Analysis

  • max time kernel
    149s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    26-10-2024 04:14

General

  • Target

    02d27dc43e5599144329fecc9ed1220f4d3b675302dcd9998d2fef859f5303e3.exe

  • Size

    6.5MB

  • MD5

    178fa8bfc57c0f593619559868a20b12

  • SHA1

    edde5f6d54c02a1189829af8a20b9287fa9d6e80

  • SHA256

    02d27dc43e5599144329fecc9ed1220f4d3b675302dcd9998d2fef859f5303e3

  • SHA512

    26332a13779550fd6f26c9f21c2cc431e4a2d3153c36943397a936d05f756018ac26e8215d97c500fdd7e7438024cc442a4de4849ea68800ee30a3c3b5c6d62d

  • SSDEEP

    196608:fCzNA7rlvRz1rrFBV6tpjuj6gYPKHCKsg:fjUtYj6gYPYp

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive account data.

  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 43 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1192
      • C:\Users\Admin\AppData\Local\Temp\02d27dc43e5599144329fecc9ed1220f4d3b675302dcd9998d2fef859f5303e3.exe
        "C:\Users\Admin\AppData\Local\Temp\02d27dc43e5599144329fecc9ed1220f4d3b675302dcd9998d2fef859f5303e3.exe"
        2⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1880
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3028
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:2508
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\$$aA5D1.bat
          3⤵
          • Deletes itself
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2140
          • C:\Users\Admin\AppData\Local\Temp\02d27dc43e5599144329fecc9ed1220f4d3b675302dcd9998d2fef859f5303e3.exe
            "C:\Users\Admin\AppData\Local\Temp\02d27dc43e5599144329fecc9ed1220f4d3b675302dcd9998d2fef859f5303e3.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:2836
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Drops startup file
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2152
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2752
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2892
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2764
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2812
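The process tree above shows three behaviours worth turning into detection logic: `net.exe`/`net1.exe` stopping a security service ("Kingsoft AntiVirus Service", six times across two parents), `cmd /c` running a `$$*.bat` from `%TEMP%` whose child re-launches the sample's own image (the self-delete / restore-host pattern the "Deletes itself" signature refers to), and an executable running straight out of `C:\Windows\` (`Logo1_.exe`). The triage script below is an added example and is not part of the sandbox output; the events are constructed from the PIDs and command lines in the tree, and the service-name hints, the `C:\Windows\` allowlist and the rule names are my own assumptions rather than any sandbox or Sysmon schema.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


SAMPLE = "02d27dc43e5599144329fecc9ed1220f4d3b675302dcd9998d2fef859f5303e3.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE_PATH = TEMP + "\\" + SAMPLE
NET = r"C:\Windows\SysWOW64\net.exe"
NET1 = r"C:\Windows\SysWOW64\net1.exe"
STOP_CMD = 'net stop "Kingsoft AntiVirus Service"'
STOP1_CMD = r'C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"'

# Constructed from the process tree in this report (same PIDs, images and command lines).
EVENTS: List[ProcEvent] = [
    ProcEvent(1192, 0, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    ProcEvent(1880, 1192, SAMPLE_PATH, '"' + SAMPLE_PATH + '"'),
    ProcEvent(3028, 1880, NET, STOP_CMD),
    ProcEvent(2508, 3028, NET1, STOP1_CMD),
    ProcEvent(2140, 1880, r"C:\Windows\SysWOW64\cmd.exe", "cmd /c " + TEMP + r"\$$aA5D1.bat"),
    ProcEvent(2836, 2140, SAMPLE_PATH, '"' + SAMPLE_PATH + '"'),
    ProcEvent(2152, 1880, r"C:\Windows\Logo1_.exe", r"C:\Windows\Logo1_.exe"),
    ProcEvent(2752, 2152, NET, STOP_CMD),
    ProcEvent(2892, 2752, NET1, STOP1_CMD),
    ProcEvent(2764, 2152, NET, STOP_CMD),
    ProcEvent(2812, 2764, NET1, STOP1_CMD),
]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


# Substrings that mark a service as security software (assumed, illustrative list).
AV_SERVICE_HINTS = ("antivirus", "anti-virus", "defender", "kingsoft", "security")
STOP_RE = re.compile(r'\bstop\s+"?([^"]+?)"?\s*$', re.IGNORECASE)


def rule_av_service_stop(ev: ProcEvent) -> Optional[str]:
    """net.exe / net1.exe stopping a service whose name looks like security software."""
    if basename(ev.image).lower() not in ("net.exe", "net1.exe"):
        return None
    m = STOP_RE.search(ev.cmdline)
    if not m:
        return None
    service = m.group(1).strip()
    if any(h in service.lower() for h in AV_SERVICE_HINTS):
        return "av_service_stop: " + service
    return None


TEMP_BAT_RE = re.compile(r'[A-Za-z]:\\[^"\s]*\\Temp\\\$\$[^"\s]*\.bat', re.IGNORECASE)


def rule_temp_batch_relaunch(ev: ProcEvent, by_pid: Dict[int, ProcEvent]) -> Optional[str]:
    """cmd /c on a $$*.bat in Temp; tagged _relaunch when a child of that cmd
    runs the same image as cmd's parent (restore-and-delete pattern)."""
    if basename(ev.image).lower() != "cmd.exe" or "/c" not in ev.cmdline.lower():
        return None
    m = TEMP_BAT_RE.search(ev.cmdline)
    if not m:
        return None
    parent = by_pid.get(ev.ppid)
    relaunched = parent is not None and any(
        c.ppid == ev.pid and c.image.lower() == parent.image.lower() for c in by_pid.values()
    )
    return ("temp_batch_relaunch: " if relaunched else "temp_batch: ") + m.group(0)


# Binaries that legitimately live directly in C:\Windows\ (assumed, illustrative allowlist).
WINDOWS_ROOT_ALLOW = {"explorer.exe", "regedit.exe", "notepad.exe", "hh.exe", "write.exe", "splwow64.exe"}


def rule_exec_from_windows_root(ev: ProcEvent) -> Optional[str]:
    """An image running straight out of C:\\Windows\\ (no subdirectory) that is not allowlisted."""
    low = ev.image.lower()
    prefix = "c:\\windows\\"
    if not low.startswith(prefix) or "\\" in low[len(prefix):]:
        return None
    if basename(low) in WINDOWS_ROOT_ALLOW:
        return None
    return "exec_from_windows_root: " + basename(ev.image)


def ancestry(pid: int, by_pid: Dict[int, ProcEvent]) -> List[str]:
    """Image names from the root ancestor down to pid; cycle-safe."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain[::-1]


def triage(events: List[ProcEvent]) -> List[Tuple[int, str, str]]:
    """Return (pid, finding, ancestry chain) for every event that trips a rule."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        hits = (rule_av_service_stop(ev), rule_temp_batch_relaunch(ev, by_pid), rule_exec_from_windows_root(ev))
        for hit in hits:
            if hit:
                findings.append((ev.pid, hit, " > ".join(ancestry(ev.pid, by_pid))))
    return findings


def summarize(findings: List[Tuple[int, str, str]]) -> Dict[str, int]:
    """Count findings per rule name (the part before the colon)."""
    counts: Dict[str, int] = {}
    for _, hit, _ in findings:
        rule = hit.split(":", 1)[0]
        counts[rule] = counts.get(rule, 0) + 1
    return counts


if __name__ == "__main__":
    for pid, hit, chain in triage(EVENTS):
        print(f"{pid:>5}  {hit:<60}  {chain}")
    print(summarize(triage(EVENTS)))
```

Run against the constructed tree it reports eight findings: six `av_service_stop` hits (the `net.exe` and `net1.exe` pairs under PIDs 1880 and 2152), one `temp_batch_relaunch` for PID 2140, and one `exec_from_windows_root` for `Logo1_.exe`; `Explorer.EXE` is suppressed by the allowlist. The ancestry chain is what makes the `net stop` hits actionable, since the same command launched from an interactive shell by an administrator would be benign.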

    Network

    MITRE ATT&CK Enterprise v15


    Downloads

    • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

      Filesize

      258KB

      MD5

      2e8f00ea41089a9130bc63da1cfbfd18

      SHA1

      01cf1c7db88e0a1814a11122257033ce41bd5aef

      SHA256

      a2da98325e8e526fe19fefa23d1e520f628953ca9f5da53018f3ea0e0c9e40c2

      SHA512

      0ecf7444fcad6a655771f8ef5b7ad2b08b655ba272d63e5154eb9a8b593fcf7cbd2b9cbf841a8d9688f35632677792308be690b7265ecaec7c19c1425ffce642

    • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

      Filesize

      478KB

      MD5

      28959031896021bc7ca9f579de2cc456

      SHA1

      3577f294e56af20384c17c2e6b30043d3fb467ce

      SHA256

      f033bbb306ff9feebc9f881d7bf293d303af233130e795d86a20b16aad085eec

      SHA512

      8ccc791701cbf875cff76feb50e78391fdc4375e0bd78c59111a657059e2f4c8c91b8603755bd5cfc1feb1abcc98b3eda6e3f810de8e8d60eb35090eecb21020

    • C:\Users\Admin\AppData\Local\Temp\$$aA5D1.bat

      Filesize

      722B

      MD5

      70baaccef6f3017eb3019e4c0d1fc875

      SHA1

      1c62ea4c06a4bda2ba413f35f160274b763f3bf0

      SHA256

      e31c6eddd21120e672fa60e519d4c020c67ea39dd73aa16d96619294ef05b1e3

      SHA512

      c85856f0446bd1642b4bb6fe1657c7d740880a7de3f0511515ba5afd4e23ce5a65bc2ca3dcdcc860a4bb766deaf3eb2455a576f807b7c69df19ef6ab40707261

    • C:\Users\Admin\AppData\Local\Temp\02d27dc43e5599144329fecc9ed1220f4d3b675302dcd9998d2fef859f5303e3.exe.exe

      Filesize

      6.4MB

      MD5

      f24affc10132405930282aaeb206b7b7

      SHA1

      462d7a447a7d6f06bf3083c2af2f00b615c6a1a0

      SHA256

      abcca6f158b94303d92197bf8e6db545fe4929161e3767619176c4574ccb70fc

      SHA512

      c7729e3a050797b7d2c6ee07cc432c6dca56ffdb6b7e2662b1a70c90e287bbb2480a3752f262a896110f60f9ce18f884452f3cae3a06c80bef5eec476fba8cfe

    • C:\Users\Admin\AppData\Local\Temp\redirects\choco.exe

      Filesize

      133KB

      MD5

      d90e7a1e7632f8e5cc8cf6edf61a02e5

      SHA1

      72004beb61176285bff65f9ea36170f8347a706e

      SHA256

      535689598ec06875df0d5e3a60b37d4a7f25d97904c13c6c22156e5e79f1f395

      SHA512

      b6b51b01aa204ff7cd6b51b98bad4dcecb78f8b32ba871616039297787764b8f852c16d17da9b0aae28e7c686332c7d818fdf6762d80e915fb80001558cd468a

    • C:\Users\Admin\AppData\Local\Temp\redirects\chocolatey.exe

      Filesize

      166KB

      MD5

      5af52e83386c82a63536f4015eea27fb

      SHA1

      b160b7d8654282f7231641b2b511ae1dccc15698

      SHA256

      21ef9ee0595e8ddcd7d69bf79002b1ca04be60277a2e91c8dfb8272dffb327cf

      SHA512

      52d98979982edaaadcf078632d0cec6da585dc1e6cf9d9e75594e0c98cb99d0d638b496ddc5c4c8abf3d47000758da0a6fe74e51c2ce6634ead820b8971d6e0f

    • C:\Users\Admin\AppData\Local\Temp\redirects\cinst.exe

      Filesize

      166KB

      MD5

      9c57de2b95339834ff959dbafe8acbfd

      SHA1

      2bae31eedbfb862eda3e0c051f14bef41efa8974

      SHA256

      0cc6cd8d875e4955a4c7e5a14a75ed29620910bc90a7ccc68920bd71d32859db

      SHA512

      5deb6ba906efd1db417db1f165f93b0bd4e968900d084b069fed173d855c51177bce1f83fa6c4e8b2c7205517d6ef508fe3063e22bc200de5ddadf482082d643

    • C:\Users\Admin\AppData\Local\Temp\redirects\clist.exe

      Filesize

      166KB

      MD5

      ecc99433f78693bc1f3d00eb9e3ad5a1

      SHA1

      6ee702765220d805b844b49fea99059a368c4935

      SHA256

      29b21c4872dd9dacde93a39441959889c6a367a5c84bca598851162e8f998c48

      SHA512

      c3436592e897d842a0fe5274bcb327483a9b2801d71fb1fe07b8d68a02e684c16db3dffa7d8fcd458087520418888aad74413643cb6cc1ae198a7f7ce15df70d

    • C:\Users\Admin\AppData\Local\Temp\redirects\cpack.exe

      Filesize

      166KB

      MD5

      b39ce207bda2c90673b117760317b3e7

      SHA1

      182bd9b614d9e5003d219ddbd46727cb57a4e990

      SHA256

      58c70053203dc94f045fdd8b53fceb60da9bfc32ff56b1c6ed61833994bb1e90

      SHA512

      25bad2614e71ed99116f554f6ef667dcc95a9d83ed7810132e3b2672bee7f51ee27d50fe0a67c52d26197a85bbe8dad699dbe608e09f032533d303be4feeb405

    • C:\Users\Admin\AppData\Local\Temp\redirects\cpush.exe

      Filesize

      166KB

      MD5

      93efaad020ebe4f5994afb9a6e454adb

      SHA1

      8b85c1d8e32771f12f09ba9e930f5894bed593c4

      SHA256

      71d7948a42d68eaa2c0f2db15bcfb3ee86f41ee794969c45ea4b63f1e87a9a35

      SHA512

      cb951054d63a330de2f2fefd0b27cec9a786b224cc18e2d3be0ca0a1d48bc77431043da032e5b61931c3111db5b46e583881f938855d332a73e32645b4c22d48

    • C:\Users\Admin\AppData\Local\Temp\redirects\cuninst.exe

      Filesize

      166KB

      MD5

      44f5c164b976a1b8dc37b9afceca627b

      SHA1

      1f94dceb0b05cd9069d929cbecf5054c5775b80e

      SHA256

      8fd9902a1e1bad8d1a4e9ced5386768dd2f04257d99b73f3e5cc575783ad644a

      SHA512

      bcf335b85f1216b0f5c22c7f8a65b78ca284312787377360d42f946833e6cc79a23447acfbef06060c88dfcf742b6c52cf5ab5f97f0d509fd0b8cfc979dcf8ed

    • C:\Users\Admin\AppData\Local\Temp\redirects\cup.exe

      Filesize

      166KB

      MD5

      0ec3809dea6547547acb9104a692921a

      SHA1

      5edb48b5c045df9ddd8acbdbd5194e5b0b3f62f4

      SHA256

      0350a99b7c85cd21e22cbc990b4a2db8d27dd24bb100ddfe096000e6a5bc3954

      SHA512

      2f514dedc832b59a36d7cbab8c65015a426d9ba9fbd4de10a5071fad145241b22d5a81d4fa65c36030fc701e989a97abf310b70fc86eacd47494a9b638035539

    • C:\Users\Admin\AppData\Local\Temp\redirects\cver.exe

      Filesize

      166KB

      MD5

      d242c8f1f34adc4e2a18d7664b980044

      SHA1

      e4580cff26ed508f5abdb3f1a67470ba647554ae

      SHA256

      a61ab0eb1680fead55a37630d822c6d4e25a53437fcf2d4521f52852f5db7ecd

      SHA512

      bb257601f49c81f9cf3a29776fdbed0bb6b468c12e568a1abeb462e7d467fc5194b56425fa48c7ef242979190ae5bb58bae25971ed7b82df479d6f9378b7012f

    • C:\Users\Admin\AppData\Local\Temp\tools\7z.exe

      Filesize

      317KB

      MD5

      e21f5dd05257ece5fb64430b77cfa5c9

      SHA1

      3bac7f4dbc6e5bd4531d0f48aa6fc878311c5608

      SHA256

      d293bdd8180921bfb31cb8afe91d7339acb3cee4c406df6c56c87f9460932b44

      SHA512

      82588d57617eff7f8419b8830dd332afe0aaf9b284e6dee1aed05c8c3a79dc73fa031670fb14a0b81ec27cdb59b97d2aa41e3edd05b7f00f8eab0c4a11cbebef

    • C:\Users\Admin\AppData\Local\Temp\tools\checksum.exe

      Filesize

      61KB

      MD5

      3f7b9b16fe7c0c3130ddd546c3f82c75

      SHA1

      d6ac383d6dcabaed425096bdcb94b4e59641f9ec

      SHA256

      1f865c638c4da788a5d517a0a11727338f58cbe5d57d6b822f5bd06415cb8b9f

      SHA512

      d2842c34b74a56345c90ab6797d25d793d72b3987022a6e405b62bba15f11653735d521270f1512fd63257281594874e028d3a6adc03ed0632a495b217b0782e

    • C:\Users\Admin\AppData\Local\Temp\tools\shimgen.exe

      Filesize

      228KB

      MD5

      16996e59468c0b980e9e71e1dfde5edf

      SHA1

      a9217ebff1cc074753499184f9b9a5abc97f89f7

      SHA256

      56833a73e78aac21aa3b88724564a6fc0e4b348014b162865e1f4f82aac1833d

      SHA512

      f876552307b7c167b6104c3cefe6fe07522e0fd91caacb8014fc4efc2be06399363bdd21a3660c633dc93849d1e453b8c22b45613ec9d7670d7b8aee058b1bd9

    • C:\Windows\Logo1_.exe

      Filesize

      33KB

      MD5

      4b59d42c30960693269448e00b2ffca6

      SHA1

      cd5f11fe1cfa26eef8d7b9e90ae2346b0d8cf562

      SHA256

      6a1d9701474cb7644e120689be4c71fe45f978be0c2934ff91481124c1f14363

      SHA512

      07fb18f632389983cc70432e59a247d94325da55f793c04db33d078c1d199628da9ccf45488610b3db25ca8c54f161630c7bb478e0a286babf42e168217a8ca1

    • F:\$RECYCLE.BIN\S-1-5-21-3063565911-2056067323-3330884624-1000\_desktop.ini

      Filesize

      10B

      MD5

      28a582403dbb209b6c5cb7bada9c918d

      SHA1

      db58560be63032a4cbd738d2d639e5bf764d6277

      SHA256

      b5a9fa3acde4d9499ea08a6d9ff193fc9cda57f04141f82d2422a4008f451200

      SHA512

      511b4d3886d671d01c66d2509b784a199e68a00f2597d311d8d0770f0b1030680136ee450343a8d6c4b51d9de8448bafdde44dc1a1c6e62bccde47d5af03fbae

    • memory/1192-138-0x0000000002580000-0x0000000002581000-memory.dmp

      Filesize

      4KB

    • memory/1880-18-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/1880-0-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/1880-17-0x00000000002A0000-0x00000000002DD000-memory.dmp

      Filesize

      244KB

    • memory/2152-19-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/2152-3072-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/2152-141-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/2152-4300-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/2836-26-0x000007FEF5D13000-0x000007FEF5D14000-memory.dmp

      Filesize

      4KB

    • memory/2836-27-0x0000000000970000-0x0000000000FE4000-memory.dmp

      Filesize

      6.5MB

    • memory/2836-30-0x000007FEF5D10000-0x000007FEF66FC000-memory.dmp

      Filesize

      9.9MB

    • memory/2836-136-0x000007FEF5D10000-0x000007FEF66FC000-memory.dmp

      Filesize

      9.9MB