Overview

overview

7

Static

static

3

9e13a745d4...4b.exe

windows7-x64

7

9e13a745d4...4b.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags

    arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
  • submitted
    04/09/2023, 13:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9e13a745d42a252607da334fc1d49219165d74ad88ef552d145949377581b64b.exe

  • Size

    327KB

  • MD5

    9c69f68a14acf758e9b5bc6fdf526946

  • SHA1

    8093271aaab53bc900d9a8a505d7eaa8f1a56294

  • SHA256

    9e13a745d42a252607da334fc1d49219165d74ad88ef552d145949377581b64b

  • SHA512

    7c5dd7f2cc882f919d6c3018e7fa44961e19d2983926c5cdab1045b686c8b98123826090b6d824ff03e68cfc2308d398741924577084702774efad51336dbcb1

  • SSDEEP

    6144:8Mwulmti3/eUVT26OxDRZB21dKTBH4yxkaJGq4McDN7I7tvuXINP:8MSgeUF2J1GUT94yZ14Mcp7IJvN

Score
7/10
spywarestealer

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 43 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1196
      • C:\Users\Admin\AppData\Local\Temp\9e13a745d42a252607da334fc1d49219165d74ad88ef552d145949377581b64b.exe
        "C:\Users\Admin\AppData\Local\Temp\9e13a745d42a252607da334fc1d49219165d74ad88ef552d145949377581b64b.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2416
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2280
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:2608
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c C:\Users\Admin\AppData\Local\Temp\$$a386E.bat
            3⤵
            • Deletes itself
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:2940
            • C:\Users\Admin\AppData\Local\Temp\9e13a745d42a252607da334fc1d49219165d74ad88ef552d145949377581b64b.exe
              "C:\Users\Admin\AppData\Local\Temp\9e13a745d42a252607da334fc1d49219165d74ad88ef552d145949377581b64b.exe"
              4⤵
              • Executes dropped EXE
              PID:2628
          • C:\Windows\Logo1_.exe
            C:\Windows\Logo1_.exe
            3⤵
            • Executes dropped EXE
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:2572
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:2624
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:2488
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:2464
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:2528

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
            Filesize

            258KB

            MD5

            5fb0335c7b433d3b481ec80a59f921c2

            SHA1

            8b125619d1532ca934ef52a5aad531510d38b60c

            SHA256

            b8c2a2816a8de5e33fae9f2f71fc70963036db0a81012fc3249b99108be9a4e4

            SHA512

            a1e6e3a8d6e52dc99fcab4c4850f77b0608f35619e4dea5e2a75ee714b4e1dc36476641010d3fdb2dffa59fb7c2d2e2724a9287f11c401aab568c322408bdff8

            Download Submit

          • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
            Filesize

            478KB

            MD5

            4894b8053c2c515de12944003ccca9eb

            SHA1

            4ea0ae6302fa005ca406f04f459cebfb1e339d77

            SHA256

            b467df94ef5c74edc55434535d7bc75958ac9ac0bf7e4c4ee53f360e8dfaee39

            SHA512

            e309e004620181605b4654e5ddd8fe45a76d97fb2566d99a7a35905b3b14bab7c7809b088f21ff4b6086141a835b3655c1182253907526de2c4aec15e0317742

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\$$a386E.bat
            Filesize

            722B

            MD5

            fa9db09134c3b6aaf830bb7f801490f2

            SHA1

            9b2df4a9cf5684a9c99433c07eee141e20c47aab

            SHA256

            949e4d086e6fac852504b947c5ea13e5c92399e5f7760a4140d03426bc95167d

            SHA512

            06cc744838ce680d99f97bb646a91323da51d091e579b17206a9617596e5c1af5b20bdc2bf9fcf8d838178ffd238715015a36ff4ca7a6464c2d77a98bd375f48

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\$$a386E.bat
            Filesize

            722B

            MD5

            fa9db09134c3b6aaf830bb7f801490f2

            SHA1

            9b2df4a9cf5684a9c99433c07eee141e20c47aab

            SHA256

            949e4d086e6fac852504b947c5ea13e5c92399e5f7760a4140d03426bc95167d

            SHA512

            06cc744838ce680d99f97bb646a91323da51d091e579b17206a9617596e5c1af5b20bdc2bf9fcf8d838178ffd238715015a36ff4ca7a6464c2d77a98bd375f48

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\9e13a745d42a252607da334fc1d49219165d74ad88ef552d145949377581b64b.exe
            Filesize

            293KB

            MD5

            6d59dab35531477d64b18b0bd716dd1e

            SHA1

            5fc5b4f273c0a303ec6fe87815e7b380d7d30524

            SHA256

            ec49757538e41a7b2d6c22d1d8a0792228fafbe5a34ef204f5399d3e0f838f69

            SHA512

            c6855abd33a4d1ee8dcecdb0e94e8ef18e7ce3f0cab4eb61d429a9a0c00be0ee73ec225a5ed1f5682869dd21198dadcf7406f5568b107e98de64f316f0f10a12

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\9e13a745d42a252607da334fc1d49219165d74ad88ef552d145949377581b64b.exe.exe
            Filesize

