Analysis

  • max time kernel
    150s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231023-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    24/11/2023, 15:08

General

  • Target

    016217239854bb8d575957b1daf7d47765c1da2b28d0ccb274fa3c53112a17dd.exe

  • Size

    33KB

  • MD5

    0130f5e8ec6493e42aaa329210e164e8

  • SHA1

    a6a69e3bb0e1aab22a30f7e7bdf281fb25f26b25

  • SHA256

    016217239854bb8d575957b1daf7d47765c1da2b28d0ccb274fa3c53112a17dd

  • SHA512

    9143e3a7b16c1e013ed6e3103c769f8ef8e17ba1c375a5adc25af276751f3c7bda02f6c3a11d92d419117426982259b452c27d4edfdbf848200be7250c90cd0b

  • SSDEEP

    768:2QElOIEvzMXqtwp/lttaL7HP4EUi91acSWGoYoLVCm1:2QaYzMXqtGNttyeiZnZLYm1

Score
8/10

Malware Config

Signatures

  • Drops file in Drivers directory 1 IoCs
  • Drops startup file 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 60 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3312
      • C:\Users\Admin\AppData\Local\Temp\016217239854bb8d575957b1daf7d47765c1da2b28d0ccb274fa3c53112a17dd.exe
        "C:\Users\Admin\AppData\Local\Temp\016217239854bb8d575957b1daf7d47765c1da2b28d0ccb274fa3c53112a17dd.exe"
        2⤵
        • Drops file in Drivers directory
        • Drops startup file
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1652
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2116
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:4496
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:3804
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:4092
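The two behaviours that stand out in the signature list and the process tree above are the `net stop "Kingsoft AntiVirus Service"` calls issued from an executable running out of `%TEMP%` (ATT&CK T1562.001, Impair Defenses: Disable or Modify Tools) and the file writes into the drivers directory, into `Program Files`, and into `$RECYCLE.BIN` on a non-system drive. The following is an added example, not code from the sandbox or from the report, showing how both can be turned into detection logic over process-create and file-create telemetry. The event records are constructed by hand in a Sysmon-like shape (EventID 1 = process create, EventID 11 = file create) from the PIDs, image paths and command lines printed in the report; the field names, the rule functions, the explorer parent PID, the driver file name `example.sys` and the benign `Print Spooler`/`scratch.tmp` control events are assumptions for illustration, not observations from the report.

```python
"""Detection rules for AV-service tampering via net.exe and suspicious file drops.

Added example. Event schema, rule names and the benign control events are the
author's assumptions; PIDs, paths and command lines are taken from the report.
"""
import re

# Constructed sample telemetry (Sysmon-like shape), not the sandbox's raw log.
DROPPER = (r"C:\Users\Admin\AppData\Local\Temp"
           r"\016217239854bb8d575957b1daf7d47765c1da2b28d0ccb274fa3c53112a17dd.exe")

EVENTS = [
    # EventID 1: process creation (pid, ppid, image, command line)
    {"id": 1, "pid": 3312, "ppid": 1000, "image": r"C:\Windows\Explorer.EXE",  # ppid assumed
     "cmd": r"C:\Windows\Explorer.EXE"},
    {"id": 1, "pid": 1652, "ppid": 3312, "image": DROPPER, "cmd": f'"{DROPPER}"'},
    {"id": 1, "pid": 2116, "ppid": 1652, "image": r"C:\Windows\SysWOW64\net.exe",
     "cmd": 'net stop "Kingsoft AntiVirus Service"'},
    {"id": 1, "pid": 4496, "ppid": 2116, "image": r"C:\Windows\SysWOW64\net1.exe",
     "cmd": r'C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"'},
    {"id": 1, "pid": 3804, "ppid": 1652, "image": r"C:\Windows\SysWOW64\net.exe",
     "cmd": 'net stop "Kingsoft AntiVirus Service"'},
    {"id": 1, "pid": 4092, "ppid": 3804, "image": r"C:\Windows\SysWOW64\net1.exe",
     "cmd": r'C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"'},
    # Constructed control: an operator stopping a non-security service must not alert.
    {"id": 1, "pid": 5000, "ppid": 3312, "image": r"C:\Windows\System32\net.exe",
     "cmd": 'net stop "Print Spooler"'},
    # EventID 11: file creation (pid of the writer, target path)
    {"id": 11, "pid": 1652,
     "target": r"C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe"},
    {"id": 11, "pid": 1652, "target": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"id": 11, "pid": 1652,
     "target": r"F:\$RECYCLE.BIN\S-1-5-21-3125601242-331447593-1512828465-1000\_desktop.ini"},
    {"id": 11, "pid": 1652, "target": r"C:\Windows\System32\drivers\example.sys"},  # name assumed
    {"id": 11, "pid": 1652, "target": r"C:\Users\Admin\AppData\Local\Temp\scratch.tmp"},  # benign
]

# Security services whose shutdown is worth an alert; extend with your own AV/EDR names.
AV_SERVICES = {"kingsoft antivirus service"}

USER_TEMP = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
NET_STOP = re.compile(r'\bstop\s+"?([^"]+?)"?\s*$', re.I)
DRIVERS = re.compile(r"^c:\\windows\\system32\\drivers\\", re.I)
PROGRAM_FILES_EXE = re.compile(r"^c:\\program files( \(x86\))?\\.*\.exe$", re.I)
RECYCLE_OTHER_DRIVE = re.compile(r"^(?!c:)[a-z]:\\\$recycle\.bin\\", re.I)


def lineage(pid, procs):
    """Yield image paths for pid and each ancestor, nearest first; stops on cycles."""
    seen = set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        yield procs[pid]["image"]
        pid = procs[pid]["ppid"]


def rule_av_tamper(ev, procs):
    """net.exe / net1.exe stopping a known security service (T1562.001)."""
    if ev["id"] != 1:
        return None
    name = ev["image"].rsplit("\\", 1)[-1].lower()
    if name not in ("net.exe", "net1.exe"):
        return None
    m = NET_STOP.search(ev["cmd"])
    if not m or m.group(1).strip().lower() not in AV_SERVICES:
        return None
    # Escalate when anything in the process chain was launched from a user temp dir.
    from_temp = any(USER_TEMP.match(img) for img in lineage(ev["pid"], procs))
    return {"rule": "T1562.001 net stop of security service", "pid": ev["pid"],
            "severity": "high" if from_temp else "medium", "detail": m.group(1)}


def rule_file_drop(ev, procs):
    """A %TEMP%-launched process writing drivers, Program Files EXEs or foreign $RECYCLE.BIN."""
    if ev["id"] != 11:
        return None
    writer = procs.get(ev["pid"], {}).get("image", "")
    if not USER_TEMP.match(writer):
        return None
    checks = (("driver directory write", DRIVERS),
              ("executable written under Program Files", PROGRAM_FILES_EXE),
              ("$RECYCLE.BIN write on non-system drive", RECYCLE_OTHER_DRIVE))
    for label, pattern in checks:
        if pattern.search(ev["target"]):
            return {"rule": label, "pid": ev["pid"], "severity": "high", "detail": ev["target"]}
    return None


def analyze(events):
    """Run every rule over every event; returns the list of alert dicts."""
    procs = {e["pid"]: e for e in events if e["id"] == 1}
    alerts = []
    for ev in events:
        for rule in (rule_av_tamper, rule_file_drop):
            hit = rule(ev, procs)
            if hit:
                alerts.append(hit)
    return alerts


if __name__ == "__main__":
    for a in analyze(EVENTS):
        print(f'[{a["severity"]}] pid={a["pid"]} {a["rule"]}: {a["detail"]}')
```

Run against the constructed events, the AV rule fires four times (both `net.exe` instances and both `net1.exe` children, all escalated to high because the chain roots in the `%TEMP%` dropper) and the file rule fires for the two `Program Files` executables, the `F:\$RECYCLE.BIN` write and the driver write; the `Print Spooler` stop and the `scratch.tmp` write stay silent. The lineage walk is what separates this from a plain command-line match: `net1.exe` is always spawned by `net.exe`, so a rule that only looks at the immediate parent would miss the Temp-resident origin.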

Network

MITRE ATT&CK Enterprise v15

Downloads

        • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

          Filesize

          258KB

          MD5

          f59f3ad72aa4868a7f8fd08637ef4c96

          SHA1

          d289cd3f7719e31f8b022f34c11aae0ccfb53d75

          SHA256

          a2eb008ef426694dff89113c6db5e99da73faaf42cef72d98cd846630eca6c17

          SHA512

          a799156352ed73593136b2ce42889dcc162edbc30937d41cabee7f7af5281e3340683e036906e86b9ecfd262de3a5d38ac4c2f09034db8c8c6cf616710917223

        • C:\Program Files\Google\Chrome\Application\chrome.exe

          Filesize

          2.8MB

          MD5

          f400c65b3131584703d262d796167b52

          SHA1

          4101fc544bc431cba7f8cbca808eb840a0fb44ca

          SHA256

          660112a8066926999226e2eee93b956bbcf2401574aadbb53a6ae4b29bb52da0

          SHA512

          51d3b77b5a75210edf2a66457abdd661875c1de243b9fb776a064d6ebb893464a4745a81f030f8d0b86d47e123d684a8318ca60401932aa02e7a44f1dab7113b

        • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

          Filesize

          478KB

          MD5

          209d4b4455ac36ef36cc724e5197edbc

          SHA1

          34e806224bfc6ba8bf2dc65386e8268beb4bf0d7

          SHA256

          fa30aab2b90ead118dcb84ca237a9c913893398bdf9099d1f5f859b831f3ae29

          SHA512

          3da50973bb1ecbec2f1d1e4bdb1634a4a94f8bbb4694afd2c01660e51033b40802354cefa84361656ca788be80b59c46fe137ea0577ec93914d0586cdd070144

        • F:\$RECYCLE.BIN\S-1-5-21-3125601242-331447593-1512828465-1000\_desktop.ini

          Filesize

          10B

          MD5

          0d897ff63d6d70834691031400f75fba

          SHA1

          1527f718ccce51339d233a1a409fbc4a27fe73d6

          SHA256

          4ae6beff7729c454ddd8204bac0ebeaf452455e43ffb2e7e6fef227f1ad09169

          SHA512

          6cdd19fa414b78c81ac442e75cb85fc7ec97444b80373cd4de0ca20b72f7a6a474589d44202ab04d7a493f2c202ab60951c51d031a4ff95f5a878fa93039794d

        • memory/1652-0-0x0000000000400000-0x000000000043E000-memory.dmp

          Filesize

          248KB

        • memory/1652-5-0x0000000000400000-0x000000000043E000-memory.dmp

          Filesize

          248KB

        • memory/1652-23-0x0000000000400000-0x000000000043E000-memory.dmp

          Filesize

          248KB

        • memory/1652-2183-0x0000000000400000-0x000000000043E000-memory.dmp

          Filesize

          248KB

        • memory/1652-4623-0x0000000000400000-0x000000000043E000-memory.dmp

          Filesize

          248KB

        • memory/1652-5858-0x0000000000400000-0x000000000043E000-memory.dmp

          Filesize

          248KB

        • memory/1652-8172-0x0000000000400000-0x000000000043E000-memory.dmp

          Filesize

          248KB