Overview

overview

7

Static

static

3

dcb3eea7f0...06.exe

windows7-x64

7

dcb3eea7f0...06.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    153s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    28/03/2024, 17:58

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    dcb3eea7f06f8ff16a8600809691cdda965411341b180f624264d1f8ee89f506.exe

  • Size

    47KB

  • MD5

    a8fc318e7b1589e0a401d0451c49d10a

  • SHA1

    f05e1e351c1e941b07f15da35830e65edb712b55

  • SHA256

    dcb3eea7f06f8ff16a8600809691cdda965411341b180f624264d1f8ee89f506

  • SHA512

    7ce4502977b06f2031bb033d7dd3497862aa13c3889166fe77dc58d632f865a9c1d2964ba439752261ef9a9f5d9a76a65de2a6fca9344f16a891a2cd8b281e2a

  • SSDEEP

    768:4uu6oO5RroZJ767395uINsEKeMy/t3QTM/OFcxPSiLqYJUukGdKETL4Ibq:4uue+Zk77RNtMy/tgTM/OqxPVhXRTlq

Score
7/10
spywarestealer

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 43 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1412
      • C:\Users\Admin\AppData\Local\Temp\dcb3eea7f06f8ff16a8600809691cdda965411341b180f624264d1f8ee89f506.exe
        "C:\Users\Admin\AppData\Local\Temp\dcb3eea7f06f8ff16a8600809691cdda965411341b180f624264d1f8ee89f506.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2180
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2360
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:1428
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c C:\Users\Admin\AppData\Local\Temp\$$a7F4D.bat
            3⤵
            • Deletes itself
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:2040
            • C:\Users\Admin\AppData\Local\Temp\dcb3eea7f06f8ff16a8600809691cdda965411341b180f624264d1f8ee89f506.exe
              "C:\Users\Admin\AppData\Local\Temp\dcb3eea7f06f8ff16a8600809691cdda965411341b180f624264d1f8ee89f506.exe"
              4⤵
              • Executes dropped EXE
              PID:2636
          • C:\Windows\Logo1_.exe
            C:\Windows\Logo1_.exe
            3⤵
            • Executes dropped EXE
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:3028
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:3032
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:2624
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:2844
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:2916

          Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
                  Filesize

                  477KB

                  MD5

                  49d515b044bbad65c9307b89dd66e79a

                  SHA1

                  d0edd7c63488d72b6ba185eee80e63df89df6966

                  SHA256

                  c696990b3d0f156f8e572201d9ac44dd5a79c95235c9b84c2a8ffcd098789ebe

                  SHA512

                  aedd7b238961a154477d8704082691ab64a75f4c3bbb584ce55b62845b46b94dd2e39a1eb8939398f662db6cc504da9af788c054a4d054e683d02fcbad0d5d84

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\$$a7F4D.bat
                  Filesize

                  722B

                  MD5

                  9328b61257ec3ba3e1863db24cb20494

                  SHA1

                  2cf050a7d1d926e9018b3c18aa82d6e3308a8bb0

                  SHA256

                  adedd45d95c2f37693a35d8d31033d29fd7e1bd3ba1f5af898f939d0a1e9a5cd

                  SHA512

                  e0ba891f5412bae402e9508f5c45119d89af67e30282d6989dcaf43f77105a6a3daa873f7258a9a95cb8841a3ab0413b338ce945578c45ab8b5ff6ea1ea3a745

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\dcb3eea7f06f8ff16a8600809691cdda965411341b180f624264d1f8ee89f506.exe.exe
                  Filesize

                  14KB

                  MD5

                  dc6311fbfd49f41fbf35860a30e68355

                  SHA1

                  b08b15be412e843acaf7ad5e6df0ef1e8bdb465c

                  SHA256

                  ffdf81680522029c2eb578a9f442fd9692900a5c782c711e35203fb2d25620ba

                  SHA512

                  5e2938f5a8396154928a7d093db3843d73497cea4f49c0f1b77e3aac6e29d1db7f0ad4518587c336f0dfccb67ff33aac8e12afa70503504c5d8d46d12a86e453

                  Download Submit

                • C:\Windows\Logo1_.exe
                  Filesize

                  33KB

                  MD5

                  1eb46052207e9bdf5c8cc6aa7dcccf89

                  SHA1

                  37ed03cd7c2ccade09093134c6a2b6099d450227

                  SHA256

                  db79ee7697ddc2795271dd97e4910c9343f58758e913ba19df70e7a481555cda

                  SHA512

                  f4b0fdfebbbc9fa25563f2da3d6171cde29306ff5ac5ac024c05da231b3150c11dd52021162ba8f13926f6defa611968628bd776b9f4f8660c995915b43c9eca

                  Download Submit

                • F:\$RECYCLE.BIN\S-1-5-21-2461186416-2307104501-1787948496-1000\_desktop.ini
                  Filesize

                  9B

                  MD5

                  a7058e06d084fd947f7dddc2897ebb22

                  SHA1

                  400bcc9cc3cbab99b910b4696cc0163ba8713226

                  SHA256

                  da0976fbb0588170763cb9b0d9b3ce23b0ff3e7cc146ecf1840a40e7655f1287

                  SHA512

                  4921df984df8d792e9cde40d30fd19e315b2af1b034966c6fc397ef92e3cb25cfa258400758277e9ec01b5609f3041ba42c8e5911b79eff5a08843a91ad9c9c9

                  Download Submit

                • memory/1412-28-0x0000000002560000-0x0000000002561000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/2180-16-0x0000000000230000-0x000000000026F000-memory.dmp

                  Filesize

                  252KB

                  Download

                • memory/2180-15-0x0000000000400000-0x000000000043F000-memory.dmp

                  Filesize

                  252KB

                  Download

                • memory/2180-0-0x0000000000400000-0x000000000043F000-memory.dmp

                  Filesize

                  252KB

                  Download

                • memory/3028-31-0x0000000000400000-0x000000000043F000-memory.dmp

                  Filesize

                  252KB

                  Download

                • memory/3028-1483-0x0000000000400000-0x000000000043F000-memory.dmp

                  Filesize

                  252KB

                  Download

                • memory/3028-1943-0x0000000000400000-0x000000000043F000-memory.dmp

                  Filesize

                  252KB

                  Download

                • memory/3028-3249-0x0000000000400000-0x000000000043F000-memory.dmp

                  Filesize

                  252KB

                  Download

                • memory/3028-3274-0x0000000000400000-0x000000000043F000-memory.dmp

                  Filesize

                  252KB

                  Download

                • memory/3028-19-0x0000000000400000-0x000000000043F000-memory.dmp

                  Filesize

                  252KB

                  Download

                • memory/3028-3343-0x0000000000400000-0x000000000043F000-memory.dmp

                  Filesize

                  252KB

                  Download

                • memory/3028-4084-0x0000000000400000-0x000000000043F000-memory.dmp

                  Filesize

                  252KB

                  Download