            293KB

            MD5

            6d59dab35531477d64b18b0bd716dd1e

            SHA1

            5fc5b4f273c0a303ec6fe87815e7b380d7d30524

            SHA256

            ec49757538e41a7b2d6c22d1d8a0792228fafbe5a34ef204f5399d3e0f838f69

            SHA512

            c6855abd33a4d1ee8dcecdb0e94e8ef18e7ce3f0cab4eb61d429a9a0c00be0ee73ec225a5ed1f5682869dd21198dadcf7406f5568b107e98de64f316f0f10a12

            Download Submit

          • C:\Windows\Logo1_.exe
            Filesize

            33KB

            MD5

            5cb144548615ce20b2913568d5e9e98d

            SHA1

            bd3278e585a211d835679391f8aeedbc07ea1655

            SHA256

            7b2ce0298c9ad218380a3f6f69de0252d0cc9ee9b1cb95e99e7db2c368e15462

            SHA512

            6d997fa7ffc9a0d52b89922baa0bd378f12f4817025660623cbf3759bdd0db2a61c96ce51fa0fab1b24255acea44a74ff744c0e3c09bf3f8c43593852455adb1

            Download Submit

          • C:\Windows\Logo1_.exe
            Filesize

            33KB

            MD5

            5cb144548615ce20b2913568d5e9e98d

            SHA1

            bd3278e585a211d835679391f8aeedbc07ea1655

            SHA256

            7b2ce0298c9ad218380a3f6f69de0252d0cc9ee9b1cb95e99e7db2c368e15462

            SHA512

            6d997fa7ffc9a0d52b89922baa0bd378f12f4817025660623cbf3759bdd0db2a61c96ce51fa0fab1b24255acea44a74ff744c0e3c09bf3f8c43593852455adb1

            Download Submit

          • C:\Windows\Logo1_.exe
            Filesize

            33KB

            MD5

            5cb144548615ce20b2913568d5e9e98d

            SHA1

            bd3278e585a211d835679391f8aeedbc07ea1655

            SHA256

            7b2ce0298c9ad218380a3f6f69de0252d0cc9ee9b1cb95e99e7db2c368e15462

            SHA512

            6d997fa7ffc9a0d52b89922baa0bd378f12f4817025660623cbf3759bdd0db2a61c96ce51fa0fab1b24255acea44a74ff744c0e3c09bf3f8c43593852455adb1

            Download Submit

          • C:\Windows\rundl132.exe
            Filesize

            33KB

            MD5

            5cb144548615ce20b2913568d5e9e98d

            SHA1

            bd3278e585a211d835679391f8aeedbc07ea1655

            SHA256

            7b2ce0298c9ad218380a3f6f69de0252d0cc9ee9b1cb95e99e7db2c368e15462

            SHA512

            6d997fa7ffc9a0d52b89922baa0bd378f12f4817025660623cbf3759bdd0db2a61c96ce51fa0fab1b24255acea44a74ff744c0e3c09bf3f8c43593852455adb1

            Download Submit

          • F:\$RECYCLE.BIN\S-1-5-21-2180306848-1874213455-4093218721-1000\_desktop.ini
            Filesize

            8B

            MD5

            587438ba3214d6958f23eced1b2cd39c

            SHA1

            56d9150b977089419b026aaf6ee032981c437dfd

            SHA256

            4a9d4c3f321c10e2bb0319dca7695b9b3252a0e1d35cfc2a09bac15d5c36e090

            SHA512

            31309fcfa73bf18bb138cbe3744414acc13498184290586c8f185e828027f7b0c647f3f102826099465c7995a29e8a33d95f832ffac8d16b619b53f037e4fd63

            Download Submit

          • \Users\Admin\AppData\Local\Temp\9e13a745d42a252607da334fc1d49219165d74ad88ef552d145949377581b64b.exe
            Filesize

            293KB

            MD5

            6d59dab35531477d64b18b0bd716dd1e

            SHA1

            5fc5b4f273c0a303ec6fe87815e7b380d7d30524

            SHA256

            ec49757538e41a7b2d6c22d1d8a0792228fafbe5a34ef204f5399d3e0f838f69

            SHA512

            c6855abd33a4d1ee8dcecdb0e94e8ef18e7ce3f0cab4eb61d429a9a0c00be0ee73ec225a5ed1f5682869dd21198dadcf7406f5568b107e98de64f316f0f10a12

            Download Submit

          • memory/1196-27-0x0000000002AA0000-0x0000000002AA1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2416-0-0x0000000000400000-0x0000000000440000-memory.dmp

            Filesize

            256KB

            Download

          • memory/2416-15-0x0000000000400000-0x0000000000440000-memory.dmp

            Filesize

            256KB

            Download

          • memory/2416-16-0x0000000000440000-0x0000000000480000-memory.dmp

            Filesize

            256KB

            Download

          • memory/2572-31-0x0000000000400000-0x0000000000440000-memory.dmp

            Filesize

            256KB

            Download

          • memory/2572-19-0x0000000000400000-0x0000000000440000-memory.dmp

            Filesize

            256KB

            Download

          • memory/2572-1764-0x0000000000400000-0x0000000000440000-memory.dmp

            Filesize

            256KB

            Download

          • memory/2572-4086-0x0000000000400000-0x0000000000440000-memory.dmp

            Filesize

            256KB

            Download