Analysis

  • max time kernel
    150s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    26-10-2024 03:38

General

  • Target

    d8209175ad5e4d695b0df7fdd26bfdb20a430d48c77233c3b6c1417c84727dff.exe

  • Size

    145KB

  • MD5

    557c99ce56321eb3ce941b29451ad500

  • SHA1

    9b0f1f52c88a3b6901ac846b30525bcc340a86fd

  • SHA256

    d8209175ad5e4d695b0df7fdd26bfdb20a430d48c77233c3b6c1417c84727dff

  • SHA512

    99bcf9d181426d77e0b723a34e4a724314e8f491ee7f456485d74c89433d8329457a85a99344f119cc9523032187229fbfb84aacc977190782e5b7552589c0ee

  • SSDEEP

    3072:I4we+aX3zvOmZWXyaiedMbrN6pnoXPBsr5ZrR:fl+aX3LOSNaPM4loo5Zd

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 43 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1184
      • C:\Users\Admin\AppData\Local\Temp\d8209175ad5e4d695b0df7fdd26bfdb20a430d48c77233c3b6c1417c84727dff.exe
        "C:\Users\Admin\AppData\Local\Temp\d8209175ad5e4d695b0df7fdd26bfdb20a430d48c77233c3b6c1417c84727dff.exe"
        2⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1712
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2064
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:2616
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\$$aB960.bat
          3⤵
          • Deletes itself
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1200
          • C:\Users\Admin\AppData\Local\Temp\d8209175ad5e4d695b0df7fdd26bfdb20a430d48c77233c3b6c1417c84727dff.exe
            "C:\Users\Admin\AppData\Local\Temp\d8209175ad5e4d695b0df7fdd26bfdb20a430d48c77233c3b6c1417c84727dff.exe"
            4⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:2824
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Drops startup file
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2524
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2964
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2852
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2556
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:3016

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

      Filesize

      258KB

      MD5

      adce245bf56632815d54108708b35fa3

      SHA1

      25b54878819eac7cb1adb8aa2f882b7ebfcee9bf

      SHA256

      1c2725f039ba18df4d32f9702d6db923373b493620a2b5294ee213074e6c4e59

      SHA512

      8437c7889191c2e518713a55a28cc1119b6424f5a5c254a71659f383f71a81df6511eedde5c983af98934465b13c1b0bf58c952b47bc2bb9e42b145ec389277d

    • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

      Filesize

      478KB

      MD5

      13689a976739ee578cca7c130b7fef1a

      SHA1

      fc996cec103246b14384ca0d44f6dda9263e8287

      SHA256

      b834be980b6259818c6bab3ea0c7dce63605f3ffdc3609c7d8969f08e149a22a

      SHA512

      ea0bdbc66ab6b830721433d7f85db4ae4e8c05afa3b72e13553f331b669b1ffe3917fad2426b6f5b21b674a7e1d88474633143c82825a6ea57b7e16778c8654f

    • C:\Users\Admin\AppData\Local\Temp\$$aB960.bat

      Filesize

      722B

      MD5

      5065599d8728c341546109e3ba5e3cd1

      SHA1

      b4c4c86b492dc80a96e7ff687dbae33344621378

      SHA256

      e3e17bf99a402a1e156581389c6ceafac3ef807dbc919e71d2215f79014914dc

      SHA512

      fc350e8a860407419e390d4be4e3d31b148a8a249e5919656c2720b4284d27c594c4fdfefb9e2044673bfab513132b70d3fbe240c8878f09fc52959cd33ff734

    • C:\Users\Admin\AppData\Local\Temp\d8209175ad5e4d695b0df7fdd26bfdb20a430d48c77233c3b6c1417c84727dff.exe.exe

      Filesize

      112KB

      MD5

      e9cc8c20b0e682c77b97e6787de16e5d

      SHA1

      8be674dec4fcf14ae853a5c20a9288bff3e0520a

      SHA256

      ef854d21cbf297ee267f22049b773ffeb4c1ff1a3e55227cc2a260754699d644

      SHA512

      1a3b9b2d16a4404b29675ab1132ad542840058fd356e0f145afe5d0c1d9e1653de28314cd24406b85f09a9ec874c4339967d9e7acb327065448096c5734502c7

    • C:\Windows\Logo1_.exe

      Filesize

      33KB

      MD5

      680e1d68d1c18cdb5e1fddd097cd0056

      SHA1

      3679880b26ab1a994375a7aa9ead9b17025ef30e

      SHA256

      9f250d09197e2a3e5f063b06c9995f5802b48852f9d98af43419e119698ccbc3

      SHA512

      15b9dfc38a515ab4ee8e9eca27a5a2d223b55ec5ab517e14a94a4da32ecfcba8b9f7589c429d92472617033f757c7843119ac1ec28f373600545a66e9873553b

    • F:\$RECYCLE.BIN\S-1-5-21-2039016743-699959520-214465309-1000\_desktop.ini

      Filesize

      10B

      MD5

      28a582403dbb209b6c5cb7bada9c918d

      SHA1

      db58560be63032a4cbd738d2d639e5bf764d6277

      SHA256

      b5a9fa3acde4d9499ea08a6d9ff193fc9cda57f04141f82d2422a4008f451200

      SHA512

      511b4d3886d671d01c66d2509b784a199e68a00f2597d311d8d0770f0b1030680136ee450343a8d6c4b51d9de8448bafdde44dc1a1c6e62bccde47d5af03fbae

    • memory/1184-29-0x0000000002E60000-0x0000000002E61000-memory.dmp

      Filesize

      4KB

    • memory/1712-16-0x0000000000230000-0x000000000026F000-memory.dmp

      Filesize

      252KB

    • memory/1712-0-0x0000000000400000-0x000000000043F000-memory.dmp

      Filesize

      252KB

    • memory/1712-17-0x0000000000230000-0x000000000026F000-memory.dmp

      Filesize

      252KB

    • memory/1712-18-0x0000000000400000-0x000000000043F000-memory.dmp

      Filesize

      252KB

    • memory/2524-32-0x0000000000400000-0x000000000043F000-memory.dmp

      Filesize

      252KB

    • memory/2524-2789-0x0000000000400000-0x000000000043F000-memory.dmp

      Filesize

      252KB

    • memory/2524-4193-0x0000000000400000-0x000000000043F000-memory.dmp

      Filesize

      252KB