Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    26-10-2024 04:14

General

  • Target

    02d27dc43e5599144329fecc9ed1220f4d3b675302dcd9998d2fef859f5303e3.exe

  • Size

    6.5MB

  • MD5

    178fa8bfc57c0f593619559868a20b12

  • SHA1

    edde5f6d54c02a1189829af8a20b9287fa9d6e80

  • SHA256

    02d27dc43e5599144329fecc9ed1220f4d3b675302dcd9998d2fef859f5303e3

  • SHA512

    26332a13779550fd6f26c9f21c2cc431e4a2d3153c36943397a936d05f756018ac26e8215d97c500fdd7e7438024cc442a4de4849ea68800ee30a3c3b5c6d62d

  • SSDEEP

    196608:fCzNA7rlvRz1rrFBV6tpjuj6gYPKHCKsg:fjUtYj6gYPYp

Malware Config

Signatures

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3360
      • C:\Users\Admin\AppData\Local\Temp\02d27dc43e5599144329fecc9ed1220f4d3b675302dcd9998d2fef859f5303e3.exe
        "C:\Users\Admin\AppData\Local\Temp\02d27dc43e5599144329fecc9ed1220f4d3b675302dcd9998d2fef859f5303e3.exe"
        2⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:3968
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4048
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:3048
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aABFF.bat
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1180
          • C:\Users\Admin\AppData\Local\Temp\02d27dc43e5599144329fecc9ed1220f4d3b675302dcd9998d2fef859f5303e3.exe
            "C:\Users\Admin\AppData\Local\Temp\02d27dc43e5599144329fecc9ed1220f4d3b675302dcd9998d2fef859f5303e3.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:2528
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Drops startup file
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:1336
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2312
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:320
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2928
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2660
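The process tree above, together with the Signatures list, shows the behaviours a detection engineer would key on: net.exe/net1.exe stopping an antivirus service, cmd.exe running a batch file from %TEMP% that re-launches the sample, an executable dropped directly into C:\Windows and then executed, and a marker file written into $RECYCLE.BIN on a non-system drive. The Python below is an added example, not part of the sandbox report or of any vendor's tooling: it encodes those patterns as rules over a hand-built event list. The ProcEvent/FileEvent records are constructed from the PIDs, images, command lines and paths listed in this report; the parent of Explorer.EXE (ppid 0), which PID wrote each dropped file, and the rule names are assumptions.

```python
"""Behavioural rules over sandbox-style process and file events (added example)."""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass(frozen=True)
class FileEvent:
    pid: int      # PID assumed to have written the file
    path: str


SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\02d27dc43e5599144329fecc9ed1220f4d3b675302dcd9998d2fef859f5303e3.exe")
NET_STOP = 'net stop "Kingsoft AntiVirus Service"'
NET1_STOP = r'C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"'

# Constructed from the report's process tree (PIDs, parent links, images, command lines).
# Explorer.EXE is treated as the root; its ppid of 0 is an assumption.
PROCS = [
    ProcEvent(3360, 0, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    ProcEvent(3968, 3360, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(4048, 3968, r"C:\Windows\SysWOW64\net.exe", NET_STOP),
    ProcEvent(3048, 4048, r"C:\Windows\SysWOW64\net1.exe", NET1_STOP),
    ProcEvent(1180, 3968, r"C:\Windows\SysWOW64\cmd.exe",
              r"C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aABFF.bat"),
    ProcEvent(2528, 1180, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(1336, 3968, r"C:\Windows\Logo1_.exe", r"C:\Windows\Logo1_.exe"),
    ProcEvent(2312, 1336, r"C:\Windows\SysWOW64\net.exe", NET_STOP),
    ProcEvent(320, 2312, r"C:\Windows\SysWOW64\net1.exe", NET1_STOP),
    ProcEvent(2928, 1336, r"C:\Windows\SysWOW64\net.exe", NET_STOP),
    ProcEvent(2660, 2928, r"C:\Windows\SysWOW64\net1.exe", NET1_STOP),
]

# Constructed from the report's dropped-file list; the writing PIDs are assumptions
# guided by which processes the report tags with "Drops file in ... directory".
FILES = [
    FileEvent(3968, r"C:\Windows\Logo1_.exe"),
    FileEvent(3968, r"C:\Users\Admin\AppData\Local\Temp\$$aABFF.bat"),
    FileEvent(1336, r"C:\Program Files\FormatRead.exe"),
    FileEvent(1336, r"F:\$RECYCLE.BIN\S-1-5-21-2045521122-590294423-3465680274-1000\_desktop.ini"),
    FileEvent(2528, r"C:\Users\Admin\AppData\Local\Temp\tools\7z.exe"),
]

# "net stop" (or net1 stop) against a service whose name looks like a security product.
AV_STOP = re.compile(r'\bstop\s+"?[^"]*(?:anti[- ]?virus|defender|security|protect)', re.I)
# cmd.exe /c <something>.bat located under the user's %TEMP%.
TEMP_BAT = re.compile(r'/c\s+"?(?P<bat>[A-Za-z]:\\[^"]*\\AppData\\Local\\Temp\\[^"\s]+\.bat)', re.I)
# An .exe written straight into C:\Windows (not into System32/SysWOW64).
WINDIR_EXE = re.compile(r"^C:\\Windows\\[^\\]+\.exe$", re.I)
# A _desktop.ini dropped into $RECYCLE.BIN on any drive other than C:.
RECYCLE_MARKER = re.compile(r"^[D-Z]:\\\$RECYCLE\.BIN\\.*\\_desktop\.ini$", re.I)


def ancestors(by_pid, pid):
    """Yield the ancestors of pid, nearest first; stops at an unknown parent or a cycle."""
    seen = set()
    cur = by_pid.get(pid)
    while cur is not None and cur.ppid in by_pid and cur.ppid not in seen:
        seen.add(cur.ppid)
        cur = by_pid[cur.ppid]
        yield cur


def detect(procs, files):
    """Return (rule_name, pid_or_path) findings for the four behaviours described above."""
    by_pid = {p.pid: p for p in procs}
    children = defaultdict(list)
    for p in procs:
        children[p.ppid].append(p)
    executed_images = {p.image.lower() for p in procs}
    findings = []

    for p in procs:
        base = p.image.rsplit("\\", 1)[-1].lower()
        if base in ("net.exe", "net1.exe") and AV_STOP.search(p.cmdline):
            findings.append(("av_service_stop", p.pid))
        if base == "cmd.exe" and TEMP_BAT.search(p.cmdline):
            # The batch file re-launches an image that is already in cmd's ancestry:
            # the sample hands off to a temp .bat which starts the sample again.
            ancestor_images = {a.image.lower() for a in ancestors(by_pid, p.pid)}
            for child in children[p.pid]:
                if child.image.lower() in ancestor_images:
                    findings.append(("temp_bat_relaunch", child.pid))

    for f in files:
        if WINDIR_EXE.match(f.path):
            tag = "windir_exe_executed" if f.path.lower() in executed_images else "windir_exe_dropped"
            findings.append((tag, f.path))
        if RECYCLE_MARKER.match(f.path):
            findings.append(("removable_drive_marker", f.path))
    return findings


if __name__ == "__main__":
    for rule, subject in detect(PROCS, FILES):
        print(f"{rule:24} {subject}")
```

Run against the constructed events, the rules fire six times for the service-stop chain (each net.exe and its net1.exe child), once for the sample re-launched under PID 2528 via the temp batch file, once for Logo1_.exe being both dropped into C:\Windows and executed, and once for the _desktop.ini marker on the F: drive. The re-launch rule deliberately compares the child's image against the whole ancestry rather than the direct parent, since the batch hop puts cmd.exe between the two copies of the sample.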

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe

      Filesize

      251KB

      MD5

      25289b652ba570bb7865014294dbafdc

      SHA1

      3b9853b795419c9d08b3fe88705d7a1b38fd6399

      SHA256

      211cd6cf08591be8bcf0ea63c6c6cdbcd2439b61062bc9f8dcd4e91250891b9b

      SHA512

      7465aea7eacf5674305e2e4d8722723e06e1761f48a2fc5ad26a04561589bf6465abfc6696f931407a49e80288a681bc07ca078361b0f5be30e6903168d36082

    • C:\Program Files\FormatRead.exe

      Filesize

      488KB

      MD5

      088cfecffaa7ad64f6b0317f3dd70054

      SHA1

      720fbc36a55c2fbe0ef2610d89093f8ed0bbaf98

      SHA256

      006ab9587bb2d6a0ef067df8840f9b303d361032f50cec8e8dbb94954bf20025

      SHA512

      6936f8ca350b1d09c63e422801599fef0da289bb0eb81d0e4d3b5b0397e46f9ec661454e45bd1b641a2a7d00215ff9a290b0f0e6c83b9cd8e5078b07926dee50

    • C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe

      Filesize

      643KB

      MD5

      efcce7232eb78a3095a2cedcfcff1d26

      SHA1

      fcecbd07f20e3500faa209e80cf1c78af3fd10a7

      SHA256

      c091a8efdac1e393ae2cc2b45686cf63b9ed2ad73d7b334031a13fa340f65429

      SHA512

      d787335cb0f515a626e16f6d99ce151eccbca0f7888db2405bdc2445e96afff22afe292a06d57b6f8ae6c24ea3c8d114649b23b2cfe7352f921e55e47503fef4

    • C:\Users\Admin\AppData\Local\Temp\$$aABFF.bat

      Filesize

      722B

      MD5

      56b953210101fe2830c8e75b114b344b

      SHA1

      8e38aee6d71585684c06cdd95acf881b0acc4a9b

      SHA256

      5ca3d3273f1ceb79f62e64f5d1aa29438556c309de627c1130b4d4ce1007d281

      SHA512

      38b2170e246e591382495d37683951e78b1df0b0d395dbb0ba0a2a2710e3b997d172c3c130864a0cb921eafd7f31eb05327436c7e0a3630812f446438f2e7be3

    • C:\Users\Admin\AppData\Local\Temp\02d27dc43e5599144329fecc9ed1220f4d3b675302dcd9998d2fef859f5303e3.exe.exe

      Filesize

      6.4MB

      MD5

      f24affc10132405930282aaeb206b7b7

      SHA1

      462d7a447a7d6f06bf3083c2af2f00b615c6a1a0

      SHA256

      abcca6f158b94303d92197bf8e6db545fe4929161e3767619176c4574ccb70fc

      SHA512

      c7729e3a050797b7d2c6ee07cc432c6dca56ffdb6b7e2662b1a70c90e287bbb2480a3752f262a896110f60f9ce18f884452f3cae3a06c80bef5eec476fba8cfe

    • C:\Users\Admin\AppData\Local\Temp\config\chocolatey.config.2528.update

      Filesize

      9KB

      MD5

      78e591860832608ebc49dddd9fc0e1db

      SHA1

      d927f135f15190f95805dd8bfe6df0de20dfff53

      SHA256

      ccb5f71ce184e151412a8f04144011ba4da50371c20ef12778d276577f691f9a

      SHA512

      57f334f57f0aaba4238e7ce834784dece8e81cceae248999f1a45aa8fed0b86fe20f3d6ac6fb3649cf653e9f65f3b35695e203f1d6ed1e54e073df10fe008fc0

    • C:\Users\Admin\AppData\Local\Temp\redirects\choco.exe

      Filesize

      166KB

      MD5

      10aaf2cebba115d53566b56f9fae1326

      SHA1

      a52d2e0102ece5cfd4a95fb4bec0f0bb47af1545

      SHA256

      64f47b2c959d0bfa493e104796ff25b2e9159cae1b4bb8dd12e2a9bddac4c384

      SHA512

      bb6b913fa1364fb4b6963ba47b251fa9e5f2089a5c215e5d1778562998ff05969ca421512ecda0aed0c6b425d150b9f895808c7561763f04aa30a573b6ec7010

    • C:\Users\Admin\AppData\Local\Temp\redirects\chocolatey.exe

      Filesize

      166KB

      MD5

      5af52e83386c82a63536f4015eea27fb

      SHA1

      b160b7d8654282f7231641b2b511ae1dccc15698

      SHA256

      21ef9ee0595e8ddcd7d69bf79002b1ca04be60277a2e91c8dfb8272dffb327cf

      SHA512

      52d98979982edaaadcf078632d0cec6da585dc1e6cf9d9e75594e0c98cb99d0d638b496ddc5c4c8abf3d47000758da0a6fe74e51c2ce6634ead820b8971d6e0f

    • C:\Users\Admin\AppData\Local\Temp\redirects\cinst.exe

      Filesize

      166KB

      MD5

      9c57de2b95339834ff959dbafe8acbfd

      SHA1

      2bae31eedbfb862eda3e0c051f14bef41efa8974

      SHA256

      0cc6cd8d875e4955a4c7e5a14a75ed29620910bc90a7ccc68920bd71d32859db

      SHA512

      5deb6ba906efd1db417db1f165f93b0bd4e968900d084b069fed173d855c51177bce1f83fa6c4e8b2c7205517d6ef508fe3063e22bc200de5ddadf482082d643

    • C:\Users\Admin\AppData\Local\Temp\redirects\clist.exe

      Filesize

      166KB

      MD5

      ecc99433f78693bc1f3d00eb9e3ad5a1

      SHA1

      6ee702765220d805b844b49fea99059a368c4935

      SHA256

      29b21c4872dd9dacde93a39441959889c6a367a5c84bca598851162e8f998c48

      SHA512

      c3436592e897d842a0fe5274bcb327483a9b2801d71fb1fe07b8d68a02e684c16db3dffa7d8fcd458087520418888aad74413643cb6cc1ae198a7f7ce15df70d

    • C:\Users\Admin\AppData\Local\Temp\redirects\cpack.exe

      Filesize

      166KB

      MD5

      b39ce207bda2c90673b117760317b3e7

      SHA1

      182bd9b614d9e5003d219ddbd46727cb57a4e990

      SHA256

      58c70053203dc94f045fdd8b53fceb60da9bfc32ff56b1c6ed61833994bb1e90

      SHA512

      25bad2614e71ed99116f554f6ef667dcc95a9d83ed7810132e3b2672bee7f51ee27d50fe0a67c52d26197a85bbe8dad699dbe608e09f032533d303be4feeb405

    • C:\Users\Admin\AppData\Local\Temp\redirects\cpush.exe

      Filesize

      166KB

      MD5

      93efaad020ebe4f5994afb9a6e454adb

      SHA1

      8b85c1d8e32771f12f09ba9e930f5894bed593c4

      SHA256

      71d7948a42d68eaa2c0f2db15bcfb3ee86f41ee794969c45ea4b63f1e87a9a35

      SHA512

      cb951054d63a330de2f2fefd0b27cec9a786b224cc18e2d3be0ca0a1d48bc77431043da032e5b61931c3111db5b46e583881f938855d332a73e32645b4c22d48

    • C:\Users\Admin\AppData\Local\Temp\redirects\cuninst.exe

      Filesize

      166KB

      MD5

      44f5c164b976a1b8dc37b9afceca627b

      SHA1

      1f94dceb0b05cd9069d929cbecf5054c5775b80e

      SHA256

      8fd9902a1e1bad8d1a4e9ced5386768dd2f04257d99b73f3e5cc575783ad644a

      SHA512

      bcf335b85f1216b0f5c22c7f8a65b78ca284312787377360d42f946833e6cc79a23447acfbef06060c88dfcf742b6c52cf5ab5f97f0d509fd0b8cfc979dcf8ed

    • C:\Users\Admin\AppData\Local\Temp\redirects\cup.exe

      Filesize

      166KB

      MD5

      0ec3809dea6547547acb9104a692921a

      SHA1

      5edb48b5c045df9ddd8acbdbd5194e5b0b3f62f4

      SHA256

      0350a99b7c85cd21e22cbc990b4a2db8d27dd24bb100ddfe096000e6a5bc3954

      SHA512

      2f514dedc832b59a36d7cbab8c65015a426d9ba9fbd4de10a5071fad145241b22d5a81d4fa65c36030fc701e989a97abf310b70fc86eacd47494a9b638035539

    • C:\Users\Admin\AppData\Local\Temp\redirects\cver.exe

      Filesize

      166KB

      MD5

      d242c8f1f34adc4e2a18d7664b980044

      SHA1

      e4580cff26ed508f5abdb3f1a67470ba647554ae

      SHA256

      a61ab0eb1680fead55a37630d822c6d4e25a53437fcf2d4521f52852f5db7ecd

      SHA512

      bb257601f49c81f9cf3a29776fdbed0bb6b468c12e568a1abeb462e7d467fc5194b56425fa48c7ef242979190ae5bb58bae25971ed7b82df479d6f9378b7012f

    • C:\Users\Admin\AppData\Local\Temp\tools\7z.exe

      Filesize

      317KB

      MD5

      e21f5dd05257ece5fb64430b77cfa5c9

      SHA1

      3bac7f4dbc6e5bd4531d0f48aa6fc878311c5608

      SHA256

      d293bdd8180921bfb31cb8afe91d7339acb3cee4c406df6c56c87f9460932b44

      SHA512

      82588d57617eff7f8419b8830dd332afe0aaf9b284e6dee1aed05c8c3a79dc73fa031670fb14a0b81ec27cdb59b97d2aa41e3edd05b7f00f8eab0c4a11cbebef

    • C:\Users\Admin\AppData\Local\Temp\tools\checksum.exe

      Filesize

      61KB

      MD5

      3f7b9b16fe7c0c3130ddd546c3f82c75

      SHA1

      d6ac383d6dcabaed425096bdcb94b4e59641f9ec

      SHA256

      1f865c638c4da788a5d517a0a11727338f58cbe5d57d6b822f5bd06415cb8b9f

      SHA512

      d2842c34b74a56345c90ab6797d25d793d72b3987022a6e405b62bba15f11653735d521270f1512fd63257281594874e028d3a6adc03ed0632a495b217b0782e

    • C:\Users\Admin\AppData\Local\Temp\tools\shimgen.exe

      Filesize

      228KB

      MD5

      16996e59468c0b980e9e71e1dfde5edf

      SHA1

      a9217ebff1cc074753499184f9b9a5abc97f89f7

      SHA256

      56833a73e78aac21aa3b88724564a6fc0e4b348014b162865e1f4f82aac1833d

      SHA512

      f876552307b7c167b6104c3cefe6fe07522e0fd91caacb8014fc4efc2be06399363bdd21a3660c633dc93849d1e453b8c22b45613ec9d7670d7b8aee058b1bd9

    • C:\Windows\Logo1_.exe

      Filesize

      33KB

      MD5

      4b59d42c30960693269448e00b2ffca6

      SHA1

      cd5f11fe1cfa26eef8d7b9e90ae2346b0d8cf562

      SHA256

      6a1d9701474cb7644e120689be4c71fe45f978be0c2934ff91481124c1f14363

      SHA512

      07fb18f632389983cc70432e59a247d94325da55f793c04db33d078c1d199628da9ccf45488610b3db25ca8c54f161630c7bb478e0a286babf42e168217a8ca1

    • F:\$RECYCLE.BIN\S-1-5-21-2045521122-590294423-3465680274-1000\_desktop.ini

      Filesize

      10B

      MD5

      28a582403dbb209b6c5cb7bada9c918d

      SHA1

      db58560be63032a4cbd738d2d639e5bf764d6277

      SHA256

      b5a9fa3acde4d9499ea08a6d9ff193fc9cda57f04141f82d2422a4008f451200

      SHA512

      511b4d3886d671d01c66d2509b784a199e68a00f2597d311d8d0770f0b1030680136ee450343a8d6c4b51d9de8448bafdde44dc1a1c6e62bccde47d5af03fbae

    • memory/1336-9-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/1336-9009-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/1336-132-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/1336-2594-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/2528-16-0x0000000000AC0000-0x0000000001134000-memory.dmp

      Filesize

      6.5MB

    • memory/2528-15-0x00007FF94B4D3000-0x00007FF94B4D5000-memory.dmp

      Filesize

      8KB

    • memory/2528-130-0x00007FF94B4D0000-0x00007FF94BF91000-memory.dmp

      Filesize

      10.8MB

    • memory/2528-25-0x000000001BBE0000-0x000000001BBFE000-memory.dmp

      Filesize

      120KB

    • memory/2528-24-0x000000001BE90000-0x000000001BF06000-memory.dmp

      Filesize

      472KB

    • memory/2528-17-0x00007FF94B4D0000-0x00007FF94BF91000-memory.dmp

      Filesize

      10.8MB

    • memory/2528-23-0x000000001BDC0000-0x000000001BE10000-memory.dmp

      Filesize

      320KB

    • memory/3968-10-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/3968-0-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB