Overview

overview

7

Static

static

3

bdf03f55bf...ef.exe

windows7-x64

7

bdf03f55bf...ef.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25/07/2024, 09:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bdf03f55bf486ad0e8cc24a2cae4174991fd3b52761bd46d256276fee5e2c6ef.exe

  • Size

    397KB

  • MD5

    790d0221d5f73ccd0e130c74d6da4509

  • SHA1

    cc47b6f1e376d18e821d16190928c85eeb623b2f

  • SHA256

    bdf03f55bf486ad0e8cc24a2cae4174991fd3b52761bd46d256276fee5e2c6ef

  • SHA512

    f80603e466394e1b8da1053bef4408e07be673cce4e793cc7cf8ddc1b7bb71ffb9fb56eb2c337de9e53bbd7d1ba4b50adc173a4bb16533f023611e4db0fa4268

  • SSDEEP

    6144:t1qe1ISynDXYQ/BWJjmpgtBZQZKQj8p3jyb7HREd4SZ1tzLbF:t1quIFDXYJmSTZwYp32bY4qtDF

Score
7/10
discoveryspywarestealer

Malware Config

Signatures

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3428
      • C:\Users\Admin\AppData\Local\Temp\bdf03f55bf486ad0e8cc24a2cae4174991fd3b52761bd46d256276fee5e2c6ef.exe
        "C:\Users\Admin\AppData\Local\Temp\bdf03f55bf486ad0e8cc24a2cae4174991fd3b52761bd46d256276fee5e2c6ef.exe"
        2⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:3008
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3204
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:1028
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a59.bat
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1600
          • C:\Users\Admin\AppData\Local\Temp\bdf03f55bf486ad0e8cc24a2cae4174991fd3b52761bd46d256276fee5e2c6ef.exe
            "C:\Users\Admin\AppData\Local\Temp\bdf03f55bf486ad0e8cc24a2cae4174991fd3b52761bd46d256276fee5e2c6ef.exe"
            4⤵
            • Executes dropped EXE
            PID:2076
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Drops startup file
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2736
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:4188
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:4292
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:552
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2176

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe
      Filesize

      251KB

      MD5

      eabcd538f504610ed542dc20ec7662e4

      SHA1

      7e2511244c6dd3d004d76aa6c41423e4890e9009

      SHA256

      d4d01768dd44f6b98cbff4b056f49c7a7121489fe389c8b7f7438d3716b6db8f

      SHA512

      d1b9ae56ccc39a29bbc9710a81f8a953ec2b579d64c8e3a64341d2b34920ea30729ec060e9281fa474f46746f798c473f819bf5a423bee6e0b879687cffcb897

      Download Submit

    • C:\Program Files\LimitMount.exe
      Filesize

      782KB

      MD5

      01d2ee2bd5d05c626adef6dbd42002d8

      SHA1

      ec677fc4cfdcca9510ef3221ad487caae745e6e1

      SHA256

      a6ff43694fe8eaff00d2e5a107e36277b95d716b2eb54afb4ffdcf403bfbbed2

      SHA512

      9b171df54e90fcba11d9c0d552748306351b5c90b1751394e3b6c2943a29030045628f2a0ffc01fa1aa644b4a7ee0e1a118056a63b40b9b159d2fc3f687518d3

      Download Submit

    • C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
      Filesize

      643KB

      MD5

      ab2cb63e497f09bfe8be14bcf0f680b1

      SHA1

      d116c92ed3c487a1dcde68e4e58e66a535627fe7

      SHA256

      c60d34a999168bdce718de1e1e2642d8903fde2c2359e4850ca852995bc62739

      SHA512

      f54fc6ad7bc41b97b6f600304f5e4cf7eddd733a018116282cf0b53c8b4a3b78b738011e70113420093320884099bc70908731e277e0369de0e7df67d146a21c

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\$$a59.bat
      Filesize

      720B

      MD5

      7063d707a0857a4752232c785682cd0b

      SHA1

      8e8c39cc69c7cfb893964e89cf8a21f9d7b094b6

      SHA256

      f2b55d17a9538ed9da41c435b2408f4bad36eac29c6a513e5430662f2e02359b

      SHA512

      1041c40edde948f9e19019d2e301982483d1e4042ec5b90487c1ce52f66ce23afea24995f012b7c5c68b409a8c4230d05400d55f187391712fb66da087c87021

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\bdf03f55bf486ad0e8cc24a2cae4174991fd3b52761bd46d256276fee5e2c6ef.exe.exe
      Filesize

      364KB

      MD5

      213eeb5e8f54231f68e5b26a0fc81bd1

      SHA1

      1bc31a42536eacbb57d1cd92ec4b5524a82264d2

      SHA256

      b309045509efc205eb35d6037d64640093fde6c54ec5934e329b447417005a50

      SHA512

      ce35c5f453126c98329df141f821c55692f9252549c76921c231d8170df356cda1689e636758519c0b6898f11b5c836cdb4967d296b99f915e4d1980470a083b

      Download Submit

    • C:\Windows\Logo1_.exe
      Filesize

      33KB

      MD5

      e66ec81a55072abc67e5c48adc2f771c

      SHA1

      b7b45b11de92fafe2ccd0c5a0a1a1d24991eba5a

      SHA256

      6a9fa6177b7f71bfa63a0274a9832d18bfecbdc663bf23e1580203a5456b8a90

      SHA512

      097f9f98618b195a7af7814e7eddba5ce1c25bd3a0d7818e79b4dfda1d6d20b08b0f28dec64278015a62fd5a3bf7495ae2d65ccfa1c48fc7a30a6eb3d9cd8287

      Download Submit

    • F:\$RECYCLE.BIN\S-1-5-21-701583114-2636601053-947405450-1000\_desktop.ini
      Filesize

      9B

      MD5

      c20162cff0e529974834e150d7e6691f

      SHA1

      512e9821581354bd8078227ddf386b17e771ff38

      SHA256

      82f2070eb6138ab12ec2a1f0c3ca7b3b97db75cc19a5076ed382b017f309bdd6

      SHA512

      c2c414232ac5fc3d7ff195523c49610795d0ea4d95c69748ef9ddd4a42203ace52a7da8594cb20102743a21b6eb5bd9e7ee5915513a9c11a0db319323538d744

      Download Submit

    • memory/2736-18-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

      Download

    • memory/2736-2475-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

      Download

    • memory/2736-11-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

      Download

    • memory/2736-8841-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

      Download

    • memory/3008-0-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

      Download

    • memory/3008-10-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

      Download