Overview

overview

8

Static

static

415fc7deaf...f6.exe

windows7-x64

8

415fc7deaf...f6.exe

windows10-2004-x64

3

Analysis

  • max time kernel
    150s
  • max time network
    49s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    29-10-2022 20:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    415fc7deafa34c0368bd636bfc550d2f442d74d5d39f2f18739b4a677d1c51f6.exe

  • Size

    243KB

  • MD5

    84c3d5e82d228a1099b370e6dbcc1a30

  • SHA1

    7415400c2112a608e4f8df69fd3804e2659c5ea9

  • SHA256

    415fc7deafa34c0368bd636bfc550d2f442d74d5d39f2f18739b4a677d1c51f6

  • SHA512

    54ceef2c05c1444a9ee5dc1798312898ec5d3ba61c03636691917eb9dc6fe500a9fbefe469eb3921eb74767b3993e50da74dd07bb636779210bb2a8081ab6a92

  • SSDEEP

    3072:aq+kzUMIXLZdz1gfOkwgPf0/HJqCQbKjn905m9gtcz5b7ehDhdj97n9tSPHG7jgQ:V+kzUMIbZdzmGknwBJb7qhKPm7jY4

Score
8/10
persistencespywarestealer

Malware Config

Signatures

  • Drops file in Drivers directory 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 22 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 43 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1424
      • C:\Users\Admin\AppData\Local\Temp\415fc7deafa34c0368bd636bfc550d2f442d74d5d39f2f18739b4a677d1c51f6.exe
        "C:\Users\Admin\AppData\Local\Temp\415fc7deafa34c0368bd636bfc550d2f442d74d5d39f2f18739b4a677d1c51f6.exe"
        2⤵
        • Drops file in Drivers directory
        • Adds Run key to start application
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1492
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1124
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:276
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c C:\Users\Admin\AppData\Local\Temp\$$a143D.bat
            3⤵
            • Deletes itself
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:1360
            • C:\Users\Admin\AppData\Local\Temp\415fc7deafa34c0368bd636bfc550d2f442d74d5d39f2f18739b4a677d1c51f6.exe
              "C:\Users\Admin\AppData\Local\Temp\415fc7deafa34c0368bd636bfc550d2f442d74d5d39f2f18739b4a677d1c51f6.exe"
              4⤵
              • Executes dropped EXE
              PID:1708
          • C:\Windows\Logo1_.exe
            C:\Windows\Logo1_.exe
            3⤵
            • Drops file in Drivers directory
            • Executes dropped EXE
            • Adds Run key to start application
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:284
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:540
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:1780
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:832
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:1900

          Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\$$a143D.bat
            Filesize

            722B

            MD5

            e8254d5894e803a60280e691965c8510

            SHA1

            b01422320c113c66816a5b82a11db269a53eddfa

            SHA256

            c4f668b56492fd6cfb6fd93f2162c54e9a2b7b0c385b9a793b60d5efe69b3e45

            SHA512

            74cf8fbe763cca1544e4fd051e8da7612cb54de42fa7eb6635d4f70f8a3b296ca68fef04a7b165aed8c0d4369202573be38b2e0628d0a06d8143e53121c279b1

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\415fc7deafa34c0368bd636bfc550d2f442d74d5d39f2f18739b4a677d1c51f6.exe
            Filesize

            181KB

            MD5

            18d43e6807f489142a4c2e1ed21b1b39

            SHA1

            14f7024ea93c2b5d90e972e7dab60f848777ff6b

            SHA256

            45287a4eecc40db7194039f09e955735e169949f09cdd1f172c43681805daf66

            SHA512

            c88bd89965aefe3b89ce2d70a9321c9c0196c7e450cb3c2933ffcb646a3db4c0e34642a046906e3a8505a1bcd2170765cfdea99a1b3e8e6a7b388d1eaaf29fc2

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\415fc7deafa34c0368bd636bfc550d2f442d74d5d39f2f18739b4a677d1c51f6.exe.exe
            Filesize

            181KB

            MD5

            18d43e6807f489142a4c2e1ed21b1b39

            SHA1

            14f7024ea93c2b5d90e972e7dab60f848777ff6b

            SHA256

            45287a4eecc40db7194039f09e955735e169949f09cdd1f172c43681805daf66

            SHA512

            c88bd89965aefe3b89ce2d70a9321c9c0196c7e450cb3c2933ffcb646a3db4c0e34642a046906e3a8505a1bcd2170765cfdea99a1b3e8e6a7b388d1eaaf29fc2

