Analysis

  • max time kernel
    150s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    09-09-2024 14:53

General

  • Target

    c16080fcc2b6c83e0092b93d46158da83c855920da62c6205b64035ba690500a.exe

  • Size

    72KB

  • MD5

    5dd18ff4345abfe77af08f42d954cd63

  • SHA1

    8a513783bc18aab4fa066e67718f638519144a1e

  • SHA256

    c16080fcc2b6c83e0092b93d46158da83c855920da62c6205b64035ba690500a

  • SHA512

    25413e9a76a1e77bedd62c3bf0b34cdcd016c5076f2bb53596d8d5fb83110ed19246fc61358bc2b1830afda74661e23d524e142136f7bf56ab2b25ea346f1906

  • SSDEEP

    1536:8Ze+Zk7VJbwlYXjPrsqrZMYR5p8wUawuzXv4exFRKs9uhh:8Ze+azbRPrlr9RXFUawuzX+kuX

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 43 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1184
      • C:\Users\Admin\AppData\Local\Temp\c16080fcc2b6c83e0092b93d46158da83c855920da62c6205b64035ba690500a.exe
        "C:\Users\Admin\AppData\Local\Temp\c16080fcc2b6c83e0092b93d46158da83c855920da62c6205b64035ba690500a.exe"
        2⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2504
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2336
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:2480
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\$$aE0DD.bat
          3⤵
          • Deletes itself
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2228
          • C:\Users\Admin\AppData\Local\Temp\c16080fcc2b6c83e0092b93d46158da83c855920da62c6205b64035ba690500a.exe
            "C:\Users\Admin\AppData\Local\Temp\c16080fcc2b6c83e0092b93d46158da83c855920da62c6205b64035ba690500a.exe"
            4⤵
            • Executes dropped EXE
            PID:2760
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Drops startup file
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2408
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2736
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2972
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2244
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2700

    Network

    MITRE ATT&CK Enterprise v15


    Downloads

    • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

      Filesize

      264KB

      MD5

      1038a37911d8a59884082ac4626fbe00

      SHA1

      967559027438b9df24825cda3c4b27c95c00240b

      SHA256

      9d74986df799a28318be3bd2929d5f09cc271e529d3452740d394e6f6703bebb

      SHA512

      b6bb6fa807698c1ba462135aee57b9e56ee0a5f09a13dc141767a9a1afe604cf6a493f1962fe7533f744f6c36a1cf9a16cad14d42f34a3b63edaf7e40c4f40b7

    • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

      Filesize

      484KB

      MD5

      a803cec17e97a23f06f00bad17aa1236

      SHA1

      7a5c9795e740bbf318d745de0eb80adb7d74538d

      SHA256

      2846d29686b5eef885188d8c5dc0ff71e19a25d497490f99f99e837959a7b7ff

      SHA512

      ca0b62858ee4af691cd9dfa6c9325d4dbe1e2dd232c8f30e24156dc9560211666724e41e305467475760b80bdbed429887e2032191147c60504fb04e512ca620

    • C:\Users\Admin\AppData\Local\Temp\$$aE0DD.bat

      Filesize

      722B

      MD5

      f6b7168988cc2cc10a4414e9d83b3042

      SHA1

      f5af729a8fa4436c8c05a7fc0723b2f2cc6050bc

      SHA256

      6819ec37ab4d30e9379975970cc5086db4cfd6f9a72b2fe3db330bb3bc7bd61e

      SHA512

      5b4df180eceaca0ac66d8641036f499216c1db18427a9c7d57912ee495ccdaabdb2d83736ffecdc6809c918879add3ef98e0642167ae0f0676f92b2a349d42e0

    • C:\Users\Admin\AppData\Local\Temp\c16080fcc2b6c83e0092b93d46158da83c855920da62c6205b64035ba690500a.exe.exe

      Filesize

      33KB

      MD5

      1af55e19c1bd264d635aa202f0b3e628

      SHA1

      e7cc75ca40566fc257974340b611ba24ed09b3f3

      SHA256

      e2bbf624927463534b2757974ef38f453faee9564736e4672e1481273f6cfc48

      SHA512

      bb967372d392f4e320490212053fbb09637b472b3636443c7dfd1dde993ee91a7033a4c48ac9e25ebaf20d72c9f3dcb9d497d6b153ee7bdf65389caa81996f71

    • C:\Windows\Logo1_.exe

      Filesize

      39KB

      MD5

      f35e32a3178395fde5c2c5e175b803d8

      SHA1

      eccedf8d29589cd2ad9373d0aacac048ed606db9

      SHA256

      058f3ceaaeee9cee06b5a049dd92851472f140dc5a634014242471698301d73e

      SHA512

      f2edb5bd0899f34b6b2da7c115fea3b2d9e0812934ed71a183a8ca0a2a61a484d5213f54908148c309396fdabfc054af8fa9387997aa8cce991da927c33fb6f7

    • F:\$RECYCLE.BIN\S-1-5-21-3290804112-2823094203-3137964600-1000\_desktop.ini

      Filesize

      8B

      MD5

      5d65d1288c9ecedfd5f28d17a01a30bc

      SHA1

      e5bb89b8ad5c73516abf7e3baeaf1855154381dc

      SHA256

      3501728ad227b52ce4d4f85ddd0e6d28dfa7acce977ae27f1e337be209825a5f

      SHA512

      6177ce001dd535382c3bae5e8c3cfda85d8d8b76b68bce10fa8e5e1e748fd1512a531ffc93fef1316f2c27d93b5b4a5b60a6391f0e131ccc5cc0a65c2755868e

    • memory/1184-26-0x00000000025C0000-0x00000000025C1000-memory.dmp

      Filesize

      4KB

    • memory/2408-30-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/2408-2999-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/2408-4189-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/2504-17-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/2504-0-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/2504-12-0x0000000000440000-0x000000000047D000-memory.dmp

      Filesize

      244KB