Analysis

  • max time kernel
    149s
  • max time network
    17s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    21/09/2024, 15:04 UTC

General

  • Target

    7840a14789419b38f59a1349227bb56fc4d60ced4e739cb948a6e30238e13bef.exe

  • Size

    67KB

  • MD5

    e3bac44d78f58b0bdebbeeed924f66cc

  • SHA1

    b695a49effd2e98a93113f38639eb60bae35dad7

  • SHA256

    7840a14789419b38f59a1349227bb56fc4d60ced4e739cb948a6e30238e13bef

  • SHA512

    5cd9dcad02572e244c2449a895433abcc5d6886f2ab8b20e10d2bfe356ba4a75821d85ecbfbaa1fe3f795d9b02073af45a53e3615a2641ffe023c7c98312f543

  • SSDEEP

    1536:2HvaYzMXqtGNttyeiZnZLYm1DvVfqzlledcTJzz:2HvaY46tGNttyeQLYm1DvVfqzlvTJ3

Malware Config

Signatures

  • Drops file in Drivers directory 2 IoCs
  • Deletes itself 1 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials, etc.

  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 43 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1256
      • C:\Users\Admin\AppData\Local\Temp\7840a14789419b38f59a1349227bb56fc4d60ced4e739cb948a6e30238e13bef.exe
        "C:\Users\Admin\AppData\Local\Temp\7840a14789419b38f59a1349227bb56fc4d60ced4e739cb948a6e30238e13bef.exe"
        2⤵
        • Drops file in Drivers directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2904
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2376
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:2020
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\$$a9398.bat
          3⤵
          • Deletes itself
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2288
          • C:\Users\Admin\AppData\Local\Temp\7840a14789419b38f59a1349227bb56fc4d60ced4e739cb948a6e30238e13bef.exe
            "C:\Users\Admin\AppData\Local\Temp\7840a14789419b38f59a1349227bb56fc4d60ced4e739cb948a6e30238e13bef.exe"
            4⤵
            • Executes dropped EXE
            PID:2836
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Drops file in Drivers directory
          • Drops startup file
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2284
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2088
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2720
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2600
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2708
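
The tree above shows the sample's three core behaviours: stopping the "Kingsoft AntiVirus Service" through net.exe/net1.exe (once from the original process and twice more from Logo1_.exe), running cmd.exe on a $$a9398.bat in %TEMP% to delete itself, and executing Logo1_.exe from the Windows root. What follows is an added hunting example, not part of the report or of the sandbox's own tooling: it replays process-creation records constructed from the tree (PIDs, images and command lines as listed) and applies one rule per behaviour. The record layout, the security-service keyword list and the rule names are assumptions.

```python
"""Hunt for the process chain recorded in this report.

Added example, not part of the sandbox report or the sample.  EVENTS is
constructed from the report's process tree (PIDs, images and command lines
as listed there); the record layout follows no particular EDR schema.
"""
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\7840a14789419b38f59a1349227bb56fc4d60ced4e739cb948a6e30238e13bef.exe")
NET_STOP = 'net stop "Kingsoft AntiVirus Service"'
NET1_STOP = r'C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"'

# Constructed from the report's process tree.
EVENTS = [
    ProcEvent(1256, 0, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    ProcEvent(2904, 1256, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(2376, 2904, r"C:\Windows\SysWOW64\net.exe", NET_STOP),
    ProcEvent(2020, 2376, r"C:\Windows\SysWOW64\net1.exe", NET1_STOP),
    ProcEvent(2288, 2904, r"C:\Windows\SysWOW64\cmd.exe",
              r"cmd /c C:\Users\Admin\AppData\Local\Temp\$$a9398.bat"),
    ProcEvent(2836, 2288, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(2284, 2904, r"C:\Windows\Logo1_.exe", r"C:\Windows\Logo1_.exe"),
    ProcEvent(2088, 2284, r"C:\Windows\SysWOW64\net.exe", NET_STOP),
    ProcEvent(2720, 2088, r"C:\Windows\SysWOW64\net1.exe", NET1_STOP),
    ProcEvent(2600, 2284, r"C:\Windows\SysWOW64\net.exe", NET_STOP),
    ProcEvent(2708, 2600, r"C:\Windows\SysWOW64\net1.exe", NET1_STOP),
]

# Assumed keyword list for security-product service names; tune to your estate.
SECURITY_SERVICE_WORDS = ("antivirus", "anti-virus", "defender", "endpoint", "security")
# A user's %TEMP% on Windows 7+ (not anchored, so it also matches inside a command line).
TEMP_RE = re.compile(r"[A-Z]:\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.I)
# An image sitting directly in the Windows root rather than System32/SysWOW64.
WINDOWS_ROOT_RE = re.compile(r"^[A-Z]:\\Windows\\[^\\]+$", re.I)
STOP_RE = re.compile(r'\bstop\s+"?([^"]+?)"?\s*$', re.I)


def _basename(path):
    return ntpath.basename(path).lower()


def ancestry(events, pid):
    """Image chain from pid up to the root, youngest first; loops are cut."""
    table = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in table and pid not in seen:
        seen.add(pid)
        chain.append(table[pid].image)
        pid = table[pid].ppid
    return chain


def hunt(events):
    """Return (rule, pid) findings for the three behaviours the tree shows."""
    table = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = table.get(e.ppid)
        name = _basename(e.image)
        in_temp_parent = bool(parent and TEMP_RE.search(parent.image))
        # Rule 1: net/net1 stopping a service named like a security product.
        # net.exe delegates to net1.exe, so skip the net1 child to count each stop once.
        if name in ("net.exe", "net1.exe") and not (parent and _basename(parent.image) == "net.exe"):
            m = STOP_RE.search(e.cmdline)
            if m and any(w in m.group(1).lower() for w in SECURITY_SERVICE_WORDS):
                findings.append(("av_service_stop", e.pid))
        # Rule 2: cmd.exe running a .bat from %TEMP%, spawned by an executable that
        # also lives in %TEMP%: the self-deleting batch stager (a running PE cannot
        # unlink itself, so it hands the delete to cmd and exits).
        if (name == "cmd.exe" and re.search(r"\.bat\b", e.cmdline, re.I)
                and TEMP_RE.search(e.cmdline) and in_temp_parent):
            findings.append(("temp_bat_stager", e.pid))
        # Rule 3: a binary in the Windows root launched by a %TEMP% executable.
        if WINDOWS_ROOT_RE.match(e.image) and name != "explorer.exe" and in_temp_parent:
            findings.append(("windows_root_dropper_exec", e.pid))
    return findings


if __name__ == "__main__":
    for rule, pid in hunt(EVENTS):
        print(f"{rule:28} pid={pid}  chain: {' <- '.join(ancestry(EVENTS, pid))}")
```

Against the constructed events this yields five findings: three service stops (PIDs 2376, 2088, 2600), the batch stager (2288) and Logo1_.exe (2284). The net1 children are deliberately not counted a second time, and the Windows-root rule demands a %TEMP% parent because Explorer.EXE legitimately lives in that directory.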

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

      Filesize

      258KB

      MD5

      308deba8cdbeb1c11955907d34c3de33

      SHA1

      c56a66de3645a62b2acb5afd91a8d23db6b1af50

      SHA256

      42fee24e0cacb6432c0cd897ab36e6866d9fab80aeba2eb51ed3032a8eea593a

      SHA512

      07ff8ce6f416bba75c166a035e15550f86d6b073abdc6f765030864b19c498f35f5803f7e14c48a5f1582aa5ad73a7ff614dfb6dac89bf474a1b6ba50d8e61b3

    • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

      Filesize

      478KB

      MD5

      8570085d6376ce20619da309fc24d598

      SHA1

      26e5e2041b4a2085e461394522d544cdd1784938

      SHA256

      5a7bdabc9772cdb871fd25438f84260cec940dd512a00064f98fb7b00f528199

      SHA512

      1f436a715e9b013fcc4c74aa06022bbee257ac76453ce419e12fd3d4f0ee2418b4f96d244be5112cdc938906ca0940c3d1650ae1fe962b8b004a433144da29ea

    • C:\Users\Admin\AppData\Local\Temp\$$a9398.bat

      Filesize

      722B

      MD5

      0327ec6de3f90ba9fc0a34662b4a4d65

      SHA1

      e83de4bc3c9670542f0dc361f36372d2ef21803d

      SHA256

      3bc264c8abacdbfcf348ed9358dee38e3538c01454f7cb6134529b960395e3d7

      SHA512

      63a5cdb938189d16578798b510c24a474248703c4307cd8c8809316a9675d2e17b8c202fa235f9eb651e92ade36261374088faa75c556556ea1b5011c277f4fe

    • C:\Users\Admin\AppData\Local\Temp\7840a14789419b38f59a1349227bb56fc4d60ced4e739cb948a6e30238e13bef.exe.exe

      Filesize

      33KB

      MD5

      64f8db30b16d1c755d033d069c70d2d1

      SHA1

      04e8f26c383027cc63531f48477424bda65b14e5

      SHA256

      0823bf7a2c453892ffa4328a970a417e0907d584bfb7f819ed0f4bb139d12e55

      SHA512

      f461b40de656e6df6360a1ba393b000720c0ffa91147b00ee42aefccb4122da4314ce4de00364e692a0517f5e6643fe061b232fb316e993642f2d43b393b38aa

    • C:\Windows\Logo1_.exe

      Filesize

      33KB

      MD5

      bee6df131a9c9bccab2c2e85139f6842

      SHA1

      d7d095b827384b3b5f4e0cf9b8afb543998f1796

      SHA256

      1a8911fd47aa3e98991935402374717b26afeed5d8eb431edcd4625f1a16f962

      SHA512

      2457aa406a3010ce789237d55fa17fc0f5694c847699af8044f21ea935179ffc69056c0c2ba4ba3eee3158c51afb2d11d2c372eca3e1ca77c44545cb74cd4812

    • C:\Windows\system32\drivers\etc\hosts

      Filesize

      832B

      MD5

      7e3a0edd0c6cd8316f4b6c159d5167a1

      SHA1

      753428b4736ffb2c9e3eb50f89255b212768c55a

      SHA256

      1965854dfa54c72529c88c7d9f41fa31b4140cad04cf03d3f0f2e7601fcbdc6c

      SHA512

      9c68f7f72dfa109fcfba6472a1cced85bc6c2a5481232c6d1d039c88b2f65fb86070aeb26ac23e420c6255daca02ea6e698892f7670298d2c4f741b9e9415c7f

    • F:\$RECYCLE.BIN\S-1-5-21-1506706701-1246725540-2219210854-1000\_desktop.ini

      Filesize

      9B

      MD5

      5412111268dd2c1fb1cf8697bfab9b6c

      SHA1

      16d0b289e83c74cb50a004edd7c5750ac706f321

      SHA256

      f3aa35be7048ddbf11fc581e5f9476745d75bcf097e121ba2915614e360a0cdc

      SHA512

      13fc5bf11faaf5471fde8a1bafdcc6d27521bad796e5e532c94d9c8232dd70088e70b6d5ac60c4c15d13e59926ac38e9a9e01b4dd4694a77d70bdd1ae7005ccf

    • memory/1256-31-0x00000000024A0000-0x00000000024A1000-memory.dmp

      Filesize

      4KB

    • memory/2284-35-0x0000000000400000-0x000000000043E000-memory.dmp

      Filesize

      248KB

    • memory/2284-21-0x0000000000400000-0x000000000043E000-memory.dmp

      Filesize

      248KB

    • memory/2284-2964-0x0000000000400000-0x000000000043E000-memory.dmp

      Filesize

      248KB

    • memory/2284-4159-0x0000000000400000-0x000000000043E000-memory.dmp

      Filesize

      248KB

    • memory/2904-19-0x0000000000400000-0x000000000043E000-memory.dmp

      Filesize

      248KB

    • memory/2904-18-0x0000000000230000-0x000000000026E000-memory.dmp

      Filesize

      248KB

    • memory/2904-17-0x0000000000230000-0x000000000026E000-memory.dmp

      Filesize

      248KB

    • memory/2904-0-0x0000000000400000-0x000000000043E000-memory.dmp

      Filesize

      248KB
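
Each entry in the Downloads list above is a flat run of label/value lines, with memory dumps carrying only a size. The following is an added example, not part of the report: a parser that turns an abridged, constructed copy of three of those entries (the batch file, Logo1_.exe and one memory dump, with the blank lines collapsed) into records with length-validated digests and writes them out as CSV for an IoC feed. It assumes the report's KB means 1024 bytes and that sizes are rounded, so size_bytes is approximate.

```python
"""Parse the report's Downloads section into structured IoCs.

Added example, not part of the sandbox report.  SAMPLE_REPORT is an abridged
copy of entries from the Downloads list (blank lines collapsed); the size
conversion assumes the report's KB means 1024 bytes and that sizes are rounded.
"""
import csv
import io
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SAMPLE_REPORT = r"""
• C:\Users\Admin\AppData\Local\Temp\$$a9398.bat
  Filesize
  722B
  MD5
  0327ec6de3f90ba9fc0a34662b4a4d65
  SHA1
  e83de4bc3c9670542f0dc361f36372d2ef21803d
  SHA256
  3bc264c8abacdbfcf348ed9358dee38e3538c01454f7cb6134529b960395e3d7
  SHA512
  63a5cdb938189d16578798b510c24a474248703c4307cd8c8809316a9675d2e17b8c202fa235f9eb651e92ade36261374088faa75c556556ea1b5011c277f4fe
• C:\Windows\Logo1_.exe
  Filesize
  33KB
  MD5
  bee6df131a9c9bccab2c2e85139f6842
  SHA1
  d7d095b827384b3b5f4e0cf9b8afb543998f1796
  SHA256
  1a8911fd47aa3e98991935402374717b26afeed5d8eb431edcd4625f1a16f962
• memory/2284-35-0x0000000000400000-0x000000000043E000-memory.dmp
  Filesize
  248KB
"""

HEX_LENGTHS = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}
UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}
SIZE_RE = re.compile(r"^(\d+(?:\.\d+)?)\s*(B|KB|MB|GB)$", re.I)


@dataclass
class Artifact:
    path: str
    kind: str                           # "file" (dropped on disk) or "memory" (dump)
    size: str = ""
    size_bytes: Optional[int] = None    # approximate: the report rounds to whole units
    hashes: Dict[str, str] = field(default_factory=dict)


def parse_size(text: str) -> int:
    m = SIZE_RE.match(text.strip())
    if not m:
        raise ValueError(f"bad size: {text!r}")
    return int(float(m.group(1)) * UNITS[m.group(2).upper()])


def is_digest(label: str, value: str) -> bool:
    """True if value is lowercase hex of the right length for the given algorithm."""
    return re.fullmatch(r"[0-9a-f]{%d}" % HEX_LENGTHS[label], value) is not None


def parse_downloads(text: str) -> List[Artifact]:
    """State machine over the flat text: bullet = new record, then label/value pairs."""
    artifacts: List[Artifact] = []
    label: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("• "):
            path = line[2:].strip()
            artifacts.append(Artifact(path, "memory" if path.startswith("memory/") else "file"))
            label = None
            continue
        key = line.lower()
        if key == "filesize" or key in HEX_LENGTHS:
            label = key
            continue
        if label is None or not artifacts:
            raise ValueError(f"value without label: {line!r}")
        cur = artifacts[-1]
        if label == "filesize":
            cur.size, cur.size_bytes = line, parse_size(line)
        else:
            if not is_digest(label, key):
                raise ValueError(f"malformed {label}: {line!r}")
            cur.hashes[label] = key
        label = None
    return artifacts


def to_csv(artifacts: List[Artifact]) -> str:
    """One row per artifact, empty cells where the report gave no digest."""
    buf = io.StringIO()
    w = csv.writer(buf, lineterminator="\n")
    w.writerow(["path", "kind", "size", "size_bytes", *HEX_LENGTHS])
    for a in artifacts:
        w.writerow([a.path, a.kind, a.size, "" if a.size_bytes is None else a.size_bytes,
                    *(a.hashes.get(h, "") for h in HEX_LENGTHS)])
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv(parse_downloads(SAMPLE_REPORT)), end="")
```

Validating digest lengths at parse time catches the truncated or line-wrapped hashes that extraction of pages like this one frequently produces; a malformed digest raises rather than silently entering the feed.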
