Analysis

  • max time kernel
    149s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    26-10-2024 04:20

General

  • Target

    f033bbb306ff9feebc9f881d7bf293d303af233130e795d86a20b16aad085eec.exe

  • Size

    478KB

  • MD5

    28959031896021bc7ca9f579de2cc456

  • SHA1

    3577f294e56af20384c17c2e6b30043d3fb467ce

  • SHA256

    f033bbb306ff9feebc9f881d7bf293d303af233130e795d86a20b16aad085eec

  • SHA512

    8ccc791701cbf875cff76feb50e78391fdc4375e0bd78c59111a657059e2f4c8c91b8603755bd5cfc1feb1abcc98b3eda6e3f810de8e8d60eb35090eecb21020

  • SSDEEP

    12288:CX1m0iZc0IursYCYQeSnyZJiqlEbXSb9NtCGOF2O27MVzy:o1mfMYenGJiKEbXWtfOkUy

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 43 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of WriteProcessMemory 48 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1188
      • C:\Users\Admin\AppData\Local\Temp\f033bbb306ff9feebc9f881d7bf293d303af233130e795d86a20b16aad085eec.exe
        "C:\Users\Admin\AppData\Local\Temp\f033bbb306ff9feebc9f881d7bf293d303af233130e795d86a20b16aad085eec.exe"
        2⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2776
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2848
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:2180
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\$$a3CF1.bat
          3⤵
          • Deletes itself
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2916
          • C:\Users\Admin\AppData\Local\Temp\f033bbb306ff9feebc9f881d7bf293d303af233130e795d86a20b16aad085eec.exe
            "C:\Users\Admin\AppData\Local\Temp\f033bbb306ff9feebc9f881d7bf293d303af233130e795d86a20b16aad085eec.exe"
            4⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2656
            • C:\Users\Admin\AppData\Local\Temp\f033bbb306ff9feebc9f881d7bf293d303af233130e795d86a20b16aad085eec.exe
              "C:\Users\Admin\AppData\Local\Temp\f033bbb306ff9feebc9f881d7bf293d303af233130e795d86a20b16aad085eec.exe" -burn.unelevated BurnPipe.{867ADDB3-92A1-4389-9562-99DA3A07396D} {A5907949-362F-43AA-9C83-109F92F26009} 2656
              5⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: GetForegroundWindowSpam
              PID:2752
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Drops startup file
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2960
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2060
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2680
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2424
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2608

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

      Filesize

      258KB

      MD5

      dd5f511ac42d9719d30a69ad45d2efd4

      SHA1

      6a74d19c5f70b2950a01f54d6526ed1e1db4dd42

      SHA256

      b209a195049e7e6704c77e5856589ab1a257bb70f6457099a5a39cd9531d81bb

      SHA512

      f1aae77e9af1cccdd44936477504d7d1e92a093b9755d555eaa1510f66e5ed4e96b25c7a8b6f2cb79bd39537d1aae368d6af0176be563885ef61d4e7d752ffaa

    • C:\Users\Admin\AppData\Local\Temp\$$a3CF1.bat

      Filesize

      722B

      MD5

      c862d0940f612bd83874e5bfc6dead17

      SHA1

      ce556fd27b35bc6a5f9a9df7b5bae434f823b9a7

      SHA256

      5eae0d6cf0a4b102a18caede39fd279dd4d2ccb9087b35a5a20f9e9fd56d263b

      SHA512

      27f2289791e82c139b0e39e1744c4f5b38a0d1e7f97ce7eef8f66b8aa6880f2a7fd79f7e7ab0831501a36f5b11524700f09cd5ad82ccf542f8c4c05e17245650

    • C:\Users\Admin\AppData\Local\Temp\f033bbb306ff9feebc9f881d7bf293d303af233130e795d86a20b16aad085eec.exe.exe

      Filesize

      444KB

      MD5

      2b48f69517044d82e1ee675b1690c08b

      SHA1

      83ca22c8a8e9355d2b184c516e58b5400d8343e0

      SHA256

      507bdc3ab5a6d9ddba2df68aff6f59572180134252f5eb8cb46f9bb23006b496

      SHA512

      97d9b130a483263ddf59c35baceba999d7c8db4effc97bcb935cb57acc7c8d46d3681c95e24975a099e701997330c6c6175e834ddb16abc48d5e9827c74a325b

    • C:\Users\Admin\AppData\Local\Temp\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\.ba1\logo.png

      Filesize

      1KB

      MD5

      d6bd210f227442b3362493d046cea233

      SHA1

      ff286ac8370fc655aea0ef35e9cf0bfcb6d698de

      SHA256

      335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef

      SHA512

      464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

    • C:\Windows\Logo1_.exe

      Filesize

      33KB

      MD5

      dd7de04b7104a93e35fb3a577b5b621b

      SHA1

      4d84ff8b82f359e1c303d9d68dda6dc503848ad6

      SHA256

      fc02df6a818f176e9499cda422291726b9e3d37d6e381dd5629295df031cde03

      SHA512

      569116a84fd5d09c06c4967d466de2f6a7be71b77edaa28bef11836d0eb5fa20eef5c9c415540a8f5f785cdbe0e059f21a835952b81ac97b5e620a52bf56a921

    • F:\$RECYCLE.BIN\S-1-5-21-3692679935-4019334568-335155002-1000\_desktop.ini

      Filesize

      10B

      MD5

      28a582403dbb209b6c5cb7bada9c918d

      SHA1

      db58560be63032a4cbd738d2d639e5bf764d6277

      SHA256

      b5a9fa3acde4d9499ea08a6d9ff193fc9cda57f04141f82d2422a4008f451200

      SHA512

      511b4d3886d671d01c66d2509b784a199e68a00f2597d311d8d0770f0b1030680136ee450343a8d6c4b51d9de8448bafdde44dc1a1c6e62bccde47d5af03fbae

    • \Users\Admin\AppData\Local\Temp\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\.ba1\wixstdba.dll

      Filesize

      126KB

      MD5

      d7bf29763354eda154aad637017b5483

      SHA1

      dfa7d296bfeecde738ef4708aaabfebec6bc1e48

      SHA256

      7f5f8fcfd84132579f07e395e65b44e1b031fe01a299bce0e3dd590131c5cb93

      SHA512

      1c76175732fe68b9b12cb46077daa21e086041adbd65401717a9a1b5f3c516e03c35a90897c22c7281647d6af4a1a5ffb3fbd5706ea376d8f6e574d27396019c

    • memory/1188-46-0x0000000002BA0000-0x0000000002BA1000-memory.dmp

      Filesize

      4KB

    • memory/2776-19-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/2776-15-0x0000000000230000-0x000000000026D000-memory.dmp

      Filesize

      244KB

    • memory/2776-0-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/2776-17-0x0000000000230000-0x000000000026D000-memory.dmp

      Filesize

      244KB

    • memory/2960-49-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/2960-1191-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/2960-3611-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/2960-4113-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB