Analysis

  • max time kernel
    150s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09/09/2024, 14:53

General

  • Target

    c16080fcc2b6c83e0092b93d46158da83c855920da62c6205b64035ba690500a.exe

  • Size

    72KB

  • MD5

    5dd18ff4345abfe77af08f42d954cd63

  • SHA1

    8a513783bc18aab4fa066e67718f638519144a1e

  • SHA256

    c16080fcc2b6c83e0092b93d46158da83c855920da62c6205b64035ba690500a

  • SHA512

    25413e9a76a1e77bedd62c3bf0b34cdcd016c5076f2bb53596d8d5fb83110ed19246fc61358bc2b1830afda74661e23d524e142136f7bf56ab2b25ea346f1906

  • SSDEEP

    1536:8Ze+Zk7VJbwlYXjPrsqrZMYR5p8wUawuzXv4exFRKs9uhh:8Ze+azbRPrlr9RXFUawuzX+kuX

Malware Config

Signatures

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3524
      • C:\Users\Admin\AppData\Local\Temp\c16080fcc2b6c83e0092b93d46158da83c855920da62c6205b64035ba690500a.exe
        "C:\Users\Admin\AppData\Local\Temp\c16080fcc2b6c83e0092b93d46158da83c855920da62c6205b64035ba690500a.exe"
        2⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:5048
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4324
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:4812
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a9FBA.bat
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3252
          • C:\Users\Admin\AppData\Local\Temp\c16080fcc2b6c83e0092b93d46158da83c855920da62c6205b64035ba690500a.exe
            "C:\Users\Admin\AppData\Local\Temp\c16080fcc2b6c83e0092b93d46158da83c855920da62c6205b64035ba690500a.exe"
            4⤵
            • Executes dropped EXE
            PID:4964
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Drops startup file
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2680
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2000
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:4728
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:3968
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:3932

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe

      Filesize

      257KB

      MD5

      9a19679e0aff03d437832959348567bd

      SHA1

      644e058dd1f1616c5f9575ce93c415fe49c445c4

      SHA256

      29ab3d95ebcaeabd9ca42fe04994633e0b8f40676d6b5f326d30a01d22207fbb

      SHA512

      b4d3cd88b702ce4dcad56c2e154e6d3d3120e3ca37e72dba0b07c40c89762831ce10b039cb624e5cf7278834458681781e7ccf417925d50bfdcdd9c1711b9d1f

    • C:\Program Files\RestartRegister.exe

      Filesize

      615KB

      MD5

      bcdb20c4c2f2ecb07bbc025c7afafa68

      SHA1

      4055651e94381b3cfdbd3d785f9d9184a63d3822

      SHA256

      a0599a4c881b723f5f737a7abadcd03d2d76f37598cb131c31e7e148137cd916

      SHA512

      0c5fa71b5bb5ea49a8e01c74956a2ec42e38da2ce32716b566032757d609ea50aeaa1fb753c8fe5b91957cd80cad5926e85d4d734c21b6a6de29416d4fe50d59

    • C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe

      Filesize

      649KB

      MD5

      3e7cc0550b3e262224a01196dcffca48

      SHA1

      84b97784946a4f4edc8528690aee26cff4a5c35d

      SHA256

      df205fe7ab5dd6c98547afe872f5b3bb66028f2cb14696fbc45610b0ef4723bf

      SHA512

      864943da2a29d2e8aaca17a10ed791f22b3387c85fe19c19dea1ab3b89b3d6540dbd187f867742967a696ba0b76ce6e576a2825cc9147d77ab79f3a4f2a4ab6a

    • C:\Users\Admin\AppData\Local\Temp\$$a9FBA.bat

      Filesize

      722B

      MD5

      947a4deab6520cb9af5c4305a0064734

      SHA1

      6fc705acfa56f99b2a2a9a09016f58f3abab2d50

      SHA256

      266ced9b95ba8ac0aeeab107f35c9ef5f1d8fae9395fd83026a05c1d8345ffcf

      SHA512

      135502ab60472ca6c3571ab8456ff33a3ac5891e1363edd49dd2f384ef65994e6d9cdc1f5ef856a8cfdf48d99d58c79c06514da7245cacdee2e16e64bcb9fbec

    • C:\Users\Admin\AppData\Local\Temp\c16080fcc2b6c83e0092b93d46158da83c855920da62c6205b64035ba690500a.exe.exe

      Filesize

      33KB

      MD5

      1af55e19c1bd264d635aa202f0b3e628

      SHA1

      e7cc75ca40566fc257974340b611ba24ed09b3f3

      SHA256

      e2bbf624927463534b2757974ef38f453faee9564736e4672e1481273f6cfc48

      SHA512

      bb967372d392f4e320490212053fbb09637b472b3636443c7dfd1dde993ee91a7033a4c48ac9e25ebaf20d72c9f3dcb9d497d6b153ee7bdf65389caa81996f71

    • C:\Windows\Logo1_.exe

      Filesize

      39KB

      MD5

      f35e32a3178395fde5c2c5e175b803d8

      SHA1

      eccedf8d29589cd2ad9373d0aacac048ed606db9

      SHA256

      058f3ceaaeee9cee06b5a049dd92851472f140dc5a634014242471698301d73e

      SHA512

      f2edb5bd0899f34b6b2da7c115fea3b2d9e0812934ed71a183a8ca0a2a61a484d5213f54908148c309396fdabfc054af8fa9387997aa8cce991da927c33fb6f7

    • F:\$RECYCLE.BIN\S-1-5-21-2412658365-3084825385-3340777666-1000\_desktop.ini

      Filesize

      8B

      MD5

      5d65d1288c9ecedfd5f28d17a01a30bc

      SHA1

      e5bb89b8ad5c73516abf7e3baeaf1855154381dc

      SHA256

      3501728ad227b52ce4d4f85ddd0e6d28dfa7acce977ae27f1e337be209825a5f

      SHA512

      6177ce001dd535382c3bae5e8c3cfda85d8d8b76b68bce10fa8e5e1e748fd1512a531ffc93fef1316f2c27d93b5b4a5b60a6391f0e131ccc5cc0a65c2755868e

    • memory/2680-18-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/2680-2545-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/2680-9-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/2680-8311-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/2680-8758-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/5048-0-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/5048-11-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB