Analysis

  • max time kernel
    149s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09/11/2024, 20:16

General

  • Target

    6d797d3d0c3a58bf8edfdc6decb692cd4e0a42062e1a93e721fdc35c98a1f790.exe

  • Size

    11.1MB

  • MD5

    03e0d68de934dd404d7c5f764e383c3e

  • SHA1

    49f2234a66d178a2c11bee3bd4170458220127c5

  • SHA256

    6d797d3d0c3a58bf8edfdc6decb692cd4e0a42062e1a93e721fdc35c98a1f790

  • SHA512

    dcb61014a102cb71fdec807303b80fe05b3df791cc34689470d7c1d8e0a59851b64373920de64118b9e3e32ad411419e6523b2485a15668e218a667e8a146235

  • SSDEEP

    98304:Mdfb+0ChEPIGiq3y3vx+w9TbfjJ+kdfpK46Tle36jknz9Y:MJ+kIGv3y/x+KTbfjJ+kdnAlejY

Malware Config

Signatures

  • Drops file in Drivers directory 2 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3392
      • C:\Users\Admin\AppData\Local\Temp\6d797d3d0c3a58bf8edfdc6decb692cd4e0a42062e1a93e721fdc35c98a1f790.exe
        "C:\Users\Admin\AppData\Local\Temp\6d797d3d0c3a58bf8edfdc6decb692cd4e0a42062e1a93e721fdc35c98a1f790.exe"
        2⤵
        • Drops file in Drivers directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:4360
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4544
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:1592
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a77FF.bat
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1564
          • C:\Users\Admin\AppData\Local\Temp\6d797d3d0c3a58bf8edfdc6decb692cd4e0a42062e1a93e721fdc35c98a1f790.exe
            "C:\Users\Admin\AppData\Local\Temp\6d797d3d0c3a58bf8edfdc6decb692cd4e0a42062e1a93e721fdc35c98a1f790.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of WriteProcessMemory
            PID:4700
            • C:\Users\Admin\AppData\Local\Temp\6d797d3d0c3a58bf8edfdc6decb692cd4e0a42062e1a93e721fdc35c98a1f790.exe
              "C:\Users\Admin\AppData\Local\Temp\6d797d3d0c3a58bf8edfdc6decb692cd4e0a42062e1a93e721fdc35c98a1f790.exe" --type=collab-renderer --proc=4700
              5⤵
              • Executes dropped EXE
              PID:3236
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Drops file in Drivers directory
          • Drops startup file
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2940
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:4864
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:1736
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2488
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2344

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe

            Filesize

            251KB

            MD5

            d1c85aed7ccbf5c8b6b82a6039973bcb

            SHA1

            8172aa11225d987b394c5a9668866948d6743e51

            SHA256

            3d6fd770ff32c36c96c617e34adac45614b12daae11da48246c216a5b1d2bef8

            SHA512

            4589b2cc748305a2c28eeaf913c603068af524b61265f52c6b5c1369129f322c8d9f514b6292cff6bc368515d71cafaf644ab360d74a672b205e106b77fa8c19

          • C:\Program Files\7-Zip\7z.exe

            Filesize

            577KB

            MD5

            3c8d51cfb63666d0a80fb0722b89754a

            SHA1

            588f67f35d30a79e7b809302882a32ab4cf6a943

            SHA256

            c1ae61c35f0286c94dd114441b63eb82fdfd7d322ef46aab92eb73902b17c283

            SHA512

            3c9a60d536c4a9e6b1db3f01167bfdca11d2a5238c1e177578acf4b5b07bb92ad0a15ece46bc7040dbe2a34709777b5a8e4e74fefa24739a8e1df4e243b08f8e

          • C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe

            Filesize

            644KB

            MD5

            805ba9e4bcfdde2cd41c62cdfa500003

            SHA1

            561ac3c3eea04a2823e08fa73ef4856b2113c164

            SHA256

            ded84e71610908af1b33c0ef1e6b08fd1c84411eb3f7c704267fdf91d0dbe128

            SHA512

            d84c52b4d586632bde823dd0ee73afa0e6cbabca47ed60d2690c7be1befc693b62b5ca5c1e16a57d719cd64d948160870c844c6c8805789a3ce34c1ee3f0c4ab

          • C:\Users\Admin\AppData\Local\Temp\$$a77FF.bat

            Filesize

            722B

            MD5

            3e56fca475ed310ec9ebe6ca928c3d7e

            SHA1

            e150c60d3229c75cf14f099a10b8b4fb26140f5a

            SHA256

            d69f7da8e8e6e0c9f265960bb94a561979eba0458153178686ff7d150e10c204

            SHA512

            77a23b1185159bad09f9c4878d893a9e0f34bdedebbb855fbda967e691f53aeb95859a47922f43f4d96c88e3f4580aaeac552c65c5bec1440a87638a14208a2b

          • C:\Users\Admin\AppData\Local\Temp\6d797d3d0c3a58bf8edfdc6decb692cd4e0a42062e1a93e721fdc35c98a1f790.exe.exe

            Filesize

            11.0MB

            MD5

            b45b7bd6eb92c5b65378d8d0a0964747

            SHA1

            5ca6f198ac83c90496110259b57ff4a5f47b64bb

            SHA256

            5f1d9218f9735a763ffecc47c7b6f0c342b7f1a5da835733e0b3b73903f864a0

            SHA512

            bde39c4b6d04caae8280bdd53e6036c53ed394a72f0d4d1273c149175570e8a87f87c8963869c96834fef7e82893da38c49ce4aaa1851e65c055dbbcac7c1708

          • C:\Windows\Logo1_.exe

            Filesize

            33KB

            MD5

            dfc4e131e84f5b4aa301491d0d5c735f

            SHA1

            f4efee0061dee53da9d73f70648ae8ad2eeb6473

            SHA256

            f9508caee8e59955142464761783f89d580b4ac080f2d8256d6bf547e1958ba9

            SHA512

            62652d0c21a71e52777c3e929013f838e0907a21259e2947bf46e698fb90597309cdbce5f1c656022e98bf14588386d1c9c5559658392e29c1da2b86ba0221c0

          • C:\Windows\system32\drivers\etc\hosts

            Filesize

            842B

            MD5

            6f4adf207ef402d9ef40c6aa52ffd245

            SHA1

            4b05b495619c643f02e278dede8f5b1392555a57

            SHA256

            d9704dab05e988be3e5e7b7c020bb9814906d11bb9c31ad80d4ed1316f6bc94e

            SHA512

            a6306bd200a26ea78192ae5b00cc49cfab3fba025fe7233709a4e62db0f9ed60030dce22b34afe57aad86a098c9a8c44e080cedc43227cb87ef4690baec35b47

          • F:\$RECYCLE.BIN\S-1-5-21-3442511616-637977696-3186306149-1000\_desktop.ini

            Filesize

            9B

            MD5

            577b020fd4f1c33364f7dc1b6a15b5e0

            SHA1

            0a39afa020279d2ae46b302efe9dfd550e822709

            SHA256

            e22c9759bcf5bc35063c6c048e109883f070723446b9ed5d16e70c48ca526bb9

            SHA512

            c7b8e4478ddc648c13acd21b16fa7397fad334d7710e3d91f4069fcd7d5a4f3d8c542c46eb3843c4dbc8d862bf03a50d1ad641e725f53382a73a9ac4ec035f48

          • memory/2940-20-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

          • memory/2940-9-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

          • memory/2940-2626-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

          • memory/2940-8768-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

          • memory/4360-0-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

          • memory/4360-10-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB