Overview

overview

8

Static

static

3

f24f471863...cb.exe

windows7-x64

8

f24f471863...cb.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    151s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13/02/2024, 07:32

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    f24f471863ce9d420da152cdd6e978a2f35c15d967a2dc7df90ca57205f45ecb.exe

  • Size

    67KB

  • MD5

    c2ae8fcc18b89af6ec47cf95c9b63391

  • SHA1

    edf10b48afef041f56323f4ed1b64c4eda910da3

  • SHA256

    f24f471863ce9d420da152cdd6e978a2f35c15d967a2dc7df90ca57205f45ecb

  • SHA512

    58003d03fe05ba8798f3fcf082683d074dabdda1b87ee7020b7926151e7cc592f5097ca638bf148f0fc589b6e825b9b6dc70c4510b64040aa49e3629b5ce5128

  • SSDEEP

    1536:P7aYzMXqtGNttyUn01Q78a4RjZoEV0JuRUFyMOaHQ1l:P7aY46tGNttyJQ7KRek0JXXOeQ

Score
8/10
spywarestealer

Malware Config

Signatures

  • Drops file in Drivers directory 2 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3512
      • C:\Users\Admin\AppData\Local\Temp\f24f471863ce9d420da152cdd6e978a2f35c15d967a2dc7df90ca57205f45ecb.exe
        "C:\Users\Admin\AppData\Local\Temp\f24f471863ce9d420da152cdd6e978a2f35c15d967a2dc7df90ca57205f45ecb.exe"
        2⤵
        • Drops file in Drivers directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:4612
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:3048
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:1864
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aAF8.bat
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:3464
            • C:\Users\Admin\AppData\Local\Temp\f24f471863ce9d420da152cdd6e978a2f35c15d967a2dc7df90ca57205f45ecb.exe
              "C:\Users\Admin\AppData\Local\Temp\f24f471863ce9d420da152cdd6e978a2f35c15d967a2dc7df90ca57205f45ecb.exe"
              4⤵
              • Executes dropped EXE
              PID:3824
          • C:\Windows\Logo1_.exe
            C:\Windows\Logo1_.exe
            3⤵
            • Drops file in Drivers directory
            • Drops startup file
            • Executes dropped EXE
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:3728
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:2660
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:1176
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:2104
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:4112

          Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Program Files\7-Zip\7z.exe
                  Filesize

                  577KB

                  MD5

                  49b578318484c88ca48cdc8d20032c95

                  SHA1

                  d29b24bf2b17da2204449a0f1329e816bfd75696

                  SHA256

                  22a5a07d257accc276e5bad16f06b5b3bcc51f6b084f7a31e12ac0b981ba4be2

                  SHA512

                  e4639e0d030bf63bbc84016fd4ab8e04dcfab856660e7ca917413784fc62b31f466b1b2986d48f2af02ceab574c8c81e5cf679c0a611e434e34849c20ad703b5

                  Download Submit

                • C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe
                  Filesize

                  488KB

                  MD5

                  15137620fba9c2013dfa9107be4321d5

                  SHA1

                  31c790632ae19274fc2ed7e1615458324bc199bd

                  SHA256

                  37cf90de70064c0ecf765ae35e8b0cf412c90cca2aaa2513cfba95b408b4e604

                  SHA512

                  e2cbb59ec77cb009bf1b0d8d398c0898e65380858d33afb58e6ffc762842526f097d112369200cda95f015f5aa75e5af88810e2f2e174e0d1600cb6ec22a77e3

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\$$aAF8.bat
                  Filesize

                  721B

                  MD5

                  13df053fc4717c406a96cf8408d81bf8

                  SHA1

                  d249034c4356a8ab674f078f6cee66f67310960c

                  SHA256

                  1488089a95313d055445b3d4086a471102adf54aff735a1e845f467fa2b7e438

                  SHA512

                  cad227f448f221c27f512cf037d97505ab7d7ba1b654209ca12dd2d9eec8ddf7521b32201c013841e3342d0d001d7f9faae5a95221716336773cd7d67a32fe1e

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\f24f471863ce9d420da152cdd6e978a2f35c15d967a2dc7df90ca57205f45ecb.exe.exe
                  Filesize

                  33KB

                  MD5

                  69b16c7b7746ba5c642fc05b3561fc73

                  SHA1

                  83d80d668dca76b899e1bf662ddee0e0c18ac791

                  SHA256

                  0deceb6b1b7a2dd1f13133ac7328ff420dad4610cee1fa7466e8e0f6baa39116

                  SHA512

                  6b8eebcfe5b04141640047fe468371ad02bb115ee9ef00260c0b33cfd56b142c2e01b3b1c6f07281aa57b1f3b9fdb1f1082fe5620f88a57b92d8f547267ef154

                  Download Submit

                • C:\Windows\Logo1_.exe
                  Filesize

                  33KB

                  MD5

                  460d2eb14b1906dd2eb1bd89ff874a90

                  SHA1

                  9baf7c925cf37bb2a8b1dab06b12d3137a031a4f

                  SHA256

                  a3534a35919bdd243e61a7a1a10aca06013abb9f7ef35640e5962ca5e86e8a8d

                  SHA512

                  ce3e7de570a1eaa3724928c29143ceefbdde6596beccdbd289586d3ec6d773bc9e0a09ce0b9393d58f0db3dfc25cbecaff4ee405fb85baef821732f51d8f99ce

                  Download Submit

                • C:\Windows\system32\drivers\etc\hosts
                  Filesize

                  842B

                  MD5

                  6f4adf207ef402d9ef40c6aa52ffd245

                  SHA1

                  4b05b495619c643f02e278dede8f5b1392555a57

                  SHA256

                  d9704dab05e988be3e5e7b7c020bb9814906d11bb9c31ad80d4ed1316f6bc94e

                  SHA512

                  a6306bd200a26ea78192ae5b00cc49cfab3fba025fe7233709a4e62db0f9ed60030dce22b34afe57aad86a098c9a8c44e080cedc43227cb87ef4690baec35b47

                  Download Submit

                • F:\$RECYCLE.BIN\S-1-5-21-3073191680-435865314-2862784915-1000\_desktop.ini
                  Filesize

                  9B

                  MD5

                  3c5c5bba3a178ced5be3ad498900e558

                  SHA1

                  d0cd13c835963414049b9a8bab9b576e1fc6f61c

                  SHA256

                  8f524014a5806ddb9bf3a788def8a4bf384978b9108d9f37607a14b9c08f8c97

                  SHA512

                  949505ee30a6408d2c7e4ab64a93c1f8f5f21b44e59e5f0d7b22a282ae2e36bf22f44b45b9b9030be8501266cd9895133aaa203301f3d5ec87e26ef583f8c737

                  Download Submit

                • memory/3728-74-0x0000000000400000-0x000000000043E000-memory.dmp

                  Filesize

                  248KB

                  Download

                • memory/3728-2851-0x0000000000400000-0x000000000043E000-memory.dmp

                  Filesize

                  248KB

                  Download

                • memory/3728-8285-0x0000000000400000-0x000000000043E000-memory.dmp

                  Filesize

                  248KB

                  Download

                • memory/3728-6219-0x0000000000400000-0x000000000043E000-memory.dmp

                  Filesize

                  248KB

                  Download

                • memory/3728-446-0x0000000000400000-0x000000000043E000-memory.dmp

                  Filesize

                  248KB

                  Download

                • memory/3728-1548-0x0000000000400000-0x000000000043E000-memory.dmp

                  Filesize

                  248KB

                  Download

                • memory/3728-2078-0x0000000000400000-0x000000000043E000-memory.dmp

                  Filesize

                  248KB

                  Download

                • memory/3728-19-0x0000000000400000-0x000000000043E000-memory.dmp

                  Filesize

                  248KB

                  Download

                • memory/3728-4669-0x0000000000400000-0x000000000043E000-memory.dmp

                  Filesize

                  248KB

                  Download

                • memory/3728-5103-0x0000000000400000-0x000000000043E000-memory.dmp

                  Filesize

                  248KB

                  Download

                • memory/3728-9-0x0000000000400000-0x000000000043E000-memory.dmp

                  Filesize

                  248KB

                  Download

                • memory/3728-5558-0x0000000000400000-0x000000000043E000-memory.dmp

                  Filesize

                  248KB

                  Download

                • memory/4612-0-0x0000000000400000-0x000000000043E000-memory.dmp

                  Filesize

                  248KB

                  Download

                • memory/4612-11-0x0000000000400000-0x000000000043E000-memory.dmp

                  Filesize

                  248KB

                  Download