Analysis

  • max time kernel: 150s
  • max time network: 125s
  • platform: windows7_x64
  • resource: win7-20230712-en
  • resource tags: arch:x64, arch:x86, image:win7-20230712-en, locale:en-us, os:windows7-x64, system
  • submitted: 29-08-2023 02:51

General

  • Target: 42f1be22131894c2864ce621bc70404238a1b543e578dbd122e97acedfd7b283.exe
  • Size: 33KB
  • MD5: 24ed449212b42b1b995243659e057b37
  • SHA1: eeb89455eeaaf305237e6cebe6777f2f322fcc02
  • SHA256: 42f1be22131894c2864ce621bc70404238a1b543e578dbd122e97acedfd7b283
  • SHA512: aa13e3cc4beaa3854784488566d8205edcf940b3c6a8570ec093542910edfa191c6a1c397b33dabc3d01d87e4980477731013230e64487e144afb752f431365f
  • SSDEEP: 768:0fdgBElOIEvzMXqtwp/lttaL7HP4ATCf0vn4DAwdHtLuQN:0yBaYzMXqtGNttyOf0v4DAyNjN

Score: 8/10

Malware Config

Signatures

  • Drops file in Drivers directory 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 30 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    PID:1248
    • C:\Users\Admin\AppData\Local\Temp\42f1be22131894c2864ce621bc70404238a1b543e578dbd122e97acedfd7b283.exe
      "C:\Users\Admin\AppData\Local\Temp\42f1be22131894c2864ce621bc70404238a1b543e578dbd122e97acedfd7b283.exe"
      2⤵
      • Drops file in Drivers directory
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2772
      • C:\Windows\SysWOW64\net.exe
        net stop "Kingsoft AntiVirus Service"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2184
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
          4⤵
          PID:2544
      • C:\Windows\SysWOW64\net.exe
        net stop "Kingsoft AntiVirus Service"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2612
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
          4⤵
          PID:2648

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
    Filesize: 258KB
    MD5: e21861b9e833fb8a86e34cb4bdb3cb85
    SHA1: e9524541bd56346991626e248a1b3c581db3c97c
    SHA256: c3efe02de8c89f588b547e158c6591ceea9104a20e3b30a18d4fb36df58fe8b7
    SHA512: 591f6b074286c40a726f0e54221d541cecf79baa09116c6e5bfdaaeda5bf1223e860df9826e6827e03978303009279cb6001226c1cae529e35824787bcbe7b4b

  • C:\Program Files\7-Zip\7zG.exe
    Filesize: 601KB
    MD5: 0412e5c967f4b1114ab74b3f9ed438d2
    SHA1: e9f66d0252ba86d764218a5a484876e9704908ce
    SHA256: c22dabedf458ee12069f676c24e601687b829855cee62abf5c522bd9c814fb68
    SHA512: a9056d91d8fc63114ab6e0e6cc766842f45936c07f376ebfce853df48ac3c33c39a3e977205f45321c51ccb586af45f0dd58e80b34c5889a18be9ca0fd22971d

  • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
    Filesize: 478KB
    MD5: e2200883dea58e993f4463d214f54866
    SHA1: 831687176ee12ddc2d18e9c72693083ff813481f
    SHA256: cb8d11aafc59ee859c2521da19c039a984d7f38e8cf7ad0c6b86d4425274b8f3
    SHA512: f3e9e860b7bcd8aa80ac3856a8952cd6fe370bf9ca41dbf079c2a43574f93052778f7fb39ccfed225e11422f9d54ecead6bdfeabd8cbe6ebaf485253b0fc1864

  • F:\$RECYCLE.BIN\S-1-5-21-4219371764-2579186923-3390623117-1000\_desktop.ini
    Filesize: 9B
    MD5: 2326d479b287193a70f520700dc8d23e
    SHA1: afea66d3788a50debd6f5d4c9dd51f68a4477e64
    SHA256: 95d41561a1467d20977f59108e85da181e0b4dfd3db9e40182ae7378c4a927f8
    SHA512: cb971c406ddf7147536a6a1569d4ff49d7219aa52cde5d110be1109874d66daace832d423d7969af9e6bbc9738a65734c7e68e994591b7677aad51fa0f52cf37

  • memory/1248-5-0x0000000002B10000-0x0000000002B11000-memory.dmp
    Filesize: 4KB

  • memory/2772-0-0x0000000000400000-0x000000000043E000-memory.dmp
    Filesize: 248KB

  • memory/2772-9-0x0000000000400000-0x000000000043E000-memory.dmp
    Filesize: 248KB

  • memory/2772-1773-0x0000000000400000-0x000000000043E000-memory.dmp
    Filesize: 248KB

  • memory/2772-4026-0x0000000000400000-0x000000000043E000-memory.dmp
    Filesize: 248KB