Overview

overview

7

Static

static

3

020c291cbb...a1.exe

windows7-x64

7

020c291cbb...a1.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    151s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230824-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230824-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29/08/2023, 02:45

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    020c291cbb628776b895ebd222916df555a9e0c007734ff90f6139169bce46a1.exe

  • Size

    33KB

  • MD5

    72ed0e2976f30aa61129b9f0f1d64bc1

  • SHA1

    7210c917c05fe4fe6b768be7cdbf226c9e4ed487

  • SHA256

    020c291cbb628776b895ebd222916df555a9e0c007734ff90f6139169bce46a1

  • SHA512

    cfdab90f52140369404f7909af9681c8def5b51fdce8f37663155695f42973c4c13219e2deb8a706a9856c67a68b8ab41ac745419943da306b2034b08525f1d9

  • SSDEEP

    768:IfaDhO5RroZJ767395uINnEfDKBbUCp1OTZ+/V:Iihe+Zk77RNzLiTO

Score
7/10
spywarestealer

Malware Config

Signatures

  • Drops startup file 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 60 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3172
      • C:\Users\Admin\AppData\Local\Temp\020c291cbb628776b895ebd222916df555a9e0c007734ff90f6139169bce46a1.exe
        "C:\Users\Admin\AppData\Local\Temp\020c291cbb628776b895ebd222916df555a9e0c007734ff90f6139169bce46a1.exe"
        2⤵
        • Drops startup file
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1724
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2768
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:4472
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:3088
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              4⤵
                PID:1892

        Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
                Filesize

                258KB

                MD5

                0297b595c74d99066e06310da89934f8

                SHA1

                8733f0b84f2ed56081d81bfc9039f559ce3fcd24

                SHA256

                cd91a744fd1dba9f290d8e08f2c74d803881e52391e3ee3493871f9114786582

                SHA512

                74fa4370821d02f6ba3c0e705661db61ab06c97b2fa0d4c010e91f777ba28adb602b4926eb45a7bf1b511ba504dfb6af49439a2d9f96e5c10aacd44ae43ff5a7

                Download Submit

              • C:\Program Files\Google\Chrome\Application\chrome.exe
                Filesize

                2.8MB

                MD5

                d7907dba56ce353e8541f9ce59ed574b

                SHA1

                e2e26931892bbbd12e6cfca2433a663eb7cbc2c0

                SHA256

                07182583add30c5e339b3435f08a20d2886557e556e08fd39df955e2eef0f779

                SHA512

                4588435837c48c6cd440c6ccdb9c9e8c83c993806481a7f31d690e1f360ce6410c0851c3cb96c7f035b62241d72df2bf6ea7f583f1a23a646674cd4038d9e7cf

                Download Submit

              • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
                Filesize

                478KB

                MD5

                f5cd7b35ea5f0009cdb5355dbc356066

                SHA1

                c06af0b31cdebdc4e31d57f448acb174e5be44b7

                SHA256

                472ce6c84e17f672782a003fa17f8d412c85a25675f83d16b1a1fb7bfc085f6d

                SHA512

                89573e495959ad60f4a4079248f3cfb6991b8c700223538a269d7553baaacd6de837f26cfe1a4f6a6c0940b8d758406ae2d9e85f2e5738371c9025ea699a7d28

                Download Submit

              • F:\$RECYCLE.BIN\S-1-5-21-642304425-1816607141-2958861556-1000\_desktop.ini
                Filesize

                9B

                MD5

                2326d479b287193a70f520700dc8d23e

                SHA1

                afea66d3788a50debd6f5d4c9dd51f68a4477e64

                SHA256

                95d41561a1467d20977f59108e85da181e0b4dfd3db9e40182ae7378c4a927f8

                SHA512

                cb971c406ddf7147536a6a1569d4ff49d7219aa52cde5d110be1109874d66daace832d423d7969af9e6bbc9738a65734c7e68e994591b7677aad51fa0f52cf37

                Download Submit

              • memory/1724-2-0x0000000000400000-0x000000000043F000-memory.dmp

                Filesize

                252KB

                Download

              • memory/1724-5-0x0000000000400000-0x000000000043F000-memory.dmp

                Filesize

                252KB

                Download

              • memory/1724-25-0x0000000000400000-0x000000000043F000-memory.dmp

                Filesize

                252KB

                Download

              • memory/1724-0-0x0000000000400000-0x000000000043F000-memory.dmp

                Filesize

                252KB

                Download

              • memory/1724-1686-0x0000000000400000-0x000000000043F000-memory.dmp

                Filesize

                252KB

                Download

              • memory/1724-3026-0x0000000000400000-0x000000000043F000-memory.dmp

                Filesize

                252KB

                Download

              • memory/1724-1-0x0000000000400000-0x000000000043F000-memory.dmp

                Filesize

                252KB

                Download

              • memory/1724-5758-0x0000000000400000-0x000000000043F000-memory.dmp

                Filesize

                252KB

                Download

              • memory/1724-8352-0x0000000000400000-0x000000000043F000-memory.dmp

                Filesize

                252KB

                Download