Overview

overview

7

Static

static

3

1388e15551...42.exe

windows7-x64

7

1388e15551...42.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20230712-en
  • resource tags

    arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
  • submitted
    29/08/2023, 01:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1388e15551fca38108c55b7ea702287fbd9efee7c715b441105ad5abb9bbc942.exe

  • Size

    33KB

  • MD5

    a9959919840b7ffb07bc9cdd141ad8be

  • SHA1

    b54464f1582632cb82d928c6bd94481a6b2a48e7

  • SHA256

    1388e15551fca38108c55b7ea702287fbd9efee7c715b441105ad5abb9bbc942

  • SHA512

    6680f47a83a0a92269268c58c352469b1e401caf8f8bf36287bc1799a82f516bf485a50c948103354e847fe4445692092f7416093436649bb0ab81859790fdea

  • SSDEEP

    768:G0O5RroZJ76739sBWs/ywofj5JWSIf5A:G0e+Zk78/yXTWSIfm

Score
7/10
spywarestealer

Malware Config

Signatures

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 30 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1364
      • C:\Users\Admin\AppData\Local\Temp\1388e15551fca38108c55b7ea702287fbd9efee7c715b441105ad5abb9bbc942.exe
        "C:\Users\Admin\AppData\Local\Temp\1388e15551fca38108c55b7ea702287fbd9efee7c715b441105ad5abb9bbc942.exe"
        2⤵
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2616
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2220
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:2288
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:2580
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              4⤵
                PID:2240

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
          Filesize

          258KB

          MD5

          a284ebb058391e9aad1b1bc2892562fb

          SHA1

          7dd73996b8cb06687f24531f08cfb3897319dc20

          SHA256

          f3e3fcc38fe81ba5d1b1661a2127e45b2906f5dc05c3478f99c3b746a56752a4

          SHA512

          de8151425e5d1040d6a9dc039818cee2b708d9a131c86a263f38aa6db73e822d66aeaee3e95bf63d2454335a30adbe2f5dfab83cd6d9d71d603aed935f808bcb

          Download Submit

        • C:\Program Files\7-Zip\7zG.exe
          Filesize

          601KB

          MD5

          38e61ee30d273bf7e657fb3e256aeb29

          SHA1

          a3abe5000be4df0dd0e3eb54eab20c4ece5bcc5a

          SHA256

          d7e8d3c9beab6ece4eb9841a8b00c109ca66a610b887c76fc13781bf60c8d93a

          SHA512

          ce152ea1f3a7cbf87686e87ee0e36e52fbd09405eaeea93a8964b6ff52a4fd756c6368a0adc2ba2888f70ff40186e78f09b090e2063c34e1f7c0346ad868f75b

          Download Submit

        • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
          Filesize

          478KB

          MD5

          b2d9ffe4a58ce2dd60495cf16c59dbfd

          SHA1

          f76c28267f4217c2a4a767a13d26f90e732871e4

          SHA256

          bf1db605718014820b545380ff09b44ffe13790443d9ccbd1b2712e83b783ea2

          SHA512

          60cb3e14e8d53e7e710668b4459644a3b3349fffd0550588a8637ce3976245fcfce75fd9cb7862341525ed0054cd1c5aabd1b01462e0b5d64cc4527df09a9e70

          Download Submit

        • F:\$RECYCLE.BIN\S-1-5-21-722410544-1258951091-1992882075-1000\_desktop.ini
          Filesize

          9B

          MD5

          2326d479b287193a70f520700dc8d23e

          SHA1

          afea66d3788a50debd6f5d4c9dd51f68a4477e64

          SHA256

          95d41561a1467d20977f59108e85da181e0b4dfd3db9e40182ae7378c4a927f8

          SHA512

          cb971c406ddf7147536a6a1569d4ff49d7219aa52cde5d110be1109874d66daace832d423d7969af9e6bbc9738a65734c7e68e994591b7677aad51fa0f52cf37

          Download Submit

        • memory/1364-3-0x0000000002790000-0x0000000002791000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2616-0-0x0000000000400000-0x000000000043F000-memory.dmp

          Filesize

          252KB

          Download

        • memory/2616-7-0x0000000000400000-0x000000000043F000-memory.dmp

          Filesize

          252KB

          Download

        • memory/2616-1297-0x0000000000400000-0x000000000043F000-memory.dmp

          Filesize

          252KB

          Download

        • memory/2616-3299-0x0000000000400000-0x000000000043F000-memory.dmp

          Filesize

          252KB

          Download

        • memory/2616-7405-0x0000000000400000-0x000000000043F000-memory.dmp

          Filesize

          252KB

          Download

        • memory/2616-7420-0x0000000000400000-0x000000000043F000-memory.dmp

          Filesize

          252KB

          Download