Analysis

  • max time kernel
    149s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    31-10-2024 08:24

General

  • Target

    167aa5ede83a858c0b43b5635f716071ad8cb4834c08be0ecf53314f00df77a5.exe

  • Size

    583KB

  • MD5

    9a107d347610b8a0c9aaf492ed6a5e8d

  • SHA1

    26e6dc683a9a4a00a6adf3601a11e5a679ab8b29

  • SHA256

    167aa5ede83a858c0b43b5635f716071ad8cb4834c08be0ecf53314f00df77a5

  • SHA512

    ca09f3c4b15e74b678cf6e199f55c6d462e15495226fa915031ee5e36f212d8e1a0814d4841ced27bd06f3de3dbf60c1b809086b4cea5b8bf2692b8de0fe148d

  • SSDEEP

    12288:x+azbvt7a3iwbihym2g7XO3LWUQfh4Co:xBzbA+gkE2fh4Co

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 43 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1272
      • C:\Users\Admin\AppData\Local\Temp\167aa5ede83a858c0b43b5635f716071ad8cb4834c08be0ecf53314f00df77a5.exe
        "C:\Users\Admin\AppData\Local\Temp\167aa5ede83a858c0b43b5635f716071ad8cb4834c08be0ecf53314f00df77a5.exe"
        2⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2188
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1560
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:2080
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\$$aD375.bat
          3⤵
          • Deletes itself
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1384
          • C:\Users\Admin\AppData\Local\Temp\167aa5ede83a858c0b43b5635f716071ad8cb4834c08be0ecf53314f00df77a5.exe
            "C:\Users\Admin\AppData\Local\Temp\167aa5ede83a858c0b43b5635f716071ad8cb4834c08be0ecf53314f00df77a5.exe"
            4⤵
            • Executes dropped EXE
            PID:2888
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Drops startup file
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2168
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2768
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2808
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2904
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2784

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

      Filesize

      484KB

      MD5

      41d5bd106a62b9a38b1c76df058c795d

      SHA1

      f4d66b06c910103c30e24010f380d2d98bd49cab

      SHA256

      a3d71d07d47ca777c1976260894fa8f618a7dc9e5626150b578dd01f722d522f

      SHA512

      46326985ebc5f47fe1542b04b5d78ef58b9fbf3ae7e8f08346b26dbc767eef6a46cebb5d27acc08cb7ce280e814e31032168566d2c2c75f0e0a54745ab976f22

    • C:\Users\Admin\AppData\Local\Temp\$$aD375.bat

      Filesize

      722B

      MD5

      731d347e32d7aecd4742c7e8830848e1

      SHA1

      99c9a5f5a36c12c4588570eb324212770dfd6b4d

      SHA256

      b3dc7b7ad0158956e46557e51f61d1b73e1d7169da16289ff2202722e05fc07c

      SHA512

      9f36eeda0f8f8d54742e6f15dce01ee1fe8c6adbc44c8b18018381661c2be3d3ecd2cfe5016b93be1c3820a9f4eed724124a660076b6aeb62a525ed4daf06dff

    • C:\Users\Admin\AppData\Local\Temp\167aa5ede83a858c0b43b5635f716071ad8cb4834c08be0ecf53314f00df77a5.exe.exe

      Filesize

      544KB

      MD5

      9a1dd1d96481d61934dcc2d568971d06

      SHA1

      f136ef9bf8bd2fc753292fb5b7cf173a22675fb3

      SHA256

      8cebb25e240db3b6986fcaed6bc0b900fa09dad763a56fb71273529266c5c525

      SHA512

      7ac1581f8a29e778ba1a1220670796c47fa5b838417f8f635e2cb1998a01515cff3ee57045dacb78a8ec70d43754b970743aba600379fe6d9481958d32d8a5aa

    • C:\Windows\Logo1_.exe

      Filesize

      39KB

      MD5

      a71bfcd1ef96edb3cc326e1b76824622

      SHA1

      387956a928cafd3b7bf815274ac9ddfb01e59562

      SHA256

      0cd414bed04b78dd4100d3bdddc3fa140a3558caf58072d00359f3e88760c370

      SHA512

      3add11586e4795a4c92b18fc12e0639beef6f2b60f7c5db7276c94f88f2aab7a9c4ad0ad2b60b48646eabc9a5a6cd3607c539223fc210201da7963caa5b7dc92

    • F:\$RECYCLE.BIN\S-1-5-21-3692679935-4019334568-335155002-1000\_desktop.ini

      Filesize

      10B

      MD5

      688d58fa5756a393f9472937ef284c25

      SHA1

      18ee07a5ee8de4fbd046763cd4a55ef2e6c3f808

      SHA256

      e21f27bdf2d90c77d75658b5217d5af4519a6c1bfc326a109eb4a085a2b83302

      SHA512

      c84930eb323c71ffc1edac543a2f60e366de40b39a88b18dba09c1272fae0b12262f4fae496bc9546598507fc37729d829f93b101bbec4739a05be33e0010a3f

    • memory/1272-28-0x00000000029E0000-0x00000000029E1000-memory.dmp

      Filesize

      4KB

    • memory/2168-4130-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/2168-20-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/2168-1476-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/2168-32-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/2188-18-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/2188-16-0x0000000000230000-0x000000000026D000-memory.dmp

      Filesize

      244KB

    • memory/2188-0-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/2188-12-0x0000000000230000-0x000000000026D000-memory.dmp

      Filesize

      244KB