Analysis

  • max time kernel: 150s
  • max time network: 150s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240802-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 19-09-2024 06:09

General

  • Target: b21d5e1730fe1df803a2a2ff950204447e280f670d63581fd9b7ccd6020e7230.exe
  • Size: 251KB
  • MD5: 8310c43cfe4ed25e7ee8be6b81e4c156
  • SHA1: 9701a8d8c4e20f668bc320d91736653c782534c7
  • SHA256: b21d5e1730fe1df803a2a2ff950204447e280f670d63581fd9b7ccd6020e7230
  • SHA512: 08bdbcd2dc4d1fab3c0f9b3f1062c798da64c9d4ff88b31471c90026bdbed8ca7acd33723c45e56d6bd0a4be95a4fd4b5113a54fe76dc545fee1d4dad5006075
  • SSDEEP: 6144:SYqml5a6EdkQxiUmRQColKGAOPQK2GwIgfx+qSfF0:SVml5a6EdkQgUmR7G9QK3wJx+qSfF0

Malware Config

Signatures

  • Drops startup file (2 IoCs)
  • Executes dropped EXE (2 IoCs)
  • Reads user/profile data of web browsers (2 TTPs)
    Infostealers often target stored browser data, which can include saved credentials.
  • Enumerates connected drives (3 TTPs, 21 IoCs)
    Attempts to read the root path of hard drives other than the default C: drive.
  • Drops file in Program Files directory (64 IoCs)
  • Drops file in Windows directory (4 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 10 IoCs)
    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of WriteProcessMemory (29 IoCs)

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3416
      • C:\Users\Admin\AppData\Local\Temp\b21d5e1730fe1df803a2a2ff950204447e280f670d63581fd9b7ccd6020e7230.exe
        "C:\Users\Admin\AppData\Local\Temp\b21d5e1730fe1df803a2a2ff950204447e280f670d63581fd9b7ccd6020e7230.exe"
        2⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1412
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2756
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:1748
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a688D.bat
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2624
          • C:\Users\Admin\AppData\Local\Temp\b21d5e1730fe1df803a2a2ff950204447e280f670d63581fd9b7ccd6020e7230.exe
            "C:\Users\Admin\AppData\Local\Temp\b21d5e1730fe1df803a2a2ff950204447e280f670d63581fd9b7ccd6020e7230.exe"
            4⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:4932
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Drops startup file
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:1840
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:3640
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:4856
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:3876
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:3100

Network

  DNS queries (all sent to 8.8.8.8:53, all type PTR):

    Query                          Answer
    232.168.11.51.in-addr.arpa     (no answer)
    73.144.22.2.in-addr.arpa       a2-22-144-73.deploy.static.akamaitechnologies.com
    134.32.126.40.in-addr.arpa     (no answer)
    95.221.229.192.in-addr.arpa    (no answer)
    86.23.85.13.in-addr.arpa       (no answer)
    56.126.166.20.in-addr.arpa     (no answer)
    73.190.18.2.in-addr.arpa       a2-18-190-73.deploy.static.akamaitechnologies.com
    81.144.22.2.in-addr.arpa       a2-22-144-81.deploy.static.akamaitechnologies.com

  Flows:

    Destination   Protocol   Request                        Sent   Received   Pkts out   Pkts in
    8.8.8.8:53    dns        232.168.11.51.in-addr.arpa     72 B   158 B      1          1
    8.8.8.8:53    dns        73.144.22.2.in-addr.arpa       70 B   133 B      1          1
    8.8.8.8:53    dns        134.32.126.40.in-addr.arpa     72 B   158 B      1          1
    8.8.8.8:53    dns        95.221.229.192.in-addr.arpa    73 B   144 B      1          1
    8.8.8.8:53    dns        86.23.85.13.in-addr.arpa       70 B   144 B      1          1
    8.8.8.8:53    dns        56.126.166.20.in-addr.arpa     72 B   158 B      1          1
    8.8.8.8:53    dns        73.190.18.2.in-addr.arpa       70 B   133 B      1          1
    8.8.8.8:53    dns        81.144.22.2.in-addr.arpa       70 B   133 B      1          1

