Overview

overview

7

Static

static

3

d97065a794...7c.exe

windows7-x64

7

d97065a794...7c.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230831-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230831-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04/09/2023, 09:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d97065a794957cf435b3b99b7a6defd6a79d30cd2b0ea2cb122b9e216aff0b7c.exe

  • Size

    477KB

  • MD5

    67b45eccef4ee3048edf9d6608a188eb

  • SHA1

    a18590300155bd6538d97cf9cc5d9a9833d9d198

  • SHA256

    d97065a794957cf435b3b99b7a6defd6a79d30cd2b0ea2cb122b9e216aff0b7c

  • SHA512

    84f8d80050acb362a445c27b1160b239bdb14dba96b17d118d26c1740bc0f413187fcd5757218b86293f56804d9158f5bfaf8626c6aab886638ba09a00f36e78

  • SSDEEP

    12288:zz+aSZc0IursYCYQeSnyZJiqlEbXSb9NtCGOF2O27MVzy:nBOMYenGJiKEbXWtfOkUy

Score
7/10
discoveryspywarestealer

Malware Config

Signatures

  • Drops startup file 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3148
      • C:\Users\Admin\AppData\Local\Temp\d97065a794957cf435b3b99b7a6defd6a79d30cd2b0ea2cb122b9e216aff0b7c.exe
        "C:\Users\Admin\AppData\Local\Temp\d97065a794957cf435b3b99b7a6defd6a79d30cd2b0ea2cb122b9e216aff0b7c.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:4900
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:752
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:1872
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aE649.bat
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:392
            • C:\Users\Admin\AppData\Local\Temp\d97065a794957cf435b3b99b7a6defd6a79d30cd2b0ea2cb122b9e216aff0b7c.exe
              "C:\Users\Admin\AppData\Local\Temp\d97065a794957cf435b3b99b7a6defd6a79d30cd2b0ea2cb122b9e216aff0b7c.exe"
              4⤵
              • Executes dropped EXE
              • Suspicious use of WriteProcessMemory
              PID:1260
              • C:\Users\Admin\AppData\Local\Temp\d97065a794957cf435b3b99b7a6defd6a79d30cd2b0ea2cb122b9e216aff0b7c.exe
                "C:\Users\Admin\AppData\Local\Temp\d97065a794957cf435b3b99b7a6defd6a79d30cd2b0ea2cb122b9e216aff0b7c.exe" -burn.unelevated BurnPipe.{C37A3EE1-D69E-4CBA-B168-4181B5EF5507} {FEAD2A80-F69C-4DFE-8031-8256672FB26F} 1260
                5⤵
                • Executes dropped EXE
                • Loads dropped DLL
                PID:5100
          • C:\Windows\Logo1_.exe
            C:\Windows\Logo1_.exe
            3⤵
            • Drops startup file
            • Executes dropped EXE
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:4480
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:4752
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:2200
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:3692
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:1144

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
            Filesize

            258KB

            MD5

            e4121d9935f33e4f29cd063bb967e9b3

            SHA1

            0221815d3e67f8ffa06cfeaef2faac0cfc6fe6ce

            SHA256

            1cbe20b082744c4f445d2be69135b2ffb3ee4d3a121254ccef29310e91cb5ffc

            SHA512

            07d0ffbf9ba0b330c82d301fc195f0c3154dbd651ca71869f8cebe5f6038606a01cb16d57c28b6553cb19ff265619b1de491c58755cb5864ee99ba7b065b8af0

            Download Submit

          • C:\Program Files\7-Zip\7z.exe
            Filesize

            491KB

            MD5

            079f633ee8059f40558d558e7c252620

            SHA1

            948b8bf5b39ac59dbef866d2355a7b0ed85dfe8e

            SHA256

            075fc8fa58245fc801131401efb09e4a37bf60cdb5c34b746cd9f84348baccd8

            SHA512

            150752825b047caf5e456f068104ac8fb3c51dcf30f32d1db413b02bfaccd081f9b8451b38ecb97797fb9f66f0a97b381f05532ae9101b9a2c42bd4bbe1490c8

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\$$aE649.bat
            Filesize

            722B

            MD5

            84d040aeed9cd6c1b32d455f61ebafbf

            SHA1

            e3ca0e0b498a0258a405a41ec7719bb9d24d49b5

            SHA256

            67972cac429761d18badb1d6b9b8e4790b20b9e42b143c5fe830e5062a53f1cd

            SHA512

            b78ef5351f37d9fbcd287a92ce20a159478e8252f738eba01c989841d5141e9956eb4b07435fe4c0dac89d59fd67c33d497ac7f6c9d0750ff8622f51ff351489

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\d97065a794957cf435b3b99b7a6defd6a79d30cd2b0ea2cb122b9e216aff0b7c.exe
            Filesize

