Overview

overview

7

Static

static

3

37ee23adaa...b2.exe

windows7-x64

7

37ee23adaa...b2.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags

    arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
  • submitted
    04/09/2023, 10:48

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    37ee23adaa06f88c9b3ed46500b201280014ab92e35c2e123014485c0e051bb2.exe

  • Size

    2.1MB

  • MD5

    ed7bd7f8cf60d6f503b0334b51885b30

  • SHA1

    da15c33d2bd425f8f44f8fcfd60cb4f19c30be35

  • SHA256

    37ee23adaa06f88c9b3ed46500b201280014ab92e35c2e123014485c0e051bb2

  • SHA512

    a11075499f58696592e1067e7258729f462554cd51f46087b3e6314e8ce9cece351ed12563e82130244712652133cb9e3e2a2f3bec6ba53c0a7de47863805eba

  • SSDEEP

    24576:hB4EM1W3i4phW7P5DZ+06jJOCnATyES6ybessFAc:hB4EM1W3i4phW7P5KdATyEelsFAc

Score
7/10
spywarestealer

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 43 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1200
      • C:\Users\Admin\AppData\Local\Temp\37ee23adaa06f88c9b3ed46500b201280014ab92e35c2e123014485c0e051bb2.exe
        "C:\Users\Admin\AppData\Local\Temp\37ee23adaa06f88c9b3ed46500b201280014ab92e35c2e123014485c0e051bb2.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2996
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2060
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:2332
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c C:\Users\Admin\AppData\Local\Temp\$$a6E4D.bat
            3⤵
            • Deletes itself
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:2600
            • C:\Users\Admin\AppData\Local\Temp\37ee23adaa06f88c9b3ed46500b201280014ab92e35c2e123014485c0e051bb2.exe
              "C:\Users\Admin\AppData\Local\Temp\37ee23adaa06f88c9b3ed46500b201280014ab92e35c2e123014485c0e051bb2.exe"
              4⤵
              • Executes dropped EXE
              PID:2660
          • C:\Windows\Logo1_.exe
            C:\Windows\Logo1_.exe
            3⤵
            • Executes dropped EXE
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:2620
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:2768
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:2516
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:2608
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:2508

          Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
                  Filesize

                  258KB

                  MD5

                  032ded763c5053d895d417f701221790

                  SHA1

                  24bbbf207686532931c052e3713501e75aee5ab3

                  SHA256

                  0c410aebd8419882efaeee6265f89fc4c276be6ebaafa8a5faf2508f1d43551e

                  SHA512

                  32c70b29eec95e80c6976971a26eebff295e42c749c579a745f973dd306812fd82de15298b853bad5c599edc85ca4593a2f587102318b3911d50a356af0af001

                  Download Submit

                • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
                  Filesize

                  478KB

                  MD5

                  26855796aad15692849304ed0905a3a5

                  SHA1

                  c2a4b980c9ef043c652698cab3707d1611c31f80

                  SHA256

                  45aefb8183665c4374c0663ed6a99ded2383be669200a05fd2d5dc363201ec99

                  SHA512

                  c97b14579640f8762e1dc94f66343ca90101f1890f8f528cf0f6bcdc0d48affa3ebf1f41aba839621fbfb6dc81380835ac9002e963dba000a08ccbaa47e72461

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\$$a6E4D.bat
                  Filesize

                  722B

                  MD5

                  7d9cdfe9fe53eaa490fd91adbf606e85

                  SHA1

                  7ad70f659167ebb725207300693dd4973018a7f7

                  SHA256

                  e3af5a5605a3782a3341df80926512fb5bd9ae33b61a290b4964f441754009e0

                  SHA512

                  04a5cbe29c5ea9d684a68d2e4091dced3eef0ff1ba28d74e724bd2f5b4b715e32f8111d2497631784c6d964c69e5e3294c18217d991f5e71ed430a0e3ef468c1

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\$$a6E4D.bat
                  Filesize

                  722B

                  MD5

                  7d9cdfe9fe53eaa490fd91adbf606e85

                  SHA1

                  7ad70f659167ebb725207300693dd4973018a7f7

                  SHA256

                  e3af5a5605a3782a3341df80926512fb5bd9ae33b61a290b4964f441754009e0

                  SHA512

                  04a5cbe29c5ea9d684a68d2e4091dced3eef0ff1ba28d74e724bd2f5b4b715e32f8111d2497631784c6d964c69e5e3294c18217d991f5e71ed430a0e3ef468c1

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\37ee23adaa06f88c9b3ed46500b201280014ab92e35c2e123014485c0e051bb2.exe
                  Filesize

                  2.1MB

                  MD5

                  a22ce15e4298766deac3b4f7088136cd

                  SHA1

                  bebc83ea0d57201074ed7063459e63933ca89eab

                  SHA256

                  b95e29141f3fdb36dbb3b93acb0a9e4d09ff584aad2892b9b35b9ed786142a1e

                  SHA512

                  c5899d607c7dbeeb4918c3f289f0aef8bc4458b292b8769b04691f5eef5b82471a4b8263b5b140410efae0eaacb33a4e2bc5dd0aed83d3f899d15ee6d4570d80

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\37ee23adaa06f88c9b3ed46500b201280014ab92e35c2e123014485c0e051bb2.exe.exe
                  Filesize

