Overview

overview

7

Static

static

3

4263f368a4...76.exe

windows7-x64

7

4263f368a4...76.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20230712-en
  • resource tags

    arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
  • submitted
    15-08-2023 10:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4263f368a427cf138a382e762b6b90ebe897710bc90893d460badf9c2fa68976.exe

  • Size

    66KB

  • MD5

    df2e5ad69e194af7fb7269b85ed6c55c

  • SHA1

    9ee87dff1c42b0b11c10632b29fb9499a07638f6

  • SHA256

    4263f368a427cf138a382e762b6b90ebe897710bc90893d460badf9c2fa68976

  • SHA512

    cc2e7825707591bdef0de5147e003e592529594b9dbc4f98369bcdb7495b7c997805073a3688aba9579615c9de9cecae8ab104dd49f71c1ba1351a26f9c7188c

  • SSDEEP

    768:2tXuRZa+Vxr1x5cE9Fl5pz8w1rU9hFInlIUC4OMMwP3Sy6EGyI4t6a9AkHNXLrM:2tXuRksrz8GvnGUC4ayFGyHNXk

Score
7/10
spywarestealer

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 43 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1400
      • C:\Users\Admin\AppData\Local\Temp\4263f368a427cf138a382e762b6b90ebe897710bc90893d460badf9c2fa68976.exe
        "C:\Users\Admin\AppData\Local\Temp\4263f368a427cf138a382e762b6b90ebe897710bc90893d460badf9c2fa68976.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:912
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2796
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:2232
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c C:\Users\Admin\AppData\Local\Temp\$$a9972.bat
            3⤵
            • Deletes itself
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:2920
            • C:\Users\Admin\AppData\Local\Temp\4263f368a427cf138a382e762b6b90ebe897710bc90893d460badf9c2fa68976.exe
              "C:\Users\Admin\AppData\Local\Temp\4263f368a427cf138a382e762b6b90ebe897710bc90893d460badf9c2fa68976.exe"
              4⤵
              • Executes dropped EXE
              PID:2960
          • C:\Windows\Logo1_.exe
            C:\Windows\Logo1_.exe
            3⤵
            • Executes dropped EXE
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:2952
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:1520
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:2404
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:2876
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:2736

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
            Filesize

            258KB

            MD5

            f38a5d409fad5fef8b0a2ccf71837ee2

            SHA1

            7a234891f91c8043e86afe9141a4ebb4f99eac1c

            SHA256

            1365498a31e7691222e0a6cfa28e15c6734b3b9630ba4f0820ccc6cfd654fc4b

            SHA512

            5e5640512dc13adf12717ed8accc510b738c076b418bc3d58920a5d49ac89936121124ab4aebd10f493c836b0f7657740708d5bae9fd22f5a7432adde57b1b58

            Download Submit

          • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
            Filesize

            478KB

            MD5

            b10dd190226eddfd063390b1bacadba5

            SHA1

            91415d7c037c419649f28be50f33f7cea8c2c1c3

            SHA256

            aeafcb5b19bbc0d61d0bcc5ee2dca7f885e116833384df9f8edee4975021396b

            SHA512

            db6857aca5fd32f41021c2889aba0571ae4046cb896a4ae470a6cb94dd557222172d70782e2537baaed16491c593c6a065d569b87dd891f8c69f0e5e3eba1bd2

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\$$a9972.bat
            Filesize

            722B

            MD5

            dd81aa72276258f8f08a96a27d305aa6

            SHA1

            dc96592d0eaeebf7008c958279768f3c8756d875

            SHA256

            8a726a542acf677f6e644d148d6d3026aaf9aac5221b4826cc152704b154b56c

            SHA512

            86939b4cf7e4a2aad111047621822a3bf832aff3f38de906fbcefbd6d9bd58e5ee29552a4fc66f7d62b3bffc8ddbeba7566fda10067f197f7b2b221af6fd699c

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\$$a9972.bat
            Filesize

            722B

            MD5

            dd81aa72276258f8f08a96a27d305aa6

            SHA1

            dc96592d0eaeebf7008c958279768f3c8756d875

            SHA256

            8a726a542acf677f6e644d148d6d3026aaf9aac5221b4826cc152704b154b56c

            SHA512

            86939b4cf7e4a2aad111047621822a3bf832aff3f38de906fbcefbd6d9bd58e5ee29552a4fc66f7d62b3bffc8ddbeba7566fda10067f197f7b2b221af6fd699c

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\4263f368a427cf138a382e762b6b90ebe897710bc90893d460badf9c2fa68976.exe
            Filesize

            33KB

            MD5

            bdbce90ce74990df3b2c7c8484dde146

            SHA1

            ae6aadaf5467b97779d4c1a81b5cd3dfb9d8ecb4

            SHA256

            f4a3c012f2859ead10af1298d9b20fbd8ca2257f73d530a2b0c25937cb16f6eb

            SHA512

            78e2f31759ce490f38e898ef17a700dd0898cc32b526325e8d7230b4ff119c39124cd2abf30038f70318931cc995abee523b334a29812bf875302dc126c9f958

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\4263f368a427cf138a382e762b6b90ebe897710bc90893d460badf9c2fa68976.exe.exe
            Filesize

