Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03/10/2023, 05:20

General

  • Target: fc6765eb85b9599a60d5306e55233241fea0d98606ab103036444308f9487357.exe
  • Size: 2.4MB
  • MD5: 4ba331aae2558a57700474d6099a6536
  • SHA1: 62023c6ddd9194882d78c0174a468373d58e43f3
  • SHA256: fc6765eb85b9599a60d5306e55233241fea0d98606ab103036444308f9487357
  • SHA512: d8ccc043f6d39c5d8ef71e09359715095dea38a8798db15dcccff7d069fdf1fcb87423b658f73394f8ecd674d5dceb142523ca0e402ae2786a17f3106cf68bcd
  • SSDEEP: 49152:wDkYOMwwnMb4PmyVhXlxqCLxqCI+V8tgJd8qPOkfrL4n9:dYOXwnS4rVjx1Lx1I+Cga0Rfrs9

Score
7/10

Malware Config

Signatures

  • Drops startup file (2 IoCs)
  • Reads user/profile data of web browsers (2 TTPs)
    Infostealers often target stored browser data, which can include saved credentials etc.
  • Enumerates connected drives (3 TTPs, 21 IoCs)
    Attempts to read the root path of hard drives other than the default C: drive.
  • Drops file in Program Files directory (64 IoCs)
  • Drops file in Windows directory (2 IoCs)
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses (60 IoCs)
  • Suspicious use of WriteProcessMemory (14 IoCs)

Processes

  • C:\Windows\Explorer.EXE (level 1, PID:3216)
    Command line: C:\Windows\Explorer.EXE
    • C:\Users\Admin\AppData\Local\Temp\fc6765eb85b9599a60d5306e55233241fea0d98606ab103036444308f9487357.exe (level 2, PID:4852)
      Command line: "C:\Users\Admin\AppData\Local\Temp\fc6765eb85b9599a60d5306e55233241fea0d98606ab103036444308f9487357.exe"
      Signatures: Drops startup file; Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
      • C:\Windows\SysWOW64\net.exe (level 3, PID:3024)
        Command line: net stop "Kingsoft AntiVirus Service"
        Signatures: Suspicious use of WriteProcessMemory
        • C:\Windows\SysWOW64\net1.exe (level 4, PID:1336)
          Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      • C:\Windows\SysWOW64\net.exe (level 3, PID:3980)
        Command line: net stop "Kingsoft AntiVirus Service"
        Signatures: Suspicious use of WriteProcessMemory
        • C:\Windows\SysWOW64\net1.exe (level 4, PID:996)
          Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
    Filesize: 2.6MB
    MD5: c57c8bf360c34fe05d236a4bb68704ec
    SHA1: a2255850eb9a828bf1ce28441384a951409db333
    SHA256: 9ea40bfdf6988c764c876d62c9964eee33a88fda46994ac3c21437c7d366acbb
    SHA512: bb57359d592f266d78c6e65a227d97a4cd1fdd8f163f6ed9f3be2456fd762aa88546ab6185aa58a74bd10e35bf2f0091a9dc4fb768c159af6459065b71f7094a

  • C:\Program Files\Google\Chrome\Application\chrome.exe
    Filesize: 5.2MB
    MD5: 7d98d3e48dc67d7ca58ffc6a17e7b093
    SHA1: 6fb7466f2ca5d9c8b990e84402427b299ad902b3
    SHA256: bdf5891bced0eb8677a3655ed8bd1b14a2156e9e8301ab276eeb38a329d43d18
    SHA512: 16a34d0da5bdf5b0ed542c0d9003fb6c2884022343e9d47b5046bfc56e539df2775df6ed060b29dd7a713623ed0b63eb213c9ac45e1b97471db1a1ab7004322d

  • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
    Filesize: 2.9MB
    MD5: 131ac8b064917588e189f6b72269c514
    SHA1: feaf3165102daef72462d0b220dd9e42c200d5a8
    SHA256: a00f871748158baf00e67f88df0ddf70ed1eed9106448fd22143d902b538296c
    SHA512: f774abb8e1b73bcf19567a63b2b0d4b89b95390aba7730839dabc9daa80199d9ff9f4f0f6e00583421fb52b6d640a5de6d18b46f1505d5af12cb829b39f7f549

  • F:\$RECYCLE.BIN\S-1-5-21-919254492-3979293997-764407192-1000\_desktop.ini
    Filesize: 9B
    MD5: aec6bbf704de8af243f3e9add8732550
    SHA1: 1fad16c82d710536532e146137be098c172182ee
    SHA256: d20a8fade634d93ece501e8946d07bc8d0ecdefea8b585ce5286a42e43111334
    SHA512: cdbe9134f8057a95af0d39894c7f8e513faa85749dde984f6369164056f7986429a3a724da3812533c3f2f6108c440c37dff20c0d7a1c664a6a5c7424c9051e5

  • memory/4852-0-0x0000000000400000-0x0000000000448000-memory.dmp
    Filesize: 288KB

  • memory/4852-3-0x0000000000400000-0x0000000000448000-memory.dmp
    Filesize: 288KB