Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-10-2024 04:14

General

  • Target

    296f2807a21a04297d54ffd6ed3930ce06bf959d0e8c7ea7f8d8d2c471b3a674.exe

  • Size

    6.9MB

  • MD5

    d3cf3c033abfe78b61f54db44392dfa1

  • SHA1

    413305dd293e3073ac3e73b9c75c432e50cee863

  • SHA256

    296f2807a21a04297d54ffd6ed3930ce06bf959d0e8c7ea7f8d8d2c471b3a674

  • SHA512

    02c3b903a1620512d2ab141e3eaf6a7d1b9ef86e60119adf2289d70668db2c6f6ccee32e40c3714966943fedf1ae75b801787f00e0903cade718eed2ff6f4eaa

  • SSDEEP

    98304:nxC3ud6MOIvysiWCQKzo5qphIHVruP3WpF3UdE1hZHEdLF9:sGQnMkhgJuP32+dmhZk/9

Malware Config

Signatures

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3408
      • C:\Users\Admin\AppData\Local\Temp\296f2807a21a04297d54ffd6ed3930ce06bf959d0e8c7ea7f8d8d2c471b3a674.exe
        "C:\Users\Admin\AppData\Local\Temp\296f2807a21a04297d54ffd6ed3930ce06bf959d0e8c7ea7f8d8d2c471b3a674.exe"
        2⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1460
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4660
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:4828
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aACAB.bat
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1732
          • C:\Users\Admin\AppData\Local\Temp\296f2807a21a04297d54ffd6ed3930ce06bf959d0e8c7ea7f8d8d2c471b3a674.exe
            "C:\Users\Admin\AppData\Local\Temp\296f2807a21a04297d54ffd6ed3930ce06bf959d0e8c7ea7f8d8d2c471b3a674.exe"
            4⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:3552
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 3552 -s 424
              5⤵
              • Program crash
              PID:3960
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Drops startup file
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:3132
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:1736
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:4644
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:1256
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:1280
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3552 -ip 3552
      1⤵
        PID:2272

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe

        Filesize

        251KB

        MD5

        cb0376e100c5fabb8fd4a1bc56586aaa

        SHA1

        a4911bc430a25cc0bc12d8bd1ec3951acb189a93

        SHA256

        bd9cffa3e795e1bcbf898944e16fc342cd1194013f794bac72e43c96d48c395a

        SHA512

        61960694907542e18a7bd248fe0c8bd560b0d11c6b2c89fe7516cf6397b6c0f1465956c0c1e7f16515a4331dd6f9c8e305f343bcaf1bde125b92bebbe94bca1a

      • C:\Program Files\OutCompress.exe

        Filesize

        648KB

        MD5

        2459ec56df7204c9ea75865f3edaf357

        SHA1

        1db0c61c9453472f4b137fbf77e21acd6c46d281

        SHA256

        d434334ba4bd8d947ada8eb1ea0802cb33b316e2a4c400adcbe339385d577ad3

        SHA512

        283dabbb2360a5cb3cecbf063effded0d0dcbad5372a1ec03269db2c1a490db782187f1191fbfb036853682d223c60e012807f7fd19d2c5552c01d3c751e67ff

      • C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe

        Filesize

        643KB

        MD5

        db9bddad546005d48ce18fe972246201

        SHA1

        b0dd981322e1c1c0b5c252f47fa13264938de8b6

        SHA256

        9075cd2193d88bc34006b3ca296da52903a6cdcc326f7dc9fbe08d5ce3e653c3

        SHA512

        08c030dcad263220c4593eae14e5b7c5731df7ed8ae5f4ab454d8b981ef28caf35508ddd1ce93063dea8ad3b47b65780349db4c17bb0abdb4e930749c9c365e0

      • C:\Users\Admin\AppData\Local\Temp\$$aACAB.bat

        Filesize

        722B

        MD5

        312ff4d68570fee46638bce9a6195b58

        SHA1

        bd46876bf58870490427c6541804dfb6f65600e5

        SHA256

        edc8114f88e57767b2b338540f9017cce4139fc2b05e68e50c047798a84838b8

        SHA512

        ede6edf2623903711c717f399fce1024a3312965e977e23d037297735c908dafc0a8423b1fd3412a26af34c075a22e44a927b308782af10203387fb251b592db

      • C:\Users\Admin\AppData\Local\Temp\296f2807a21a04297d54ffd6ed3930ce06bf959d0e8c7ea7f8d8d2c471b3a674.exe.exe

        Filesize

        6.9MB

        MD5

        45e471bd79b7ca6af28422432b9b8f1a

        SHA1

        9138450ca0af79896d2145a83692c7fb068c541a

        SHA256

        c539aed1bcff932b77d8d49486156cc0ad5496e6d5480d9ec435d76cad49d73c

        SHA512

        9af63626b790f63c85ab93d17243dd154f56108931609ffa75d174cde0a5feb540b5e7e24209feb7ca2f87088eb0421e6bed1f94c7a4c893b7b84c440c286f4e

      • C:\Windows\Logo1_.exe

        Filesize

        33KB

        MD5

        1c53d2c2c1bd364fe7271c3e92d2e3dc

        SHA1

        0a8092d4f1129d843f16fc6851c11ed6751fcc7f

        SHA256

        8810ec719639b333cc678599ed64e62c41e94e9998dfd822c8c9d03e542d4c99

        SHA512

        1792ffb0daa68a799a4f9502fd721895934a46bc99f14539bcafb2923ac43b124138f9efd4346cb6a757c4b8de34c2e0544b0580376a343b2607548087aba578

      • F:\$RECYCLE.BIN\S-1-5-21-3442511616-637977696-3186306149-1000\_desktop.ini

        Filesize

        10B

        MD5

        28a582403dbb209b6c5cb7bada9c918d

        SHA1

        db58560be63032a4cbd738d2d639e5bf764d6277

        SHA256

        b5a9fa3acde4d9499ea08a6d9ff193fc9cda57f04141f82d2422a4008f451200

        SHA512

        511b4d3886d671d01c66d2509b784a199e68a00f2597d311d8d0770f0b1030680136ee450343a8d6c4b51d9de8448bafdde44dc1a1c6e62bccde47d5af03fbae

      • memory/1460-11-0x0000000000400000-0x000000000043D000-memory.dmp

        Filesize

        244KB

      • memory/1460-0-0x0000000000400000-0x000000000043D000-memory.dmp

        Filesize

        244KB

      • memory/3132-18-0x0000000000400000-0x000000000043D000-memory.dmp

        Filesize

        244KB

      • memory/3132-3031-0x0000000000400000-0x000000000043D000-memory.dmp

        Filesize

        244KB

      • memory/3132-8-0x0000000000400000-0x000000000043D000-memory.dmp

        Filesize

        244KB

      • memory/3132-8914-0x0000000000400000-0x000000000043D000-memory.dmp

        Filesize

        244KB