Overview

overview

7

Static

static

26b830aed7...06.exe

windows7-x64

7

26b830aed7...06.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    204s
  • max time network
    210s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07/11/2022, 20:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    26b830aed74c3b8430ffed09cff32ff19fa833bd2216c1be42322af7c53f0706.exe

  • Size

    42KB

  • MD5

    0d95d37aca63976b5236ee4903ea500c

  • SHA1

    4cf56e341c7e04bfaa806c932aff4fe1b275377a

  • SHA256

    26b830aed74c3b8430ffed09cff32ff19fa833bd2216c1be42322af7c53f0706

  • SHA512

    40513867e83daa289c257c2b2056191e6588215db43d653de1703455f1ba076eaa5218a912ede1c943f4a3663ed47390926c4f2c05411ed8d7c8688b944e1b25

  • SSDEEP

    768:4ATmi5qNWxmcnc8uK8fNh4wD5dqJ2F6ePBs06uaPVHn9Vb5q37BxrkXDjwLn:jTYN2myxu9Nn6J2Fhs0HadHnDbK7Bxr1

Score
7/10
spywarestealer

Malware Config

Signatures

  • Drops startup file 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 22 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 46 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:700
      • C:\Users\Admin\AppData\Local\Temp\26b830aed74c3b8430ffed09cff32ff19fa833bd2216c1be42322af7c53f0706.exe
        "C:\Users\Admin\AppData\Local\Temp\26b830aed74c3b8430ffed09cff32ff19fa833bd2216c1be42322af7c53f0706.exe"
        2⤵
        • Drops startup file
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2900
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:4376
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:4168

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/2900-132-0x0000000000400000-0x000000000044E000-memory.dmp

        Filesize

        312KB

        Download

      • memory/2900-135-0x0000000000400000-0x000000000044E000-memory.dmp

        Filesize

        312KB

        Download