                  2.1MB

                  MD5

                  a22ce15e4298766deac3b4f7088136cd

                  SHA1

                  bebc83ea0d57201074ed7063459e63933ca89eab

                  SHA256

                  b95e29141f3fdb36dbb3b93acb0a9e4d09ff584aad2892b9b35b9ed786142a1e

                  SHA512

                  c5899d607c7dbeeb4918c3f289f0aef8bc4458b292b8769b04691f5eef5b82471a4b8263b5b140410efae0eaacb33a4e2bc5dd0aed83d3f899d15ee6d4570d80

                  Download Submit

                • C:\Windows\Logo1_.exe
                  Filesize

                  33KB

                  MD5

                  06ace9eb2d0855f1ff523c933936e82c

                  SHA1

                  7340342baf9245740ec36251496b498eaedccbe1

                  SHA256

                  1d81248e789c990ec2bf5bc1d77a49b63305c0d511be0a5ce31c9dc7ef3a25c9

                  SHA512

                  76cab9e1e28f22dd65d13f315f9b9374edd2996f73dd16cf3fb3a7cce405427e1f90faf25e62f0f381a24faaf5a40c253d375da609bad62fbea4027652396fc9

                  Download Submit

                • C:\Windows\Logo1_.exe
                  Filesize

                  33KB

                  MD5

                  06ace9eb2d0855f1ff523c933936e82c

                  SHA1

                  7340342baf9245740ec36251496b498eaedccbe1

                  SHA256

                  1d81248e789c990ec2bf5bc1d77a49b63305c0d511be0a5ce31c9dc7ef3a25c9

                  SHA512

                  76cab9e1e28f22dd65d13f315f9b9374edd2996f73dd16cf3fb3a7cce405427e1f90faf25e62f0f381a24faaf5a40c253d375da609bad62fbea4027652396fc9

                  Download Submit

                • C:\Windows\Logo1_.exe
                  Filesize

                  33KB

                  MD5

                  06ace9eb2d0855f1ff523c933936e82c

                  SHA1

                  7340342baf9245740ec36251496b498eaedccbe1

                  SHA256

                  1d81248e789c990ec2bf5bc1d77a49b63305c0d511be0a5ce31c9dc7ef3a25c9

                  SHA512

                  76cab9e1e28f22dd65d13f315f9b9374edd2996f73dd16cf3fb3a7cce405427e1f90faf25e62f0f381a24faaf5a40c253d375da609bad62fbea4027652396fc9

                  Download Submit

                • C:\Windows\rundl132.exe
                  Filesize

                  33KB

                  MD5

                  06ace9eb2d0855f1ff523c933936e82c

                  SHA1

                  7340342baf9245740ec36251496b498eaedccbe1

                  SHA256

                  1d81248e789c990ec2bf5bc1d77a49b63305c0d511be0a5ce31c9dc7ef3a25c9

                  SHA512

                  76cab9e1e28f22dd65d13f315f9b9374edd2996f73dd16cf3fb3a7cce405427e1f90faf25e62f0f381a24faaf5a40c253d375da609bad62fbea4027652396fc9

                  Download Submit

                • F:\$RECYCLE.BIN\S-1-5-21-86725733-3001458681-3405935542-1000\_desktop.ini
                  Filesize

                  8B

                  MD5

                  587438ba3214d6958f23eced1b2cd39c

                  SHA1

                  56d9150b977089419b026aaf6ee032981c437dfd

                  SHA256

                  4a9d4c3f321c10e2bb0319dca7695b9b3252a0e1d35cfc2a09bac15d5c36e090

                  SHA512

                  31309fcfa73bf18bb138cbe3744414acc13498184290586c8f185e828027f7b0c647f3f102826099465c7995a29e8a33d95f832ffac8d16b619b53f037e4fd63

                  Download Submit

                • \Users\Admin\AppData\Local\Temp\37ee23adaa06f88c9b3ed46500b201280014ab92e35c2e123014485c0e051bb2.exe
                  Filesize

                  2.1MB

                  MD5

                  a22ce15e4298766deac3b4f7088136cd

                  SHA1

                  bebc83ea0d57201074ed7063459e63933ca89eab

                  SHA256

                  b95e29141f3fdb36dbb3b93acb0a9e4d09ff584aad2892b9b35b9ed786142a1e

                  SHA512

                  c5899d607c7dbeeb4918c3f289f0aef8bc4458b292b8769b04691f5eef5b82471a4b8263b5b140410efae0eaacb33a4e2bc5dd0aed83d3f899d15ee6d4570d80

                  Download Submit

                • memory/1200-27-0x0000000002AC0000-0x0000000002AC1000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/2620-19-0x0000000000400000-0x000000000043F000-memory.dmp

                  Filesize

                  252KB

                  Download

                • memory/2620-30-0x0000000000400000-0x000000000043F000-memory.dmp

                  Filesize

                  252KB

                  Download

                • memory/2620-1356-0x0000000000400000-0x000000000043F000-memory.dmp

                  Filesize

                  252KB

                  Download

                • memory/2620-3324-0x0000000000400000-0x000000000043F000-memory.dmp

                  Filesize

                  252KB

                  Download

                • memory/2620-4085-0x0000000000400000-0x000000000043F000-memory.dmp

                  Filesize

                  252KB

                  Download

                • memory/2996-0-0x0000000000400000-0x000000000043F000-memory.dmp

                  Filesize

                  252KB

                  Download

                • memory/2996-16-0x0000000000400000-0x000000000043F000-memory.dmp

                  Filesize

                  252KB

                  Download

                • memory/2996-12-0x0000000002FC0000-0x0000000002FFF000-memory.dmp

                  Filesize

                  252KB

                  Download