Overview

overview

7

Static

static

3

41f3e15671...c2.exe

windows7-x64

7

41f3e15671...c2.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-08-2023 02:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    41f3e1567129d7140ecdbcea7b2da2a155abef882ee05327c754fc7d7eb154c2.exe

  • Size

    33KB

  • MD5

    24431670323eafb026105fd8cece839d

  • SHA1

    9402f2e690d364339466a177c0ba44da8d5b1f64

  • SHA256

    41f3e1567129d7140ecdbcea7b2da2a155abef882ee05327c754fc7d7eb154c2

  • SHA512

    b03f736432002ae089e742d851a4b0b1cdf819d864db4f2f05edda79159cf22600f961d71ce0330b4c86611c060e13533e3dcbc2bf5abc9e4c8fb450780187c7

  • SSDEEP

    768:VSfKHhO5RroZJ767395uINv6v+stOLzyGOzEWF3vXVkSGN2EO:VSiHhe+Zk77RNyvb0LzszE83C8

Score
7/10
spywarestealer

Malware Config

Signatures

  • Drops startup file 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 60 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3080
      • C:\Users\Admin\AppData\Local\Temp\41f3e1567129d7140ecdbcea7b2da2a155abef882ee05327c754fc7d7eb154c2.exe
        "C:\Users\Admin\AppData\Local\Temp\41f3e1567129d7140ecdbcea7b2da2a155abef882ee05327c754fc7d7eb154c2.exe"
        2⤵
        • Drops startup file
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:3460
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1132
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:4532
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:4312
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              4⤵
                PID:1756

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
          Filesize

          258KB

          MD5

          abdacffbadaea7b37b8f54cf0803a1da

          SHA1

          0d264b54ee704fc56026c87f91aca56feddd6e97

          SHA256

          f1184cc500de53756a4bf86cf32693d96579d6595bc72f29daeceacc01038f8e

          SHA512

          bc86938fec1b597c2ebbe6b66863dd7dde9ff47211bba7b9e98fdd1b173f4cddd31fca09b3979adc02d3bd69fcab9d14f3a6bb50949b9672be124b78710901a7

          Download Submit

        • C:\Program Files\Google\Chrome\Application\chrome.exe
          Filesize

          2.8MB

          MD5

          e060f028f0046cb1f35b5dd8c8a9fba4

          SHA1

          af917a4f237e9f2d414041c702964034147c3eaf

          SHA256

          429d046b4d162b2335e0a7e463324211271fc428661eff3249c77e6d777f1dc8

          SHA512

          78d51f14a541f2ef4393fe3ea01d5c1788c691a596fed61d207effbf31dab4d27f3884cd97e04e9def7f4f37b91637dd30dde5c986fa31c117b6f9ad636b12b1

          Download Submit

        • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
          Filesize

          478KB

          MD5

          26c030ec0225cb4765d6fa990a4334a2

          SHA1

          a52e08716fca11ce2f3273228cc3cd0af5dc6542

          SHA256

          eb4fc068639dde0bf3fc179870a50bce85801269e46d93c98462a9c0fec1575f

          SHA512

          7e1187018a2d576d20684b43a4d07dbb5287f35752c4e8d3d43e8edd7b6f938254163c14f74ad085c1a79e588c3a45a436aac169f4aebf6ec5661032f2cef503

          Download Submit

        • F:\$RECYCLE.BIN\S-1-5-21-3011986978-2180659500-3669311805-1000\_desktop.ini
          Filesize

          9B

          MD5

          2326d479b287193a70f520700dc8d23e

          SHA1

          afea66d3788a50debd6f5d4c9dd51f68a4477e64

          SHA256

          95d41561a1467d20977f59108e85da181e0b4dfd3db9e40182ae7378c4a927f8

          SHA512

          cb971c406ddf7147536a6a1569d4ff49d7219aa52cde5d110be1109874d66daace832d423d7969af9e6bbc9738a65734c7e68e994591b7677aad51fa0f52cf37

          Download Submit

        • memory/3460-0-0x0000000000400000-0x000000000043F000-memory.dmp

          Filesize

          252KB

          Download

        • memory/3460-3-0x0000000000400000-0x000000000043F000-memory.dmp

          Filesize

          252KB

          Download

        • memory/3460-857-0x0000000000400000-0x000000000043F000-memory.dmp

          Filesize

          252KB

          Download

        • memory/3460-3431-0x0000000000400000-0x000000000043F000-memory.dmp

          Filesize

          252KB

          Download

        • memory/3460-7614-0x0000000000400000-0x000000000043F000-memory.dmp

          Filesize

          252KB

          Download

        • memory/3460-8726-0x0000000000400000-0x000000000043F000-memory.dmp

          Filesize

          252KB

          Download