Overview

overview

7

Static

static

3

43575383ec...78.exe

windows7-x64

7

43575383ec...78.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28/08/2023, 06:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    43575383ec8b05c097f90373dfe8486212a968d8ab381e45b42c6f7f662de778.exe

  • Size

    251KB

  • MD5

    41059b4dd25460dd30f1e701cf63122e

  • SHA1

    0d50b07ec0645c8d961edd752d3705bbf2b490cb

  • SHA256

    43575383ec8b05c097f90373dfe8486212a968d8ab381e45b42c6f7f662de778

  • SHA512

    560b340d1c00d0c4e18a4a649b6c141386398b4ae49439f05a5bef09dd2adadba9e312d628efbd7275b14b9ac53bafefcd27624ff7b404939fc4ee941f14b435

  • SSDEEP

    6144:BI4+aX3gBQZbO5JCSZT0wwla4G13CmdxLzI9LTB5xnmT:l+aRbuJcfcXbz0Tfxo

Score
7/10
spywarestealer

Malware Config

Signatures

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3136
      • C:\Users\Admin\AppData\Local\Temp\43575383ec8b05c097f90373dfe8486212a968d8ab381e45b42c6f7f662de778.exe
        "C:\Users\Admin\AppData\Local\Temp\43575383ec8b05c097f90373dfe8486212a968d8ab381e45b42c6f7f662de778.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2096
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:412
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:3228
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7E67.bat
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:1672
            • C:\Users\Admin\AppData\Local\Temp\43575383ec8b05c097f90373dfe8486212a968d8ab381e45b42c6f7f662de778.exe
              "C:\Users\Admin\AppData\Local\Temp\43575383ec8b05c097f90373dfe8486212a968d8ab381e45b42c6f7f662de778.exe"
              4⤵
              • Executes dropped EXE
              PID:2572
          • C:\Windows\Logo1_.exe
            C:\Windows\Logo1_.exe
            3⤵
            • Drops startup file
            • Executes dropped EXE
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:220
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:1444
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:3912
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:1772
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:2148

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
            Filesize

            258KB

            MD5

            867140655369703de1d7684659b73119

            SHA1

            a7a0716dbc9cb0a32469ba9c7e295d80bf268a83

            SHA256

            bca1c6682f0a0557d68eb653742df115318bdb5a03ba4547b287ca344886b35f

            SHA512

            c3a8080273f39f9008370e6adec946e10641d60933c529197207756cce995a306fc2dc39eccb85493ceda12e6124ca92961b4aa0a81f7cd8d708a6ce3e4f0eab

            Download Submit

          • C:\Program Files\7-Zip\7z.exe
            Filesize

            491KB

            MD5

            53e18fcf860f8d0a82b6c03b9390e09e

            SHA1

            417d5052627f9e0c68a31e3c172dde056fbddc2a

            SHA256

            114c4aadf7e1c377f9503df8317ea3de8e44fb2ef25047ddb902c1ebc0ca080b

            SHA512

            8c30d779e4a075e37474b5b45e4e80d40b90cd5319059185f22dd78b54c62233d27673a299c129d3743b6fada81b92d491590d23e6b8f8687205ceb428e1cd91

            Download Submit

          • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
            Filesize

            478KB

            MD5

            0a71d731679d29833a636a9e044d179c

            SHA1

            78b1e5c1a6a49b09ae6b19389d6855e868f71285

            SHA256

            648c51d0ab8896438ac4fdecea9badc8d6f55b85f7b4727d935f127bb8d161e6

            SHA512

            cdf7fe2c37fa187e34c4ff013eac10c2c6c724f0e107847bbe078810e26138124d7b404d4f0ce9e154509c01b8e4c86a86a2f708edc82f8861de83c080d0c4e9

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\$$a7E67.bat
            Filesize

            722B

            MD5

            8135f9fd595681915eae7de6b369b205

            SHA1

            f67456f0b08191f60d9280910b58f321a262ad17

            SHA256

            0ad6edce1cfa13cbe593e8b746e7249b9e4fd020371a8b0b9d42ee41ab036985

            SHA512

            329ce1f01c9e1f8649706a7afed44d17e1c0d542562850ddc26676140fedd63f0e8a6700720f2ed6226866460f11e64993484ce19275119a4b47e5ba932d99e9

