Overview

overview

7

Static

static

3

ea0c1b10a9...12.exe

windows7-x64

7

ea0c1b10a9...12.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15/08/2023, 10:35

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    ea0c1b10a9afebc6743051403a27f5f77e07896d726a77107a11d7f4ad7f2112.exe

  • Size

    147KB

  • MD5

    00b535a495d62c234e7368001dfb3673

  • SHA1

    3ec51de07f072893c08b72f22f3621b119a4c502

  • SHA256

    ea0c1b10a9afebc6743051403a27f5f77e07896d726a77107a11d7f4ad7f2112

  • SHA512

    cf6c821e4369c9cf8e51baf81afd8feaf99e21492f0fea743b16b2a52400bae5c34d2bf36924c62f9b9d2ff15cf6559e86dbe7d3fb437bea2b997e8bb91a190e

  • SSDEEP

    1536:2tXuRksrz8GvnGVT/igXrotyFD+ljb6e2s82qjUbb5d6ojOepel5:2JuRR8aYrFob8LjUbb5d6u6

Score
7/10
spywarestealer

Malware Config

Signatures

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3156
      • C:\Users\Admin\AppData\Local\Temp\ea0c1b10a9afebc6743051403a27f5f77e07896d726a77107a11d7f4ad7f2112.exe
        "C:\Users\Admin\AppData\Local\Temp\ea0c1b10a9afebc6743051403a27f5f77e07896d726a77107a11d7f4ad7f2112.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:3984
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2916
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:2736
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a6EA8.bat
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:1940
            • C:\Users\Admin\AppData\Local\Temp\ea0c1b10a9afebc6743051403a27f5f77e07896d726a77107a11d7f4ad7f2112.exe
              "C:\Users\Admin\AppData\Local\Temp\ea0c1b10a9afebc6743051403a27f5f77e07896d726a77107a11d7f4ad7f2112.exe"
              4⤵
              • Executes dropped EXE
              PID:1968
          • C:\Windows\Logo1_.exe
            C:\Windows\Logo1_.exe
            3⤵
            • Drops startup file
            • Executes dropped EXE
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:3216
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:1616
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:4116
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:4364
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:3620

          Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
                  Filesize

                  258KB

                  MD5

                  f38a5d409fad5fef8b0a2ccf71837ee2

                  SHA1

                  7a234891f91c8043e86afe9141a4ebb4f99eac1c

                  SHA256

                  1365498a31e7691222e0a6cfa28e15c6734b3b9630ba4f0820ccc6cfd654fc4b

                  SHA512

                  5e5640512dc13adf12717ed8accc510b738c076b418bc3d58920a5d49ac89936121124ab4aebd10f493c836b0f7657740708d5bae9fd22f5a7432adde57b1b58

                  Download Submit

                • C:\Program Files\7-Zip\7z.exe
                  Filesize

                  491KB

                  MD5

                  ba26b564ef3cacce32fe09efba54d138

                  SHA1

                  eb1fef21937541a73d3b7a00d9684c76b97049d9

                  SHA256

                  fdf9f6d004e77f0cc676abf33a6f6f0887d5163aa0cdd9087e5f16df10a94ad2

                  SHA512

                  9414adb13a45d140b01c1cd35e793c28fef4b37bc0e28b5da9ee090761db7d0dd199a3a7e37970e09d29348cd20d97ec6fdbd0f92508290e58b349fc59d45ddf

                  Download Submit

                • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
                  Filesize

                  478KB

                  MD5

                  b10dd190226eddfd063390b1bacadba5

                  SHA1

                  91415d7c037c419649f28be50f33f7cea8c2c1c3

                  SHA256

                  aeafcb5b19bbc0d61d0bcc5ee2dca7f885e116833384df9f8edee4975021396b

                  SHA512

                  db6857aca5fd32f41021c2889aba0571ae4046cb896a4ae470a6cb94dd557222172d70782e2537baaed16491c593c6a065d569b87dd891f8c69f0e5e3eba1bd2

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\$$a6EA8.bat
                  Filesize

                  722B

                  MD5

                  14679c90f47108e0ed3f9208d4922610

                  SHA1

                  77cde7022ba982bbc043f2854a92d5b72f95493c

                  SHA256

                  513f9195bb662d740896422221d47c106df73e8c8a1419aa87fad8fec9bf7c01

                  SHA512

                  b643d3790bc1c29d3cdfa6eeb69ac6a0603b4d4d574d5c7ed49de1c38cbb484f5a38f34ba141a52f54ad8344e00e63091b807ee108255c06d4c1c25115b52ffd

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\ea0c1b10a9afebc6743051403a27f5f77e07896d726a77107a11d7f4ad7f2112.exe
                  Filesize

