Overview

overview

8

Static

static

03025961df...4d.exe

windows7-x64

8

03025961df...4d.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    152s
  • max time network
    49s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    07/12/2022, 03:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    03025961df195270d9cda9596baf8c82d1b05d7afc7965af94cce26e2bb0864d.exe

  • Size

    225KB

  • MD5

    1af6ad49800017ea9fa86be06d632dca

  • SHA1

    b4fed53e9e711b33ce5279ba43432f0834e4ba1c

  • SHA256

    03025961df195270d9cda9596baf8c82d1b05d7afc7965af94cce26e2bb0864d

  • SHA512

    015f09e2482e5e8e061f623ef6a5f78b6ab3ff4c03f4d0fb03bbb8f1fff7d0da28288eab97cd51e7d739212bfe746db3a625045bad3e2cefaad572d953196707

  • SSDEEP

    6144:P46tGdyXLNVm07cXkokwGb0+4F1hbtJY:P3NXrm07cXkoNGb0+47h/Y

Score
8/10
spywarestealer

Malware Config

Signatures

  • Drops file in Drivers directory 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 22 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 43 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\03025961df195270d9cda9596baf8c82d1b05d7afc7965af94cce26e2bb0864d.exe
    "C:\Users\Admin\AppData\Local\Temp\03025961df195270d9cda9596baf8c82d1b05d7afc7965af94cce26e2bb0864d.exe"
    1⤵
    • Drops file in Drivers directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1932
    • C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2008
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        3⤵
          PID:1452
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$a4358.bat
        2⤵
        • Deletes itself
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:1512
        • C:\Users\Admin\AppData\Local\Temp\03025961df195270d9cda9596baf8c82d1b05d7afc7965af94cce26e2bb0864d.exe
          "C:\Users\Admin\AppData\Local\Temp\03025961df195270d9cda9596baf8c82d1b05d7afc7965af94cce26e2bb0864d.exe"
          3⤵
          • Executes dropped EXE
          PID:1644
      • C:\Windows\Logo1_.exe
        C:\Windows\Logo1_.exe
        2⤵
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1240
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1344
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:968
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:728
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              4⤵
                PID:1260
        • C:\Windows\Explorer.EXE
          C:\Windows\Explorer.EXE
          1⤵
            PID:1244

          Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\$$a4358.bat
            Filesize

            722B

            MD5

            5b5ca4bf27553db6bbc805a3e7666804

            SHA1

            a4de8b330b0429deaec74393281310a780d44afe

            SHA256

            5a152d4eab6dddf0dc7995cff4c6b97bdc0631add0025d77e4bf5b533aab4ffa

            SHA512

            f4c47c32e4dd3f5693c3c4ca53a00725c29cf1078163ee477041cc29c7cc8da4af1d6ffc0afeb1b55cd8a7fa5479c64669ed0c992fee8e11e832adc2a15181d2

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\03025961df195270d9cda9596baf8c82d1b05d7afc7965af94cce26e2bb0864d.exe
            Filesize

            192KB

            MD5

            42e830b29f527351e61ff2520b8e2178

            SHA1

            07ed65049ab272cd5592d8bb8999623b7b8e62e4

            SHA256

            24ef80921c15af3fb368437ff45f80d7842bafefd6212340022e2c1229f0e39f

            SHA512

            adfe1390f298a81f16a9de3925733ce9914fecd77a86f360cbe43d2394f2e5e52865a30c9bd122ba1247ea1f3cef63b0e63bb3a0212f5f78eba32e5a0f616ad6

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\03025961df195270d9cda9596baf8c82d1b05d7afc7965af94cce26e2bb0864d.exe.exe
            Filesize

            192KB

            MD5

            42e830b29f527351e61ff2520b8e2178

            SHA1

            07ed65049ab272cd5592d8bb8999623b7b8e62e4

            SHA256

            24ef80921c15af3fb368437ff45f80d7842bafefd6212340022e2c1229f0e39f

            SHA512

            adfe1390f298a81f16a9de3925733ce9914fecd77a86f360cbe43d2394f2e5e52865a30c9bd122ba1247ea1f3cef63b0e63bb3a0212f5f78eba32e5a0f616ad6

            Download Submit

          • C:\Windows\Logo1_.exe
            Filesize

            33KB

            MD5

            f6ae3b89cbfac7b41e0e550c7faa0949

            SHA1

            89fe0e03f1ba8705f84801a391e8d854c861e886

            SHA256

            715ddac7c2eefca4d6412f05652d0c427ec0bdd5903f4b8c3e156775c2d8e52d

            SHA512

            2898a8124f6b3800d2d964669c1e8c9875f03d57496c229df6d56e8bdf73c8cc1ab3c6630a6ce35bf796be76329cf9c1c127ebe04884a5139d37b589481f70c0

            Download Submit

          • C:\Windows\Logo1_.exe
            Filesize

            33KB

            MD5

            f6ae3b89cbfac7b41e0e550c7faa0949

            SHA1

            89fe0e03f1ba8705f84801a391e8d854c861e886

            SHA256

            715ddac7c2eefca4d6412f05652d0c427ec0bdd5903f4b8c3e156775c2d8e52d

            SHA512

            2898a8124f6b3800d2d964669c1e8c9875f03d57496c229df6d56e8bdf73c8cc1ab3c6630a6ce35bf796be76329cf9c1c127ebe04884a5139d37b589481f70c0

            Download Submit

          • C:\Windows\rundl132.exe
            Filesize

            33KB

            MD5

            f6ae3b89cbfac7b41e0e550c7faa0949

            SHA1

            89fe0e03f1ba8705f84801a391e8d854c861e886

            SHA256

            715ddac7c2eefca4d6412f05652d0c427ec0bdd5903f4b8c3e156775c2d8e52d

            SHA512

            2898a8124f6b3800d2d964669c1e8c9875f03d57496c229df6d56e8bdf73c8cc1ab3c6630a6ce35bf796be76329cf9c1c127ebe04884a5139d37b589481f70c0

            Download Submit

          • \Users\Admin\AppData\Local\Temp\03025961df195270d9cda9596baf8c82d1b05d7afc7965af94cce26e2bb0864d.exe
            Filesize

            192KB

            MD5

            42e830b29f527351e61ff2520b8e2178

            SHA1

            07ed65049ab272cd5592d8bb8999623b7b8e62e4

            SHA256

            24ef80921c15af3fb368437ff45f80d7842bafefd6212340022e2c1229f0e39f

            SHA512

            adfe1390f298a81f16a9de3925733ce9914fecd77a86f360cbe43d2394f2e5e52865a30c9bd122ba1247ea1f3cef63b0e63bb3a0212f5f78eba32e5a0f616ad6

            Download Submit

          • \Users\Admin\AppData\Local\Temp\03025961df195270d9cda9596baf8c82d1b05d7afc7965af94cce26e2bb0864d.exe
            Filesize

            192KB

            MD5

            42e830b29f527351e61ff2520b8e2178

            SHA1

            07ed65049ab272cd5592d8bb8999623b7b8e62e4

            SHA256

            24ef80921c15af3fb368437ff45f80d7842bafefd6212340022e2c1229f0e39f

            SHA512

            adfe1390f298a81f16a9de3925733ce9914fecd77a86f360cbe43d2394f2e5e52865a30c9bd122ba1247ea1f3cef63b0e63bb3a0212f5f78eba32e5a0f616ad6

            Download Submit

          • memory/1240-70-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/1240-74-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/1932-56-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/1932-60-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download