Overview

overview

8

Static

static

495abc8b93...b1.exe

windows7-x64

8

495abc8b93...b1.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    208s
  • max time network
    47s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    30/10/2022, 20:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    495abc8b9300ed9546bd4c8e0fbd9db681b5d4fc9930aff79af2a86928b90db1.exe

  • Size

    431KB

  • MD5

    916fa6842739dfa6ac86a2ed5b327fd0

  • SHA1

    19e0c9550b394466120daa26ca7b93de38dc7a24

  • SHA256

    495abc8b9300ed9546bd4c8e0fbd9db681b5d4fc9930aff79af2a86928b90db1

  • SHA512

    8b7a9320cb9016b612481ad63f45150dd5cf2b511246e48983f20f912e51c89350a8548ae51986df148633742e12c4ebf1108c1a7f0f922fbdec8f1b44133985

  • SSDEEP

    6144:B+aX3u6gT9op9A6TyE3ktD2OILj6c1EpQ+mpGS4nbGdLnVsT6szo0naGI:B+a9gx1yLbmpQ+AGSqb+IPaGI

Score
8/10
spywarestealer

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 22 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 43 IoCs
  • Suspicious use of WriteProcessMemory 41 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1216
      • C:\Users\Admin\AppData\Local\Temp\495abc8b9300ed9546bd4c8e0fbd9db681b5d4fc9930aff79af2a86928b90db1.exe
        "C:\Users\Admin\AppData\Local\Temp\495abc8b9300ed9546bd4c8e0fbd9db681b5d4fc9930aff79af2a86928b90db1.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:960
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:948
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:1420
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c C:\Users\Admin\AppData\Local\Temp\$$a5FA.bat
            3⤵
            • Deletes itself
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:1440
            • C:\Users\Admin\AppData\Local\Temp\495abc8b9300ed9546bd4c8e0fbd9db681b5d4fc9930aff79af2a86928b90db1.exe
              "C:\Users\Admin\AppData\Local\Temp\495abc8b9300ed9546bd4c8e0fbd9db681b5d4fc9930aff79af2a86928b90db1.exe"
              4⤵
              • Executes dropped EXE
              PID:660
          • C:\Windows\Logo1_.exe
            C:\Windows\Logo1_.exe
            3⤵
            • Executes dropped EXE
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:1768
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:648
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:828
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:916
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:672

          Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\$$a5FA.bat
            Filesize

            721B

            MD5

            17e7e1d427bd2b3eb8014f6608c1d146

            SHA1

            2d1ade5352bde69b68736f7220b23ec8617ac69d

            SHA256

            c1a9b55ce4947a50bdc60e82527db69606155240c153d92606f15f7553ee0ff8

            SHA512

            36a10c92d3cfd65b22ed34e789aa46a0e515e5c19049203e7d87e6a1f692758988b43d125f5e1752e3eef2e5d365e153db301f02fe5b18bf9bf38550e544f798

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\495abc8b9300ed9546bd4c8e0fbd9db681b5d4fc9930aff79af2a86928b90db1.exe
            Filesize

            398KB

            MD5

            ffefff1799d19de8f8d240bfc945775f

            SHA1

            2b77461bfaab6ee9d0dae522922865a0d6fbddd7

            SHA256

            6f20af99781fb61bd199c9594db183d972779d8543cd0d006c2fa63ed9c76c42

            SHA512

            307aeb0c1c24eae962fb5cec1276786abfa1a02141cd4195e25136c05191ec0f36598b441b8776ad094ce6c5fc2865ba76d318b6d8be1ef8866724622f48688e

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\495abc8b9300ed9546bd4c8e0fbd9db681b5d4fc9930aff79af2a86928b90db1.exe.exe
            Filesize

            398KB

            MD5

            ffefff1799d19de8f8d240bfc945775f

            SHA1

            2b77461bfaab6ee9d0dae522922865a0d6fbddd7

            SHA256

            6f20af99781fb61bd199c9594db183d972779d8543cd0d006c2fa63ed9c76c42

            SHA512

            307aeb0c1c24eae962fb5cec1276786abfa1a02141cd4195e25136c05191ec0f36598b441b8776ad094ce6c5fc2865ba76d318b6d8be1ef8866724622f48688e

            Download Submit

          • C:\Windows\Logo1_.exe
            Filesize

            33KB

            MD5

            83bea2b007b8fd1813be2345a1292546

            SHA1

            5fd98e2a3cdcb930daeeb83f5e1140164ae8ee2b

            SHA256

            f18b6f11abf725756e86ff9c1baf7b8d35afb45e259ab0d79529d6292e14879f

            SHA512

            8ae46e92738289d2479ba9fecc7d4d484323d202acb796fa940933c8b63d978aaf9705f2d637be8665cdf1ba0eb6f3857f6d3cd60ed46ad7e94021d5153cba9a

            Download Submit

          • C:\Windows\Logo1_.exe
            Filesize

            33KB

            MD5

            83bea2b007b8fd1813be2345a1292546

            SHA1

            5fd98e2a3cdcb930daeeb83f5e1140164ae8ee2b

            SHA256

            f18b6f11abf725756e86ff9c1baf7b8d35afb45e259ab0d79529d6292e14879f

            SHA512

            8ae46e92738289d2479ba9fecc7d4d484323d202acb796fa940933c8b63d978aaf9705f2d637be8665cdf1ba0eb6f3857f6d3cd60ed46ad7e94021d5153cba9a

            Download Submit

          • C:\Windows\rundl132.exe
            Filesize

            33KB

            MD5

            83bea2b007b8fd1813be2345a1292546

            SHA1

            5fd98e2a3cdcb930daeeb83f5e1140164ae8ee2b

            SHA256

            f18b6f11abf725756e86ff9c1baf7b8d35afb45e259ab0d79529d6292e14879f

            SHA512

            8ae46e92738289d2479ba9fecc7d4d484323d202acb796fa940933c8b63d978aaf9705f2d637be8665cdf1ba0eb6f3857f6d3cd60ed46ad7e94021d5153cba9a

            Download Submit

          • \Users\Admin\AppData\Local\Temp\495abc8b9300ed9546bd4c8e0fbd9db681b5d4fc9930aff79af2a86928b90db1.exe
            Filesize

            398KB

            MD5

            ffefff1799d19de8f8d240bfc945775f

            SHA1

            2b77461bfaab6ee9d0dae522922865a0d6fbddd7

            SHA256

            6f20af99781fb61bd199c9594db183d972779d8543cd0d006c2fa63ed9c76c42

            SHA512

            307aeb0c1c24eae962fb5cec1276786abfa1a02141cd4195e25136c05191ec0f36598b441b8776ad094ce6c5fc2865ba76d318b6d8be1ef8866724622f48688e

            Download Submit

          • memory/660-69-0x0000000000400000-0x0000000000469000-memory.dmp

            Filesize

            420KB

            Download

          • memory/960-60-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/960-56-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/1768-70-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/1768-74-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download