            444KB

            MD5

            2b48f69517044d82e1ee675b1690c08b

            SHA1

            83ca22c8a8e9355d2b184c516e58b5400d8343e0

            SHA256

            507bdc3ab5a6d9ddba2df68aff6f59572180134252f5eb8cb46f9bb23006b496

            SHA512

            97d9b130a483263ddf59c35baceba999d7c8db4effc97bcb935cb57acc7c8d46d3681c95e24975a099e701997330c6c6175e834ddb16abc48d5e9827c74a325b

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\d97065a794957cf435b3b99b7a6defd6a79d30cd2b0ea2cb122b9e216aff0b7c.exe
            Filesize

            444KB

            MD5

            2b48f69517044d82e1ee675b1690c08b

            SHA1

            83ca22c8a8e9355d2b184c516e58b5400d8343e0

            SHA256

            507bdc3ab5a6d9ddba2df68aff6f59572180134252f5eb8cb46f9bb23006b496

            SHA512

            97d9b130a483263ddf59c35baceba999d7c8db4effc97bcb935cb57acc7c8d46d3681c95e24975a099e701997330c6c6175e834ddb16abc48d5e9827c74a325b

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\d97065a794957cf435b3b99b7a6defd6a79d30cd2b0ea2cb122b9e216aff0b7c.exe.exe
            Filesize

            444KB

            MD5

            2b48f69517044d82e1ee675b1690c08b

            SHA1

            83ca22c8a8e9355d2b184c516e58b5400d8343e0

            SHA256

            507bdc3ab5a6d9ddba2df68aff6f59572180134252f5eb8cb46f9bb23006b496

            SHA512

            97d9b130a483263ddf59c35baceba999d7c8db4effc97bcb935cb57acc7c8d46d3681c95e24975a099e701997330c6c6175e834ddb16abc48d5e9827c74a325b

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\.ba1\logo.png
            Filesize

            1KB

            MD5

            d6bd210f227442b3362493d046cea233

            SHA1

            ff286ac8370fc655aea0ef35e9cf0bfcb6d698de

            SHA256

            335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef

            SHA512

            464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\.ba1\wixstdba.dll
            Filesize

            126KB

            MD5

            d7bf29763354eda154aad637017b5483

            SHA1

            dfa7d296bfeecde738ef4708aaabfebec6bc1e48

            SHA256

            7f5f8fcfd84132579f07e395e65b44e1b031fe01a299bce0e3dd590131c5cb93

            SHA512

            1c76175732fe68b9b12cb46077daa21e086041adbd65401717a9a1b5f3c516e03c35a90897c22c7281647d6af4a1a5ffb3fbd5706ea376d8f6e574d27396019c

            Download Submit

          • C:\Windows\Logo1_.exe
            Filesize

            33KB

            MD5

            41783923a9a0452ad35b6cc203d34f79

            SHA1

            f70636b7219593416147dcaf74ccfddad3053896

            SHA256

            c0b7fd1bc95b52a8d703f5c72e52542299a5ad91b92a292c9806a9311d96e607

            SHA512

            2931deae0146515939b1c77c0b6c32761b757db973c482333c0a2cfc730b808004fabb3683a29fa14903c8f4ddda7517ab5518a9e18ecb1a38c8dbebcd0275c0

            Download Submit

          • C:\Windows\Logo1_.exe
            Filesize

            33KB

            MD5

            41783923a9a0452ad35b6cc203d34f79

            SHA1

            f70636b7219593416147dcaf74ccfddad3053896

            SHA256

            c0b7fd1bc95b52a8d703f5c72e52542299a5ad91b92a292c9806a9311d96e607

            SHA512

            2931deae0146515939b1c77c0b6c32761b757db973c482333c0a2cfc730b808004fabb3683a29fa14903c8f4ddda7517ab5518a9e18ecb1a38c8dbebcd0275c0

            Download Submit

          • C:\Windows\rundl132.exe
            Filesize

            33KB

            MD5

            41783923a9a0452ad35b6cc203d34f79

            SHA1

            f70636b7219593416147dcaf74ccfddad3053896

            SHA256

            c0b7fd1bc95b52a8d703f5c72e52542299a5ad91b92a292c9806a9311d96e607

            SHA512

            2931deae0146515939b1c77c0b6c32761b757db973c482333c0a2cfc730b808004fabb3683a29fa14903c8f4ddda7517ab5518a9e18ecb1a38c8dbebcd0275c0

            Download Submit

          • F:\$RECYCLE.BIN\S-1-5-21-2415528079-3794552930-4264847036-1000\_desktop.ini
            Filesize

            8B

            MD5

            587438ba3214d6958f23eced1b2cd39c

            SHA1

            56d9150b977089419b026aaf6ee032981c437dfd

            SHA256

            4a9d4c3f321c10e2bb0319dca7695b9b3252a0e1d35cfc2a09bac15d5c36e090

            SHA512

            31309fcfa73bf18bb138cbe3744414acc13498184290586c8f185e828027f7b0c647f3f102826099465c7995a29e8a33d95f832ffac8d16b619b53f037e4fd63

            Download Submit

          • memory/4480-34-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/4480-1618-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/4480-8-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/4480-5182-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/4480-8783-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/4900-0-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/4900-10-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download