Analysis

  • max time kernel: 150s
  • max time network: 120s
  • platform: windows7_x64
  • resource: win7-20240708-en
  • resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted: 04/10/2024, 03:10 UTC

General

  • Target: c20d58731ea9f8d62c0e7d5c47810d795e1342aa334d97ac0e9742218e29bc9e.exe
  • Size: 5.7MB
  • MD5: 40f7b3ec38608ed7c4c95b51991d9d51
  • SHA1: d3065aa488142c6d88908507a30ccd9f2de2abb0
  • SHA256: c20d58731ea9f8d62c0e7d5c47810d795e1342aa334d97ac0e9742218e29bc9e
  • SHA512: 62ba4b506e5dca8026b22fb9c48aea154994ce65bb6b027a1c1389404ac13ad05e65af3b6bbfe4daa463680a0571f1ee530b9256073152aa301f75c61ec8ca75
  • SSDEEP: 49152:Hd+Pv94AEsKU8ggw1g+1CART5eBiyKS3EI3wybn20DCYIHvc8ixuZm9+fWsw6dTP:HdAKUgTH2M2m9UMpu1QfLczqssnKSk

Malware Config

Signatures

  • Drops file in Drivers directory (2 IoCs)
  • Deletes itself (1 IoC)
  • Drops startup file (2 IoCs)
  • Executes dropped EXE (2 IoCs)
  • Loads dropped DLL (1 IoC)
  • Reads user/profile data of web browsers (3 TTPs)

    Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

  • Enumerates connected drives (3 TTPs, 21 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory (64 IoCs)
  • Drops file in Windows directory (4 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 9 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses (43 IoCs)
  • Suspicious use of WriteProcessMemory (34 IoCs)

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1208
      • C:\Users\Admin\AppData\Local\Temp\c20d58731ea9f8d62c0e7d5c47810d795e1342aa334d97ac0e9742218e29bc9e.exe
        "C:\Users\Admin\AppData\Local\Temp\c20d58731ea9f8d62c0e7d5c47810d795e1342aa334d97ac0e9742218e29bc9e.exe"
        2⤵
        • Drops file in Drivers directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2640
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2364
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:2832
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\$$a2481.bat
          3⤵
          • Deletes itself
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          PID:2652
          • C:\Users\Admin\AppData\Local\Temp\c20d58731ea9f8d62c0e7d5c47810d795e1342aa334d97ac0e9742218e29bc9e.exe
            "C:\Users\Admin\AppData\Local\Temp\c20d58731ea9f8d62c0e7d5c47810d795e1342aa334d97ac0e9742218e29bc9e.exe"
            4⤵
            • Executes dropped EXE
            PID:2608
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Drops file in Drivers directory
          • Drops startup file
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2552
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2744
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2684
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2624
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:3048

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
    Filesize: 478KB
    MD5: 8570085d6376ce20619da309fc24d598
    SHA1: 26e5e2041b4a2085e461394522d544cdd1784938
    SHA256: 5a7bdabc9772cdb871fd25438f84260cec940dd512a00064f98fb7b00f528199
    SHA512: 1f436a715e9b013fcc4c74aa06022bbee257ac76453ce419e12fd3d4f0ee2418b4f96d244be5112cdc938906ca0940c3d1650ae1fe962b8b004a433144da29ea

  • C:\Users\Admin\AppData\Local\Temp\$$a2481.bat
    Filesize: 722B
    MD5: 5abf7f071e2a9e4a9c951b65cf3d99bb
    SHA1: 7ed00973dab184b4d2f169799a37fd780f95c321
    SHA256: 3dd2ae7827dbb8072932892d6cb3e246bcc8ecbf0a9fc6804c13ded51acbf035
    SHA512: 498af29bfdecc97d60df03117e44b7f3aaec5db13352ecc1b906e3777a3dcd2015aa5b5008cdbb643f5468843e93ee86d05ace36ad9073056cb3842f761a7a95

  • C:\Users\Admin\AppData\Local\Temp\c20d58731ea9f8d62c0e7d5c47810d795e1342aa334d97ac0e9742218e29bc9e.exe.exe
    Filesize: 5.7MB
    MD5: ba18e99b3e17adb5b029eaebc457dd89
    SHA1: ec0458f3c00d35b323f08d4e1cc2e72899429c38
    SHA256: f5ee36de8edf9be2ac2752b219cfdcb7ca1677071b8e116cb876306e9f1b6628
    SHA512: 1f41929e6f5b555b60c411c7810cbf14e3af26100df5ac4533ec3739a278c1b925687284660efb4868e3741305098e2737836229efc9fe46c97a6057c10e677c

  • C:\Windows\Logo1_.exe
    Filesize: 33KB
    MD5: 228292b85e0720fbeee49799c069d347
    SHA1: a987cdff2b93fa83d2b760ba1c92296494292a8e
    SHA256: 0c30eeac64ca154562874960504b7ec78c6548d25b44f218f36999de9550ac8b
    SHA512: cb1563d487bd1bb8b1dd1dc1d9ad192d91b4a8c9b2970f5b5afda8b8c33b5dedb4a30f143f236a6379fe49f2a421e0644de9d957068f531da0afe651376491ec

  • C:\Windows\system32\drivers\etc\hosts
    Filesize: 832B
    MD5: 7e3a0edd0c6cd8316f4b6c159d5167a1
    SHA1: 753428b4736ffb2c9e3eb50f89255b212768c55a
    SHA256: 1965854dfa54c72529c88c7d9f41fa31b4140cad04cf03d3f0f2e7601fcbdc6c
    SHA512: 9c68f7f72dfa109fcfba6472a1cced85bc6c2a5481232c6d1d039c88b2f65fb86070aeb26ac23e420c6255daca02ea6e698892f7670298d2c4f741b9e9415c7f

  • F:\$RECYCLE.BIN\S-1-5-21-3551809350-4263495960-1443967649-1000\_desktop.ini
    Filesize: 9B
    MD5: 9d7f3edb5e2cdb73e4fc8851e6ea812e
    SHA1: 080a9d7c6e3e34eeec65587e5727dc360fa82a1a
    SHA256: cd2cd126bb370ff3cfc54d3031ca8d9639ca1c8e74a496cef6ed80723fa909b6
    SHA512: 07aa99922cb51be03779a4fe934dbed547ba23a19b9cfe05859dd87da95b1e54bf6bb7924bce3bcc2f8a29290d4c4703996f1e0d7837b233fd7da1374868632e

  • memory/1208-30-0x0000000002480000-0x0000000002481000-memory.dmp
    Filesize: 4KB

  • memory/2552-34-0x0000000000400000-0x000000000043E000-memory.dmp
    Filesize: 248KB

  • memory/2552-3064-0x0000000000400000-0x000000000043E000-memory.dmp
    Filesize: 248KB

  • memory/2552-4113-0x0000000000400000-0x000000000043E000-memory.dmp
    Filesize: 248KB

  • memory/2640-17-0x0000000000270000-0x00000000002AE000-memory.dmp
    Filesize: 248KB

  • memory/2640-0-0x0000000000400000-0x000000000043E000-memory.dmp
    Filesize: 248KB

  • memory/2640-19-0x0000000000270000-0x00000000002AE000-memory.dmp
    Filesize: 248KB

  • memory/2640-20-0x0000000000400000-0x000000000043E000-memory.dmp
    Filesize: 248KB
