Overview

overview

7

Static

static

3

4b5091e526...aa.exe

windows7-x64

7

4b5091e526...aa.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    26/03/2024, 18:58

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    4b5091e52699708fc45ad65ef75c52f09e28be1c060bb538f718bf220e7067aa.exe

  • Size

    258KB

  • MD5

    7799716e53f09fac3d4cba556618a732

  • SHA1

    deb1760e81a12ed8c9fa3a92370ca820c6c0d61c

  • SHA256

    4b5091e52699708fc45ad65ef75c52f09e28be1c060bb538f718bf220e7067aa

  • SHA512

    5a5dbbb98e27bae9a248330ab5e183ae65074dbf2867c407102240cb3310b2ffd9feebbd9bfe1984faa3ab8679de45edc4cb2117550acab118f4bfc71c87379a

  • SSDEEP

    6144:c1m0tgiC4bXqsTk90qC1AOb7eswf1Px++fD8PJ:c1m0qitXqsTkiR7twRx+gD8PJ

Score
7/10
spywarestealer

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 43 IoCs
  • Suspicious use of WriteProcessMemory 41 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1204
      • C:\Users\Admin\AppData\Local\Temp\4b5091e52699708fc45ad65ef75c52f09e28be1c060bb538f718bf220e7067aa.exe
        "C:\Users\Admin\AppData\Local\Temp\4b5091e52699708fc45ad65ef75c52f09e28be1c060bb538f718bf220e7067aa.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2224
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1492
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:2516
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c C:\Users\Admin\AppData\Local\Temp\$$a531F.bat
            3⤵
            • Deletes itself
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:2644
            • C:\Users\Admin\AppData\Local\Temp\4b5091e52699708fc45ad65ef75c52f09e28be1c060bb538f718bf220e7067aa.exe
              "C:\Users\Admin\AppData\Local\Temp\4b5091e52699708fc45ad65ef75c52f09e28be1c060bb538f718bf220e7067aa.exe"
              4⤵
              • Executes dropped EXE
              PID:2592
          • C:\Windows\Logo1_.exe
            C:\Windows\Logo1_.exe
            3⤵
            • Executes dropped EXE
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:2576
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:2668
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:2664
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:2560
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:2420

          Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
                  Filesize

                  478KB

                  MD5

                  28959031896021bc7ca9f579de2cc456

                  SHA1

                  3577f294e56af20384c17c2e6b30043d3fb467ce

                  SHA256

                  f033bbb306ff9feebc9f881d7bf293d303af233130e795d86a20b16aad085eec

                  SHA512

                  8ccc791701cbf875cff76feb50e78391fdc4375e0bd78c59111a657059e2f4c8c91b8603755bd5cfc1feb1abcc98b3eda6e3f810de8e8d60eb35090eecb21020

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\$$a531F.bat
                  Filesize

                  722B

                  MD5

                  6e4d0da4427b68ab51f520a6a25010b1

                  SHA1

                  a1e4f38d959b8716767e0daa0fc5d3391b3059f6

                  SHA256

                  6d1740cc38c0c2ba4ab13a1e39709ed4da8de1d15941292db33b2fa827282061

                  SHA512

                  7ccb297ac41281b01fec975b789e0fe7ee3d5f3aed53495f51efbea07c8dd593ad8eaddc7367253f5cef5a85c4498d8068af6a91b96270b4438525517b1937df

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\4b5091e52699708fc45ad65ef75c52f09e28be1c060bb538f718bf220e7067aa.exe.exe
                  Filesize

                  224KB

                  MD5

                  d4b257c01bbaa68d15d8368475a4e227

                  SHA1

                  fafae083a882e163cfa8c77258baaab891c17df2

                  SHA256

                  dd6dd981c7f1a6673dc8cc3a0fe1fc8a54e059a9fdb0545b0dc9258299c0c546

                  SHA512

                  167494ecb32196e8e199d7d14a1c0498eee45ab8e8862e5441539fa569313bb602b9e979935c7cc5ba39300e54e8bdbdf2f502e4ea24b5e8339fd2c3685ca502

                  Download Submit

                • C:\Windows\Logo1_.exe
                  Filesize

                  33KB

                  MD5

                  d653755b31e8bfbb783ff1fcdeece501

                  SHA1

                  3854cb9ae22e332969f1f0393e5b78e2cfa8fce5

                  SHA256

                  1890193c8dfd409ebf0ba68a044b015ce0e8d2b369c7ca83a7062dd3904ac03d

                  SHA512

                  f1eb2080db955ae144b68e7afc3880ce7b88f45b686ca73eb022a6c7e6883fb1e47c027adb91bcaa7319cf427aa3ae3a68d891a64c8fd556bddf2a1ebba3d80b

                  Download Submit

                • F:\$RECYCLE.BIN\S-1-5-21-406356229-2805545415-1236085040-1000\_desktop.ini
                  Filesize

                  9B

                  MD5

                  108fdf573744a59e277323996400c0f6

                  SHA1

                  ef2455daeb8ca0208cae55e098524ee5a28db101

                  SHA256

                  cf34ef479883d417c78d4e5b3a1f7ed5d238644a5f27c7bf316cc8c3d00f2d15

                  SHA512

                  39da2234e2fcfe7cc622c810829f204f83b7f82cfc23c95edd38d82383e90e5005958689bcd0ec55dc51bb3e056293a2975fdf917bbbdedbcceedb9975648715

                  Download Submit

                • memory/1204-27-0x00000000026A0000-0x00000000026A1000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/2224-15-0x0000000000400000-0x000000000043D000-memory.dmp

                  Filesize

                  244KB

                  Download

                • memory/2224-0-0x0000000000400000-0x000000000043D000-memory.dmp

                  Filesize

                  244KB

                  Download

                • memory/2224-16-0x0000000000230000-0x000000000026D000-memory.dmp

                  Filesize

                  244KB

                  Download

                • memory/2576-19-0x0000000000400000-0x000000000043D000-memory.dmp

                  Filesize

                  244KB

                  Download

                • memory/2576-31-0x0000000000400000-0x000000000043D000-memory.dmp

                  Filesize

                  244KB

                  Download

                • memory/2576-2067-0x0000000000400000-0x000000000043D000-memory.dmp

                  Filesize

                  244KB

                  Download

                • memory/2576-4049-0x0000000000400000-0x000000000043D000-memory.dmp

                  Filesize

                  244KB

                  Download