Analysis

  • max time kernel
    149s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250610-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250610-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30/06/2025, 17:36

General

  • Target

    bbafeb64d47ac245717e2586b6233fba8273bf476ca4c7edc8803872f039c629.exe

  • Size

    6.0MB

  • MD5

    18a7652498ab6901ed9f2e36c8b7b2b5

  • SHA1

    3c86ee20d73abaa5b6ab810b2a7194bddc5b1bdd

  • SHA256

    bbafeb64d47ac245717e2586b6233fba8273bf476ca4c7edc8803872f039c629

  • SHA512

    a1639ed0e73756e53a7c37c575d9a4cdbcd3bbd4b6750324f1da1c4d6fb7beb2a0e4252f0ad9e5ece59363eb3dbe031167d9d79a3fda15a09cf16e5c744c1213

  • SSDEEP

    98304:bYOXwnS4rVjx1LVt0Q7+Cga0Kt14vgp4R9x:8IG1Jjj14Yp4T

Malware Config

Signatures

  • Drops startup file 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 60 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3436
      • C:\Users\Admin\AppData\Local\Temp\bbafeb64d47ac245717e2586b6233fba8273bf476ca4c7edc8803872f039c629.exe
        "C:\Users\Admin\AppData\Local\Temp\bbafeb64d47ac245717e2586b6233fba8273bf476ca4c7edc8803872f039c629.exe"
        2⤵
        • Drops startup file
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:3936
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3056
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:3580
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2276
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:5088

    Network

          MITRE ATT&CK Enterprise v16

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files\7-Zip\Uninstall.exe

            Filesize

            6.0MB

            MD5

            45817f9ce242dfaaf8b52ecc67401e07

            SHA1

            0d7af83d1c7dc24c5b8416f1b2816b6f89b7c82d

            SHA256

            45f16a7eb075379b3878b5194f1a79390b87c61c69eb05becaff69d596a7c6d2

            SHA512

            22c9912d5436fe28ed81da4d8bc244ea4a3bb497c14f201aa86db600916b3e80be98765fefa41b51edf0b59bff1b3073fda6929be939233998efa92283d796fd

          • F:\$RECYCLE.BIN\S-1-5-21-2866795425-63786011-2927312124-1000\_desktop.ini

            Filesize

            9B

            MD5

            8d5d367ed8a2afc1fc0b8fc7d14da98c

            SHA1

            fddfad39cd8b448d0d3dbb6e9c67752999568783

            SHA256

            93740c0db50f557803e16032194380e92e586f9cd845c4543eae2c3aa97d95f6

            SHA512

            3215518f650fe697fa80054e2e7e98a55a23832309347704985d502ecf46726048291ace0a619b669726fda404c9235047a21563971a238864ee3523f5bbe96b

          • memory/3936-0-0x0000000000400000-0x0000000000449000-memory.dmp

            Filesize

            292KB

          • memory/3936-3-0x0000000000400000-0x0000000000449000-memory.dmp

            Filesize

            292KB