Analysis

  • max time kernel: 151s
  • max time network: 153s
  • platform: windows10-2004_x64
  • resource: win10v2004-20220901-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 11/10/2022, 09:45

General

  • Target: 886e8c24ade86028836b99f8c3e1a967bc870b2470c3fa707476ec265e9504df.exe
  • Size: 121KB
  • MD5: 1c6d0a9cf0b66e421fa982e3e4ec9776
  • SHA1: ec597ecc8548f6486cceeb4bf1723a8c563a835a
  • SHA256: 886e8c24ade86028836b99f8c3e1a967bc870b2470c3fa707476ec265e9504df
  • SHA512: b99cbce6a153b764d5093f90d9b18c1d409d1b44b1d54ea8d0e26857b1723277a3a2b8003ae550a39794834d8127a7251c19305a46c0d2ac05988da1096f8267
  • SSDEEP: 3072:PwaY46tGNttyJQ7KRBNf3wRqQxKvxnsRcaC:Y46tGdyRPeyxT

Score
8/10

Malware Config

Signatures

  • Drops file in Drivers directory 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Drops startup file 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates connected drives 3 TTPs 22 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:980
      • C:\Users\Admin\AppData\Local\Temp\886e8c24ade86028836b99f8c3e1a967bc870b2470c3fa707476ec265e9504df.exe
        "C:\Users\Admin\AppData\Local\Temp\886e8c24ade86028836b99f8c3e1a967bc870b2470c3fa707476ec265e9504df.exe"
        2⤵
        • Drops file in Drivers directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2204
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:4812
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:1780
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aD4F8.bat
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:2352
            • C:\Users\Admin\AppData\Local\Temp\886e8c24ade86028836b99f8c3e1a967bc870b2470c3fa707476ec265e9504df.exe
              "C:\Users\Admin\AppData\Local\Temp\886e8c24ade86028836b99f8c3e1a967bc870b2470c3fa707476ec265e9504df.exe"
              4⤵
              • Executes dropped EXE
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SendNotifyMessage
              PID:3128
          • C:\Windows\Logo1_.exe
            C:\Windows\Logo1_.exe
            3⤵
            • Drops file in Drivers directory
            • Executes dropped EXE
            • Drops startup file
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:2412
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:1180
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:1412
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:1900
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:4056

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\$$aD4F8.bat
    Filesize: 722B
    MD5: 4618befcd69ec0a989aad1bd44461c3b
    SHA1: 6e1de53848c45bee2ff04722772df04b74c09f1a
    SHA256: a60c12f4227c4dac15c2c22f90d9bea3320c9640decc65184aff6027d5185588
    SHA512: 3507068eb65194566a6a40830e70d03bf72f743b77ee7122ee1944c32067ad725af346f343a4bf6ead6ef4b0b9617919d85ba4da794be4077a464ddbc5ff6569

  • C:\Users\Admin\AppData\Local\Temp\886e8c24ade86028836b99f8c3e1a967bc870b2470c3fa707476ec265e9504df.exe
    Filesize: 88KB
    MD5: 9f480ae6157a5f6494343702163f9ed1
    SHA1: 65fed913b986aaa19e4287bee72170f4e3bc71e4
    SHA256: 573ef3707a5a7fd58dd7e529c1a9f19d1e5f2f68df1be157080bc830e8a3d97d
    SHA512: ca20f65fdfc080e4b9a7cd786ba8cd174dd651469d758c94f82661f213faec3dd772f0f843dee6e72c7b78ffd99c5deacccc11f0bd93c924909aa1fe77f8831d

  • C:\Users\Admin\AppData\Local\Temp\886e8c24ade86028836b99f8c3e1a967bc870b2470c3fa707476ec265e9504df.exe.exe
    Filesize: 88KB
    MD5: 9f480ae6157a5f6494343702163f9ed1
    SHA1: 65fed913b986aaa19e4287bee72170f4e3bc71e4
    SHA256: 573ef3707a5a7fd58dd7e529c1a9f19d1e5f2f68df1be157080bc830e8a3d97d
    SHA512: ca20f65fdfc080e4b9a7cd786ba8cd174dd651469d758c94f82661f213faec3dd772f0f843dee6e72c7b78ffd99c5deacccc11f0bd93c924909aa1fe77f8831d

  • C:\Windows\Logo1_.exe
    Filesize: 33KB
    MD5: fd4d8de3b2a84d826f8cbb041578dd83
    SHA1: 01402685a8ccad998d16e01f02b1ea4bb5a99b6c
    SHA256: acf0f42a040f9cbc3f9ac288160b49488a632490c281768c67936ba61b6b6341
    SHA512: 4acb4696361f5a2d62bf09b49c6e609640d4d8753b5971451635ee9d91a9f021cf21d3e3494017f35d85d3deb408900bfa49f71b75e5be8401e8cee03b4e93d3

  • C:\Windows\rundl132.exe
    Filesize: 33KB
    MD5: fd4d8de3b2a84d826f8cbb041578dd83
    SHA1: 01402685a8ccad998d16e01f02b1ea4bb5a99b6c
    SHA256: acf0f42a040f9cbc3f9ac288160b49488a632490c281768c67936ba61b6b6341
    SHA512: 4acb4696361f5a2d62bf09b49c6e609640d4d8753b5971451635ee9d91a9f021cf21d3e3494017f35d85d3deb408900bfa49f71b75e5be8401e8cee03b4e93d3

  • memory/2204-138-0x0000000000400000-0x000000000043E000-memory.dmp
    Filesize: 248KB

  • memory/2204-132-0x0000000000400000-0x000000000043E000-memory.dmp
    Filesize: 248KB

  • memory/2412-146-0x0000000000400000-0x000000000043E000-memory.dmp
    Filesize: 248KB

  • memory/2412-150-0x0000000000400000-0x000000000043E000-memory.dmp
    Filesize: 248KB