            Download Submit

          • C:\Windows\Logo1_.exe
            Filesize

            61KB

            MD5

            15a36510467f0539d3118f1153a68890

            SHA1

            b498571cd6b38896ff732dd3d137325faf40b40f

            SHA256

            b7cd9bb6fe5df020606b4d8d3a3112faf69b742fd59020f00d7e7566ab3d919d

            SHA512

            8c4d0c3483748b3f33e9f28b298bf7255664b3fab1cf93d97443d7a134a4bb12374e31e9189686f0a4c1c0963c2c50544a133da88cd7b989ff0b4632e1467277

            Download Submit

          • C:\Windows\Logo1_.exe
            Filesize

            61KB

            MD5

            15a36510467f0539d3118f1153a68890

            SHA1

            b498571cd6b38896ff732dd3d137325faf40b40f

            SHA256

            b7cd9bb6fe5df020606b4d8d3a3112faf69b742fd59020f00d7e7566ab3d919d

            SHA512

            8c4d0c3483748b3f33e9f28b298bf7255664b3fab1cf93d97443d7a134a4bb12374e31e9189686f0a4c1c0963c2c50544a133da88cd7b989ff0b4632e1467277

            Download Submit

          • C:\Windows\uninstall\rundl132.exe
            Filesize

            61KB

            MD5

            15a36510467f0539d3118f1153a68890

            SHA1

            b498571cd6b38896ff732dd3d137325faf40b40f

            SHA256

            b7cd9bb6fe5df020606b4d8d3a3112faf69b742fd59020f00d7e7566ab3d919d

            SHA512

            8c4d0c3483748b3f33e9f28b298bf7255664b3fab1cf93d97443d7a134a4bb12374e31e9189686f0a4c1c0963c2c50544a133da88cd7b989ff0b4632e1467277

            Download Submit

          • \Users\Admin\AppData\Local\Temp\415fc7deafa34c0368bd636bfc550d2f442d74d5d39f2f18739b4a677d1c51f6.exe
            Filesize

            181KB

            MD5

            18d43e6807f489142a4c2e1ed21b1b39

            SHA1

            14f7024ea93c2b5d90e972e7dab60f848777ff6b

            SHA256

            45287a4eecc40db7194039f09e955735e169949f09cdd1f172c43681805daf66

            SHA512

            c88bd89965aefe3b89ce2d70a9321c9c0196c7e450cb3c2933ffcb646a3db4c0e34642a046906e3a8505a1bcd2170765cfdea99a1b3e8e6a7b388d1eaaf29fc2

            Download Submit

          • \Users\Admin\AppData\Local\Temp\415fc7deafa34c0368bd636bfc550d2f442d74d5d39f2f18739b4a677d1c51f6.exe
            Filesize

            181KB

            MD5

            18d43e6807f489142a4c2e1ed21b1b39

            SHA1

            14f7024ea93c2b5d90e972e7dab60f848777ff6b

            SHA256

            45287a4eecc40db7194039f09e955735e169949f09cdd1f172c43681805daf66

            SHA512

            c88bd89965aefe3b89ce2d70a9321c9c0196c7e450cb3c2933ffcb646a3db4c0e34642a046906e3a8505a1bcd2170765cfdea99a1b3e8e6a7b388d1eaaf29fc2

            Download Submit

          • memory/276-55-0x0000000000000000-mapping.dmp

            Download

          • memory/284-72-0x0000000000020000-0x0000000000040000-memory.dmp

            Filesize

            128KB

            Download

          • memory/284-78-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/284-77-0x0000000000020000-0x0000000000040000-memory.dmp

            Filesize

            128KB

            Download

          • memory/284-59-0x0000000000000000-mapping.dmp

            Download

          • memory/284-73-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/540-63-0x0000000000000000-mapping.dmp

            Download

          • memory/832-75-0x0000000000000000-mapping.dmp

            Download

          • memory/1124-54-0x0000000000000000-mapping.dmp

            Download

          • memory/1360-58-0x0000000000000000-mapping.dmp

            Download

          • memory/1492-56-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/1492-57-0x0000000000020000-0x0000000000040000-memory.dmp

            Filesize

            128KB

            Download

          • memory/1492-61-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/1708-68-0x0000000000000000-mapping.dmp

            Download

          • memory/1708-71-0x0000000076BA1000-0x0000000076BA3000-memory.dmp

            Filesize

            8KB

            Download

          • memory/1780-69-0x0000000000000000-mapping.dmp

            Download

          • memory/1900-76-0x0000000000000000-mapping.dmp

            Download