                  113KB

                  MD5

                  095dabb90bb0953800131fbcc6f6df5e

                  SHA1

                  9166e25e1fe27c3f92e642ec2fcc36e7c3b19216

                  SHA256

                  72f1979b588357e1b0dc3e6e9f9a368d2742f18bf1daab0ee94f26d6811f8a33

                  SHA512

                  041a008d96140a46aa89776fd11e64064b9cda9bd551747f59ae98ccfdff07af010061338655d4d07925f4e2a6c9fc3c79159cec2c9e055445f4b2ab1275152f

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\ea0c1b10a9afebc6743051403a27f5f77e07896d726a77107a11d7f4ad7f2112.exe.exe
                  Filesize

                  113KB

                  MD5

                  095dabb90bb0953800131fbcc6f6df5e

                  SHA1

                  9166e25e1fe27c3f92e642ec2fcc36e7c3b19216

                  SHA256

                  72f1979b588357e1b0dc3e6e9f9a368d2742f18bf1daab0ee94f26d6811f8a33

                  SHA512

                  041a008d96140a46aa89776fd11e64064b9cda9bd551747f59ae98ccfdff07af010061338655d4d07925f4e2a6c9fc3c79159cec2c9e055445f4b2ab1275152f

                  Download Submit

                • C:\Windows\Logo1_.exe
                  Filesize

                  33KB

                  MD5

                  662bb334e5c14da91d5c32a823f99036

                  SHA1

                  a468d80c82a0a10df9a1c0bd632137d0589717d6

                  SHA256

                  9eb682d1be68cf22939602275f743f8b276889d83a567dc2e3324bf6f291bb16

                  SHA512

                  d6a86f1b0b1c6247de411749b61d5fc3d4ba2d543f9c58153e3bb0f248b7cc9c70edf03af15d8af310e3d7cf26bab7fce5859dc6e739759d79ce0a895571b856

                  Download Submit

                • C:\Windows\Logo1_.exe
                  Filesize

                  33KB

                  MD5

                  662bb334e5c14da91d5c32a823f99036

                  SHA1

                  a468d80c82a0a10df9a1c0bd632137d0589717d6

                  SHA256

                  9eb682d1be68cf22939602275f743f8b276889d83a567dc2e3324bf6f291bb16

                  SHA512

                  d6a86f1b0b1c6247de411749b61d5fc3d4ba2d543f9c58153e3bb0f248b7cc9c70edf03af15d8af310e3d7cf26bab7fce5859dc6e739759d79ce0a895571b856

                  Download Submit

                • C:\Windows\rundl132.exe
                  Filesize

                  33KB

                  MD5

                  662bb334e5c14da91d5c32a823f99036

                  SHA1

                  a468d80c82a0a10df9a1c0bd632137d0589717d6

                  SHA256

                  9eb682d1be68cf22939602275f743f8b276889d83a567dc2e3324bf6f291bb16

                  SHA512

                  d6a86f1b0b1c6247de411749b61d5fc3d4ba2d543f9c58153e3bb0f248b7cc9c70edf03af15d8af310e3d7cf26bab7fce5859dc6e739759d79ce0a895571b856

                  Download Submit

                • F:\$RECYCLE.BIN\S-1-5-21-3195054982-4292022746-1467505928-1000\_desktop.ini
                  Filesize

                  9B

                  MD5

                  9cf07741f0217a1c9b3d7efb195e326c

                  SHA1

                  1a3d9c17ea97cc6da370a7d9db4ba27dfac95967

                  SHA256

                  ffe1314ca6ae8d1ddea45361e73d0d8155ec1f97d389fe164934f126de5cf659

                  SHA512

                  48cec431954f6b7e29e356854a86f1253e622a968302ea2b6d021fb3788e98957e77f22a8d47866b79392ffda1ed0d8d42182a277c28ac7b98d36ad4153f0f25

                  Download Submit

                • memory/3216-141-0x0000000000400000-0x0000000000440000-memory.dmp

                  Filesize

                  256KB

                  Download

                • memory/3216-150-0x0000000000400000-0x0000000000440000-memory.dmp

                  Filesize

                  256KB

                  Download

                • memory/3216-1604-0x0000000000400000-0x0000000000440000-memory.dmp

                  Filesize

                  256KB

                  Download

                • memory/3216-5330-0x0000000000400000-0x0000000000440000-memory.dmp

                  Filesize

                  256KB

                  Download

                • memory/3216-8829-0x0000000000400000-0x0000000000440000-memory.dmp

                  Filesize

                  256KB

                  Download

                • memory/3984-133-0x0000000000400000-0x0000000000440000-memory.dmp

                  Filesize

                  256KB

                  Download

                • memory/3984-142-0x0000000000400000-0x0000000000440000-memory.dmp

                  Filesize

                  256KB

                  Download