            33KB

            MD5

            bdbce90ce74990df3b2c7c8484dde146

            SHA1

            ae6aadaf5467b97779d4c1a81b5cd3dfb9d8ecb4

            SHA256

            f4a3c012f2859ead10af1298d9b20fbd8ca2257f73d530a2b0c25937cb16f6eb

            SHA512

            78e2f31759ce490f38e898ef17a700dd0898cc32b526325e8d7230b4ff119c39124cd2abf30038f70318931cc995abee523b334a29812bf875302dc126c9f958

            Download Submit

          • C:\Windows\Logo1_.exe
            Filesize

            33KB

            MD5

            662bb334e5c14da91d5c32a823f99036

            SHA1

            a468d80c82a0a10df9a1c0bd632137d0589717d6

            SHA256

            9eb682d1be68cf22939602275f743f8b276889d83a567dc2e3324bf6f291bb16

            SHA512

            d6a86f1b0b1c6247de411749b61d5fc3d4ba2d543f9c58153e3bb0f248b7cc9c70edf03af15d8af310e3d7cf26bab7fce5859dc6e739759d79ce0a895571b856

            Download Submit

          • C:\Windows\Logo1_.exe
            Filesize

            33KB

            MD5

            662bb334e5c14da91d5c32a823f99036

            SHA1

            a468d80c82a0a10df9a1c0bd632137d0589717d6

            SHA256

            9eb682d1be68cf22939602275f743f8b276889d83a567dc2e3324bf6f291bb16

            SHA512

            d6a86f1b0b1c6247de411749b61d5fc3d4ba2d543f9c58153e3bb0f248b7cc9c70edf03af15d8af310e3d7cf26bab7fce5859dc6e739759d79ce0a895571b856

            Download Submit

          • C:\Windows\Logo1_.exe
            Filesize

            33KB

            MD5

            662bb334e5c14da91d5c32a823f99036

            SHA1

            a468d80c82a0a10df9a1c0bd632137d0589717d6

            SHA256

            9eb682d1be68cf22939602275f743f8b276889d83a567dc2e3324bf6f291bb16

            SHA512

            d6a86f1b0b1c6247de411749b61d5fc3d4ba2d543f9c58153e3bb0f248b7cc9c70edf03af15d8af310e3d7cf26bab7fce5859dc6e739759d79ce0a895571b856

            Download Submit

          • C:\Windows\rundl132.exe
            Filesize

            33KB

            MD5

            662bb334e5c14da91d5c32a823f99036

            SHA1

            a468d80c82a0a10df9a1c0bd632137d0589717d6

            SHA256

            9eb682d1be68cf22939602275f743f8b276889d83a567dc2e3324bf6f291bb16

            SHA512

            d6a86f1b0b1c6247de411749b61d5fc3d4ba2d543f9c58153e3bb0f248b7cc9c70edf03af15d8af310e3d7cf26bab7fce5859dc6e739759d79ce0a895571b856

            Download Submit

          • F:\$RECYCLE.BIN\S-1-5-21-722410544-1258951091-1992882075-1000\_desktop.ini
            Filesize

            9B

            MD5

            9cf07741f0217a1c9b3d7efb195e326c

            SHA1

            1a3d9c17ea97cc6da370a7d9db4ba27dfac95967

            SHA256

            ffe1314ca6ae8d1ddea45361e73d0d8155ec1f97d389fe164934f126de5cf659

            SHA512

            48cec431954f6b7e29e356854a86f1253e622a968302ea2b6d021fb3788e98957e77f22a8d47866b79392ffda1ed0d8d42182a277c28ac7b98d36ad4153f0f25

            Download Submit

          • \Users\Admin\AppData\Local\Temp\4263f368a427cf138a382e762b6b90ebe897710bc90893d460badf9c2fa68976.exe
            Filesize

            33KB

            MD5

            bdbce90ce74990df3b2c7c8484dde146

            SHA1

            ae6aadaf5467b97779d4c1a81b5cd3dfb9d8ecb4

            SHA256

            f4a3c012f2859ead10af1298d9b20fbd8ca2257f73d530a2b0c25937cb16f6eb

            SHA512

            78e2f31759ce490f38e898ef17a700dd0898cc32b526325e8d7230b4ff119c39124cd2abf30038f70318931cc995abee523b334a29812bf875302dc126c9f958

            Download Submit

          • memory/912-70-0x0000000000400000-0x0000000000440000-memory.dmp

            Filesize

            256KB

            Download

          • memory/912-54-0x0000000000400000-0x0000000000440000-memory.dmp

            Filesize

            256KB

            Download

          • memory/912-66-0x0000000000330000-0x0000000000370000-memory.dmp

            Filesize

            256KB

            Download

          • memory/1400-80-0x0000000002740000-0x0000000002741000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2952-84-0x0000000000400000-0x0000000000440000-memory.dmp

            Filesize

            256KB

            Download

          • memory/2952-1520-0x0000000000400000-0x0000000000440000-memory.dmp

            Filesize

            256KB

            Download

          • memory/2952-3632-0x0000000000400000-0x0000000000440000-memory.dmp

            Filesize

            256KB

            Download

          • memory/2952-7435-0x0000000000400000-0x0000000000440000-memory.dmp

            Filesize

            256KB

            Download