Analysis

  • max time kernel
    150s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    05/03/2024, 11:24

General

  • Target

    b495ad8edaf6f8da1c38437a3d6c44c8.exe

  • Size

    72KB

  • MD5

    b495ad8edaf6f8da1c38437a3d6c44c8

  • SHA1

    1e98a8dc9421eae40037421bc332f86b224a5a39

  • SHA256

    ddd235cb2286fbf73341cfe720fce3b7616c1fd4f5b71dae23e3f5a08d4fb1ce

  • SHA512

    8036e3d4edf0d4f928498c354e49615bb3c70667ea8004ff84a9002ad7553237386e3d467f7f3588d084f9824996b6468a018c8af09f4a33aeea1e63703c5659

  • SSDEEP

    1536:p4q8Q1xZtffrb8sjPFNhTYsFFrzckH2fmitVVXC3adCA:qKtfDwsjPThTYszDH2fRCK7

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE (2 IoCs)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates connected drives (3 TTPs, 21 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory (64 IoCs)
  • Drops file in Windows directory (2 IoCs)
  • Suspicious behavior: EnumeratesProcesses (16 IoCs)
  • Suspicious use of WriteProcessMemory (11 IoCs)

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3464
      • C:\Users\Admin\AppData\Local\Temp\b495ad8edaf6f8da1c38437a3d6c44c8.exe
        "C:\Users\Admin\AppData\Local\Temp\b495ad8edaf6f8da1c38437a3d6c44c8.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:2656
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a6206.bat
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:4108
          • C:\Users\Admin\AppData\Local\Temp\b495ad8edaf6f8da1c38437a3d6c44c8.exe
            "C:\Users\Admin\AppData\Local\Temp\b495ad8edaf6f8da1c38437a3d6c44c8.exe"
            4⤵
            • Executes dropped EXE
            PID:2008
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:3068

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files\7-Zip\7zFM.exe

    Filesize

    989KB

    MD5

    732c54cb40e7d6e8298904e046fd5d11

    SHA1

    60f974a5ea0417375ed7aa974f365070deb5f612

    SHA256

    d44e1ba4f2d4ca8d0df9fec05198553f31565dcf0e667c4613aa06fc6b0a9dfb

    SHA512

    621b95932132ba72a4dbbc9c874118470cca2c4dea7749840935f562fb9fdfaa76ee6f171ad2096dd913f3dd9c494146e4c4dfb20fe4f4bc1d71ba5de299f222

  • C:\Users\Admin\AppData\Local\Temp\$$a6206.bat

    Filesize

    530B

    MD5

    27ad6b16a939545d4fc57e5d5581e730

    SHA1

    d1d406e00468a716763d2244d5f669511c3a7544

    SHA256

    8f1b4cb250af32701dd14df0c7490105b2a8023018d85430a475a9fdec7b3ca8

    SHA512

    a68e573e3aecdd87d45f224b53d46e8c6683bfd0bc600b794850fa88cc96fb3754de8fc362b1ecb2e15650fab304e787e50d966c5057f1c076cbb6f8b5fa3e9b

  • C:\Users\Admin\AppData\Local\Temp\b495ad8edaf6f8da1c38437a3d6c44c8.exe.exe

    Filesize

    14KB

    MD5

    24ef7650a464eb95f8a5bba03202a9ef

    SHA1

    fd6e36e45fda812ec49eb9a07ce8a6a2ed6cb70c

    SHA256

    290a6c952a8216276bea217b1de6a0e8e3150083fe3b441f3784acac02c77f51

    SHA512

    6402433d125f7e6b8478f2a06fa03e547adc95b18a6426324cbedb39a94ace3e7aa1605b3391b8cb0cf93cddfbc2eaecf781001e915f1546b9492bdebcae64db

  • C:\Windows\Logo1_.exe

    Filesize

    58KB

    MD5

    5f37f663a4fa45d381d07638032d024c

    SHA1

    ee3f57a5b28850c4ab25758174faca9ea1af40bd

    SHA256

    bdb0ef4eab81fe0e8d164e94ff78fea2c33a9578a9d8f0cf655240a2215c38ba

    SHA512

    fc6c77edf8bc56484ecb5354240bb9202a536fdb34596b6c1392641be4e762fba5dbe5e325f255d76566b5716684246fc75518c2bb29ea2235ff5a3f1f995485

  • memory/2656-7-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB

  • memory/3068-222-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB