Overview

overview

8

Static

static

7849103402...55.exe

windows7-x64

8

7849103402...55.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-11-2022 00:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    78491034023643647b4983caa902e8e51b853f17931fa72e52f46e3af0fd6b55.exe

  • Size

    537KB

  • MD5

    1e770568a61e39f9aa0c8958859e2b50

  • SHA1

    ee91b154d3cc2815a1a828aadcd3b714a0a6a707

  • SHA256

    78491034023643647b4983caa902e8e51b853f17931fa72e52f46e3af0fd6b55

  • SHA512

    772a4d25549dd7c4ee50aff743c0572886042bf95aa1940be00bf5101a47ea4ae91b674717c3354138c607fce76b82707fe5fd4625397d6cab3d609640b8a756

  • SSDEEP

    12288:r1m0nzfWIbJjGuXjo6XRmaHzTWz5ndd1agOjH0zaHuNiT3XIizm:r1mUzOIbJjGndWjUzCuNuHIizm

Score
8/10
spywarestealer

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Drops startup file 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 22 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3060
      • C:\Users\Admin\AppData\Local\Temp\78491034023643647b4983caa902e8e51b853f17931fa72e52f46e3af0fd6b55.exe
        "C:\Users\Admin\AppData\Local\Temp\78491034023643647b4983caa902e8e51b853f17931fa72e52f46e3af0fd6b55.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:4660
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2032
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:4756
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aD68E.bat
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:4972
            • C:\Users\Admin\AppData\Local\Temp\78491034023643647b4983caa902e8e51b853f17931fa72e52f46e3af0fd6b55.exe
              "C:\Users\Admin\AppData\Local\Temp\78491034023643647b4983caa902e8e51b853f17931fa72e52f46e3af0fd6b55.exe"
              4⤵
              • Executes dropped EXE
              PID:3600
          • C:\Windows\Logo1_.exe
            C:\Windows\Logo1_.exe
            3⤵
            • Executes dropped EXE
            • Drops startup file
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:4924
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:4836
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:3908
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:628
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:3972

          Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\$$aD68E.bat
            Filesize

            722B

            MD5

            485f03e9680529355c26c0efcb742989

            SHA1

            a47b4911e3790c80f4b612fce190d0d813314ae3

            SHA256

            1a5f40dc1b6f956a5bb1fb2bc0a74194c8d35ffe37118d30a6f798ff4744b1fa

            SHA512

            d747c6d2284642d23068622c8cd9b0e8e625e255b8435a8096b8b0791950092fc8e7b6ff0424ee00b033066013db39271913bbfd97c07263bfe8e4950fa2d394

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\78491034023643647b4983caa902e8e51b853f17931fa72e52f46e3af0fd6b55.exe
            Filesize

            504KB

            MD5

            b0e618e37fedfebb9eaa445aba228417

            SHA1

            bb3ad3af1d3e296e0c2fdea94ca9d2467904011c

            SHA256

            3511d060a67d2feefb9800a8e26f3da692cd18ee97e5782bce92b04ca7c6d42e

            SHA512

            7a2890ebb850b37f0bd7e196499e96b7af86a82d9e5a2a2ec06e4b37cb00c3785fa801ac95acd569b9fe351088e48d0027b81b4b5a6bd896fdcf27e3659ef1ee

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\78491034023643647b4983caa902e8e51b853f17931fa72e52f46e3af0fd6b55.exe.exe
            Filesize

            504KB

            MD5

            b0e618e37fedfebb9eaa445aba228417

            SHA1

            bb3ad3af1d3e296e0c2fdea94ca9d2467904011c

            SHA256

            3511d060a67d2feefb9800a8e26f3da692cd18ee97e5782bce92b04ca7c6d42e

            SHA512

            7a2890ebb850b37f0bd7e196499e96b7af86a82d9e5a2a2ec06e4b37cb00c3785fa801ac95acd569b9fe351088e48d0027b81b4b5a6bd896fdcf27e3659ef1ee

            Download Submit

          • C:\Windows\Logo1_.exe
            Filesize

            33KB

            MD5

            bad9e77116d96b4253fafc95f9e9151a

            SHA1

            54163e840c68b858e80e97794fbba77fed8ba739

            SHA256

            96aa286cec5ade5ea725554006db344831dcf34a5dad4eb52981485c4dd2408c

            SHA512

            633dd9b9635a77f27cb89e522ff6bb5ffa8adb311fa1ac4c5c7d4e4bb7f4157efc8380b19fed8e431a8f2eb79e887bc9c619f7fa1e92f7e7d91b5e9e7b07fb3a

            Download Submit

          • C:\Windows\Logo1_.exe
            Filesize

            33KB

            MD5

            bad9e77116d96b4253fafc95f9e9151a

            SHA1

            54163e840c68b858e80e97794fbba77fed8ba739

            SHA256

            96aa286cec5ade5ea725554006db344831dcf34a5dad4eb52981485c4dd2408c

            SHA512

            633dd9b9635a77f27cb89e522ff6bb5ffa8adb311fa1ac4c5c7d4e4bb7f4157efc8380b19fed8e431a8f2eb79e887bc9c619f7fa1e92f7e7d91b5e9e7b07fb3a

            Download Submit

          • C:\Windows\rundl132.exe
            Filesize

            33KB

            MD5

            bad9e77116d96b4253fafc95f9e9151a

            SHA1

            54163e840c68b858e80e97794fbba77fed8ba739

            SHA256

            96aa286cec5ade5ea725554006db344831dcf34a5dad4eb52981485c4dd2408c

            SHA512

            633dd9b9635a77f27cb89e522ff6bb5ffa8adb311fa1ac4c5c7d4e4bb7f4157efc8380b19fed8e431a8f2eb79e887bc9c619f7fa1e92f7e7d91b5e9e7b07fb3a

            Download Submit

          • memory/628-143-0x0000000000000000-mapping.dmp

            Download

          • memory/2032-133-0x0000000000000000-mapping.dmp

            Download

          • memory/3600-148-0x0000000000000000-mapping.dmp

            Download

          • memory/3908-144-0x0000000000000000-mapping.dmp

            Download

          • memory/3972-145-0x0000000000000000-mapping.dmp

            Download

          • memory/4660-139-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/4660-132-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/4756-134-0x0000000000000000-mapping.dmp

            Download

          • memory/4836-140-0x0000000000000000-mapping.dmp

            Download

          • memory/4924-141-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/4924-136-0x0000000000000000-mapping.dmp

            Download

          • memory/4924-150-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/4972-135-0x0000000000000000-mapping.dmp

            Download