Overview

overview

7

Static

static

3

90d0112098...df.exe

windows7-x64

7

90d0112098...df.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20230712-en
  • resource tags

    arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
  • submitted
    18/08/2023, 02:20

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    90d01120986105bf2fa67985717cdb1d8a3c85a98182c5554eb8518b834c13df.exe

  • Size

    56KB

  • MD5

    79824ca337f527d6b6ae3220d6da6d96

  • SHA1

    2a010375c19c4844434f67071626615375c5a20c

  • SHA256

    90d01120986105bf2fa67985717cdb1d8a3c85a98182c5554eb8518b834c13df

  • SHA512

    c9c51aedaef022de16311fb6fe3d28e5150350a656dc877a653bb14aefaefb03b7de80589059d6bc15b46e6fdd9cd30a446bc58021916a6eb242ff581bf498ed

  • SSDEEP

    768:Ai4+Vxr1x5cE9Fl5pz8dc2G0QKFANeuXaunrA8M7A+eK+OJfZFd/bhifLGWrL0:Ai4srz8dOBN9aunrAdeK+UfZ/XWrI

Score
7/10
spywarestealer

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 43 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1296
      • C:\Users\Admin\AppData\Local\Temp\90d01120986105bf2fa67985717cdb1d8a3c85a98182c5554eb8518b834c13df.exe
        "C:\Users\Admin\AppData\Local\Temp\90d01120986105bf2fa67985717cdb1d8a3c85a98182c5554eb8518b834c13df.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2220
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2212
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:2388
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c C:\Users\Admin\AppData\Local\Temp\$$a7A4E.bat
            3⤵
            • Deletes itself
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:2804
            • C:\Users\Admin\AppData\Local\Temp\90d01120986105bf2fa67985717cdb1d8a3c85a98182c5554eb8518b834c13df.exe
              "C:\Users\Admin\AppData\Local\Temp\90d01120986105bf2fa67985717cdb1d8a3c85a98182c5554eb8518b834c13df.exe"
              4⤵
              • Executes dropped EXE
              PID:2980
          • C:\Windows\Logo1_.exe
            C:\Windows\Logo1_.exe
            3⤵
            • Executes dropped EXE
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:2844
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:2916
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:2592
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:2968
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:2860

          Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
                  Filesize

                  258KB

                  MD5

                  3d85e6d92ac7be70637f958dde2b011e

                  SHA1

                  de203840649525f16e0bca64ac03d6288a1b7316

                  SHA256

                  7d1496ae1660972107f77423879bcf3dbd8c4d4feed5690d8a756d1aadc5ded7

                  SHA512

                  7744e7e7570e10113f07b2f576679642a16269979978edac66a3e311171635dadc407d08533761e97231f77fc37684b6b7aca655b7d6a6d95fd4ac6764e34afd

                  Download Submit

                • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
                  Filesize

                  478KB

                  MD5

                  f42c7fca4a74677fc3f9dff9c92bc66a

                  SHA1

                  485aefa513bd7cf9546571c9d5bbfaea2e2aa761

                  SHA256

                  a762874c0c4e1b60ae4dd0d93778af865eceff9edb71debfc90b7827cec0665f

                  SHA512

                  afd338ea3b920930eb18853143277705d7a481611d207c732bbaea188e289481c42f80a48af4d2712e823424d993346a01b148aa64583198e4dbf2bf75c791f4

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\$$a7A4E.bat
                  Filesize

                  722B

                  MD5

                  26e8dd3349de5c5595fdbaa359f7e4ca

                  SHA1

                  a5b614fac62a8c3a55b8e3ce7bd6fe5ec539504d

                  SHA256

                  daf377a1154a15deb9d1bf0553b08ae768920364d6491dbcdd9280fec79989b3

                  SHA512

                  edef9d1f00269aa39a0403341c556594d08eda43e14a9bb2d818e693e9e139e86c1efe556cf6d40e03ba71facdbc14dfb822d00c7f6e69e6b994011c1e253f09

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\$$a7A4E.bat
                  Filesize

                  722B

                  MD5

                  26e8dd3349de5c5595fdbaa359f7e4ca

                  SHA1

                  a5b614fac62a8c3a55b8e3ce7bd6fe5ec539504d

                  SHA256

                  daf377a1154a15deb9d1bf0553b08ae768920364d6491dbcdd9280fec79989b3

                  SHA512

                  edef9d1f00269aa39a0403341c556594d08eda43e14a9bb2d818e693e9e139e86c1efe556cf6d40e03ba71facdbc14dfb822d00c7f6e69e6b994011c1e253f09

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\90d01120986105bf2fa67985717cdb1d8a3c85a98182c5554eb8518b834c13df.exe
                  Filesize

                  22KB

                  MD5

                  b2f7631fe9ac1f6eb4f276bd7259626c

                  SHA1

                  ca1147287b78e3a15d30654a47b37c9aba2b4767

                  SHA256

                  23a59a0acd84d07313d6ea78fcf7f629ecdc93ae0c32574c73ef1a467f2831b5

                  SHA512

                  aa7e3e9ea219d64c1f9dbca0095968087574dea92e466139c2c8a19d03c1341b53191077504fc07366ceb6bd46323b8f95c454b7a0103e27c939622b0e0a0f6e

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\90d01120986105bf2fa67985717cdb1d8a3c85a98182c5554eb8518b834c13df.exe.exe
                  Filesize

