Overview

overview

7

Static

static

3

f68c9f702e...e9.exe

windows7-x64

7

f68c9f702e...e9.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    21/02/2024, 15:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f68c9f702e5f462d6c796f4d3bc343891931dcbe020784742f4a8d18539802e9.exe

  • Size

    146KB

  • MD5

    53a847a89559619e499dde3b88605210

  • SHA1

    7fdfb93ed92eee4b984963184f03de6b2b7d8f14

  • SHA256

    f68c9f702e5f462d6c796f4d3bc343891931dcbe020784742f4a8d18539802e9

  • SHA512

    9deceb5b24514c9ae45cd2209119bbc7cd8d09700007751b172f36f953e5f2711d87b773b476f4c46b9cb5d5d4244cd379059ece81a734fc0e142b0ee99ce3dc

  • SSDEEP

    1536:cAsxN92ppTSahtA3AwT/igXrotyFD+ljb6e2s82qjUbb5d6ojOepel5:cfNIv7MwwrFob8LjUbb5d6u6

Score
7/10
spywarestealer

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 43 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1276
      • C:\Users\Admin\AppData\Local\Temp\f68c9f702e5f462d6c796f4d3bc343891931dcbe020784742f4a8d18539802e9.exe
        "C:\Users\Admin\AppData\Local\Temp\f68c9f702e5f462d6c796f4d3bc343891931dcbe020784742f4a8d18539802e9.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2120
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2748
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:2108
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c C:\Users\Admin\AppData\Local\Temp\$$a5245.bat
            3⤵
            • Deletes itself
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:2716
            • C:\Users\Admin\AppData\Local\Temp\f68c9f702e5f462d6c796f4d3bc343891931dcbe020784742f4a8d18539802e9.exe
              "C:\Users\Admin\AppData\Local\Temp\f68c9f702e5f462d6c796f4d3bc343891931dcbe020784742f4a8d18539802e9.exe"
              4⤵
              • Executes dropped EXE
              PID:2588
          • C:\Windows\Logo1_.exe
            C:\Windows\Logo1_.exe
            3⤵
            • Executes dropped EXE
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:2096
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:2392
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:3012
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:2628
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:2584

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
            Filesize

            258KB

            MD5

            20cef2186133a343a70d5d5d4feef3a3

            SHA1

            4844bc3596fa52272bb96cc418f2754b9e33fb17

            SHA256

            a56a482a19e754be811a156bce1a2951aa5ce0765aca04261ede8179ad9e33db

            SHA512

            023fb969db382c783bbcf9b6fa8e88603caeac25b7802da432a98a5d4a686893e97de785d918341767b389f39ebfaf5111b42fe283802402fe0fe04e1b2eac54

            Download Submit

          • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
            Filesize

            478KB

            MD5

            85bfd80e5e2a61689d1273c6efa51ccc

            SHA1

            8ae8a160124cc56983f24a933fbecdac08da435a

            SHA256

            892cf1575e0cc60639951f9a5a37323f3ca7d06f335e8a39635c3b858596ea3c

            SHA512

            96dd851f4d17a65aa6dfddfdc134a46d30b0417451b4c4b31092b66056cae59302d49b706294547e5766e347dc368ff4bd176d90376c5e2ad5c7a52aa8718a79

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\$$a5245.bat
            Filesize

            722B

            MD5

            ca0ad52b81c5f5dccd6a5aa66cb33b6b

            SHA1

            9583965cfeea40a1dfc79434940b71ebc5c55841

            SHA256

            c8aff2ab2f3f9976b6767c08eb754d7168e09cc659e3b64c86cf54c12c68781b

            SHA512

            8d2f29992fa720fa2d0b2be1c8692c921cb5c6e2970739debe8416c570791c2f76c42f04a938125769fbd67967a926d30a8e8f905d5088065757be34fa6afd3d

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\f68c9f702e5f462d6c796f4d3bc343891931dcbe020784742f4a8d18539802e9.exe.exe
            Filesize

            113KB

            MD5

            095dabb90bb0953800131fbcc6f6df5e

            SHA1

            9166e25e1fe27c3f92e642ec2fcc36e7c3b19216

            SHA256

            72f1979b588357e1b0dc3e6e9f9a368d2742f18bf1daab0ee94f26d6811f8a33

            SHA512

            041a008d96140a46aa89776fd11e64064b9cda9bd551747f59ae98ccfdff07af010061338655d4d07925f4e2a6c9fc3c79159cec2c9e055445f4b2ab1275152f

            Download Submit

          • C:\Windows\Logo1_.exe
            Filesize

            33KB

            MD5

            74de944429af39f54ac31888ee07b892

            SHA1

            7c05f329379c5a396dbdf1e3857f59734eeaaf07

            SHA256

            22a484df9625b0a17e2e7b65945360f0b031ec1bea68fb96d3553d07ab354f52

            SHA512

            d4a8d643b207e1742071a11b05b3044c0750849f767ecbecb5e957d1df1bc95a312a0a595c7c34cc8a09523ef25deac47fddb4801735bcff6087879ef8d10fd7

            Download Submit

          • F:\$RECYCLE.BIN\S-1-5-21-928733405-3780110381-2966456290-1000\_desktop.ini
            Filesize

            9B

            MD5

            62b5f4cbf35e0811170865d2c1b514b0

            SHA1

            eb9ab8cea4d5052efe5126141140269f2fc29e7b

            SHA256

            0c2b516efab7a741c31502cb6f7828de32cd4feb088b683d651225489f183bb3

            SHA512

            4632536c26324e72b20e87d53546ea1d012bc1f3457ce5d8e1b33dd3eebc41ad5e4a3d3f6a3a542d7ce103f95ca5a5a1973c6c036980f1e8860c6c5d93c5696f

            Download Submit

          • memory/1276-28-0x0000000002A30000-0x0000000002A31000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2096-32-0x0000000000400000-0x0000000000440000-memory.dmp

            Filesize

            256KB

            Download

          • memory/2096-1836-0x0000000000400000-0x0000000000440000-memory.dmp

            Filesize

            256KB

            Download

          • memory/2096-19-0x0000000000400000-0x0000000000440000-memory.dmp

            Filesize

            256KB

            Download

          • memory/2096-3773-0x0000000000400000-0x0000000000440000-memory.dmp

            Filesize

            256KB

            Download

          • memory/2096-4082-0x0000000000400000-0x0000000000440000-memory.dmp

            Filesize

            256KB

            Download

          • memory/2120-15-0x0000000000270000-0x00000000002B0000-memory.dmp

            Filesize

            256KB

            Download

          • memory/2120-0-0x0000000000400000-0x0000000000440000-memory.dmp

            Filesize

            256KB

            Download

          • memory/2120-18-0x0000000000400000-0x0000000000440000-memory.dmp

            Filesize

            256KB

            Download