Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    14/10/2024, 19:29

General

  • Target

    c3c1d25083a96bb50a010c06655ad424260fbd79119c601a155f0c6e81985343.exe

  • Size

    74KB

  • MD5

    0fc9efbabada360210f3993b7aa27cae

  • SHA1

    46fd964c5efb510b9917dc3ae97abe6196de2d9e

  • SHA256

    c3c1d25083a96bb50a010c06655ad424260fbd79119c601a155f0c6e81985343

  • SHA512

    b42d90d13e1e4472501f709ac6532bc3935caafb53049e6c0f4951245105db6b33452f5a6efb564c1aa9ea13e2906294e0a52b7408d325a0af2493fee50916d9

  • SSDEEP

    1536:DCG5cx1aeg1vlxJYDf97EToa9D4ZQKbgZi1dst7x9PxQ:+G5f9zYVlZQKbgZi1St7xQ

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempts to gather information about the system language of a victim host in order to infer its geographical location.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3484
      • C:\Users\Admin\AppData\Local\Temp\c3c1d25083a96bb50a010c06655ad424260fbd79119c601a155f0c6e81985343.exe
        "C:\Users\Admin\AppData\Local\Temp\c3c1d25083a96bb50a010c06655ad424260fbd79119c601a155f0c6e81985343.exe"
        2⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2636
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3964
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:4660
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a787C.bat
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3644
          • C:\Users\Admin\AppData\Local\Temp\c3c1d25083a96bb50a010c06655ad424260fbd79119c601a155f0c6e81985343.exe
            "C:\Users\Admin\AppData\Local\Temp\c3c1d25083a96bb50a010c06655ad424260fbd79119c601a155f0c6e81985343.exe"
            4⤵
            • Executes dropped EXE
            PID:860
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:4040
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:3912
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:1864
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:3432
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:5064
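The process tree above is the part of this report a defender can turn directly into detection logic: a binary running from the user's Temp directory spawns net.exe to stop a security product's service, launches a $$-prefixed .bat from Temp through cmd.exe, and starts an executable written directly into C:\Windows (Logo1_.exe), which repeats the service stop. The following Python script is an added example and is not part of the sandbox report or the sample itself. It runs three behavioural rules over constructed Sysmon-style process-creation events (Event ID 1 reduced to pid, ppid, image and command line) that mirror the tree above, attributes every hit to the root process under Explorer, and raises an alert when one root accumulates two or more distinct behaviours. Two things go beyond what the report shows and are assumptions of the example: the service-name pattern matches generic security-product names rather than only "Kingsoft AntiVirus Service", and a benign control event (an administrator stopping the Spooler service from a console) is included to show that a lone `net stop` does not fire.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed process-creation events modelled on the process tree in the report.
# They were not captured from a real host; the final two are a benign control.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\c3c1d25083a96bb50a010c06655ad424260fbd79119c601a155f0c6e81985343.exe"
NET = r"C:\Windows\SysWOW64\net.exe"
NET1 = r"C:\Windows\SysWOW64\net1.exe"
STOP_AV = 'net stop "Kingsoft AntiVirus Service"'
STOP_AV_NET1 = r'C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"'

RAW = [  # pid, ppid, image, command line
    (3484, 0, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    (2636, 3484, SAMPLE, f'"{SAMPLE}"'),
    (3964, 2636, NET, STOP_AV),
    (4660, 3964, NET1, STOP_AV_NET1),
    (3644, 2636, r"C:\Windows\SysWOW64\cmd.exe",
     r"C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a787C.bat"),
    (860, 3644, SAMPLE, f'"{SAMPLE}"'),
    (4040, 2636, r"C:\Windows\Logo1_.exe", r"C:\Windows\Logo1_.exe"),
    (3912, 4040, NET, STOP_AV),
    (1864, 3912, NET1, STOP_AV_NET1),
    (3432, 4040, NET, STOP_AV),
    (5064, 3432, NET1, STOP_AV_NET1),
    # Benign control (assumed): an administrator stops the print spooler from a console.
    (5100, 3484, r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\cmd.exe"),
    (5101, 5100, r"C:\Windows\System32\net.exe", "net stop Spooler"),
]
EVENTS = [dict(zip(("pid", "ppid", "image", "cmdline"), t)) for t in RAW]

# Generic security-product names (assumption: broader than the single service in the report).
AV_SERVICE = re.compile(r"anti.?virus|anti.?malware|kingsoft|defender|security|protect", re.I)
STOP_CMD = re.compile(r'\bstop\s+"?([^"]+?)"?\s*$', re.I)
USER_TEMP = re.compile(r"^c:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
TEMP_BAT = re.compile(r'(c:\\users\\[^\\]+\\appdata\\local\\temp\\[^\s"]+\.bat)', re.I)
DESKTOP_ROOTS = {"explorer.exe"}


def basename(path):
    return PureWindowsPath(path).name.lower()


def parent_dir(path):
    return str(PureWindowsPath(path).parent).lower()


def rule_av_service_stop(ev):
    """net.exe / net1.exe stopping a service whose name looks like a security product."""
    if basename(ev["image"]) not in ("net.exe", "net1.exe"):
        return None
    m = STOP_CMD.search(ev["cmdline"])
    return "av_service_stop" if m and AV_SERVICE.search(m.group(1)) else None


def rule_temp_batch(ev):
    """cmd.exe executing a .bat file that lives in the user's Temp directory."""
    if basename(ev["image"]) == "cmd.exe" and TEMP_BAT.search(ev["cmdline"]):
        return "temp_batch_launcher"
    return None


def rule_windows_root_child(ev, parent):
    """An executable sitting directly in C:\\Windows, started by a process running from user Temp."""
    if parent and parent_dir(ev["image"]) == r"c:\windows" and USER_TEMP.match(parent["image"]):
        return "exe_dropped_in_windows_root"
    return None


def root_of(pid, by_pid):
    """Walk the parent chain up to the first process directly under the desktop shell."""
    ev = by_pid[pid]
    while True:
        parent = by_pid.get(ev["ppid"])
        if parent is None or basename(parent["image"]) in DESKTOP_ROOTS:
            return ev["pid"]
        ev = parent


def detect(events):
    """Map each root process to the sorted list of distinct behaviours seen in its subtree."""
    by_pid = {e["pid"]: e for e in events}
    hits = defaultdict(set)
    for ev in events:
        parent = by_pid.get(ev["ppid"])
        for name in (rule_av_service_stop(ev), rule_temp_batch(ev), rule_windows_root_child(ev, parent)):
            if name:
                hits[root_of(ev["pid"], by_pid)].add(name)
    return {pid: sorted(names) for pid, names in hits.items()}


def alerts(events, threshold=2):
    """Roots showing at least `threshold` distinct behaviours; one behaviour alone is only a hint."""
    return {pid: names for pid, names in detect(events).items() if len(names) >= threshold}


if __name__ == "__main__":
    print(alerts(EVENTS))
```

On a real host the four keys map to the Sysmon Event ID 1 fields ProcessId, ParentProcessId, Image and CommandLine. Attributing hits to the root process rather than to the individual net.exe instance is what turns six separate `net stop` events and one batch launch into a single alert on PID 2636; the threshold of two distinct rules is a tuning choice, not a property of the sample.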

    Network

          MITRE ATT&CK Enterprise v15


          Downloads

          • C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe

            Filesize

            251KB

            MD5

            b1f9c1e34d386a573816e1755b55db76

            SHA1

            86caece043dd11c89236634e85b0ed836028dd02

            SHA256

            11e2be5c5c948302f0e5e74d2065f7e538d6a95ca5a9c67dcdeeb3b4058d4a33

            SHA512

            03140ee1b6347021a724682ace737bb03318f428c948edde27d390f99838841ccc8ace6d065cb4efcbbc579562e8b32ddbf922d3128f49357907b21d82173e11

          • C:\Program Files\7-Zip\7z.exe

            Filesize

            577KB

            MD5

            001d1cac5c838f751117bbfeedd9a893

            SHA1

            b3bb58d621513e049aba63641ee9856f22fb3bcb

            SHA256

            6094df76076d153eb1ae0806187e04f5c2269e4628af32cd1c5dbeced63490a8

            SHA512

            01642b5cb2f912e11628f327c28533ce6e10662fb5a8ca24e4eaec6d90055afeab15620bb9555ad3eadcff3f8acc7f3dd4f72d18769093d3f333bcc3b4e2cd32

          • C:\Users\Admin\AppData\Local\Temp\$$a787C.bat

            Filesize

            722B

            MD5

            d9d575cb9f249eee3584428d86950b2b

            SHA1

            5ebad29dce34cf64e3a0449b4e31f3371efc2f23

            SHA256

            beaaa2bb09732f174fb61c2ea7c84bdf04a696e6dc137b7181c2024b9d7d0dbe

            SHA512

            51fd54f332f14d1cc35df301dea7931318a2ced1c42609c729295f4f967ccc96854f01b33434c71ccdb09f8d1253b56f98d18279f2922f2170cb793e1d138172

          • C:\Users\Admin\AppData\Local\Temp\c3c1d25083a96bb50a010c06655ad424260fbd79119c601a155f0c6e81985343.exe.exe

            Filesize

            41KB

            MD5

            977e405c109268909fd24a94cc23d4f0

            SHA1

            af5d032c2b6caa2164cf298e95b09060665c4188

            SHA256

            cd24c61fe7dc3896c6c928c92a2adc58fab0a3ff61ef7ddcac1ba794182ab12f

            SHA512

            12b4b59c1a8e65e72aa07ee4b6b6cd9fdedead01d5ce8e30f16ca26b5d733655e23a71c1d273a950a5b1a6cce810b696612de4a1148ac5f468ddf05d4549eed5

          • C:\Windows\Logo1_.exe

            Filesize

            33KB

            MD5

            9fb383006ea88e23b6927523f8ea7a4a

            SHA1

            a408f9bad16cfe8f36bba778a0efb645f901273a

            SHA256

            3c188d42969203e83dad09e7d67c63cfee5a6f7beee1d502108df9797ca08c29

            SHA512

            65d558ece19fcfd206188f05318183ee0919f327d6c2d8a3611edcecd8d602086f2cb209b51d2d66f7de1f2d64213479e983f57693827fcd2d20aa117e586b8b

          • F:\$RECYCLE.BIN\S-1-5-21-1045960512-3948844814-3059691613-1000\_desktop.ini

            Filesize

            10B

            MD5

            21df1f2862abbefb19b69ed364a5f968

            SHA1

            6e5a47eaef1ac9d9f355a10e4de11de5b252e6fd

            SHA256

            061a173d684fb8122f34b91ded168a81a20864be4dc9ee219ee65f9007d22fe6

            SHA512

            3364df22ff99814a7f520711ff71f3dd96f9611d954f7a11edfdb846f8c6703eea5fcadf5485a35564670bc6a484a3dd0f8a45c746dbc919d478d067e1b80567

          • memory/2636-0-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

          • memory/2636-10-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

          • memory/4040-11-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

          • memory/4040-18-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

          • memory/4040-3183-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

          • memory/4040-8716-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB