Analysis

  • max time kernel
    150s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09/11/2024, 00:03

General

  • Target

    74537b0528ce6c8892e73a92fd4c92bcbb16afae1267b75e655899d104da587e.exe

  • Size

    563KB

  • MD5

    86bb6b739bb4d22e1810d41cbfe6a29e

  • SHA1

    6b9bd695ad29d47ccf580982561586c3a4856ddf

  • SHA256

    74537b0528ce6c8892e73a92fd4c92bcbb16afae1267b75e655899d104da587e

  • SHA512

    cc78b82d7a7f5c1bc7168262276ea0a419dba339b47e34ebc60bec87298d993b84f982f41104ed86fa0a030783c06aaf953fb768498b410974aa78090f14e165

  • SSDEEP

    12288:V3N2rc9iJafmm2VYK+UNo0RweQfoAxHv9sN4A4H9J618UtQ43iUa:V3N2hVm2VZQwy9E1Vf3M

Malware Config

Signatures

  • Drops file in Drivers directory 2 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3484
      • C:\Users\Admin\AppData\Local\Temp\74537b0528ce6c8892e73a92fd4c92bcbb16afae1267b75e655899d104da587e.exe
        "C:\Users\Admin\AppData\Local\Temp\74537b0528ce6c8892e73a92fd4c92bcbb16afae1267b75e655899d104da587e.exe"
        2⤵
        • Drops file in Drivers directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1376
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4792
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:3980
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a9FAB.bat
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:380
          • C:\Users\Admin\AppData\Local\Temp\74537b0528ce6c8892e73a92fd4c92bcbb16afae1267b75e655899d104da587e.exe
            "C:\Users\Admin\AppData\Local\Temp\74537b0528ce6c8892e73a92fd4c92bcbb16afae1267b75e655899d104da587e.exe"
            4⤵
            • Executes dropped EXE
            PID:5036
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Drops file in Drivers directory
          • Drops startup file
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:5080
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:4772
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:800
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:4208
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:3468

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe

            Filesize

            251KB

            MD5

            ddb3a9b2405bde6d9ccd9427ce18bff6

            SHA1

            0c8f903ff0b064e31b90da6b59a9f6033769b9c9

            SHA256

            cf2064a9b73904274cd1c61c0f824d090a5cbd9a5780a35a6a0a80012d3cb73c

            SHA512

            93c797e1ea8760bcc082f40619ccdf789ea26618570aa47f2870509708a338462dfcdd874d6c3429c8c14220b3189c9edb66bdf20adea614604a751dce2e86a6

          • C:\Program Files\7-Zip\7z.exe

            Filesize

            577KB

            MD5

            92efd4b0d561608653e3186a7d3bc8c7

            SHA1

            a048a43bb3732df81a895efbbea2e2cfc27c7f9a

            SHA256

            47a58862f537d2e681127a0b3bd2945b09266343c3ddb548c5fa8edfbd130405

            SHA512

            4d315bd6f23e10bfc5743df12c0f39c572489f70da2cae40af27e34cb3188766ecf396d82378672658757563d76b31599a3f44907243ea58ffe2a8a1e73e1d62

          • C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe

            Filesize

            644KB

            MD5

            805ba9e4bcfdde2cd41c62cdfa500003

            SHA1

            561ac3c3eea04a2823e08fa73ef4856b2113c164

            SHA256

            ded84e71610908af1b33c0ef1e6b08fd1c84411eb3f7c704267fdf91d0dbe128

            SHA512

            d84c52b4d586632bde823dd0ee73afa0e6cbabca47ed60d2690c7be1befc693b62b5ca5c1e16a57d719cd64d948160870c844c6c8805789a3ce34c1ee3f0c4ab

          • C:\Users\Admin\AppData\Local\Temp\$$a9FAB.bat

            Filesize

            722B

            MD5

            7f7917bd7f50cec7a12a4c62b5b55d6f

            SHA1

            90a37965644768e7f66950a079b2c6e738495aa4

            SHA256

            f1f02e55b476c0e7771020bfb2d172ba5fd7ea0e24ca3f41cc01d63beffeae1c

            SHA512

            6f5bcde71196bb779a7ffa99ae84b4522a94d0d879f8b1d4d3e55bbff263c4b4f9259744b242a0c0c71960d762626b28716b85dc228e6d480fac332e33ce4fee

          • C:\Users\Admin\AppData\Local\Temp\74537b0528ce6c8892e73a92fd4c92bcbb16afae1267b75e655899d104da587e.exe.exe

            Filesize

            529KB

            MD5

            cca0c5482b8a6a275d9d49433f435dfa

            SHA1

            a72ae8621386e13c34055f612ae7612b8a18a39e

            SHA256

            6ea08bbcedf7cb51cfbe4896ef8c589a4568b1d5240265b1dcfda83dc8b55365

            SHA512

            b88f5cdb4bc08429ca40d24cef490128d341e10615d1d93d084b3247c2b28573d177d878c1385d3941e16a8bcc8a9f6b7870c152f4a43d02e69c05defcc9196e

          • C:\Windows\Logo1_.exe

            Filesize

            33KB

            MD5

            3dad059e7aec47d7f38f17c930a767d0

            SHA1

            e3d77ab88d5e22af5fd87ae4c9a42c4722197dee

            SHA256

            4303680f3967f272c366da0600b22488a03de4e09f605b8e77ee0b0ba0836ecb

            SHA512

            2a6e399ed54c132c692dc89ead3f330990d9f88ed5afb73fe1b9e5906f30b46d9edf8b34eacd690dafcf1fa380aad934c72fa011f3a3bbd8f1c409d424345a02

          • C:\Windows\system32\drivers\etc\hosts

            Filesize

            842B

            MD5

            6f4adf207ef402d9ef40c6aa52ffd245

            SHA1

            4b05b495619c643f02e278dede8f5b1392555a57

            SHA256

            d9704dab05e988be3e5e7b7c020bb9814906d11bb9c31ad80d4ed1316f6bc94e

            SHA512

            a6306bd200a26ea78192ae5b00cc49cfab3fba025fe7233709a4e62db0f9ed60030dce22b34afe57aad86a098c9a8c44e080cedc43227cb87ef4690baec35b47

          • F:\$RECYCLE.BIN\S-1-5-21-2437139445-1151884604-3026847218-1000\_desktop.ini

            Filesize

            9B

            MD5

            577b020fd4f1c33364f7dc1b6a15b5e0

            SHA1

            0a39afa020279d2ae46b302efe9dfd550e822709

            SHA256

            e22c9759bcf5bc35063c6c048e109883f070723446b9ed5d16e70c48ca526bb9

            SHA512

            c7b8e4478ddc648c13acd21b16fa7397fad334d7710e3d91f4069fcd7d5a4f3d8c542c46eb3843c4dbc8d862bf03a50d1ad641e725f53382a73a9ac4ec035f48

          • memory/1376-0-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

          • memory/1376-12-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

          • memory/5080-20-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

          • memory/5080-9-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

          • memory/5080-3284-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

          • memory/5080-8868-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB