Overview

overview

7

Static

static

3

79b3f9630b...b0.exe

windows7-x64

7

79b3f9630b...b0.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    151s
  • max time network
    134s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    24/02/2024, 19:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    79b3f9630ba66b90e63ca87c9e55db1030fe5fae9c11f24b262415df8bbf4cb0.exe

  • Size

    72KB

  • MD5

    55eb01d65d1be47bb0fcb009b9eace53

  • SHA1

    7b8efe95ade2192156fec0f1f70c022c0a58a400

  • SHA256

    79b3f9630ba66b90e63ca87c9e55db1030fe5fae9c11f24b262415df8bbf4cb0

  • SHA512

    44a894d7e1fd50a617e858f122a33e81595c5e1261405d73c5bc482a085e00cc3007aad8b782492b3ced15e418c7d86aaeb058698ac9a33c176e1e1ccaff6d23

  • SSDEEP

    1536:8oqe+Zk7VJbwlYXjPrsqrZMYR5p8wk2kKzs2Irj5hN:8je+azbRPrlr9RXFk2kKzQj5r

Score
7/10
spywarestealer

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 43 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1244
      • C:\Users\Admin\AppData\Local\Temp\79b3f9630ba66b90e63ca87c9e55db1030fe5fae9c11f24b262415df8bbf4cb0.exe
        "C:\Users\Admin\AppData\Local\Temp\79b3f9630ba66b90e63ca87c9e55db1030fe5fae9c11f24b262415df8bbf4cb0.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2972
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:3020
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:2736
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c C:\Users\Admin\AppData\Local\Temp\$$a7511.bat
            3⤵
            • Deletes itself
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:2556
            • C:\Users\Admin\AppData\Local\Temp\79b3f9630ba66b90e63ca87c9e55db1030fe5fae9c11f24b262415df8bbf4cb0.exe
              "C:\Users\Admin\AppData\Local\Temp\79b3f9630ba66b90e63ca87c9e55db1030fe5fae9c11f24b262415df8bbf4cb0.exe"
              4⤵
              • Executes dropped EXE
              PID:2916
          • C:\Windows\Logo1_.exe
            C:\Windows\Logo1_.exe
            3⤵
            • Executes dropped EXE
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:2636
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:2552
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:2436
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:2596
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:2428

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
            Filesize

            264KB

            MD5

            5607ab9d477658733de1dc92f1c5df0e

            SHA1

            3ecf0a7e0fbe49389bee0a28135478ec386b17c0

            SHA256

            a03531b2769537e5363cf793bdc80f097dbe3a2766c180350a569019beeda830

            SHA512

            1b0a7a2bce1225230943fe1957db146d5c3e82a508e33940c0a654b89701506a36bf713f7257d654158b9b4faab26a8aad35ab22ea84c8961cfb1db349d53875

            Download Submit

          • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
            Filesize

            484KB

            MD5

            41d5bd106a62b9a38b1c76df058c795d

            SHA1

            f4d66b06c910103c30e24010f380d2d98bd49cab

            SHA256

            a3d71d07d47ca777c1976260894fa8f618a7dc9e5626150b578dd01f722d522f

            SHA512

            46326985ebc5f47fe1542b04b5d78ef58b9fbf3ae7e8f08346b26dbc767eef6a46cebb5d27acc08cb7ce280e814e31032168566d2c2c75f0e0a54745ab976f22

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\$$a7511.bat
            Filesize

            722B

            MD5

            491fe0d62a0570d2e869d8cdde3d0d34

            SHA1

            470692d00cde7f69cb72be8b492df9ef3e8982b1

            SHA256

            1f7565dcf690da2c524c8bddaa66d3663e5c1f398c762cbba2e65bc46e5b7717

            SHA512

            b86db64322e7eacddbfd608736b5ae5cd6ac43dca114572e55ed2ba97f382a31f2580f132ebfd504ccd678e0d7aaea09fc6820c80522f3602253dff30e01bcc5

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\79b3f9630ba66b90e63ca87c9e55db1030fe5fae9c11f24b262415df8bbf4cb0.exe.exe
            Filesize

            33KB

            MD5

            97ec61761e1fdfb2f1d4ea4d221a43d1

            SHA1

            d6e1682a8dd967bdffe8c145731fb9ea1d0a3509

            SHA256

            1f3069b596484ffa16181226b07c67ee1cb0f41d191ddde7c02f6bb75336cc52

            SHA512

            7d34cc27dce09e2711d76f39c5f44525937ac15723aaedc303c154223f3ec42e6043374582614cc3067795781a2daf6ea8935f3f3b0a8747fa783cedf36090a9

            Download Submit

          • C:\Windows\Logo1_.exe
            Filesize

            39KB

            MD5

            a93f5efc0b2c641bd652a684e460e1c6

            SHA1

            3e14fa1a93963965769d42a31b494afc7aa894c0

            SHA256

            ce50adfbb271796afc33d20c4433bee5e16446b56596c7a7cb100e8748b17310

            SHA512

            cbcab17e89a46cf8c2136dff9b4684776a92d7a429b6772198e7f6e48047e054c41d5935302719d615a6a7219edaf1f5fd60f096d9a56caf8eb12f5bc5565265

            Download Submit

          • F:\$RECYCLE.BIN\S-1-5-21-778096762-2241304387-192235952-1000\_desktop.ini
            Filesize

            9B

            MD5

            cfe6f484be357c72eb43c1bf358667cc

            SHA1

            e3d7e0445522b691704b4118172728b6a29eb809

            SHA256

            da822ce24d9fbaf4a51165971caf1c53642c637bb0140121b9041e3b23b05946

            SHA512

            29d9ed22715e24413a7b4110e4a45e99110c8b7c0e4f6b0033d5b41f9564687e70aabb182ff809223355daccc6bebf4a90df3dfd6bbbc54649227bf38097b236

            Download Submit

          • memory/1244-28-0x0000000002B30000-0x0000000002B31000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2636-32-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/2636-434-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/2636-20-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/2636-3324-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/2636-4081-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/2972-16-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/2972-0-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/2972-17-0x0000000000230000-0x000000000026D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/2972-12-0x0000000000230000-0x000000000026D000-memory.dmp

            Filesize

            244KB

            Download