                  22KB

                  MD5

                  b2f7631fe9ac1f6eb4f276bd7259626c

                  SHA1

                  ca1147287b78e3a15d30654a47b37c9aba2b4767

                  SHA256

                  23a59a0acd84d07313d6ea78fcf7f629ecdc93ae0c32574c73ef1a467f2831b5

                  SHA512

                  aa7e3e9ea219d64c1f9dbca0095968087574dea92e466139c2c8a19d03c1341b53191077504fc07366ceb6bd46323b8f95c454b7a0103e27c939622b0e0a0f6e

                  Download Submit

                • C:\Windows\Logo1_.exe
                  Filesize

                  33KB

                  MD5

                  4b8d5611897671cb722c88a92fea57cd

                  SHA1

                  d2bd76334c02d3aff4a8dfe3477162c85f8c14c9

                  SHA256

                  0a05a55fa316d55995d50de7a9ebcde75cbedee25846d320bffaef1eec6b34a2

                  SHA512

                  821aaadb27a1d2f0ac1b2fd3c9da43dc65ad00481d18f4a4c660b1bf0065dbe8ba1a736c713c40923b98ad8858f14e5c50efa21530efbe430db54a477b9075a8

                  Download Submit

                • C:\Windows\Logo1_.exe
                  Filesize

                  33KB

                  MD5

                  4b8d5611897671cb722c88a92fea57cd

                  SHA1

                  d2bd76334c02d3aff4a8dfe3477162c85f8c14c9

                  SHA256

                  0a05a55fa316d55995d50de7a9ebcde75cbedee25846d320bffaef1eec6b34a2

                  SHA512

                  821aaadb27a1d2f0ac1b2fd3c9da43dc65ad00481d18f4a4c660b1bf0065dbe8ba1a736c713c40923b98ad8858f14e5c50efa21530efbe430db54a477b9075a8

                  Download Submit

                • C:\Windows\Logo1_.exe
                  Filesize

                  33KB

                  MD5

                  4b8d5611897671cb722c88a92fea57cd

                  SHA1

                  d2bd76334c02d3aff4a8dfe3477162c85f8c14c9

                  SHA256

                  0a05a55fa316d55995d50de7a9ebcde75cbedee25846d320bffaef1eec6b34a2

                  SHA512

                  821aaadb27a1d2f0ac1b2fd3c9da43dc65ad00481d18f4a4c660b1bf0065dbe8ba1a736c713c40923b98ad8858f14e5c50efa21530efbe430db54a477b9075a8

                  Download Submit

                • C:\Windows\rundl132.exe
                  Filesize

                  33KB

                  MD5

                  4b8d5611897671cb722c88a92fea57cd

                  SHA1

                  d2bd76334c02d3aff4a8dfe3477162c85f8c14c9

                  SHA256

                  0a05a55fa316d55995d50de7a9ebcde75cbedee25846d320bffaef1eec6b34a2

                  SHA512

                  821aaadb27a1d2f0ac1b2fd3c9da43dc65ad00481d18f4a4c660b1bf0065dbe8ba1a736c713c40923b98ad8858f14e5c50efa21530efbe430db54a477b9075a8

                  Download Submit

                • F:\$RECYCLE.BIN\S-1-5-21-4219371764-2579186923-3390623117-1000\_desktop.ini
                  Filesize

                  9B

                  MD5

                  16548fefb55deef0a354259a11e1cc14

                  SHA1

                  6e4f38c24333eb1c8bcc91e4e4042ce600a44c4f

                  SHA256

                  f6d78c8a802bfc4dded630ac9f8d33fb335ab11d45bb742fac993f8d42ea327c

                  SHA512

                  1fcd0a93c383bf38b97073a84ac50c78149cd1160299e71676fc5a3a6f655affac3a0e2433cf5bc4c145cda0ec44a23d13e1da953e15feefb0b9cefd84204271

                  Download Submit

                • \Users\Admin\AppData\Local\Temp\90d01120986105bf2fa67985717cdb1d8a3c85a98182c5554eb8518b834c13df.exe
                  Filesize

                  22KB

                  MD5

                  b2f7631fe9ac1f6eb4f276bd7259626c

                  SHA1

                  ca1147287b78e3a15d30654a47b37c9aba2b4767

                  SHA256

                  23a59a0acd84d07313d6ea78fcf7f629ecdc93ae0c32574c73ef1a467f2831b5

                  SHA512

                  aa7e3e9ea219d64c1f9dbca0095968087574dea92e466139c2c8a19d03c1341b53191077504fc07366ceb6bd46323b8f95c454b7a0103e27c939622b0e0a0f6e

                  Download Submit

                • memory/1296-81-0x0000000002710000-0x0000000002711000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/2220-54-0x0000000000400000-0x0000000000440000-memory.dmp

                  Filesize

                  256KB

                  Download

                • memory/2220-69-0x0000000000400000-0x0000000000440000-memory.dmp

                  Filesize

                  256KB

                  Download

                • memory/2220-70-0x00000000003C0000-0x0000000000400000-memory.dmp

                  Filesize

                  256KB

                  Download

                • memory/2844-85-0x0000000000400000-0x0000000000440000-memory.dmp

                  Filesize

                  256KB

                  Download

                • memory/2844-1849-0x0000000000400000-0x0000000000440000-memory.dmp

                  Filesize

                  256KB

                  Download

                • memory/2844-73-0x0000000000400000-0x0000000000440000-memory.dmp

                  Filesize

                  256KB

                  Download

                • memory/2844-4103-0x0000000000400000-0x0000000000440000-memory.dmp

                  Filesize

                  256KB

                  Download