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\43575383ec8b05c097f90373dfe8486212a968d8ab381e45b42c6f7f662de778.exe
            Filesize

            218KB

            MD5

            5f1707646575d375c50155832477a437

            SHA1

            9bcba378189c2f1cb00f82c0539e0e9b8ff0b6c1

            SHA256

            75d348a3330bc527b2b2ff8a0789f711bd51461126f8df0c0aa1647e9d976809

            SHA512

            2f55dd13abfeb5af133ac5afb43c90fd10618e8fb241f50529241cff7987fff382cf151146855c37ad8ae0401b34f6d9aa32cbec03cdd67a224dfe247bad6c99

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\43575383ec8b05c097f90373dfe8486212a968d8ab381e45b42c6f7f662de778.exe.exe
            Filesize

            218KB

            MD5

            5f1707646575d375c50155832477a437

            SHA1

            9bcba378189c2f1cb00f82c0539e0e9b8ff0b6c1

            SHA256

            75d348a3330bc527b2b2ff8a0789f711bd51461126f8df0c0aa1647e9d976809

            SHA512

            2f55dd13abfeb5af133ac5afb43c90fd10618e8fb241f50529241cff7987fff382cf151146855c37ad8ae0401b34f6d9aa32cbec03cdd67a224dfe247bad6c99

            Download Submit

          • C:\Windows\Logo1_.exe
            Filesize

            33KB

            MD5

            33f5a3f989229558b91469f2b9428fac

            SHA1

            87f21576e885ebca692e6c047c802837b400c86d

            SHA256

            c8c7b309235cda4a03d692f4b6292687a5dd14edc793968d525697f0fd253e4c

            SHA512

            825e45c1d6ffe5a95ceb47011a762f192431edea8aa4f74c85f35db6f61db6ba9803faeaa45abaa17ef051963edb902c837758257e7e8e04f6e34455ce8a0b50

            Download Submit

          • C:\Windows\Logo1_.exe
            Filesize

            33KB

            MD5

            33f5a3f989229558b91469f2b9428fac

            SHA1

            87f21576e885ebca692e6c047c802837b400c86d

            SHA256

            c8c7b309235cda4a03d692f4b6292687a5dd14edc793968d525697f0fd253e4c

            SHA512

            825e45c1d6ffe5a95ceb47011a762f192431edea8aa4f74c85f35db6f61db6ba9803faeaa45abaa17ef051963edb902c837758257e7e8e04f6e34455ce8a0b50

            Download Submit

          • C:\Windows\rundl132.exe
            Filesize

            33KB

            MD5

            33f5a3f989229558b91469f2b9428fac

            SHA1

            87f21576e885ebca692e6c047c802837b400c86d

            SHA256

            c8c7b309235cda4a03d692f4b6292687a5dd14edc793968d525697f0fd253e4c

            SHA512

            825e45c1d6ffe5a95ceb47011a762f192431edea8aa4f74c85f35db6f61db6ba9803faeaa45abaa17ef051963edb902c837758257e7e8e04f6e34455ce8a0b50

            Download Submit

          • F:\$RECYCLE.BIN\S-1-5-21-3195054982-4292022746-1467505928-1000\_desktop.ini
            Filesize

            9B

            MD5

            ec7139d5bb99bcebaf0b91c58a9ec5aa

            SHA1

            70404362dd74e309722fd282c3492ec95674123c

            SHA256

            eb17ae1b1de9e95e0d159893048f2de5c1c158467e768cc0ddbaa517c45e0582

            SHA512

            b0114d8f74b17836819b750cff2b590b652e04bb2dc0e9dc8bffac7ed66bd9ded03cd35abc7fc0fcd0127a994c283dcd162e97e6dd76f5a903ff59e4951dfc48

            Download Submit

          • memory/220-8-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/220-17-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/220-1429-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/220-4393-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/220-7881-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/220-8736-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/2096-0-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/2096-9-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download