Overview

overview

7

Static

static

3

7ca7821af4...ca.exe

windows7-x64

7

7ca7821af4...ca.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    174s
  • max time network
    182s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11/10/2023, 21:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7ca7821af42ec4b2b1880cf7d5f631debe52cb0b6d8d722ddb22ea0c6af9a7ca.exe

  • Size

    33KB

  • MD5

    a3063f70c0d7bb08db595d4cf51642dd

  • SHA1

    f8a9840ddc8a0f4cb05fd9b5fe40db3530d5a24e

  • SHA256

    7ca7821af42ec4b2b1880cf7d5f631debe52cb0b6d8d722ddb22ea0c6af9a7ca

  • SHA512

    f7d1206f5aa6ae81629a386d6022542e567e41c6b513e0e3abe48ee11d7306dda24469d6268149e61cd672a5cc75a356ea076e3add3f2a9dce2550619d9ea4c5

  • SSDEEP

    768:VgNFeTz5O5RroZJ76739sBWsi7IlPh3Adqx1LESYRYiV:VKcz5e+Zk78tlp3Au1LESYJV

Score
7/10
spywarestealer

Malware Config

Signatures

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 60 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3140
      • C:\Users\Admin\AppData\Local\Temp\7ca7821af42ec4b2b1880cf7d5f631debe52cb0b6d8d722ddb22ea0c6af9a7ca.exe
        "C:\Users\Admin\AppData\Local\Temp\7ca7821af42ec4b2b1880cf7d5f631debe52cb0b6d8d722ddb22ea0c6af9a7ca.exe"
        2⤵
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:3852
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1240
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:4708
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:2692
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              4⤵
                PID:5000

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
          Filesize

          258KB

          MD5

          51e95977c775e3758a90f49a4a41034a

          SHA1

          ab239de9bb59e1eb4ceb25f7aa3b43c9f2cc362e

          SHA256

          0909809269df8b127de9a61bcf2adbd285a0b212a7688aba9cdf38b15310651c

          SHA512

          6df56fa4c922ba6874b588693ce3dc0c2194261f51fd4293b8765f4564856103974fafece30a8535e0ed7ae6f96ac9199e233e4a63fceb03c90243433e81a2d3

          Download Submit

        • C:\Program Files\Google\Chrome\Application\chrome.exe
          Filesize

          2.8MB

          MD5

          fee38bedd4928b39c408c0519724b25b

          SHA1

          90e67ca3042856ceed088cbad9aa995cb009085c

          SHA256

          c031dd14c15323a0369c5f8bf394f2afc1ea91116e52aee7f1170912c4ef72b0

          SHA512

          411b00e26b14e9ece808b96b3be9858aaf4cdda072e671a8e40b161dcace734144bdcf6b19329c0e957bd84d947d3c4aacf9fe41f53ba8293542dc3c6f321745

          Download Submit

        • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
          Filesize

          478KB

          MD5

          a4bd9e80c3fb386b30dc2352161d404b

          SHA1

          e516cb69f5271dfc0daa943b4d5281e15b3dfe35

          SHA256

          98629bd57b1501e443c97597242584ae7315b240afdd0c174a9ca2da123fd07f

          SHA512

          268512078691d28ee5a5d8ddd7282159c14ad602192ad8c020b9a2da6b14efb1930d34cc850e5748447ee2e1a611cd465ecb4b76498e12bcbedbcfd70f365e7f

          Download Submit

        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.62.0_0\_locales\pa\_desktop.ini
          Filesize

          10B

          MD5

          dbf19ca54500e964528b156763234c1d

          SHA1

          05376f86423aec8badf0adbc47887234ac83ef5a

          SHA256

          bfa0ad2e861e2369dc239edf8f62fbe1c4507d877ec2f76e46e48f1e68fdd5ae

          SHA512

          fb8ce1253ad6d3c1b7d970614dbc2d21574576336a490b54a8dc705a3d8637c0669747ba821fb2f4da14d7447dc24607aca988b0cd3bd9fc4d9d5988b4b631d0

          Download Submit

        • F:\$RECYCLE.BIN\S-1-5-21-919254492-3979293997-764407192-1000\_desktop.ini
          Filesize

          9B

          MD5

          872506f1dadcc0cedd1e9dee11f54da4

          SHA1

          d1e87145ed1d918f10ae4e93ccdbb994bc906ed5

          SHA256

          a0049e98811438481e150df54f7b555026746c943cb03106677bf75b4e412104

          SHA512

          6cf3aeeed18e66a16ed653a5c33133ec8d5fb58cf42aab9e712cf473233e506d4f14692dff04b7c20847718e5c344ec2651e57d2ae7a034610b07679b786344c

          Download Submit

        • memory/3852-14-0x0000000000400000-0x000000000043F000-memory.dmp

          Filesize

          252KB

          Download

        • memory/3852-1591-0x0000000000400000-0x000000000043F000-memory.dmp

          Filesize

          252KB

          Download

        • memory/3852-2769-0x0000000000400000-0x000000000043F000-memory.dmp

          Filesize

          252KB

          Download

        • memory/3852-2880-0x0000000000400000-0x000000000043F000-memory.dmp

          Filesize

          252KB

          Download

        • memory/3852-131-0x0000000000400000-0x000000000043F000-memory.dmp

          Filesize

          252KB

          Download

        • memory/3852-5231-0x0000000000400000-0x000000000043F000-memory.dmp

          Filesize

          252KB

          Download

        • memory/3852-5259-0x0000000000400000-0x000000000043F000-memory.dmp

          Filesize

          252KB

          Download

        • memory/3852-0-0x0000000000400000-0x000000000043F000-memory.dmp

          Filesize

          252KB

          Download

        • memory/3852-5852-0x0000000000400000-0x000000000043F000-memory.dmp

          Filesize

          252KB

          Download

        • memory/3852-3-0x0000000000400000-0x000000000043F000-memory.dmp

          Filesize

          252KB

          Download