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Program Files\7-Zip\7z.exe
    Filesize: 577KB
    MD5: 7864a3f777019c73ad26ab282fdaba77
    SHA1: c46f6b0c3503911395a1d13ac2f7884a20a76382
    SHA256: f3117732a9955b7a81629f8f4e3feba53ff1f1491c2c49c6b2d76a1fa64b0545
    SHA512: 94191a3fde694d248ace8d212253821f502d5e592ab2f4cb1d137c7c55645d218b48839a00e8a87a6e5ef31138e700e3e56c2b6d84e0c4e8291394df45261645

  • C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
    Filesize: 644KB
    MD5: 9044b8cb7dee805474f46fdff328cebb
    SHA1: 1cabc4c6c2c86cbb78765bc9dbc34fb343a473d2
    SHA256: 62fedddac5d2bc0012582f6d5c8a62f1cfeb146338ded33892f3e2e9a3080618
    SHA512: 4c3baf797abb9745bd194cb39da4f7541273d5ceb694929e562b3823118a8851a9b5dde4379d3936ca8fc233339560f7716518a62b421a2fcfe228d1037d9753

  • C:\Users\Admin\AppData\Local\Temp\$$a688D.bat
    Filesize: 722B
    MD5: ca353bf9cb107528437a08d3f27bd763
    SHA1: 5461650d2789e76705e99e0237b78a4e7da2c5da
    SHA256: 27d831bab37e71756c478f8f121f3f9f8de0ca3f3101208c0aaf738cbc8ef1a2
    SHA512: ccb2c169c75ac45b80063fabd2d984c81faf610ac7e64a21fd39476e701861f58e4f3a50fe7fc7aa1288de0578f97d16b2392db447af0e49cfd26a3c671e7ec1

  • C:\Users\Admin\AppData\Local\Temp\b21d5e1730fe1df803a2a2ff950204447e280f670d63581fd9b7ccd6020e7230.exe.exe
    Filesize: 217KB
    MD5: 021c57c74de40f7c3b4fcf58a54d3649
    SHA1: ef363ab45b6fe3dd5b768655adc4188aadf6b6fd
    SHA256: 04adf40ba58d0ab892091c188822191f2597bc47dab8b92423e8fc546dc437ef
    SHA512: 77e3bbb08c661285a49a66e8090a54f535727731c44b7253ea09ffe9548bae9d120ef38a67dfa8a5d8da170dde3e9c1928b96c64dfc07b7f67f93b478937c018

  • C:\Windows\Logo1_.exe
    Filesize: 33KB
    MD5: 3253bf7588138d1e39d3105c7b5dc8b9
    SHA1: b26c43ff51ce241d473aa3efa30cd3b3bc68e43a
    SHA256: 63554e061f95eb7f63c9d50e7c14fc88c1cbf4db277efaefe1bea2388f9ed5e0
    SHA512: cd45a96ada3daa5d2386ef9d5ded03a7e1e6f5c800bf01d02c1289c2e5234b8ed2b430ad0438837b32da22a753d07b0d1ee918dca8567a8c6c3619a8050c3bd5

  • F:\$RECYCLE.BIN\S-1-5-21-2412658365-3084825385-3340777666-1000\_desktop.ini
    Filesize: 9B
    MD5: 82fa69b12ac2df558c85e86426eb13eb
    SHA1: ad90b8756e3bebe04450f6950419c761844d7b7e
    SHA256: f7622a3740b818722e46a36b5aeb1c0ba6bec25bec811e3dcfe0b5ba1d728775
    SHA512: 3c4da39d3b0d68ade3ff8ded69bf1e78a1ef88f7ed70c85572ae06e6be78155ffc2f557f577208e579191be2d8be2a1fa833b9ca74a35bb69cf9c32c23f4d99f

  • memory/1412-0-0x0000000000400000-0x0000000000440000-memory.dmp (Filesize: 256KB)
  • memory/1412-11-0x0000000000400000-0x0000000000440000-memory.dmp (Filesize: 256KB)
  • memory/1840-8-0x0000000000400000-0x0000000000440000-memory.dmp (Filesize: 256KB)
  • memory/1840-18-0x0000000000400000-0x0000000000440000-memory.dmp (Filesize: 256KB)
  • memory/1840-3246-0x0000000000400000-0x0000000000440000-memory.dmp (Filesize: 256KB)
  • memory/1840-8575-0x0000000000400000-0x0000000000440000-memory.dmp (Filesize: 256KB)
