Overview

overview

7

Static

static

3

c3c1d25083...43.exe

windows7-x64

7

c3c1d25083...43.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    14/10/2024, 19:29

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    c3c1d25083a96bb50a010c06655ad424260fbd79119c601a155f0c6e81985343.exe

  • Size

    74KB

  • MD5

    0fc9efbabada360210f3993b7aa27cae

  • SHA1

    46fd964c5efb510b9917dc3ae97abe6196de2d9e

  • SHA256

    c3c1d25083a96bb50a010c06655ad424260fbd79119c601a155f0c6e81985343

  • SHA512

    b42d90d13e1e4472501f709ac6532bc3935caafb53049e6c0f4951245105db6b33452f5a6efb564c1aa9ea13e2906294e0a52b7408d325a0af2493fee50916d9

  • SSDEEP

    1536:DCG5cx1aeg1vlxJYDf97EToa9D4ZQKbgZi1dst7x9PxQ:+G5f9zYVlZQKbgZi1St7xQ

Score
7/10
discoveryspywarestealer

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 43 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1196
      • C:\Users\Admin\AppData\Local\Temp\c3c1d25083a96bb50a010c06655ad424260fbd79119c601a155f0c6e81985343.exe
        "C:\Users\Admin\AppData\Local\Temp\c3c1d25083a96bb50a010c06655ad424260fbd79119c601a155f0c6e81985343.exe"
        2⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2908
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3028
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:2764
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\$$aA46A.bat
          3⤵
          • Deletes itself
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2448
          • C:\Users\Admin\AppData\Local\Temp\c3c1d25083a96bb50a010c06655ad424260fbd79119c601a155f0c6e81985343.exe
            "C:\Users\Admin\AppData\Local\Temp\c3c1d25083a96bb50a010c06655ad424260fbd79119c601a155f0c6e81985343.exe"
            4⤵
            • Executes dropped EXE
            PID:2420
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2272
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:1932
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2404
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2768
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2572

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
            Filesize

            258KB

            MD5

            16e19604c35898365f8f791b0ce839b4

            SHA1

            a30ba6cdb303c12372210475b328949f52664374

            SHA256

            8ba99e5f289dede0fbb920ac585ec359c55035acce32cb23af9b83031e7273ff

            SHA512

            1fe473c75a7228d01d8fe44150101a60055fb7fb9f675300199622391322161bf1e06edc27ea4e25bfa0e86ad3bc3c900d098d277426bb765ecdc644023926ff

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\$$aA46A.bat
            Filesize

            722B

            MD5

            6e585377c015e040aab5ca1170f0d46a

            SHA1

            6188c34e321ec75dcb171aa52c6c7d888dc6e572

            SHA256

            87d5c83c4965e1b1ba5be454c3b85fd09ab25e33e3143ffcb3d1ceb205c058ab

            SHA512

            6cd31cc0e5900b82bc9611046fcd37a9e5c9d083456c6a296b3331677a061af5309b882ee3e015dd22b752b3cd47e328afd25ba5db33c186a051aec6f29fc75c

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\c3c1d25083a96bb50a010c06655ad424260fbd79119c601a155f0c6e81985343.exe.exe
            Filesize

            41KB

            MD5

            977e405c109268909fd24a94cc23d4f0

            SHA1

            af5d032c2b6caa2164cf298e95b09060665c4188

            SHA256

            cd24c61fe7dc3896c6c928c92a2adc58fab0a3ff61ef7ddcac1ba794182ab12f

            SHA512

            12b4b59c1a8e65e72aa07ee4b6b6cd9fdedead01d5ce8e30f16ca26b5d733655e23a71c1d273a950a5b1a6cce810b696612de4a1148ac5f468ddf05d4549eed5

            Download Submit

          • C:\Windows\Logo1_.exe
            Filesize

            33KB

            MD5

            9fb383006ea88e23b6927523f8ea7a4a

            SHA1

            a408f9bad16cfe8f36bba778a0efb645f901273a

            SHA256

            3c188d42969203e83dad09e7d67c63cfee5a6f7beee1d502108df9797ca08c29

            SHA512

            65d558ece19fcfd206188f05318183ee0919f327d6c2d8a3611edcecd8d602086f2cb209b51d2d66f7de1f2d64213479e983f57693827fcd2d20aa117e586b8b

            Download Submit

          • F:\$RECYCLE.BIN\S-1-5-21-1846800975-3917212583-2893086201-1000\_desktop.ini
            Filesize

            10B

            MD5

            21df1f2862abbefb19b69ed364a5f968

            SHA1

            6e5a47eaef1ac9d9f355a10e4de11de5b252e6fd

            SHA256

            061a173d684fb8122f34b91ded168a81a20864be4dc9ee219ee65f9007d22fe6

            SHA512

            3364df22ff99814a7f520711ff71f3dd96f9611d954f7a11edfdb846f8c6703eea5fcadf5485a35564670bc6a484a3dd0f8a45c746dbc919d478d067e1b80567

            Download Submit

          • memory/1196-28-0x0000000002CF0000-0x0000000002CF1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2272-19-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/2272-33-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/2272-2962-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/2272-4144-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/2908-16-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/2908-32-0x0000000000230000-0x000000000026D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/2908-17-0x0000000000230000-0x000000000026D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/2908-0-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download