Overview

overview

8

Static

static

5b0178b100...44.exe

windows7-x64

8

5b0178b100...44.exe

windows10-2004-x64

3

Analysis

  • max time kernel
    151s
  • max time network
    51s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    19/09/2022, 14:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5b0178b100b2dfce87329409ba540d774cd8c67f6015384bf0c531d7e6ec0244.exe

  • Size

    73KB

  • MD5

    283603429b2312747522fa5f9ceeb31c

  • SHA1

    1a44fef13109c2978d4bbe1b4ba87f28b3c227bb

  • SHA256

    5b0178b100b2dfce87329409ba540d774cd8c67f6015384bf0c531d7e6ec0244

  • SHA512

    6081f7c9637856a299cdc189d2ca9c06b049a41095492255a779006c8743c72baa318caf7a8391d3468b9b642469bf3aa1abca739a8346372a7240c80c7fbbde

  • SSDEEP

    1536:z7djD2JPlhxaqkm8w0qwxmX1jNYGyF9jmQ6zNq+PhsIyzN5neQlyuI2:nF2RlzZFR7VVX4BmhzYehsBR5neEXI2

Score
8/10
persistencespywarestealer

Malware Config

Signatures

  • Drops file in Drivers directory 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 22 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 43 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1212
      • C:\Users\Admin\AppData\Local\Temp\5b0178b100b2dfce87329409ba540d774cd8c67f6015384bf0c531d7e6ec0244.exe
        "C:\Users\Admin\AppData\Local\Temp\5b0178b100b2dfce87329409ba540d774cd8c67f6015384bf0c531d7e6ec0244.exe"
        2⤵
        • Drops file in Drivers directory
        • Adds Run key to start application
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1308
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1148
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:1692
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c C:\Users\Admin\AppData\Local\Temp\$$a14AA.bat
            3⤵
            • Deletes itself
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:1620
            • C:\Users\Admin\AppData\Local\Temp\5b0178b100b2dfce87329409ba540d774cd8c67f6015384bf0c531d7e6ec0244.exe
              "C:\Users\Admin\AppData\Local\Temp\5b0178b100b2dfce87329409ba540d774cd8c67f6015384bf0c531d7e6ec0244.exe"
              4⤵
              • Executes dropped EXE
              PID:276
          • C:\Windows\Logo1_.exe
            C:\Windows\Logo1_.exe
            3⤵
            • Drops file in Drivers directory
            • Executes dropped EXE
            • Adds Run key to start application
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:1540
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:268
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:1020
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:1812
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:1388

          Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\$$a14AA.bat
            Filesize

            722B

            MD5

            98e21de78f5eae9ad68badd043e03bb3

            SHA1

            5fa681cec9bf69abed0549d5c018fd9d086b3814

            SHA256

            0c8ef309b84d25777d8ee9ef238843547a7d5e4e442842fe4e97209a5baea389

            SHA512

            d22f26aff63200ddf92368d38669b747523060e9edf400a0a43223209bfa809e2213e9b7fb9c8f495848b2bb186ab29be82f949e6b3c1386a8ad703d32dff310

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\5b0178b100b2dfce87329409ba540d774cd8c67f6015384bf0c531d7e6ec0244.exe
            Filesize

            8KB

            MD5

            4626e80b9e51f5286dc658453c6c06cd

            SHA1

            ba6ffe090987faadd875dfb784c89aae28b9ba87

            SHA256

            552202f7e7f96dc3a1c0552618fe79be1be61cff34c332f822a41acab2d10e8a

            SHA512

            dc9bef28a50a008165137a1e72f353ebe8a5f06f1ea1cbf3095bda402ab2cbc61414612902f04549120b205537f4c3ec6f1228775df1cedef355ac4fb4c42255

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\5b0178b100b2dfce87329409ba540d774cd8c67f6015384bf0c531d7e6ec0244.exe.exe
            Filesize

            8KB

            MD5

            4626e80b9e51f5286dc658453c6c06cd

            SHA1

            ba6ffe090987faadd875dfb784c89aae28b9ba87

            SHA256

            552202f7e7f96dc3a1c0552618fe79be1be61cff34c332f822a41acab2d10e8a

            SHA512

            dc9bef28a50a008165137a1e72f353ebe8a5f06f1ea1cbf3095bda402ab2cbc61414612902f04549120b205537f4c3ec6f1228775df1cedef355ac4fb4c42255

