Analysis

  • max time kernel
    150s
  • max time network
    142s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250619-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20250619-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    30/06/2025, 17:36

General

  • Target

    f9e8ebebead6f4ea8b050cc5746f5579967f454b59acf1ea472b5a01684b4ccd.exe

  • Size

    211KB

  • MD5

    e912f9a8d3949365f9e464f6ae956f18

  • SHA1

    3f09166515517e057ecd46646bdf6a4b4414e92d

  • SHA256

    f9e8ebebead6f4ea8b050cc5746f5579967f454b59acf1ea472b5a01684b4ccd

  • SHA512

    e720463f54d52b908f62afc83252dbcc4f4821f494df2bc93aa52cfbdd6a133d2b3cfa6e87c589c89aec92fbfc5950eb3e64fa53a32818e389c7a38f49b2d5cf

  • SSDEEP

    6144:NU+azbRZvhGNUl462K4TSFo5Y683TdiQ:NU+azbvwNU+aKgh

Malware Config

Signatures

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3448
      • C:\Users\Admin\AppData\Local\Temp\f9e8ebebead6f4ea8b050cc5746f5579967f454b59acf1ea472b5a01684b4ccd.exe
        "C:\Users\Admin\AppData\Local\Temp\f9e8ebebead6f4ea8b050cc5746f5579967f454b59acf1ea472b5a01684b4ccd.exe"
        2⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:736
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1124
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:4748
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a5C68.bat
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1012
          • C:\Users\Admin\AppData\Local\Temp\f9e8ebebead6f4ea8b050cc5746f5579967f454b59acf1ea472b5a01684b4ccd.exe
            "C:\Users\Admin\AppData\Local\Temp\f9e8ebebead6f4ea8b050cc5746f5579967f454b59acf1ea472b5a01684b4ccd.exe"
            4⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: GetForegroundWindowSpam
            PID:2252
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Drops startup file
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:1236
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:4868
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2332
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:4952
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:5084

    Network

          MITRE ATT&CK Enterprise v16

          Downloads

          • C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\MicrosoftEdgeUpdateBroker.exe

            Filesize

            138KB

            MD5

            a11372a95cce0bbd8a0ce60729ddf74b

            SHA1

            074f38c75ffeac822e2c93c316bfd96bb8bf785c

            SHA256

            5bd62949e133801618e53482c6bd8667a3f02f8d6f6cf8c1442df4073260bd2d

            SHA512

            4819b1e3cf7c601210b63849abd66e41a6e2dc006e0de9a8041814663ed21aa0eff942fba3df67b1f91a3ae4f1c1d990baebe7c67e708e76c6e5c2898513d406

          • C:\Program Files\7-Zip\7z.exe

            Filesize

            588KB

            MD5

            75eba632fa745295d5074956b90bb922

            SHA1

            f6c75dadbe487f776e18f8dac540b0910fdd7ebe

            SHA256

            0e862fcacb2b779cad40e4d9ba214ccd4d1ffab5e350935118f0ed8dbe6e9dd6

            SHA512

            234a46b58624603f683e62a07ff2ba036855c061e6cf184cf16ff81b47680c691a169873dd660f7d423b1598275d81762a211a646567eadf9574fa8904b1846a

          • C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe

            Filesize

            494KB

            MD5

            291d8d0cec3232f9755eb64c15a0f16f

            SHA1

            ffa8dae6872abbaadb7f420ff46a6654d481ef2a

            SHA256

            71506ca9b022ea1e70b54e6171442c1a35e82d9c1f3a12701f3af3045209ee0f

            SHA512

            a7b8813934510c7454ca0b1e17bf5b443ea0544b8c16f0c571470eaeb5cafb52e6c2b8ec07e0c98c8247c7ace199303ab74629c8bb0ec24b72bb4864b7743581

          • C:\Users\Admin\AppData\Local\Temp\$$a5C68.bat

            Filesize

            722B

            MD5

            a4743fc3dabea14c72da5ee139f151a3

            SHA1

            549e6053005c08789816af81bb90001fe0f7e917

            SHA256

            78555ae19b0c487533a1c7df3f0f89e5637de776c920f7f90fd3fba1c833dd09

            SHA512

            9423fd155de2b0aa9d4ee162517ce06fc07997e271386bf37c926d421601c94fe093f55ada6cadcaadc6411385ba370fe78471d63a57aebde26ba4e5c4dd0107

          • C:\Users\Admin\AppData\Local\Temp\f9e8ebebead6f4ea8b050cc5746f5579967f454b59acf1ea472b5a01684b4ccd.exe.exe

            Filesize

            172KB

            MD5

            b6e281bf0e2c2f182f1537bc5148faa9

            SHA1

            0d6aac1d3c5709084ae6ee5cce7f8b29df2cd4ca

            SHA256

            5238261f80d3683101d2ef2242d92c3719a92a63c45a211c7973b831dd318f36

            SHA512

            442776a93bf23cb69c6437ba72851bcb5dc4b90c9b03f53f37177fd271e834247b3a1f0c6ed8724e5490b59f2465afe5668513efd9cd3aeafed3aaa071416576

          • C:\Windows\Logo1_.exe

            Filesize

            39KB

            MD5

            1a12f352652e096ecd946fc1fa035a3f

            SHA1

            725f446ec095d1edb6d43bb638ab91565247114c

            SHA256

            ef2b389dd83dd2ea7e0c248907a09e8ec5aceb309a723382cad99c2a85a5f89a

            SHA512

            0a13e1800a316730a182e497f994194d561287acd85d37606001a9072c0d5d5683ab715c0a2c28a5b07cff12304f59a187a11620ebfdeadb722a17ea40bf2214

          • F:\$RECYCLE.BIN\S-1-5-21-4097847965-469305640-2969917343-1000\_desktop.ini

            Filesize

            9B

            MD5

            8d5d367ed8a2afc1fc0b8fc7d14da98c

            SHA1

            fddfad39cd8b448d0d3dbb6e9c67752999568783

            SHA256

            93740c0db50f557803e16032194380e92e586f9cd845c4543eae2c3aa97d95f6

            SHA512

            3215518f650fe697fa80054e2e7e98a55a23832309347704985d502ecf46726048291ace0a619b669726fda404c9235047a21563971a238864ee3523f5bbe96b

          • memory/736-8-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

          • memory/736-0-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

          • memory/1236-18-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

          • memory/1236-1673-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

          • memory/1236-10-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

          • memory/1236-9500-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

          • memory/1236-9792-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB