Overview

overview

9

Static

static

c45650e5fd...3e.exe

windows7-x64

9

c45650e5fd...3e.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    187s
  • max time network
    190s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    05/12/2022, 10:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c45650e5fde32af262f2ab4606998513b70b63850293b51795e190a6a6ac463e.exe

  • Size

    106KB

  • MD5

    6c55f1cdd2ec67568a8b2e7222951149

  • SHA1

    422c7f0655a7ceff4860b7031efc48dfa4198098

  • SHA256

    c45650e5fde32af262f2ab4606998513b70b63850293b51795e190a6a6ac463e

  • SHA512

    8f008b4e928f41d984d9e4acaca2e526422430afa73dda0aa249c8c430cdaf0fd69e97bd70d2bd8949b98023b3d8899171db9242638e8e032a91e6ccd5b46eeb

  • SSDEEP

    1536:27qnkAQtSaoGo5n4iLG0/WM6HGHSaYqemmjxi2uC+ysafJzRKUrawr55WYsf:nCSjGoLpWM6slmjxNu4JBzRKUrag+f

Score
9/10
persistencespywarestealerupx

Malware Config

Signatures

  • ACProtect 1.3x - 1.4x DLL software 2 IoCs

    Detects file using ACProtect software.

  • Drops file in Drivers directory 2 IoCs
  • Executes dropped EXE 2 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Deletes itself 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 22 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 8 IoCs
    persistence
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 43 IoCs
  • Suspicious use of WriteProcessMemory 43 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1256
      • C:\Users\Admin\AppData\Local\Temp\c45650e5fde32af262f2ab4606998513b70b63850293b51795e190a6a6ac463e.exe
        "C:\Users\Admin\AppData\Local\Temp\c45650e5fde32af262f2ab4606998513b70b63850293b51795e190a6a6ac463e.exe"
        2⤵
        • Drops file in Drivers directory
        • Adds Run key to start application
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1716
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1628
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:1576
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c C:\Users\Admin\AppData\Local\Temp\$$a9C02.bat
            3⤵
            • Deletes itself
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:1380
            • C:\Users\Admin\AppData\Local\Temp\c45650e5fde32af262f2ab4606998513b70b63850293b51795e190a6a6ac463e.exe
              "C:\Users\Admin\AppData\Local\Temp\c45650e5fde32af262f2ab4606998513b70b63850293b51795e190a6a6ac463e.exe"
              4⤵
              • Executes dropped EXE
              • Modifies WinLogon
              • Drops file in System32 directory
              • Suspicious use of SetThreadContext
              • Suspicious use of WriteProcessMemory
              PID:1448
              • C:\Windows\SysWOW64\svchost.exe
                svchost.exe
                5⤵
                • Loads dropped DLL
                PID:1756
          • C:\Windows\Logo1_.exe
            C:\Windows\Logo1_.exe
            3⤵
            • Drops file in Drivers directory
            • Executes dropped EXE
            • Adds Run key to start application
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:1664
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:1504
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:332
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:268
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:1308

          Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\$$a9C02.bat
            Filesize

            722B

            MD5

            60852ab0efe2d92f2d23a8c38533b900

            SHA1

            1645da2e9cd9eaae6c850798064893d7d0e85c54

            SHA256

            f41af76e91fe823fa93caa70d1d46979abd0dbaa8b31a3f57b17cae843d63ab5

            SHA512

            fb29c52ac6c0f4c2ded5bd8491f03b2a32bbb19dddb5c5b5caaeba174429c427fb791e33484576cd960895a4e6b4dea76b834aacfcf313efeded9ba5ae6fa159

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\c45650e5fde32af262f2ab4606998513b70b63850293b51795e190a6a6ac463e.exe
            Filesize

            13KB

            MD5

            1ea4fe4ad39736382af117487b7a7beb

            SHA1

            8ef35237d698ffb6934d79e9a1cc6c1d9d0bf853

            SHA256

            37ebb9e2a2675b32788ffa4c16728c49ccbda7998f3c97b1d2ffe4fc1f15a1e6

            SHA512

            78848e2f2e68416986ffea3839bc5955b912ddfcc9d259af1bd83006722e0d0404eb3bce78f8c2cfb7a40ac70b73b31078fb4f6d541baa9b4a18726e5a803652

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\c45650e5fde32af262f2ab4606998513b70b63850293b51795e190a6a6ac463e.exe.exe
            Filesize

            13KB

            MD5

            1ea4fe4ad39736382af117487b7a7beb

            SHA1

            8ef35237d698ffb6934d79e9a1cc6c1d9d0bf853

            SHA256

            37ebb9e2a2675b32788ffa4c16728c49ccbda7998f3c97b1d2ffe4fc1f15a1e6

            SHA512

            78848e2f2e68416986ffea3839bc5955b912ddfcc9d259af1bd83006722e0d0404eb3bce78f8c2cfb7a40ac70b73b31078fb4f6d541baa9b4a18726e5a803652

            Download Submit

          • C:\Windows\Logo1_.exe
            Filesize

            93KB

            MD5

            4812c27e497de8c92c4a81863796caae

            SHA1

            392223229195aff1c13383d87e2650288091cda9

            SHA256

            b34edb82a325d51d912bdc6fe03bbc17fe7c3bf6a5bf830882197c81ca61b41f

            SHA512

            949016e5a7fb80df83876cc7d31d71b70cd1c1c7e576eb33de8922c4f724e52f93886f3fdb54538fdb94aafa387203917f4f78590f0e8d14e8b1a3ce24a7787a

            Download Submit

          • C:\Windows\Logo1_.exe
            Filesize

            93KB

            MD5

            4812c27e497de8c92c4a81863796caae

            SHA1

            392223229195aff1c13383d87e2650288091cda9

            SHA256

            b34edb82a325d51d912bdc6fe03bbc17fe7c3bf6a5bf830882197c81ca61b41f

            SHA512

            949016e5a7fb80df83876cc7d31d71b70cd1c1c7e576eb33de8922c4f724e52f93886f3fdb54538fdb94aafa387203917f4f78590f0e8d14e8b1a3ce24a7787a

            Download Submit

          • C:\Windows\SysWOW64\sysfldr.dll
            Filesize

            12KB

            MD5

            b830ffb0a85b0a5eaef1467d5a591b6c

            SHA1

            0055719482e5caae2f825c3393e6db4bb4e97c56

            SHA256

            4488db889c9cb64a0777e178a6421f6521ebed22d00b7813877ce8e0277223d2

            SHA512

            8fda6024a3bd39566c0cb44c274b87dc0baf6ec35f94c45fc3ce94896df5e0d42efcfaaa42cb502aa0a3e70cfc6fd0a2d9e96ccfc6d8d86ee81050e601fdcf7b

            Download Submit

          • C:\Windows\uninstall\rundl132.exe
            Filesize

            93KB

            MD5

            4812c27e497de8c92c4a81863796caae

            SHA1

            392223229195aff1c13383d87e2650288091cda9

            SHA256

            b34edb82a325d51d912bdc6fe03bbc17fe7c3bf6a5bf830882197c81ca61b41f

            SHA512

            949016e5a7fb80df83876cc7d31d71b70cd1c1c7e576eb33de8922c4f724e52f93886f3fdb54538fdb94aafa387203917f4f78590f0e8d14e8b1a3ce24a7787a

            Download Submit

          • \Users\Admin\AppData\Local\Temp\c45650e5fde32af262f2ab4606998513b70b63850293b51795e190a6a6ac463e.exe
            Filesize

            13KB

            MD5

            1ea4fe4ad39736382af117487b7a7beb

            SHA1

            8ef35237d698ffb6934d79e9a1cc6c1d9d0bf853

            SHA256

            37ebb9e2a2675b32788ffa4c16728c49ccbda7998f3c97b1d2ffe4fc1f15a1e6

            SHA512

            78848e2f2e68416986ffea3839bc5955b912ddfcc9d259af1bd83006722e0d0404eb3bce78f8c2cfb7a40ac70b73b31078fb4f6d541baa9b4a18726e5a803652

            Download Submit

          • \Users\Admin\AppData\Local\Temp\c45650e5fde32af262f2ab4606998513b70b63850293b51795e190a6a6ac463e.exe
            Filesize

            13KB

            MD5

            1ea4fe4ad39736382af117487b7a7beb

            SHA1

            8ef35237d698ffb6934d79e9a1cc6c1d9d0bf853

            SHA256

            37ebb9e2a2675b32788ffa4c16728c49ccbda7998f3c97b1d2ffe4fc1f15a1e6

            SHA512

            78848e2f2e68416986ffea3839bc5955b912ddfcc9d259af1bd83006722e0d0404eb3bce78f8c2cfb7a40ac70b73b31078fb4f6d541baa9b4a18726e5a803652

            Download Submit

          • \Windows\SysWOW64\sysfldr.dll
            Filesize

            12KB

            MD5

            b830ffb0a85b0a5eaef1467d5a591b6c

            SHA1

            0055719482e5caae2f825c3393e6db4bb4e97c56

            SHA256

            4488db889c9cb64a0777e178a6421f6521ebed22d00b7813877ce8e0277223d2

            SHA512

            8fda6024a3bd39566c0cb44c274b87dc0baf6ec35f94c45fc3ce94896df5e0d42efcfaaa42cb502aa0a3e70cfc6fd0a2d9e96ccfc6d8d86ee81050e601fdcf7b

            Download Submit

          • memory/1448-67-0x0000000076041000-0x0000000076043000-memory.dmp

            Filesize

            8KB

            Download

          • memory/1756-72-0x0000000013140000-0x000000001314B000-memory.dmp

            Filesize

            44KB

            Download

          • memory/1756-77-0x0000000013140000-0x000000001314B000-memory.dmp

            Filesize

            44KB

            Download

          • memory/1756-78-0x0000000010000000-0x000000001000E000-memory.dmp

            Filesize

            56KB

            Download

          • memory/1756-80-0x0000000010000000-0x000000001000E000-memory.dmp

            Filesize

            56KB

            Download