Analysis

  • max time kernel
    149s
  • max time network
    135s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08/11/2024, 13:18

General

  • Target

    1f3f520cdd0b0fc15008c4087b9128e9f9be3f8a0825ca90b45a5a63fdbb85bf.exe

  • Size

    33KB

  • MD5

    acea89f403bcb47ee1d946bcda6fd439

  • SHA1

    a919c58021cec518e83830e534b687c2063fdba3

  • SHA256

    1f3f520cdd0b0fc15008c4087b9128e9f9be3f8a0825ca90b45a5a63fdbb85bf

  • SHA512

    eb629979a847d4107088dc15c1fe0ca34b87f76de8e30bc4b2ec167604fc200fe78d235e1a3f940861428f3c8d325fb1dc82ed424238dac8f2b8cb7ed33ca6e1

  • SSDEEP

    384:CbbBSGIAF+GPO5RQ0JvoNcAJAS6X4S39AaxIINU716CYlC5nQLiX/zrnFOlVCFlI:mxt5PO5RroZJ767395uINUh5dIInc

Malware Config

Signatures

  • Drops startup file 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 60 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3540
      • C:\Users\Admin\AppData\Local\Temp\1f3f520cdd0b0fc15008c4087b9128e9f9be3f8a0825ca90b45a5a63fdbb85bf.exe
        "C:\Users\Admin\AppData\Local\Temp\1f3f520cdd0b0fc15008c4087b9128e9f9be3f8a0825ca90b45a5a63fdbb85bf.exe"
        2⤵
        • Drops startup file
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:3552
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4248
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:1088
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2476
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:3712

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe

            Filesize

            250KB

            MD5

            d8445e3c33aa7cf4e7dad5ee2d82ff97

            SHA1

            31cd4be9005d330070f0a785b3be7bbca41b5633

            SHA256

            b2c68dcdf45647714381979b098770f8438770d2570546cca189542842b879b0

            SHA512

            b6a14b6f41865dc0e35f07319061304981e6245709ed9cd9b02e57e149c2b1fc78d98f18d6daeb1219e935fba76891a8f8d657a1b460e7751678492531114cde

          • C:\Program Files\dotnet\dotnet.exe

            Filesize

            176KB

            MD5

            4555fe35ce759bcd003af1e51f2e4f6f

            SHA1

            b10547096d62f3a4a9035712fc65f4afbba190d6

            SHA256

            efc665c01345ec8f06cedaf78e0c2d07bdec3b3beaf3e84b7825dea453169923

            SHA512

            620783191a9b7869e7fe113636d876f0a06100001790beb26245a73150d2a79523e287959d920e214c483dd086b88c3c96b73c8fa31778ed54532691d1029211

          • C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe

            Filesize

            643KB

            MD5

            bc39de0e7ce4a364aef222509a15c2c0

            SHA1

            149133051e80a25bfa8bbcf5b504da0895d2d315

            SHA256

            c56d31fac01d70b70dffefabef3b181525386687002dd3432931bcf8454ad7f9

            SHA512

            0e0bb42ede861f28b3886001bff0172cf3f985bb38bd13145c356d7c8d7ae0597dda87ddf7e44c159e18cabd514dfbca84ccbc9bc704aabaf978b899eaec1c46

          • F:\$RECYCLE.BIN\S-1-5-21-3442511616-637977696-3186306149-1000\_desktop.ini

            Filesize

            9B

            MD5

            f7d2b8208aeaba3c31668cdcaae5c0d7

            SHA1

            dbf13d797480dc1a10de2a6164557103660e81c9

            SHA256

            70e7188042cdd89d0c810f2efbce72a86afd08d50aaa4b527f96a802a1e139b9

            SHA512

            972ff3f39a2693026bb2b8baacb54564b9ceb80e9073ed338ec80d413a7cd6b126969068f44f196b93864ea82e6dbeada0ffc94c65754b7bba82469386161c40

          • memory/3552-0-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

          • memory/3552-3-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

          • memory/3552-2845-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

          • memory/3552-8794-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB