Analysis

  • max time kernel
    150s
  • max time network
    128s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    06/11/2022, 15:30

General

  • Target
    4a2d5bcabfafe890daf62ef6fa23070dfbd14a04d3753b89e0380cab9cc8c65a.exe
  • Size
    121KB
  • MD5
    085c34714071458bbf95588791ce1b33
  • SHA1
    3380f65b05ab5025e1e63f1892fffb8164768084
  • SHA256
    4a2d5bcabfafe890daf62ef6fa23070dfbd14a04d3753b89e0380cab9cc8c65a
  • SHA512
    96d30ab7f7ecfbccc2e3c8119957c6be3423ccd99b0c140ef79c00f9b800c76734869ed2f4602476baf770887ca64206a3272a3e233f67ee7a0297b064303632
  • SSDEEP
    1536:27qnkAQtSaoGo5n4iLG0/WM6HGHSaYqemmjxi2uC+ysafJe6QEM:nCSjGoLpWM6slmjxNu4JBXk

Malware Config

Signatures

  • Drops file in Drivers directory 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 4 IoCs
  • Enumerates connected drives 3 TTPs 22 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:2664
      • C:\Users\Admin\AppData\Local\Temp\4a2d5bcabfafe890daf62ef6fa23070dfbd14a04d3753b89e0380cab9cc8c65a.exe
        "C:\Users\Admin\AppData\Local\Temp\4a2d5bcabfafe890daf62ef6fa23070dfbd14a04d3753b89e0380cab9cc8c65a.exe"
        2⤵
        • Drops file in Drivers directory
        • Adds Run key to start application
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:4996
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1188
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:1432
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB470.bat
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:1048
            • C:\Users\Admin\AppData\Local\Temp\4a2d5bcabfafe890daf62ef6fa23070dfbd14a04d3753b89e0380cab9cc8c65a.exe
              "C:\Users\Admin\AppData\Local\Temp\4a2d5bcabfafe890daf62ef6fa23070dfbd14a04d3753b89e0380cab9cc8c65a.exe"
              4⤵
              • Executes dropped EXE
              PID:4148
          • C:\Windows\Logo1_.exe
            C:\Windows\Logo1_.exe
            3⤵
            • Drops file in Drivers directory
            • Executes dropped EXE
            • Adds Run key to start application
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:2136
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:3068
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:1564
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:3624
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:3172

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\$$aB470.bat
    Filesize
    722B
    MD5
    472137bffdd8b933bf9f9e2fa868fd45
    SHA1
    6e92c62ea8d5c4e51525936a276e2cfd3c33f4ef
    SHA256
    a02fda3480e8b248468211a6c9d760b087186a310a209121e9155d9faf0ffcbf
    SHA512
    218c9e1b64c2de06ec3f459947e624003961aae5eff6a0d5ea38cf5a1ed04496fa7ecdb463b22eb8148107e496181236708902f259145a44ca0f72da1c784084

  • C:\Users\Admin\AppData\Local\Temp\4a2d5bcabfafe890daf62ef6fa23070dfbd14a04d3753b89e0380cab9cc8c65a.exe
    Filesize
    28KB
    MD5
    a8f5f83037e906d2e9e099c35c239197
    SHA1
    fc4419c022afd2e92eef60ca57f1ada48354bfea
    SHA256
    1e1bf35df960dc94de265ac6715233ca908819149526c7cf01a31ccb418bdc1a
    SHA512
    3249baf8558fe493f417e4ad1053b26f216c45ff9e08742c5fbf676ad013bc9aedb6eab5c72601a3df12e0a77ed721b2382ef43c5e190ad26c2d5c5e94ca5c23

  • C:\Users\Admin\AppData\Local\Temp\4a2d5bcabfafe890daf62ef6fa23070dfbd14a04d3753b89e0380cab9cc8c65a.exe.exe
    Filesize
    28KB
    MD5
    a8f5f83037e906d2e9e099c35c239197
    SHA1
    fc4419c022afd2e92eef60ca57f1ada48354bfea
    SHA256
    1e1bf35df960dc94de265ac6715233ca908819149526c7cf01a31ccb418bdc1a
    SHA512
    3249baf8558fe493f417e4ad1053b26f216c45ff9e08742c5fbf676ad013bc9aedb6eab5c72601a3df12e0a77ed721b2382ef43c5e190ad26c2d5c5e94ca5c23

  • C:\Windows\Logo1_.exe
    Filesize
    93KB
    MD5
    4812c27e497de8c92c4a81863796caae
    SHA1
    392223229195aff1c13383d87e2650288091cda9
    SHA256
    b34edb82a325d51d912bdc6fe03bbc17fe7c3bf6a5bf830882197c81ca61b41f
    SHA512
    949016e5a7fb80df83876cc7d31d71b70cd1c1c7e576eb33de8922c4f724e52f93886f3fdb54538fdb94aafa387203917f4f78590f0e8d14e8b1a3ce24a7787a

  • C:\Windows\uninstall\rundl132.exe
    Filesize
    93KB
    MD5
    4812c27e497de8c92c4a81863796caae
    SHA1
    392223229195aff1c13383d87e2650288091cda9
    SHA256
    b34edb82a325d51d912bdc6fe03bbc17fe7c3bf6a5bf830882197c81ca61b41f
    SHA512
    949016e5a7fb80df83876cc7d31d71b70cd1c1c7e576eb33de8922c4f724e52f93886f3fdb54538fdb94aafa387203917f4f78590f0e8d14e8b1a3ce24a7787a