Overview

overview

7

Static

static

bdd47349c9...8b.exe

windows7-x64

6

bdd47349c9...8b.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    168s
  • max time network
    169s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-12-2022 23:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bdd47349c9e0764d2b83d2819d27607ee1ef07c17a1f18c8cdfc38b85e6dde8b.exe

  • Size

    33KB

  • MD5

    86145837a7c8fa76b1d1c5036080f277

  • SHA1

    267ca0bcdb2f8c5ff627d896b27f604b1d6c24b4

  • SHA256

    bdd47349c9e0764d2b83d2819d27607ee1ef07c17a1f18c8cdfc38b85e6dde8b

  • SHA512

    307809e4cbb78484e8b59f2c4f5778a8235a0684fbd0ad2fb7e9ea5d301ac42962f8c835f3fafc57093c6b5eb138ff94677e389d67a9807ca75599302be6f127

  • SSDEEP

    768:yQO5RroZJ76739sBWsI55uPquQ8W88nvlIq/J8:yQe+Zk78I5IvEnvlIq

Score
7/10
spywarestealer

Malware Config

Signatures

  • Drops startup file 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 22 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 60 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:2692
      • C:\Users\Admin\AppData\Local\Temp\bdd47349c9e0764d2b83d2819d27607ee1ef07c17a1f18c8cdfc38b85e6dde8b.exe
        "C:\Users\Admin\AppData\Local\Temp\bdd47349c9e0764d2b83d2819d27607ee1ef07c17a1f18c8cdfc38b85e6dde8b.exe"
        2⤵
        • Drops startup file
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:4536
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1592
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:908
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:4812
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              4⤵
                PID:4752

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/908-134-0x0000000000000000-mapping.dmp

          Download

        • memory/1592-133-0x0000000000000000-mapping.dmp

          Download

        • memory/4536-132-0x0000000000400000-0x000000000043F000-memory.dmp

          Filesize

          252KB

          Download

        • memory/4536-137-0x0000000000400000-0x000000000043F000-memory.dmp

          Filesize

          252KB

          Download

        • memory/4752-136-0x0000000000000000-mapping.dmp

          Download

        • memory/4812-135-0x0000000000000000-mapping.dmp

          Download