Analysis

  • max time kernel
    150s
  • max time network
    139s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250619-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20250619-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    30/06/2025, 17:33

General

  • Target

    1d2dc0061315396e433e4ef0671c374a42cacce1d63f9fdd8a1c340e7a1c5b48.exe

  • Size

    318KB

  • MD5

    cba550c8ff235b71afcfe490ef68cdd5

  • SHA1

    37616bdd92ff147827b7ef63b1b81554d0024cf2

  • SHA256

    1d2dc0061315396e433e4ef0671c374a42cacce1d63f9fdd8a1c340e7a1c5b48

  • SHA512

    eddd58d85b713d144277a4bde64a75d18beb8f4fdf3a3ebbf97c921b7e40fa0b9bb7591fa010c139c0abd9504c04f286ccbf1b6545b676041c542634d0d11ef4

  • SSDEEP

    6144:jsnqXaAoNOcG20bWiT6yj7FzhQXJgzBU4GfjTac:jUYymh7vagS

Malware Config

Signatures

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 62 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3424
      • C:\Users\Admin\AppData\Local\Temp\1d2dc0061315396e433e4ef0671c374a42cacce1d63f9fdd8a1c340e7a1c5b48.exe
        "C:\Users\Admin\AppData\Local\Temp\1d2dc0061315396e433e4ef0671c374a42cacce1d63f9fdd8a1c340e7a1c5b48.exe"
        2⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:5220
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a9AF8.bat
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:6116
          • C:\Users\Admin\AppData\Local\Temp\1d2dc0061315396e433e4ef0671c374a42cacce1d63f9fdd8a1c340e7a1c5b48.exe
            "C:\Users\Admin\AppData\Local\Temp\1d2dc0061315396e433e4ef0671c374a42cacce1d63f9fdd8a1c340e7a1c5b48.exe"
            4⤵
            • Executes dropped EXE
            PID:3112
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Drops startup file
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:6064
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:1904
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:220
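
The tree above records the chain Explorer.EXE > sample > cmd.exe /c <Temp>\$$a9AF8.bat, a second copy of the sample launched by the batch file, Logo1_.exe started from C:\Windows, and net.exe / net1.exe stopping "Kingsoft AntiVirus Service". The following is an added example, not part of the sandbox report, of process-creation rules that would flag each of those steps in an endpoint log. The events are constructed to mirror the page's tree (same PIDs, images and command lines); the rule names, the allow-list of binaries that legitimately live directly under C:\Windows, and the service-name keyword list are assumptions, and the T1562.001 mapping is the editor's labelling (the page tags "Runs net.exe" with no TTP).

```python
# Added example (not part of the sandbox report): process-creation rules for the
# behaviours in the tree above. Events are constructed from the page's process
# tree; fields loosely follow Sysmon EventID 1 / Security 4688.
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the new process
    cmdline: str    # command line as recorded


SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\1d2dc0061315396e433e4ef0671c374a42cacce1d63f9fdd8a1c340e7a1c5b48.exe")

# Constructed events; PIDs, images and command lines mirror the report's tree.
EVENTS: List[ProcEvent] = [
    ProcEvent(3424, 0,    r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    ProcEvent(5220, 3424, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(6116, 5220, r"C:\Windows\SysWOW64\cmd.exe",
              r"C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a9AF8.bat"),
    ProcEvent(3112, 6116, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(6064, 5220, r"C:\Windows\Logo1_.exe", r"C:\Windows\Logo1_.exe"),
    ProcEvent(1904, 6064, r"C:\Windows\SysWOW64\net.exe", 'net stop "Kingsoft AntiVirus Service"'),
    ProcEvent(220,  1904, r"C:\Windows\SysWOW64\net1.exe",
              r'C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"'),
]

# Rule identifiers (assumed names). The first maps to ATT&CK T1562.001,
# Impair Defenses: Disable or Modify Tools (editor's labelling).
RULE_AV_STOP = "net_stop_security_service"
RULE_TEMP_BAT = "cmd_runs_batch_from_user_temp"
RULE_WINROOT = "executable_in_windows_root"

NET_STOP = re.compile(r'\bnet1?(?:\.exe)?\s+stop\s+"?([^"]+?)"?\s*$', re.I)
SECURITY_SERVICE = re.compile(r"anti[- ]?virus|anti[- ]?malware|defender|security|protect|firewall", re.I)
TEMP_BAT = re.compile(r'cmd(?:\.exe)?\s+/c\s+"?([a-z]:\\users\\[^"]*?\\appdata\\local\\temp\\[^"\\]+\.bat)', re.I)
WINROOT_EXE = re.compile(r"^[a-z]:\\windows\\[^\\]+\.exe$", re.I)
# Binaries that legitimately sit directly under C:\Windows (assumed list; extend for your image).
WINROOT_ALLOW = {"explorer.exe", "notepad.exe", "regedit.exe", "hh.exe", "write.exe", "splwow64.exe"}


def detect(events: List[ProcEvent]) -> List[Tuple[str, int, str]]:
    """Return (rule, pid, detail) for every event that matches a rule."""
    hits: List[Tuple[str, int, str]] = []
    for ev in events:
        base = ev.image.rsplit("\\", 1)[-1].lower()
        m = NET_STOP.search(ev.cmdline)
        if m and SECURITY_SERVICE.search(m.group(1)):
            hits.append((RULE_AV_STOP, ev.pid, m.group(1)))
        m = TEMP_BAT.search(ev.cmdline)
        if m:
            hits.append((RULE_TEMP_BAT, ev.pid, m.group(1)))
        if WINROOT_EXE.match(ev.image) and base not in WINROOT_ALLOW:
            hits.append((RULE_WINROOT, ev.pid, ev.image))
    return hits


def ancestry(events: List[ProcEvent], pid: int) -> List[str]:
    """Image basenames from the root of the recorded tree down to pid."""
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid].image.rsplit("\\", 1)[-1])
        pid = by_pid[pid].ppid
    return chain[::-1]


if __name__ == "__main__":
    for rule, pid, detail in detect(EVENTS):
        print(f"{rule:32} pid={pid:<5} {detail}")
        print("    chain:", " > ".join(ancestry(EVENTS, pid)))
```

The service-name keywords are deliberately broad: a `net stop` of any security product from a process in this position is worth an alert, and the ancestry chain shows at a glance that the stop came from a binary the sample wrote into C:\Windows rather than from an administrator's shell.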

    Network

          MITRE ATT&CK Enterprise v16


          Downloads

          • C:\Program Files\Google\Chrome\Application\133.0.6943.60\Installer\setup.exe

            Filesize

            6.1MB

            MD5

            05b4b7bcd0859ab0daf63bce8b6cc80b

            SHA1

            682dc1d9d987adc05f6b76c263f37287c4ee0ffe

            SHA256

            4f863f97242c8c94fe69cd4db3d123233f0163346a0b7a58670d624e8f323cd3

            SHA512

            33949cc2089d6f91dc96f672d6a615d4faf94ee64429c48bd2a788350b79be0efe46bb05f5cf0d8431f031eb21ff278646c92b12a9ae5cd7158c0f000fda3ecd

          • C:\Users\Admin\AppData\Local\Temp\$$a9AF8.bat

            Filesize

            722B

            MD5

            d53a666c056f7b8863222853dc88506d

            SHA1

            52eedb89024db0482fcde4f6d31ef8ad64ec62d4

            SHA256

            9ba0fc1f4d000cb807fe3061cf683b780699f20812703774baa793d6212b0768

            SHA512

            a12ec54aadb91e6c40f66458e7e1cc5dcb8c0b64a7b37685e4719736106915e2de51b59f35b2ef0584eebb11527cd201bb3dbfb56e98d77f1380ff5dc7ce9585

          • C:\Users\Admin\AppData\Local\Temp\1d2dc0061315396e433e4ef0671c374a42cacce1d63f9fdd8a1c340e7a1c5b48.exe.exe

            Filesize

            287KB

            MD5

            a6530124d658f032e528cbb8c87189a4

            SHA1

            6b326371e0e2b58d38657685eb02ffaa7976e9d3

            SHA256

            4c51a0a8ab7af7512ae82344aca1b31f8b261b5fde799bc49963824d107c13ab

            SHA512

            a7edc7da4c750f13d8c8a42381f312dba053672bfe505f523a1aec18aabf2357036f64d6fd183bda6cc6563e9ad15ebb5d41114b687cb0760d5ab4f61507e4fb

          • C:\Windows\Logo1_.exe

            Filesize

            31KB

            MD5

            ce1f722d56cca54a9b8a771d062bcb15

            SHA1

            0fc2316c20e08befd7f838607d2fb23d7895239d

            SHA256

            a94cf29461d0df4d531e8bb96728134e8fb568a28016f59a33a82775e8f8320f

            SHA512

            39e20028c4bd471ac131a43108a4a9793bd97a092b845e2125fb3acd9d3471430d69ca68382845fec2c8e6ef52f70b4f02e9b66bb8028eb4e51d56eabad8c18f

          • F:\$RECYCLE.BIN\S-1-5-21-4144907350-1836498122-2806216936-1000\_desktop.ini

            Filesize

            9B

            MD5

            8d5d367ed8a2afc1fc0b8fc7d14da98c

            SHA1

            fddfad39cd8b448d0d3dbb6e9c67752999568783

            SHA256

            93740c0db50f557803e16032194380e92e586f9cd845c4543eae2c3aa97d95f6

            SHA512

            3215518f650fe697fa80054e2e7e98a55a23832309347704985d502ecf46726048291ace0a619b669726fda404c9235047a21563971a238864ee3523f5bbe96b

          • memory/5220-0-0x0000000000400000-0x000000000043B000-memory.dmp

            Filesize

            236KB

          • memory/5220-11-0x0000000000400000-0x000000000043B000-memory.dmp

            Filesize

            236KB

          • memory/6064-8-0x0000000000400000-0x000000000043B000-memory.dmp

            Filesize

            236KB

          • memory/6064-2966-0x0000000000400000-0x000000000043B000-memory.dmp

            Filesize

            236KB

          • memory/6064-2956-0x0000000000400000-0x000000000043B000-memory.dmp

            Filesize

            236KB

          • memory/6064-9755-0x0000000000400000-0x000000000043B000-memory.dmp

            Filesize

            236KB
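
The hashes above identify what this run wrote to disk. Below is an added example, not part of the report, of a hunt that walks a filesystem and reports files whose SHA256 matches the listed values, plus any 9-byte `_desktop.ini` under `$RECYCLE.BIN\<SID>\` on any drive (the report shows one on F:, which fits the "Enumerates connected drives" signature). The demo tree, its file contents and the SID in it are constructed. Two caveats: the `setup.exe` entry is a write to an existing Chrome installer path, so its hash is specific to this sandbox image and a real host should be compared against the vendor's signed original instead; and a hash match on `Logo1_.exe` confirms this exact build only, which is why the location-and-size check is kept as a weaker, content-independent indicator.

```python
# Added example (not part of the sandbox report): hunt a filesystem for the
# artefacts listed under Downloads, by hash and, for the recycle-bin marker,
# by location and size. Files created in demo() are constructed stand-ins.
import hashlib
import re
import tempfile
from dataclasses import dataclass
from pathlib import Path
from typing import Dict, List

# SHA256 values copied from the report (Downloads section and submitted sample).
REPORT_IOCS: Dict[str, str] = {
    "1d2dc0061315396e433e4ef0671c374a42cacce1d63f9fdd8a1c340e7a1c5b48": "submitted sample (318KB)",
    "a94cf29461d0df4d531e8bb96728134e8fb568a28016f59a33a82775e8f8320f": r"C:\Windows\Logo1_.exe (31KB)",
    "9ba0fc1f4d000cb807fe3061cf683b780699f20812703774baa793d6212b0768": r"$$a9AF8.bat dropped in user Temp (722B)",
    "4c51a0a8ab7af7512ae82344aca1b31f8b261b5fde799bc49963824d107c13ab": "renamed sample copy *.exe.exe in user Temp (287KB)",
    "93740c0db50f557803e16032194380e92e586f9cd845c4543eae2c3aa97d95f6": r"F:\$RECYCLE.BIN\<SID>\_desktop.ini (9B)",
    "4f863f97242c8c94fe69cd4db3d123233f0163346a0b7a58670d624e8f323cd3": r"Chrome 133.0.6943.60\Installer\setup.exe as written in the sandbox (6.1MB)",
}

# The report records the marker only on F:, under the profile SID's recycle-bin folder.
# Matching by location and size also catches copies whose content (and hash) differs.
RECYCLE_MARKER = re.compile(r"[\\/]\$RECYCLE\.BIN[\\/]S-1-5-21-[\d-]+[\\/]_desktop\.ini$", re.I)
MARKER_SIZE = 9


@dataclass(frozen=True)
class Hit:
    path: str
    how: str     # "hash" or "path+size"
    label: str


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def scan(root: Path, iocs: Dict[str, str]) -> List[Hit]:
    """Walk root; report hash matches and 9-byte recycle-bin markers. Unreadable files are skipped."""
    hits: List[Hit] = []
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        try:
            digest = sha256_file(p)
            size = p.stat().st_size
        except OSError:
            continue
        if digest in iocs:
            hits.append(Hit(str(p), "hash", iocs[digest]))
        elif RECYCLE_MARKER.search(str(p)) and size == MARKER_SIZE:
            hits.append(Hit(str(p), "path+size", "9-byte _desktop.ini under $RECYCLE.BIN\\<SID>"))
    return hits


def demo() -> List[Hit]:
    """Constructed tree: a stand-in Logo1_.exe (added to the IOC set by its own hash,
    since the real file's bytes are not on the page), a 9-byte recycle-bin marker with
    constructed content, and a benign file that must not be reported."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        logo = root / "Windows" / "Logo1_.exe"
        logo.parent.mkdir(parents=True)
        logo.write_bytes(b"MZ constructed stand-in, not the real Logo1_.exe\n")
        marker = root / "$RECYCLE.BIN" / "S-1-5-21-1-2-3-1000" / "_desktop.ini"
        marker.parent.mkdir(parents=True)
        marker.write_bytes(b"123456789")          # 9 bytes; content is constructed
        benign = root / "Program Files" / "app.exe"
        benign.parent.mkdir(parents=True)
        benign.write_bytes(b"MZ benign placeholder\n")
        iocs = dict(REPORT_IOCS)
        iocs[sha256_bytes(logo.read_bytes())] = "constructed Logo1_.exe stand-in"
        return scan(root, iocs)


if __name__ == "__main__":
    for h in demo():
        print(f"{h.how:10} {h.path}  ->  {h.label}")
```

On a live host, call `scan(Path("C:\\"), REPORT_IOCS)` and repeat for every mounted drive letter, since the report shows the sample writing outside C:; traversing `$RECYCLE.BIN` folders needs an elevated session.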