Analysis

  • max time kernel
    150s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250619-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250619-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30/06/2025, 17:43

General

  • Target

    f8e7945bf1f2f610dfed315fe36f32fcc7cfe51b8b9745e03499aeba6d4ba842.exe

  • Size

    32KB

  • MD5

    cdaabb480b7d3c10c6f4f451c8c08d69

  • SHA1

    667ce007c73b1d663decd86d730227569d23acbb

  • SHA256

    f8e7945bf1f2f610dfed315fe36f32fcc7cfe51b8b9745e03499aeba6d4ba842

  • SHA512

    389083da42235678a2d2b3420729fd46be6c0139b9177dc39108252cbbc24881d610e0637f12980f86c042ec79abcf0bdbac7d94610ab11269f8b0f44a6bbc31

  • SSDEEP

    768:5EW5CT2ljlL5b+n8WF6mucTqDf2KDVOPLa:5Eaj95b+n8wKcTDKDVO

Malware Config

Signatures

  • Drops startup file 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 44 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3564
      • C:\Users\Admin\AppData\Local\Temp\f8e7945bf1f2f610dfed315fe36f32fcc7cfe51b8b9745e03499aeba6d4ba842.exe
        "C:\Users\Admin\AppData\Local\Temp\f8e7945bf1f2f610dfed315fe36f32fcc7cfe51b8b9745e03499aeba6d4ba842.exe"
        2⤵
        • Drops startup file
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1612
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4156
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:4732

    Network

          MITRE ATT&CK Enterprise v16

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Installer\setup.exe

            Filesize

            6.6MB

            MD5

            6858c486d9d5801afd025d02933b9767

            SHA1

            bc61dfe25512e9dc96299903c68f83fd56208d4d

            SHA256

            c6818e77bcad67e77ce79c01ef5fa59c8a490a7834792967b41434fc38529766

            SHA512

            3dca059c8ee0dbbd32f8a0afa62463876ac797ab93dbcded327d83492c912db8c89bcd6dbcf85479b37677cdd3c8248c270e41dedc56bd6552799a534f697e58

          • F:\$RECYCLE.BIN\S-1-5-21-3008489981-1977616533-741913813-1000\_desktop.ini

            Filesize

            9B

            MD5

            8d5d367ed8a2afc1fc0b8fc7d14da98c

            SHA1

            fddfad39cd8b448d0d3dbb6e9c67752999568783

            SHA256

            93740c0db50f557803e16032194380e92e586f9cd845c4543eae2c3aa97d95f6

            SHA512

            3215518f650fe697fa80054e2e7e98a55a23832309347704985d502ecf46726048291ace0a619b669726fda404c9235047a21563971a238864ee3523f5bbe96b

          • memory/1612-0-0x0000000000400000-0x0000000000444000-memory.dmp

            Filesize

            272KB

          • memory/1612-2207-0x0000000000400000-0x0000000000444000-memory.dmp

            Filesize

            272KB

          • memory/1612-2216-0x0000000000400000-0x0000000000444000-memory.dmp

            Filesize

            272KB

          • memory/1612-9756-0x0000000000400000-0x0000000000444000-memory.dmp

            Filesize

            272KB