Overview

overview

8

Static

static

3

eab8e377cd...ba.exe

windows7-x64

8

eab8e377cd...ba.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    150s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231023-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07/11/2023, 00:37

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    eab8e377cd9c99c292513824899e46e279b168453fcd2af025936ca3023267ba.exe

  • Size

    33KB

  • MD5

    78b13275cb58f2d7c422baa8f6be8069

  • SHA1

    bd808b9d43f59a792c7477ad7c6d563099dcdb42

  • SHA256

    eab8e377cd9c99c292513824899e46e279b168453fcd2af025936ca3023267ba

  • SHA512

    ae5241c76e07bdebf43c5bb8b8f6bd6a26fab8fe655002d49a59049754e581510daba1a10a69563adf1475415548233edc918abfe32dba0592095bdc6d3b0a9a

  • SSDEEP

    768:JGTElOIEvzMXqtwp/lDTJg/MFksCRsd2u9C9MFWoVaZel:JeaYzMXqtGN/CstC9qVF

Score
8/10
spywarestealer

Malware Config

Signatures

  • Drops file in Drivers directory 1 IoCs
  • Drops startup file 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 60 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\eab8e377cd9c99c292513824899e46e279b168453fcd2af025936ca3023267ba.exe
    "C:\Users\Admin\AppData\Local\Temp\eab8e377cd9c99c292513824899e46e279b168453fcd2af025936ca3023267ba.exe"
    1⤵
    • Drops file in Drivers directory
    • Drops startup file
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3468
    • C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4064
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        3⤵
          PID:3240
      • C:\Windows\SysWOW64\net.exe
        net stop "Kingsoft AntiVirus Service"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:3432
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
          3⤵
            PID:2160
      • C:\Windows\Explorer.EXE
        C:\Windows\Explorer.EXE
        1⤵
          PID:3304

        Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
                Filesize

                258KB

                MD5

                5c1b9fb919fb6e06ae93f3bd8aea0586

                SHA1

                6d76f9e7f520860aa82cb9c1c06e134e16def1d0

                SHA256

                6fbae3f85794114ae1bcf09c05a132a651d970b2435c2de2899fad2c14259d5d

                SHA512

                4bfc09f30e4dc7e8dad3c3d9f4d5b0fd15d758b1447f9d6f4844d94641cb56ae56d268425656338999c64ba10d9b13d21e8e7039e3dc0e0165e5e1bbaf86bd22

                Download Submit

              • C:\Program Files\Google\Chrome\Application\chrome.exe
                Filesize

                2.8MB

                MD5

                8ee61e44a30bc2d29ee8471e654773e4

                SHA1

                848172ee09aea8642a88ab93a68caeb4dd7c5d4c

                SHA256

                57d39d039ead4a701841f69e0cc32a4afa15eded69c69804c0659fe78ceee339

                SHA512

                20a332dd09f7a05e51c1c5d8d9cf39052341d4758439d8f9aed58be00cf1d57a2e94d32c2707aaa98064bdd7c120315d0eee571d4ad0ae72046aa4a0b558e329

                Download Submit

              • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
                Filesize

                478KB

                MD5

                3da8ead3d29f876e93bb09d1ca3e9781

                SHA1

                a5efb27fe83f4cedc9b7b795399584a53e0c20aa

                SHA256

                013051f1a07d98ad170e96efb392089423e8a583db2a9bf2a5762448bf3b104f

                SHA512

                c767d267879f581d1aefb6b98b2638d0cb79c6688ed6bbd7700d2b3ca52abcf89519adc56c64c0cfc01a315947f45a394a74880541f31296557f379ca84e58a8

                Download Submit

              • F:\$RECYCLE.BIN\S-1-5-21-2231940048-779848787-2990559741-1000\_desktop.ini
                Filesize

                9B

                MD5

                35dff1b2d2822022424940d4487e8d0d

                SHA1

                cf3c5e0326ffacd39689a35b566c8d3c626cc96b

                SHA256

                0432a628b4273444218f05d7d906b391ab84e1d51bc1b084c37456324e0f84ae

                SHA512

                91c1e3f5497c8c249e695b9e6f844f141b8747d5d1c5d23d09a2e39aae974cfcfe26b6a4580904b87aa495d452df942937fd721ff8189016a59f61c0835e1665

                Download Submit

              • memory/3468-0-0x0000000000400000-0x000000000043E000-memory.dmp

                Filesize

                248KB

                Download

              • memory/3468-5-0x0000000000400000-0x000000000043E000-memory.dmp

                Filesize

                248KB

                Download

              • memory/3468-1203-0x0000000000400000-0x000000000043E000-memory.dmp

                Filesize

                248KB

                Download

              • memory/3468-3286-0x0000000000400000-0x000000000043E000-memory.dmp

                Filesize

                248KB

                Download

              • memory/3468-5706-0x0000000000400000-0x000000000043E000-memory.dmp

                Filesize

                248KB

                Download

              • memory/3468-8332-0x0000000000400000-0x000000000043E000-memory.dmp

                Filesize

                248KB

                Download