Analysis

  • max time kernel
    149s
  • max time network
    103s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250610-en
  • resource tags

    arch:x64, arch:x86, image:win11-20250610-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    30/06/2025, 17:33

General

  • Target

    1d2dc0061315396e433e4ef0671c374a42cacce1d63f9fdd8a1c340e7a1c5b48.exe

  • Size

    318KB

  • MD5

    cba550c8ff235b71afcfe490ef68cdd5

  • SHA1

    37616bdd92ff147827b7ef63b1b81554d0024cf2

  • SHA256

    1d2dc0061315396e433e4ef0671c374a42cacce1d63f9fdd8a1c340e7a1c5b48

  • SHA512

    eddd58d85b713d144277a4bde64a75d18beb8f4fdf3a3ebbf97c921b7e40fa0b9bb7591fa010c139c0abd9504c04f286ccbf1b6545b676041c542634d0d11ef4

  • SSDEEP

    6144:jsnqXaAoNOcG20bWiT6yj7FzhQXJgzBU4GfjTac:jUYymh7vagS

Malware Config

Signatures

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 62 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3288
      • C:\Users\Admin\AppData\Local\Temp\1d2dc0061315396e433e4ef0671c374a42cacce1d63f9fdd8a1c340e7a1c5b48.exe
        "C:\Users\Admin\AppData\Local\Temp\1d2dc0061315396e433e4ef0671c374a42cacce1d63f9fdd8a1c340e7a1c5b48.exe"
        2⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:4672
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aA4AC.bat
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3912
          • C:\Users\Admin\AppData\Local\Temp\1d2dc0061315396e433e4ef0671c374a42cacce1d63f9fdd8a1c340e7a1c5b48.exe
            "C:\Users\Admin\AppData\Local\Temp\1d2dc0061315396e433e4ef0671c374a42cacce1d63f9fdd8a1c340e7a1c5b48.exe"
            4⤵
            • Executes dropped EXE
            PID:892
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Drops startup file
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:812
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:1488
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:1104

    Network

          MITRE ATT&CK Enterprise v16


          Downloads

          • C:\Program Files\Google\Chrome\Application\133.0.6943.60\Installer\setup.exe

            Filesize

            6.1MB

            MD5

            05b4b7bcd0859ab0daf63bce8b6cc80b

            SHA1

            682dc1d9d987adc05f6b76c263f37287c4ee0ffe

            SHA256

            4f863f97242c8c94fe69cd4db3d123233f0163346a0b7a58670d624e8f323cd3

            SHA512

            33949cc2089d6f91dc96f672d6a615d4faf94ee64429c48bd2a788350b79be0efe46bb05f5cf0d8431f031eb21ff278646c92b12a9ae5cd7158c0f000fda3ecd

          • C:\Users\Admin\AppData\Local\Temp\$$aA4AC.bat

            Filesize

            722B

            MD5

            bae146c84590c13126164f868dea7c53

            SHA1

            a353189929ee2e9097c7fa197732ad92a7f4a66d

            SHA256

            21d8d324e7474c92d6dd0b31ad7891cd6811b0c284cd1ca0b823fc51456a8be6

            SHA512

            fbd132f963433cf4ce2089c6989fff819be1ec9bbda1ddcca8cf25405682b6e96a52312d9c6df295aae6534cc3847df616ca4646801e70ec472683461034af8a

          • C:\Users\Admin\AppData\Local\Temp\1d2dc0061315396e433e4ef0671c374a42cacce1d63f9fdd8a1c340e7a1c5b48.exe.exe

            Filesize

            287KB

            MD5

            a6530124d658f032e528cbb8c87189a4

            SHA1

            6b326371e0e2b58d38657685eb02ffaa7976e9d3

            SHA256

            4c51a0a8ab7af7512ae82344aca1b31f8b261b5fde799bc49963824d107c13ab

            SHA512

            a7edc7da4c750f13d8c8a42381f312dba053672bfe505f523a1aec18aabf2357036f64d6fd183bda6cc6563e9ad15ebb5d41114b687cb0760d5ab4f61507e4fb

          • C:\Windows\Logo1_.exe

            Filesize

            31KB

            MD5

            ce1f722d56cca54a9b8a771d062bcb15

            SHA1

            0fc2316c20e08befd7f838607d2fb23d7895239d

            SHA256

            a94cf29461d0df4d531e8bb96728134e8fb568a28016f59a33a82775e8f8320f

            SHA512

            39e20028c4bd471ac131a43108a4a9793bd97a092b845e2125fb3acd9d3471430d69ca68382845fec2c8e6ef52f70b4f02e9b66bb8028eb4e51d56eabad8c18f

          • F:\$RECYCLE.BIN\S-1-5-21-2238466657-712128251-1221219315-1000\_desktop.ini

            Filesize

            9B

            MD5

            8d5d367ed8a2afc1fc0b8fc7d14da98c

            SHA1

            fddfad39cd8b448d0d3dbb6e9c67752999568783

            SHA256

            93740c0db50f557803e16032194380e92e586f9cd845c4543eae2c3aa97d95f6

            SHA512

            3215518f650fe697fa80054e2e7e98a55a23832309347704985d502ecf46726048291ace0a619b669726fda404c9235047a21563971a238864ee3523f5bbe96b

          • memory/812-9-0x0000000000400000-0x000000000043B000-memory.dmp

            Filesize

            236KB

          • memory/812-2488-0x0000000000400000-0x000000000043B000-memory.dmp

            Filesize

            236KB

          • memory/812-2491-0x0000000000400000-0x000000000043B000-memory.dmp

            Filesize

            236KB

          • memory/812-10075-0x0000000000400000-0x000000000043B000-memory.dmp

            Filesize

            236KB

          • memory/4672-0-0x0000000000400000-0x000000000043B000-memory.dmp

            Filesize

            236KB

          • memory/4672-11-0x0000000000400000-0x000000000043B000-memory.dmp

            Filesize

            236KB