            Download Submit

          • C:\Windows\Logo1_.exe
            Filesize

            65KB

            MD5

            f709738b65f30c7e2fe9451036718e14

            SHA1

            adfd1b48e6101f9ae093edb2d5d1ad2bd5864186

            SHA256

            40a64b896e33dd34629efca30d54079a618bf0f1481c04b100d0477c02e1ece5

            SHA512

            58f3f8a03e291c3051e0e246624b9527401106a6f9a477c7fa66b9de6ffc2d9a4206dbf2fd9a6b7a061075c27b7b39d1e158c66f8540c3bf639ad1b9063a1922

            Download Submit

          • C:\Windows\Logo1_.exe
            Filesize

            65KB

            MD5

            f709738b65f30c7e2fe9451036718e14

            SHA1

            adfd1b48e6101f9ae093edb2d5d1ad2bd5864186

            SHA256

            40a64b896e33dd34629efca30d54079a618bf0f1481c04b100d0477c02e1ece5

            SHA512

            58f3f8a03e291c3051e0e246624b9527401106a6f9a477c7fa66b9de6ffc2d9a4206dbf2fd9a6b7a061075c27b7b39d1e158c66f8540c3bf639ad1b9063a1922

            Download Submit

          • C:\Windows\uninstall\rundl132.exe
            Filesize

            65KB

            MD5

            f709738b65f30c7e2fe9451036718e14

            SHA1

            adfd1b48e6101f9ae093edb2d5d1ad2bd5864186

            SHA256

            40a64b896e33dd34629efca30d54079a618bf0f1481c04b100d0477c02e1ece5

            SHA512

            58f3f8a03e291c3051e0e246624b9527401106a6f9a477c7fa66b9de6ffc2d9a4206dbf2fd9a6b7a061075c27b7b39d1e158c66f8540c3bf639ad1b9063a1922

            Download Submit

          • \Users\Admin\AppData\Local\Temp\5b0178b100b2dfce87329409ba540d774cd8c67f6015384bf0c531d7e6ec0244.exe
            Filesize

            8KB

            MD5

            4626e80b9e51f5286dc658453c6c06cd

            SHA1

            ba6ffe090987faadd875dfb784c89aae28b9ba87

            SHA256

            552202f7e7f96dc3a1c0552618fe79be1be61cff34c332f822a41acab2d10e8a

            SHA512

            dc9bef28a50a008165137a1e72f353ebe8a5f06f1ea1cbf3095bda402ab2cbc61414612902f04549120b205537f4c3ec6f1228775df1cedef355ac4fb4c42255

            Download Submit

          • \Users\Admin\AppData\Local\Temp\5b0178b100b2dfce87329409ba540d774cd8c67f6015384bf0c531d7e6ec0244.exe
            Filesize

            8KB

            MD5

            4626e80b9e51f5286dc658453c6c06cd

            SHA1

            ba6ffe090987faadd875dfb784c89aae28b9ba87

            SHA256

            552202f7e7f96dc3a1c0552618fe79be1be61cff34c332f822a41acab2d10e8a

            SHA512

            dc9bef28a50a008165137a1e72f353ebe8a5f06f1ea1cbf3095bda402ab2cbc61414612902f04549120b205537f4c3ec6f1228775df1cedef355ac4fb4c42255

            Download Submit

          • memory/276-68-0x0000000074DA1000-0x0000000074DA3000-memory.dmp

            Filesize

            8KB

            Download

          • memory/1308-57-0x0000000000020000-0x0000000000040000-memory.dmp

            Filesize

            128KB

            Download

          • memory/1308-54-0x0000000000400000-0x0000000000446000-memory.dmp

            Filesize

            280KB

            Download

          • memory/1308-61-0x0000000000400000-0x0000000000446000-memory.dmp

            Filesize

            280KB

            Download

          • memory/1540-73-0x0000000000400000-0x0000000000446000-memory.dmp

            Filesize

            280KB

            Download

          • memory/1540-72-0x0000000000020000-0x0000000000040000-memory.dmp

            Filesize

            128KB

            Download

          • memory/1540-77-0x0000000000020000-0x0000000000040000-memory.dmp

            Filesize

            128KB

            Download

          • memory/1540-78-0x0000000000400000-0x0000000000446000-memory.dmp

            Filesize

            280KB

            Download