Overview

overview

7

Static

static

3

c1c0fa86d4...4f.exe

windows7-x64

7

c1c0fa86d4...4f.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    142s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07/09/2024, 09:26

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    c1c0fa86d4280cbf2e8714ef27adfab7a7714eedf87785e2a6eba0cd0f4c9e4f.exe

  • Size

    285KB

  • MD5

    7ddcb9f08defed78ade5024d31f1f920

  • SHA1

    d2475d6350f94b1ec60e755d3aa46840abfba784

  • SHA256

    c1c0fa86d4280cbf2e8714ef27adfab7a7714eedf87785e2a6eba0cd0f4c9e4f

  • SHA512

    d811f60d9b3a92c370dbd5d8683661b4f32e7be0394e6c84ce9458d116de6f6466987b5b3f991c481007b01c7640b82a30854e5b60336ff07114b7e277d0fa19

  • SSDEEP

    6144:Tl+aKMTi0+lfh+L5qe9T5q4GAFzWTBPMmC1UC6fOaU:Tl+aKMTi0uhMqe9ts2zWTpMmCG7W

Score
7/10
discoveryspywarestealer

Malware Config

Signatures

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3480
      • C:\Users\Admin\AppData\Local\Temp\c1c0fa86d4280cbf2e8714ef27adfab7a7714eedf87785e2a6eba0cd0f4c9e4f.exe
        "C:\Users\Admin\AppData\Local\Temp\c1c0fa86d4280cbf2e8714ef27adfab7a7714eedf87785e2a6eba0cd0f4c9e4f.exe"
        2⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:3628
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2892
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:1288
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a6755.bat
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4208
          • C:\Users\Admin\AppData\Local\Temp\c1c0fa86d4280cbf2e8714ef27adfab7a7714eedf87785e2a6eba0cd0f4c9e4f.exe
            "C:\Users\Admin\AppData\Local\Temp\c1c0fa86d4280cbf2e8714ef27adfab7a7714eedf87785e2a6eba0cd0f4c9e4f.exe"
            4⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:3196
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Drops startup file
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:3124
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:4440
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2312
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:752
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:4576

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files\7-Zip\7z.exe
            Filesize

            577KB

            MD5

            2d550858ef40975332a11d37c322fd9d

            SHA1

            2b8dae63545cf5a8aeaa3db37b2e1fa67c3b43cc

            SHA256

            b97690f24fe742ce51326dd520f580b5798c35e023c63fea6416a756c356a6b1

            SHA512

            a46d8fabdaa99e2db4f8f3c2d88aafea655ef544cc2301466e8a09b0c626ea8aac2a9b382e938f90460044306c73005a1cf3f51e7c63dcf8e16f37ec570b49f6

            Download Submit

          • C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
            Filesize

            643KB

            MD5

            29bab5fa7dbfd951e1c8290a8f4c2ba7

            SHA1

            7b86728d64cef9686bd45f2ff6fdc818c11a1bbb

            SHA256

            dda333d8aed86ba750f669280e458ad2fb8d8ad5700a5fe0df584a1c818c481b

            SHA512

            5bb37bffffe297653f91e0601f17b507659bcfe78567e6e1d10506d3c3bea737e7d6374224ecc01f421cff8f74b299eba8fe3152742b2b1c228966a630de1339

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\$$a6755.bat
            Filesize

            722B

            MD5

            b2c3a59da9ba75c6f5f89ef6224edf48

            SHA1

            1f65a99220c20c186ade9512015f03673f991a5e

            SHA256

            fe3d81378d7ad88738e40a5bbcba1bab2196858223c8ce56c36e07951c87e72e

            SHA512

            14f4a73b40b511c2db04db7cc415b4bc9ef36bbf381cf290a7ac0178b406b29140eb15c627e0c1c521ec71af19d25d88277c54e16ed3441a303ff66d223ff5a0

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\c1c0fa86d4280cbf2e8714ef27adfab7a7714eedf87785e2a6eba0cd0f4c9e4f.exe.exe
            Filesize

            252KB

            MD5

            9e2b9928c89a9d0da1d3e8f4bd96afa7

            SHA1

            ec66cda99f44b62470c6930e5afda061579cde35

            SHA256

            8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

            SHA512

            2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

            Download Submit

          • C:\Windows\Logo1_.exe
            Filesize

            33KB

            MD5

            1c1a54d9be781116b0eeb13e29df2877

            SHA1

            27bf3d81ae73403cff58875a67d86e9cd4b83aea

            SHA256

            b05922fc1a2cf17f5d94a22c68dfff012367469cfc4c601eeba26e9622de0308

            SHA512

            7490c11f6e66164fe42a8bcc2488fb6d92d492b6eb7b1548d221fe61c9495cad8b740a613041c6bac91c4bc88d4c40155057c03315b5d4c7fe3241b37364703e

            Download Submit

          • F:\$RECYCLE.BIN\S-1-5-21-2718105630-359604950-2820636825-1000\_desktop.ini
            Filesize

            8B

            MD5

            24cfb7e9169e3ecbcdf34395dff5aed0

            SHA1

            64061d8b0afd788fb3d2990e90e61f14010896dd

            SHA256

            e11477f26e6139dabba6ad5dab927732c6a3785db78f82194ad7ae20323c6578

            SHA512

            a315d4ab14f15f8df115e35134f0a1eff8018b0c35c5a0283928f2d3f3014215d683973b9aeba1bc74c49437cc929ea4e2fb847b4305da6d5abca235c750e299

            Download Submit

          • memory/3124-9-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/3124-22-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/3124-3234-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/3124-8737-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/3628-0-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/3628-11-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download