Analysis

  • max time kernel
    150s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    08/11/2024, 13:18

General

  • Target

    1f3f520cdd0b0fc15008c4087b9128e9f9be3f8a0825ca90b45a5a63fdbb85bf.exe

  • Size

    33KB

  • MD5

    acea89f403bcb47ee1d946bcda6fd439

  • SHA1

    a919c58021cec518e83830e534b687c2063fdba3

  • SHA256

    1f3f520cdd0b0fc15008c4087b9128e9f9be3f8a0825ca90b45a5a63fdbb85bf

  • SHA512

    eb629979a847d4107088dc15c1fe0ca34b87f76de8e30bc4b2ec167604fc200fe78d235e1a3f940861428f3c8d325fb1dc82ed424238dac8f2b8cb7ed33ca6e1

  • SSDEEP

    384:CbbBSGIAF+GPO5RQ0JvoNcAJAS6X4S39AaxIINU716CYlC5nQLiX/zrnFOlVCFlI:mxt5PO5RroZJ767395uINUh5dIInc

Malware Config

Signatures

  • Drops startup file 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 30 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1152
      • C:\Users\Admin\AppData\Local\Temp\1f3f520cdd0b0fc15008c4087b9128e9f9be3f8a0825ca90b45a5a63fdbb85bf.exe
        "C:\Users\Admin\AppData\Local\Temp\1f3f520cdd0b0fc15008c4087b9128e9f9be3f8a0825ca90b45a5a63fdbb85bf.exe"
        2⤵
        • Drops startup file
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2420
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1640
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:1716
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2352
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:2284

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

            Filesize

            258KB

            MD5

            1e9f97cc35138767ad33d8ecf8e68cd9

            SHA1

            2f996e70426b1226f60833376fdc80fcca241ebd

            SHA256

            4f8f440f83f1f52240316cef94af0b3421dc5bcf1412185c8033ae25445fc8dd

            SHA512

            12ef3b98f6c57a8141fb4cb84280bab5038628d798740be3c6a0defaaa37d74ef7f270bc648dd0dabb64ea7489f8dfc45809b0a2e0314cf08dfaef96525aaebe

          • C:\Program Files\7-Zip\7zG.exe

            Filesize

            717KB

            MD5

            528b5bba23da4783b42cafad5e1c60d7

            SHA1

            b64e96efb00977bd1d8a0c949046b32ae23856eb

            SHA256

            cad496a930baf44dad0eb8b0e9c34f8fccf2410984bca5955aba7c66c15a0f04

            SHA512

            922b56cd83e867faa8e47d48d7c903c6af4de470538f2eaa49620124fb24ec59dd2c57ff32abd93152ed3462534b5296bb6f75e6721241695510fb8b2cd33b52

          • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

            Filesize

            478KB

            MD5

            88ebffeda5f485117bea8ed1af2bc7a2

            SHA1

            ffe087732bb54277e9e3d34fdce899d667bb90bd

            SHA256

            3d884ccebaba6949715611435af8a26d9c343650d0914383b0405bb0d2685b9b

            SHA512

            2f786abb377cfac242e2e58214e465c8146cb02f58e3bbedfe25d8f641e001a7e043ce0d176a6bbb77aaea8f791287ba0e37467032652e1116ad35e4f9137870

          • F:\$RECYCLE.BIN\S-1-5-21-2872745919-2748461613-2989606286-1000\_desktop.ini

            Filesize

            9B

            MD5

            f7d2b8208aeaba3c31668cdcaae5c0d7

            SHA1

            dbf13d797480dc1a10de2a6164557103660e81c9

            SHA256

            70e7188042cdd89d0c810f2efbce72a86afd08d50aaa4b527f96a802a1e139b9

            SHA512

            972ff3f39a2693026bb2b8baacb54564b9ceb80e9073ed338ec80d413a7cd6b126969068f44f196b93864ea82e6dbeada0ffc94c65754b7bba82469386161c40

          • memory/1152-3-0x0000000002F90000-0x0000000002F91000-memory.dmp

            Filesize

            4KB

          • memory/2420-0-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

          • memory/2420-8-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

          • memory/2420-2977-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

          • memory/2420-4169-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB