Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-10-2024 04:22

General

  • Target

    ec479b359747438266f75f97bb50b916d0f27d607e3dd40d8871c299a43cba4e.exe

  • Size

    488KB

  • MD5

    de4f99d33c3138d156d2227d1b33c300

  • SHA1

    539dffd0a2747a2476194ea4622ce811b777d2c9

  • SHA256

    ec479b359747438266f75f97bb50b916d0f27d607e3dd40d8871c299a43cba4e

  • SHA512

    4db6e5810373d94603df13bbac362ef5e0d76a5b5400aac1d3d132706058fd69b58b5423ecfd811efe2f925d91fdf137b5a009b6d22a0a8d5fbcf9e300d3b7e0

  • SSDEEP

    12288:CX1m03qIOkU8AMXE9B7PElZlP41N+4PUWfo:o1meBOkUhMXcBwc04nA

Malware Config

Signatures

  • Drops startup file 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3532
      • C:\Users\Admin\AppData\Local\Temp\ec479b359747438266f75f97bb50b916d0f27d607e3dd40d8871c299a43cba4e.exe
        "C:\Users\Admin\AppData\Local\Temp\ec479b359747438266f75f97bb50b916d0f27d607e3dd40d8871c299a43cba4e.exe"
        2⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:924
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1552
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:1628
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a6EE6.bat
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2800
          • C:\Users\Admin\AppData\Local\Temp\ec479b359747438266f75f97bb50b916d0f27d607e3dd40d8871c299a43cba4e.exe
            "C:\Users\Admin\AppData\Local\Temp\ec479b359747438266f75f97bb50b916d0f27d607e3dd40d8871c299a43cba4e.exe"
            4⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:5000
            • C:\Users\Admin\AppData\Local\Temp\ec479b359747438266f75f97bb50b916d0f27d607e3dd40d8871c299a43cba4e.exe
              "C:\Users\Admin\AppData\Local\Temp\ec479b359747438266f75f97bb50b916d0f27d607e3dd40d8871c299a43cba4e.exe" -burn.unelevated BurnPipe.{A82C33E8-B55A-445F-BE64-7127AEE3C92E} {DDE9AE8A-290E-4F4C-B2B7-81CEBCD9B74B} 5000
              5⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              PID:404
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Drops startup file
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:4444
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:4832
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2948
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:4904
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:216

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe

      Filesize

      251KB

      MD5

      10a7fff2e496850370cd3b3ee33cada0

      SHA1

      2fbeb0236ab8937b7aa472cae8b3720802e9c764

      SHA256

      3114db136b324064263065317536490601c26e731d3558a7caf6cc7507db4d97

      SHA512

      d714185364cce8be63ecaa6ba4abdd3da5ded059a2df252f9d26e2440cbbcecfc96e0944a84ea3201b0d8b1afa57154053dc814995dbea36bd06dfbfe629ef58

    • C:\Program Files\7-Zip\7z.exe

      Filesize

      577KB

      MD5

      c271a86be0a29d90a35fe31a5c49272e

      SHA1

      40ce9f85f7a6dda6fe54d36a86a46d131bc120dc

      SHA256

      6865992bfc8198f5af017209cc289eb9d2adee1e4aede750f881fb5cf307523a

      SHA512

      e32d6246ec9c00d8bb8a14793f30b22983f1c03ea418c241bf4c8e22c9992334fe0ab3715b64e3d43d44b9a6cba86e4d75c2ff55d8ff2201fcb1329510b762ae

    • C:\Users\Admin\AppData\Local\Temp\$$a6EE6.bat

      Filesize

      722B

      MD5

      837261d9f78481633c5764da0233d2f5

      SHA1

      2c40a36213c3deb56a20cd40a2361fa81ccf052b

      SHA256

      8bc469cce08c7b84b57e5256ba8320dfa749cf02d6de639ac26b4d8df07a1f74

      SHA512

      00487d02e82a5c0b126361808016a6adbe8054ee2d5b7e7d852e809f93bd59fe9bac930b853a6fc663267791c21d211661fa3bfbe121a684ce5be079bfdb836b

    • C:\Users\Admin\AppData\Local\Temp\ec479b359747438266f75f97bb50b916d0f27d607e3dd40d8871c299a43cba4e.exe.exe

      Filesize

      455KB

      MD5

      6503c081f51457300e9bdef49253b867

      SHA1

      9313190893fdb4b732a5890845bd2337ea05366e

      SHA256

      5ebba234b1d2ff66d4797e2334f97e0ed38f066df15403db241ca9feb92730ea

      SHA512

      4477dbcee202971973786d62a8c22f889ea1f95b76a7279f0f11c315216d7e0f9e57018eabf2cf09fda0b58cae2178c14dcb70e2dee7efd3705c8b857f9d3901

    • C:\Users\Admin\AppData\Local\Temp\{61087a79-ac85-455c-934d-1fa22cc64f36}\.ba1\logo.png

      Filesize

      1KB

      MD5

      d6bd210f227442b3362493d046cea233

      SHA1

      ff286ac8370fc655aea0ef35e9cf0bfcb6d698de

      SHA256

      335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef

      SHA512

      464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

    • C:\Users\Admin\AppData\Local\Temp\{61087a79-ac85-455c-934d-1fa22cc64f36}\.ba1\wixstdba.dll

      Filesize

      117KB

      MD5

      a52e5220efb60813b31a82d101a97dcb

      SHA1

      56e16e4df0944cb07e73a01301886644f062d79b

      SHA256

      e7c8e7edd9112137895820e789baaaeca41626b01fb99fede82968ddb66d02cf

      SHA512

      d6565ba18b5b9795d6bde3ef94d8f7cd77bf8bb69ba3fe7adefb80fc7c5d888cdfdc79238d86a0839846aea4a1e51fc0caed3d62f7054885e8b15fad9f6c654e

    • C:\Windows\Logo1_.exe

      Filesize

      33KB

      MD5

      dd7de04b7104a93e35fb3a577b5b621b

      SHA1

      4d84ff8b82f359e1c303d9d68dda6dc503848ad6

      SHA256

      fc02df6a818f176e9499cda422291726b9e3d37d6e381dd5629295df031cde03

      SHA512

      569116a84fd5d09c06c4967d466de2f6a7be71b77edaa28bef11836d0eb5fa20eef5c9c415540a8f5f785cdbe0e059f21a835952b81ac97b5e620a52bf56a921

    • F:\$RECYCLE.BIN\S-1-5-21-2878641211-696417878-3864914810-1000\_desktop.ini

      Filesize

      10B

      MD5

      28a582403dbb209b6c5cb7bada9c918d

      SHA1

      db58560be63032a4cbd738d2d639e5bf764d6277

      SHA256

      b5a9fa3acde4d9499ea08a6d9ff193fc9cda57f04141f82d2422a4008f451200

      SHA512

      511b4d3886d671d01c66d2509b784a199e68a00f2597d311d8d0770f0b1030680136ee450343a8d6c4b51d9de8448bafdde44dc1a1c6e62bccde47d5af03fbae

    • memory/924-0-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/924-10-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/4444-36-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/4444-3564-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/4444-8-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/4444-8748-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB