Overview

overview

8

Static

static

8

fafd817fab...90.exe

windows7-x64

8

fafd817fab...90.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    152s
  • max time network
    46s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    03-12-2022 20:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fafd817fab4bb6f570667c14f5eb20555887d94ebddf4e7e5a3431f5ffde1490.exe

  • Size

    114KB

  • MD5

    28c9e6411eb87ddd16f683076b586c40

  • SHA1

    24dfdefc5f7b07cc78a1dd3ade37f9b4d8b1f2d7

  • SHA256

    fafd817fab4bb6f570667c14f5eb20555887d94ebddf4e7e5a3431f5ffde1490

  • SHA512

    93925dfed1f7801a5e546ad2cedb2f1e9f988701a2de05cfd1ccddcc1a171d21952ca7b921534596478a98ae1ebaec1b9ba2485487f18a830692b25cecf035f2

  • SSDEEP

    3072:nKllQobyP8ebgcffWqPL1/7w6ZAs+VBK:nKllrbBzm7QV

Score
8/10
spywarestealerupx

Malware Config

Signatures

  • Drops file in Drivers directory 2 IoCs
  • Executes dropped EXE 2 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Deletes itself 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 22 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 43 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1256
      • C:\Users\Admin\AppData\Local\Temp\fafd817fab4bb6f570667c14f5eb20555887d94ebddf4e7e5a3431f5ffde1490.exe
        "C:\Users\Admin\AppData\Local\Temp\fafd817fab4bb6f570667c14f5eb20555887d94ebddf4e7e5a3431f5ffde1490.exe"
        2⤵
        • Drops file in Drivers directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1800
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2012
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:892
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c C:\Users\Admin\AppData\Local\Temp\$$a417.bat
            3⤵
            • Deletes itself
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:960
            • C:\Users\Admin\AppData\Local\Temp\fafd817fab4bb6f570667c14f5eb20555887d94ebddf4e7e5a3431f5ffde1490.exe
              "C:\Users\Admin\AppData\Local\Temp\fafd817fab4bb6f570667c14f5eb20555887d94ebddf4e7e5a3431f5ffde1490.exe"
              4⤵
              • Executes dropped EXE
              PID:1352
          • C:\Windows\Logo1_.exe
            C:\Windows\Logo1_.exe
            3⤵
            • Drops file in Drivers directory
            • Executes dropped EXE
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:1584
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:624
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:836
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:1868
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:1192

          Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\$$a417.bat
            Filesize

            721B

            MD5

            747edc63dfb4689b98ad036c0c9c99c6

            SHA1

            99deeab1ca26a4475160da24f132c4038886f2ed

            SHA256

            5ab2fe808e68638d46eed3f5ef6c496709b7a864fefdc59357883ab90f59d56a

            SHA512

            1b9c6435831de9c3c069550af3691c56f1f6a30c13dfc27360b63f4c484eec85364356a4da85b0be384572c8cb2902809dde1496c536f708db5b2c4737f72364

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\fafd817fab4bb6f570667c14f5eb20555887d94ebddf4e7e5a3431f5ffde1490.exe
            Filesize

            76KB

            MD5

            f8a069e7d2bb8868cea4def627cde6e9

            SHA1

            25f64b33dd8d98766e12272aab10f6c44cd00d0f

            SHA256

            5af3085b3970bb90679b1afd187b10b98ae4551d7962448b79b2f2def151f3eb

            SHA512

            67ebcd7bd7f2fa224f82762e80f21d27b41a217f07572b278261a2163d55b5e22f1f47522670e3ef570dd4e70a8fc70a84eb3a8e4a3087f34fa6e2cec6ef2985

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\fafd817fab4bb6f570667c14f5eb20555887d94ebddf4e7e5a3431f5ffde1490.exe.exe
            Filesize

            76KB

            MD5

            f8a069e7d2bb8868cea4def627cde6e9

            SHA1

            25f64b33dd8d98766e12272aab10f6c44cd00d0f

            SHA256

            5af3085b3970bb90679b1afd187b10b98ae4551d7962448b79b2f2def151f3eb

            SHA512

            67ebcd7bd7f2fa224f82762e80f21d27b41a217f07572b278261a2163d55b5e22f1f47522670e3ef570dd4e70a8fc70a84eb3a8e4a3087f34fa6e2cec6ef2985

            Download Submit

          • C:\Windows\Logo1_.exe
            Filesize

            38KB

            MD5

            db7f97e061fda5b5ca7a176fa6dc44ea

            SHA1

            54c4ad0fef6e66887f538b352293f92cc612fd81

            SHA256

            a919e2e5a25a269e84e0e30daf919db1804720926a8ab5b59e78fdc8cad14817

            SHA512

            a1deb06d493eb1a8ee9c8959560d606fa686c48c460357ee2c7bdeee0542132515d269bb3d5c91dd09496042676100428f3fbc5c1dceb8e5c7a661bd77d4cc22

            Download Submit

          • C:\Windows\Logo1_.exe
            Filesize

            38KB

            MD5

            db7f97e061fda5b5ca7a176fa6dc44ea

            SHA1

            54c4ad0fef6e66887f538b352293f92cc612fd81

            SHA256

            a919e2e5a25a269e84e0e30daf919db1804720926a8ab5b59e78fdc8cad14817

            SHA512

            a1deb06d493eb1a8ee9c8959560d606fa686c48c460357ee2c7bdeee0542132515d269bb3d5c91dd09496042676100428f3fbc5c1dceb8e5c7a661bd77d4cc22

            Download Submit

          • \Users\Admin\AppData\Local\Temp\fafd817fab4bb6f570667c14f5eb20555887d94ebddf4e7e5a3431f5ffde1490.exe
            Filesize

            76KB

            MD5

            f8a069e7d2bb8868cea4def627cde6e9

            SHA1

            25f64b33dd8d98766e12272aab10f6c44cd00d0f

            SHA256

            5af3085b3970bb90679b1afd187b10b98ae4551d7962448b79b2f2def151f3eb

            SHA512

            67ebcd7bd7f2fa224f82762e80f21d27b41a217f07572b278261a2163d55b5e22f1f47522670e3ef570dd4e70a8fc70a84eb3a8e4a3087f34fa6e2cec6ef2985

            Download Submit

          • \Users\Admin\AppData\Local\Temp\fafd817fab4bb6f570667c14f5eb20555887d94ebddf4e7e5a3431f5ffde1490.exe
            Filesize

            76KB

            MD5

            f8a069e7d2bb8868cea4def627cde6e9

            SHA1

            25f64b33dd8d98766e12272aab10f6c44cd00d0f

            SHA256

            5af3085b3970bb90679b1afd187b10b98ae4551d7962448b79b2f2def151f3eb

            SHA512

            67ebcd7bd7f2fa224f82762e80f21d27b41a217f07572b278261a2163d55b5e22f1f47522670e3ef570dd4e70a8fc70a84eb3a8e4a3087f34fa6e2cec6ef2985

            Download Submit

          • memory/1584-70-0x0000000000400000-0x0000000000431000-memory.dmp

            Filesize

            196KB

            Download

          • memory/1584-73-0x0000000000400000-0x0000000000431000-memory.dmp

            Filesize

            196KB

            Download

          • memory/1800-56-0x0000000000400000-0x0000000000431000-memory.dmp

            Filesize

            196KB

            Download

          • memory/1800-60-0x0000000000400000-0x0000000000431000-memory.dmp

            Filesize

            196KB

            Download