Overview

overview

8

Static

static

4682ad39fe...b9.exe

windows7-x64

8

4682ad39fe...b9.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    151s
  • max time network
    46s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    20-10-2022 22:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4682ad39fef4157aeaa497ffc0cd8e9f61915c1aff83d28f47306c9a97d152b9.exe

  • Size

    479KB

  • MD5

    4401e035c0f3d776a854ef3cd3cd9080

  • SHA1

    af7eb0ba46b6aae5c5b64c52e3e8a0cceb228de5

  • SHA256

    4682ad39fef4157aeaa497ffc0cd8e9f61915c1aff83d28f47306c9a97d152b9

  • SHA512

    037af2948cc83d17a9f660a91b03fb63e47fdff6b0652161b343307932928136ae91a2be21519e19517c38578b6fa630caaeaa90ccf2bf214f97a87a1bb4877f

  • SSDEEP

    3072:i1e+aX3K1fOHoqnPzErBJQCObI9bjI95xt5YZ3iV1cebaf4xmVoqiCiRSpnzIpTX:L+aX36WHoqnauRb0czOy/

Score
8/10
spywarestealer

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 22 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 43 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4682ad39fef4157aeaa497ffc0cd8e9f61915c1aff83d28f47306c9a97d152b9.exe
    "C:\Users\Admin\AppData\Local\Temp\4682ad39fef4157aeaa497ffc0cd8e9f61915c1aff83d28f47306c9a97d152b9.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:960
    • C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:948
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        3⤵
          PID:1784
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$a4847.bat
        2⤵
        • Deletes itself
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:1380
        • C:\Users\Admin\AppData\Local\Temp\4682ad39fef4157aeaa497ffc0cd8e9f61915c1aff83d28f47306c9a97d152b9.exe
          "C:\Users\Admin\AppData\Local\Temp\4682ad39fef4157aeaa497ffc0cd8e9f61915c1aff83d28f47306c9a97d152b9.exe"
          3⤵
          • Executes dropped EXE
          PID:468
      • C:\Windows\Logo1_.exe
        C:\Windows\Logo1_.exe
        2⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1768
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2032
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:1780
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:1724
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              4⤵
                PID:1172
        • C:\Windows\Explorer.EXE
          C:\Windows\Explorer.EXE
          1⤵
            PID:1296

          Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\$$a4847.bat
            Filesize

            722B

            MD5

            101bb7e425ee93c1cb96d731f38c20d1

            SHA1

            cf9e548efdd6cca760f04b898f0c16dd27015861

            SHA256

            e2caee73271fea3d21464ffb86dffab0a3cdf1c51eb182baa56ff782c0303c3c

            SHA512

            d2b9b1f21608746054005fdd7609f0ac1b59bb12df8ce6d1e49aac943f7feace62504886119a48a9b9c84c2e86c88e603aaf0d47a4accd4f2ec1303b6cd50915

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\4682ad39fef4157aeaa497ffc0cd8e9f61915c1aff83d28f47306c9a97d152b9.exe
            Filesize

            446KB

            MD5

            8cb298752db9d1788ba28b747f436fd7

            SHA1

            1b829fd918fb40a3a436546605a376a5b825ed93

            SHA256

            601f7fbdb1d3b011b91fed9e569917c47d940e30bb14f4ff3a833e2ce33d6537

            SHA512

            743bde8a1337b32750ef96b955a6a8866550e6e8147625daffb4bc6e0d428825441cd1112b97ddeb0c1b0127b3760367507a8bf58b0f142e123b9429b0a09abb

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\4682ad39fef4157aeaa497ffc0cd8e9f61915c1aff83d28f47306c9a97d152b9.exe.exe
            Filesize

            446KB

            MD5

            8cb298752db9d1788ba28b747f436fd7

            SHA1

            1b829fd918fb40a3a436546605a376a5b825ed93

            SHA256

            601f7fbdb1d3b011b91fed9e569917c47d940e30bb14f4ff3a833e2ce33d6537

            SHA512

            743bde8a1337b32750ef96b955a6a8866550e6e8147625daffb4bc6e0d428825441cd1112b97ddeb0c1b0127b3760367507a8bf58b0f142e123b9429b0a09abb

            Download Submit

          • C:\Windows\Logo1_.exe
            Filesize

            33KB

            MD5

            f1042a7378ce88282deb18ef35670908

            SHA1

            818edb3673dc52f46cf7fb5b82b6e47101b91038

            SHA256

            55a0d9ff019371432587496f3ce7228def8bd7b6d5365f883663afa1af7348cb

            SHA512

            cec7f1256c29c6805ffd1e0e2643318e7bfe447089317a3ae117fc762c3cb20cc08bcbd92435592a16b47a1999fd84e20f7f3734319d4dba186a0c28e9323079

            Download Submit

          • C:\Windows\Logo1_.exe
            Filesize

            33KB

            MD5

            f1042a7378ce88282deb18ef35670908

            SHA1

            818edb3673dc52f46cf7fb5b82b6e47101b91038

            SHA256

            55a0d9ff019371432587496f3ce7228def8bd7b6d5365f883663afa1af7348cb

            SHA512

            cec7f1256c29c6805ffd1e0e2643318e7bfe447089317a3ae117fc762c3cb20cc08bcbd92435592a16b47a1999fd84e20f7f3734319d4dba186a0c28e9323079

            Download Submit

          • C:\Windows\rundl132.exe
            Filesize

            33KB

            MD5

            f1042a7378ce88282deb18ef35670908

            SHA1

            818edb3673dc52f46cf7fb5b82b6e47101b91038

            SHA256

            55a0d9ff019371432587496f3ce7228def8bd7b6d5365f883663afa1af7348cb

            SHA512

            cec7f1256c29c6805ffd1e0e2643318e7bfe447089317a3ae117fc762c3cb20cc08bcbd92435592a16b47a1999fd84e20f7f3734319d4dba186a0c28e9323079

            Download Submit

          • \Users\Admin\AppData\Local\Temp\4682ad39fef4157aeaa497ffc0cd8e9f61915c1aff83d28f47306c9a97d152b9.exe
            Filesize

            446KB

            MD5

            8cb298752db9d1788ba28b747f436fd7

            SHA1

            1b829fd918fb40a3a436546605a376a5b825ed93

            SHA256

            601f7fbdb1d3b011b91fed9e569917c47d940e30bb14f4ff3a833e2ce33d6537

            SHA512

            743bde8a1337b32750ef96b955a6a8866550e6e8147625daffb4bc6e0d428825441cd1112b97ddeb0c1b0127b3760367507a8bf58b0f142e123b9429b0a09abb

            Download Submit

          • \Users\Admin\AppData\Local\Temp\4682ad39fef4157aeaa497ffc0cd8e9f61915c1aff83d28f47306c9a97d152b9.exe
            Filesize

            446KB

            MD5

            8cb298752db9d1788ba28b747f436fd7

            SHA1

            1b829fd918fb40a3a436546605a376a5b825ed93

            SHA256

            601f7fbdb1d3b011b91fed9e569917c47d940e30bb14f4ff3a833e2ce33d6537

            SHA512

            743bde8a1337b32750ef96b955a6a8866550e6e8147625daffb4bc6e0d428825441cd1112b97ddeb0c1b0127b3760367507a8bf58b0f142e123b9429b0a09abb

            Download Submit

          • memory/960-60-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/960-56-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/1768-63-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/1768-74-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download