            Download Submit

          • C:\Program Files\7-Zip\7z.exe
            Filesize

            577KB

            MD5

            de9f070e13f22428aa3a7692693da276

            SHA1

            97a4f0e29b8e4c4e411f74d71c3fbac4fcae6589

            SHA256

            1853f0f5ba7f389941dbb94109f90c9a9463fd007abcc5e992218ae379cfba15

            SHA512

            f246a74404b625cf8bba30df76a4a7dc5afe01ad1028bd1576aeec23491855a7459109cd1fc41a44edd182ce1d3c67f1d3d62e72ec33bede2a78e76136f0fc54

            Download Submit

          • C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
            Filesize

            643KB

            MD5

            2fdcad374eb6488c8348009e911c64be

            SHA1

            0a8f2b05148a13b86d1943d3a928be129d90545a

            SHA256

            476fbeec549dc6014272c301268996bd427ff2bba11868e8741f15ae3c029159

            SHA512

            4015e13ed112f4d35c6ff54fafdeb465940dcd9e132d760778373d3a1e439d29a5e5ddfeaf20aade09b60a893efb243bd30b15deb3278a21c3e601937390feb4

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\$$aCFA4.bat
            Filesize

            722B

            MD5

            dca613d66968133d3fe1f98846cf1a3a

            SHA1

            a79d561cfbe18c8ce65a2a03f69dde1397eed0b7

            SHA256

            543812c7c4080222c39c20b8102608ef5fb932092ed0ea95dbf3af23dfa474ac

            SHA512

            3846c510d56dfdfc41d592130a5f4dc4cea836cb9ff475b49c02bd274ba68a20590511bcece35ddf1279f56c129405e28ed439d525ec1eb2e914b0b31f625f5a

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\c43c333e5caa6db50059203a8056b36f9bbafe829be60c07cf1f84e425c25fdb.exe.exe
            Filesize

            930KB

            MD5

            30ac0b832d75598fb3ec37b6f2a8c86a

            SHA1

            6f47dbfd6ff36df7ba581a4cef024da527dc3046

            SHA256

            1ea0839c8dc95ad2c060af7d042c40c0daed58ce8e4524c0fba12fd73e4afb74

            SHA512

            505870601a4389b7ed2c8fecf85835adfd2944cbc10801f74bc4e08f5a0d6ecc9a52052fc37e216304cd1655129021862294a698ed36b3b43d428698f7263057

            Download Submit

          • C:\Windows\Logo1_.exe
            Filesize

            33KB

            MD5

            13020681bc352463cc9b9b81835adb87

            SHA1

            83d802b4c55d77c55fd8710d8d18d987253fadc0

            SHA256

            b21a89ff79da20380e9b38ef53769de93841b69ad40321bfd671389ce6554a57

            SHA512

            6f939b711c2a027fe0a2dd2645c7859e579282832c72656ede1f40e2fc706235771bb175cce287b404b89f7526ebe1188fdcbfc206722cbd748f3bfd1c4245c5

            Download Submit

          • F:\$RECYCLE.BIN\S-1-5-21-464762018-485119342-1613148473-1000\_desktop.ini
            Filesize

            9B

            MD5

            c20162cff0e529974834e150d7e6691f

            SHA1

            512e9821581354bd8078227ddf386b17e771ff38

            SHA256

            82f2070eb6138ab12ec2a1f0c3ca7b3b97db75cc19a5076ed382b017f309bdd6

            SHA512

            c2c414232ac5fc3d7ff195523c49610795d0ea4d95c69748ef9ddd4a42203ace52a7da8594cb20102743a21b6eb5bd9e7ee5915513a9c11a0db319323538d744

            Download Submit

          • memory/2468-10-0x0000000000400000-0x0000000000440000-memory.dmp

            Filesize

            256KB

            Download

          • memory/2468-0-0x0000000000400000-0x0000000000440000-memory.dmp

            Filesize

            256KB

            Download

          • memory/4444-18-0x0000000000400000-0x0000000000440000-memory.dmp

            Filesize

            256KB

            Download

          • memory/4444-2564-0x0000000000400000-0x0000000000440000-memory.dmp

            Filesize

            256KB

            Download

          • memory/4444-11-0x0000000000400000-0x0000000000440000-memory.dmp

            Filesize

            256KB

            Download

          • memory/4444-8880-0x0000000000400000-0x0000000000440000-memory.dmp

            Filesize

            256KB

            Download