Analysis

  • max time kernel
    150s
  • max time network
    19s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    26-10-2024 04:14

General

  • Target

    296f2807a21a04297d54ffd6ed3930ce06bf959d0e8c7ea7f8d8d2c471b3a674.exe

  • Size

    6.9MB

  • MD5

    d3cf3c033abfe78b61f54db44392dfa1

  • SHA1

    413305dd293e3073ac3e73b9c75c432e50cee863

  • SHA256

    296f2807a21a04297d54ffd6ed3930ce06bf959d0e8c7ea7f8d8d2c471b3a674

  • SHA512

    02c3b903a1620512d2ab141e3eaf6a7d1b9ef86e60119adf2289d70668db2c6f6ccee32e40c3714966943fedf1ae75b801787f00e0903cade718eed2ff6f4eaa

  • SSDEEP

    98304:nxC3ud6MOIvysiWCQKzo5qphIHVruP3WpF3UdE1hZHEdLF9:sGQnMkhgJuP32+dmhZk/9

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 6 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 43 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1280
      • C:\Users\Admin\AppData\Local\Temp\296f2807a21a04297d54ffd6ed3930ce06bf959d0e8c7ea7f8d8d2c471b3a674.exe
        "C:\Users\Admin\AppData\Local\Temp\296f2807a21a04297d54ffd6ed3930ce06bf959d0e8c7ea7f8d8d2c471b3a674.exe"
        2⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2772
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2792
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:2928
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\$$a67C8.bat
          3⤵
          • Deletes itself
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2696
          • C:\Users\Admin\AppData\Local\Temp\296f2807a21a04297d54ffd6ed3930ce06bf959d0e8c7ea7f8d8d2c471b3a674.exe
            "C:\Users\Admin\AppData\Local\Temp\296f2807a21a04297d54ffd6ed3930ce06bf959d0e8c7ea7f8d8d2c471b3a674.exe"
            4⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2724
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 2724 -s 152
              5⤵
              • Loads dropped DLL
              • Program crash
              PID:1208
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Drops startup file
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2280
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2708
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2676
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:1876
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:636

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

      Filesize

      258KB

      MD5

      d950dc3af3fc1d51258004f4a9c1861f

      SHA1

      58e95819cb701f78572b883cfbbe3044c79f8620

      SHA256

      4bd5c1f973d1729c3ff30c05608449cbbde77f9968ece9bc8ff36674f53bf82b

      SHA512

      1962c170519ed83db8f42106266ee1603ec38c1dc1b772fb64197dcd02d88244e64bafed0f8f4355f4d029713bc15085a2bc44811f44a8445a3868c02b07708b

    • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

      Filesize

      478KB

      MD5

      20615c222d66b46d820f440205205ce1

      SHA1

      ac06df643e8af18a5312d88a6fca54bc737db4fb

      SHA256

      19286b1fbf621a31ce34f560c63c1a811b17065756759f4523c0c389cf7304bc

      SHA512

      dd81cd82dcf4d1a9291a118a626c36cb8d9e924f0449e44f87b41c36304f430e3213ab6bcb0bd5c0c56722588a932e69be62c6df7d8af71ba1004d8ccb554348

    • C:\Users\Admin\AppData\Local\Temp\$$a67C8.bat

      Filesize

      722B

      MD5

      9d79200ee3075a0d8ef92eba1a9b18b0

      SHA1

      2877f9c4945724aeb54295a4418b22e764c7268c

      SHA256

      7da6da5d6ec4f4f0cf64d53798dbdbebbf2fcee6270b0db6a1fcad9e2f7084f2

      SHA512

      3cfc158d8cdbf8c529d36f28d676379643614c651f211ee1428c9e96090eedbe5aaca33a4a93bcd64fb2677dbbc291ea8bcb98561739a2dea027283ecd30f720

    • C:\Users\Admin\AppData\Local\Temp\296f2807a21a04297d54ffd6ed3930ce06bf959d0e8c7ea7f8d8d2c471b3a674.exe.exe

      Filesize

      6.9MB

      MD5

      45e471bd79b7ca6af28422432b9b8f1a

      SHA1

      9138450ca0af79896d2145a83692c7fb068c541a

      SHA256

      c539aed1bcff932b77d8d49486156cc0ad5496e6d5480d9ec435d76cad49d73c

      SHA512

      9af63626b790f63c85ab93d17243dd154f56108931609ffa75d174cde0a5feb540b5e7e24209feb7ca2f87088eb0421e6bed1f94c7a4c893b7b84c440c286f4e

    • C:\Windows\Logo1_.exe

      Filesize

      33KB

      MD5

      1c53d2c2c1bd364fe7271c3e92d2e3dc

      SHA1

      0a8092d4f1129d843f16fc6851c11ed6751fcc7f

      SHA256

      8810ec719639b333cc678599ed64e62c41e94e9998dfd822c8c9d03e542d4c99

      SHA512

      1792ffb0daa68a799a4f9502fd721895934a46bc99f14539bcafb2923ac43b124138f9efd4346cb6a757c4b8de34c2e0544b0580376a343b2607548087aba578

    • F:\$RECYCLE.BIN\S-1-5-21-3692679935-4019334568-335155002-1000\_desktop.ini

      Filesize

      10B

      MD5

      28a582403dbb209b6c5cb7bada9c918d

      SHA1

      db58560be63032a4cbd738d2d639e5bf764d6277

      SHA256

      b5a9fa3acde4d9499ea08a6d9ff193fc9cda57f04141f82d2422a4008f451200

      SHA512

      511b4d3886d671d01c66d2509b784a199e68a00f2597d311d8d0770f0b1030680136ee450343a8d6c4b51d9de8448bafdde44dc1a1c6e62bccde47d5af03fbae

    • memory/1280-32-0x0000000002AD0000-0x0000000002AD1000-memory.dmp

      Filesize

      4KB

    • memory/2280-36-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/2280-1597-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/2280-4097-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/2772-19-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/2772-0-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/2772-16-0x0000000000230000-0x000000000026D000-memory.dmp

      Filesize

      244KB

    • memory/2772-17-0x0000000000230000-0x000000000026D000-memory.dmp

      Filesize

      244KB