Overview

overview

8

Static

static

a7f21ecf4c...93.exe

windows7-x64

8

a7f21ecf4c...93.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    151s
  • max time network
    47s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    24-11-2022 00:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a7f21ecf4cf7f47ce4118cea14377db5f850eb86681c6ef31a85ef923071cb93.exe

  • Size

    121KB

  • MD5

    0a7aa243845b1a597bf3138f0bcb0ce8

  • SHA1

    569d53e28f34d6545baa43e59cc222fa57851ad5

  • SHA256

    a7f21ecf4cf7f47ce4118cea14377db5f850eb86681c6ef31a85ef923071cb93

  • SHA512

    7876f1b9fff584709f80e511585c42b80a27478ef87edbde63129fdba97641150d3306fc02ee18762333e796736f5bd410b175db4a77a48c1e363feead56ba24

  • SSDEEP

    1536:/BOWsrz8VuJlMXaDuiNik1JCXf3l9izMfUBRq/YxiLvxnjXIRXMMGBkyJMjZROYc:/By8ulMXaKpNf3wRqQxKvxnsRcaC

Score
8/10
spywarestealer

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 22 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 43 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1420
      • C:\Users\Admin\AppData\Local\Temp\a7f21ecf4cf7f47ce4118cea14377db5f850eb86681c6ef31a85ef923071cb93.exe
        "C:\Users\Admin\AppData\Local\Temp\a7f21ecf4cf7f47ce4118cea14377db5f850eb86681c6ef31a85ef923071cb93.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1572
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1448
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:2012
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c C:\Users\Admin\AppData\Local\Temp\$$a2BA3.bat
            3⤵
            • Deletes itself
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:1896
            • C:\Users\Admin\AppData\Local\Temp\a7f21ecf4cf7f47ce4118cea14377db5f850eb86681c6ef31a85ef923071cb93.exe
              "C:\Users\Admin\AppData\Local\Temp\a7f21ecf4cf7f47ce4118cea14377db5f850eb86681c6ef31a85ef923071cb93.exe"
              4⤵
              • Executes dropped EXE
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SendNotifyMessage
              PID:1380
          • C:\Windows\Logo1_.exe
            C:\Windows\Logo1_.exe
            3⤵
            • Executes dropped EXE
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:1900
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:1936
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:584
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:2016
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:1312

          Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\$$a2BA3.bat
            Filesize

            722B

            MD5

            d29c8e077010bcc32c8f92eb284fbd0d

            SHA1

            0ed5f0cad86b430be1f948298b57efca560d06e1

            SHA256

            6236f6808c8750fe642594f9a4a261d69caffcc289eb27234153e22260fa2b90

            SHA512

            5d2042d2ede43053cce25e653cdc58878894ff892b46d7b8f99d61c826816cdd2f4bc1bb72692dd80e69ca3c79b2613fc7975595c68a862e496a61a0e04ad9d6

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\a7f21ecf4cf7f47ce4118cea14377db5f850eb86681c6ef31a85ef923071cb93.exe
            Filesize

            88KB

            MD5

            9f480ae6157a5f6494343702163f9ed1

            SHA1

            65fed913b986aaa19e4287bee72170f4e3bc71e4

            SHA256

            573ef3707a5a7fd58dd7e529c1a9f19d1e5f2f68df1be157080bc830e8a3d97d

            SHA512

            ca20f65fdfc080e4b9a7cd786ba8cd174dd651469d758c94f82661f213faec3dd772f0f843dee6e72c7b78ffd99c5deacccc11f0bd93c924909aa1fe77f8831d

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\a7f21ecf4cf7f47ce4118cea14377db5f850eb86681c6ef31a85ef923071cb93.exe.exe
            Filesize

            88KB

            MD5

            9f480ae6157a5f6494343702163f9ed1

            SHA1

            65fed913b986aaa19e4287bee72170f4e3bc71e4

            SHA256

            573ef3707a5a7fd58dd7e529c1a9f19d1e5f2f68df1be157080bc830e8a3d97d

            SHA512

            ca20f65fdfc080e4b9a7cd786ba8cd174dd651469d758c94f82661f213faec3dd772f0f843dee6e72c7b78ffd99c5deacccc11f0bd93c924909aa1fe77f8831d

