Analysis

  • max time kernel
    149s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    07/09/2024, 09:26

General

  • Target

    c1c0fa86d4280cbf2e8714ef27adfab7a7714eedf87785e2a6eba0cd0f4c9e4f.exe

  • Size

    285KB

  • MD5

    7ddcb9f08defed78ade5024d31f1f920

  • SHA1

    d2475d6350f94b1ec60e755d3aa46840abfba784

  • SHA256

    c1c0fa86d4280cbf2e8714ef27adfab7a7714eedf87785e2a6eba0cd0f4c9e4f

  • SHA512

    d811f60d9b3a92c370dbd5d8683661b4f32e7be0394e6c84ce9458d116de6f6466987b5b3f991c481007b01c7640b82a30854e5b60336ff07114b7e277d0fa19

  • SSDEEP

    6144:Tl+aKMTi0+lfh+L5qe9T5q4GAFzWTBPMmC1UC6fOaU:Tl+aKMTi0uhMqe9ts2zWTpMmCG7W

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 43 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1212
      • C:\Users\Admin\AppData\Local\Temp\c1c0fa86d4280cbf2e8714ef27adfab7a7714eedf87785e2a6eba0cd0f4c9e4f.exe
        "C:\Users\Admin\AppData\Local\Temp\c1c0fa86d4280cbf2e8714ef27adfab7a7714eedf87785e2a6eba0cd0f4c9e4f.exe"
        2⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1976
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2512
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:2336
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\$$aABD9.bat
          3⤵
          • Deletes itself
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2380
          • C:\Users\Admin\AppData\Local\Temp\c1c0fa86d4280cbf2e8714ef27adfab7a7714eedf87785e2a6eba0cd0f4c9e4f.exe
            "C:\Users\Admin\AppData\Local\Temp\c1c0fa86d4280cbf2e8714ef27adfab7a7714eedf87785e2a6eba0cd0f4c9e4f.exe"
            4⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:2196
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Drops startup file
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2484
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2276
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2756
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2904
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2792

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

      Filesize

      477KB

      MD5

      c32f3ae2a93a21a604cd493d86b40278

      SHA1

      4428387f1a1dd12ff5607459bcf4d89cd8ed80fe

      SHA256

      b84bbbbc007c88ca79ea94b2cf92e7a3093c8de3a8ce4b70b6f4d0a9480595a8

      SHA512

      5e7bb3318deebf7663fc4b9c3b20ce75986e32cbb27c34ec94fccf5affde4f0dd9e5dd0bef38510d088ec00b885dccafff09706a75fd927f882540ead7cc7965

    • C:\Users\Admin\AppData\Local\Temp\$$aABD9.bat

      Filesize

      722B

      MD5

      45ce6b505eb566da2e289e345135a545

      SHA1

      6b87970b89a8db4d4389b740203fd891221711bf

      SHA256

      14200bb10a3503006ce88e32b83f525a6c277cf5856d9950cfa5ae945afa5c9f

      SHA512

      3382fab635ac418301897da20a35e1cc2fa42d390961c5b226ca52deb4e400636e657b883b82961c7ec8a94321f5f0b3ff1be73b22a1fb3abae4bd0734337a2c

    • C:\Users\Admin\AppData\Local\Temp\c1c0fa86d4280cbf2e8714ef27adfab7a7714eedf87785e2a6eba0cd0f4c9e4f.exe.exe

      Filesize

      252KB

      MD5

      9e2b9928c89a9d0da1d3e8f4bd96afa7

      SHA1

      ec66cda99f44b62470c6930e5afda061579cde35

      SHA256

      8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

      SHA512

      2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

    • C:\Windows\Logo1_.exe

      Filesize

      33KB

      MD5

      1c1a54d9be781116b0eeb13e29df2877

      SHA1

      27bf3d81ae73403cff58875a67d86e9cd4b83aea

      SHA256

      b05922fc1a2cf17f5d94a22c68dfff012367469cfc4c601eeba26e9622de0308

      SHA512

      7490c11f6e66164fe42a8bcc2488fb6d92d492b6eb7b1548d221fe61c9495cad8b740a613041c6bac91c4bc88d4c40155057c03315b5d4c7fe3241b37364703e

    • F:\$RECYCLE.BIN\S-1-5-21-312935884-697965778-3955649944-1000\_desktop.ini

      Filesize

      8B

      MD5

      24cfb7e9169e3ecbcdf34395dff5aed0

      SHA1

      64061d8b0afd788fb3d2990e90e61f14010896dd

      SHA256

      e11477f26e6139dabba6ad5dab927732c6a3785db78f82194ad7ae20323c6578

      SHA512

      a315d4ab14f15f8df115e35134f0a1eff8018b0c35c5a0283928f2d3f3014215d683973b9aeba1bc74c49437cc929ea4e2fb847b4305da6d5abca235c750e299

    • memory/1212-33-0x0000000002E00000-0x0000000002E01000-memory.dmp

      Filesize

      4KB

    • memory/1976-18-0x0000000000400000-0x000000000043F000-memory.dmp

      Filesize

      252KB

    • memory/1976-0-0x0000000000400000-0x000000000043F000-memory.dmp

      Filesize

      252KB

    • memory/1976-16-0x0000000000440000-0x000000000047F000-memory.dmp

      Filesize

      252KB

    • memory/2484-19-0x0000000000400000-0x000000000043F000-memory.dmp

      Filesize

      252KB

    • memory/2484-37-0x0000000000400000-0x000000000043F000-memory.dmp

      Filesize

      252KB

    • memory/2484-2905-0x0000000000400000-0x000000000043F000-memory.dmp

      Filesize

      252KB

    • memory/2484-4202-0x0000000000400000-0x000000000043F000-memory.dmp

      Filesize

      252KB