            Download Submit

          • C:\Windows\Logo1_.exe
            Filesize

            33KB

            MD5

            ad4e1f196d99d83c49c257ab73bb1855

            SHA1

            708a4e77f88d7e213a222b7fde846e40e6856f19

            SHA256

            34275a61352ae40d6fb0c53e44167cfc9448bc12911f8744673196f166f6c954

            SHA512

            53426a0e706ac62d919265e7e24d59a7ddb0f43a2ec7c12ec3e08042accabdc105c8e83f803c1d74cc08ef42e8eae192e382eb5ecea58414a0767c2d1112a350

            Download Submit

          • C:\Windows\Logo1_.exe
            Filesize

            33KB

            MD5

            ad4e1f196d99d83c49c257ab73bb1855

            SHA1

            708a4e77f88d7e213a222b7fde846e40e6856f19

            SHA256

            34275a61352ae40d6fb0c53e44167cfc9448bc12911f8744673196f166f6c954

            SHA512

            53426a0e706ac62d919265e7e24d59a7ddb0f43a2ec7c12ec3e08042accabdc105c8e83f803c1d74cc08ef42e8eae192e382eb5ecea58414a0767c2d1112a350

            Download Submit

          • C:\Windows\rundl132.exe
            Filesize

            33KB

            MD5

            ad4e1f196d99d83c49c257ab73bb1855

            SHA1

            708a4e77f88d7e213a222b7fde846e40e6856f19

            SHA256

            34275a61352ae40d6fb0c53e44167cfc9448bc12911f8744673196f166f6c954

            SHA512

            53426a0e706ac62d919265e7e24d59a7ddb0f43a2ec7c12ec3e08042accabdc105c8e83f803c1d74cc08ef42e8eae192e382eb5ecea58414a0767c2d1112a350

            Download Submit

          • \Users\Admin\AppData\Local\Temp\a7f21ecf4cf7f47ce4118cea14377db5f850eb86681c6ef31a85ef923071cb93.exe
            Filesize

            88KB

            MD5

            9f480ae6157a5f6494343702163f9ed1

            SHA1

            65fed913b986aaa19e4287bee72170f4e3bc71e4

            SHA256

            573ef3707a5a7fd58dd7e529c1a9f19d1e5f2f68df1be157080bc830e8a3d97d

            SHA512

            ca20f65fdfc080e4b9a7cd786ba8cd174dd651469d758c94f82661f213faec3dd772f0f843dee6e72c7b78ffd99c5deacccc11f0bd93c924909aa1fe77f8831d

            Download Submit

          • \Users\Admin\AppData\Local\Temp\a7f21ecf4cf7f47ce4118cea14377db5f850eb86681c6ef31a85ef923071cb93.exe
            Filesize

            88KB

            MD5

            9f480ae6157a5f6494343702163f9ed1

            SHA1

            65fed913b986aaa19e4287bee72170f4e3bc71e4

            SHA256

            573ef3707a5a7fd58dd7e529c1a9f19d1e5f2f68df1be157080bc830e8a3d97d

            SHA512

            ca20f65fdfc080e4b9a7cd786ba8cd174dd651469d758c94f82661f213faec3dd772f0f843dee6e72c7b78ffd99c5deacccc11f0bd93c924909aa1fe77f8831d

            Download Submit

          • memory/584-66-0x0000000000000000-mapping.dmp

            Download

          • memory/1312-74-0x0000000000000000-mapping.dmp

            Download

          • memory/1380-75-0x0000000076121000-0x0000000076123000-memory.dmp

            Filesize

            8KB

            Download

          • memory/1380-71-0x0000000000000000-mapping.dmp

            Download

          • memory/1448-55-0x0000000000000000-mapping.dmp

            Download

          • memory/1572-54-0x0000000000400000-0x0000000000440000-memory.dmp

            Filesize

            256KB

            Download

          • memory/1572-62-0x0000000000400000-0x0000000000440000-memory.dmp

            Filesize

            256KB

            Download

          • memory/1572-59-0x0000000000270000-0x00000000002B0000-memory.dmp

            Filesize

            256KB

            Download

          • memory/1896-57-0x0000000000000000-mapping.dmp

            Download

          • memory/1900-67-0x0000000000400000-0x0000000000440000-memory.dmp

            Filesize

            256KB

            Download

          • memory/1900-60-0x0000000000000000-mapping.dmp

            Download

          • memory/1900-77-0x0000000000400000-0x0000000000440000-memory.dmp

            Filesize

            256KB

            Download

          • memory/1936-64-0x0000000000000000-mapping.dmp

            Download

          • memory/2012-56-0x0000000000000000-mapping.dmp

            Download

          • memory/2016-72-0x0000000000000000-mapping.dmp

            Download