Overview

overview

7

Static

static

3

4766eed153...9c.exe

windows7-x64

7

4766eed153...9c.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    09/04/2024, 13:08

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    4766eed153734646b8c3ba33a06dc74f86160aa3c62fb576d366d64d1b40f79c.exe

  • Size

    666KB

  • MD5

    8ba8471bbdfe45be94f00e6c46ceb3c0

  • SHA1

    044485dcb998b184800cfeb6544e93e8b05dc97c

  • SHA256

    4766eed153734646b8c3ba33a06dc74f86160aa3c62fb576d366d64d1b40f79c

  • SHA512

    9e7c184f64cab8bac9a7fe3b124aa892aec8b935efafcb6608f15795ace26e07b80ae2e189b61ce0129dedcba02ae01e8c18caac208c14837b5182a3be744a64

  • SSDEEP

    6144:A+aX3LdC9LRU0ySj14WH+JPb7uL8zRMnJjNhAp7SO8zRMnJjNhAp7S8FRcdEKFVg:A+aoPFlTz

Score
7/10
spywarestealer

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 43 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1412
      • C:\Users\Admin\AppData\Local\Temp\4766eed153734646b8c3ba33a06dc74f86160aa3c62fb576d366d64d1b40f79c.exe
        "C:\Users\Admin\AppData\Local\Temp\4766eed153734646b8c3ba33a06dc74f86160aa3c62fb576d366d64d1b40f79c.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:3020
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2168
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:3044
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c C:\Users\Admin\AppData\Local\Temp\$$a6EBA.bat
            3⤵
            • Deletes itself
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:2284
            • C:\Users\Admin\AppData\Local\Temp\4766eed153734646b8c3ba33a06dc74f86160aa3c62fb576d366d64d1b40f79c.exe
              "C:\Users\Admin\AppData\Local\Temp\4766eed153734646b8c3ba33a06dc74f86160aa3c62fb576d366d64d1b40f79c.exe"
              4⤵
              • Executes dropped EXE
              PID:2596
          • C:\Windows\Logo1_.exe
            C:\Windows\Logo1_.exe
            3⤵
            • Executes dropped EXE
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:2780
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:2508
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:2644
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:2844
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:2916

          Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
                  Filesize

                  258KB

                  MD5

                  ec71a61715110767626fe1094063291b

                  SHA1

                  1fd433c484e987ad74fb6dd5026e94eba029f62f

                  SHA256

                  e737572195b0c4d8df6f1211e324b97191d66ba2b409cfaa2dd07fd5b96a87f4

                  SHA512

                  61df3880ff6b71b5b2c522678a1ee69011a9387158e3956f6dd8db8e2c76113772fcf2b9979e27ee84d659925d3d44382d9d5da171dcdfb8a3b21c8034297d6f

                  Download Submit

                • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
                  Filesize

                  478KB

                  MD5

                  f5cd7b35ea5f0009cdb5355dbc356066

                  SHA1

                  c06af0b31cdebdc4e31d57f448acb174e5be44b7

                  SHA256

                  472ce6c84e17f672782a003fa17f8d412c85a25675f83d16b1a1fb7bfc085f6d

                  SHA512

                  89573e495959ad60f4a4079248f3cfb6991b8c700223538a269d7553baaacd6de837f26cfe1a4f6a6c0940b8d758406ae2d9e85f2e5738371c9025ea699a7d28

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\$$a6EBA.bat
                  Filesize

                  722B

                  MD5

                  90869a95c63805bbaf307b99437d97b5

                  SHA1

                  d1223ebf0d59c04414e72525044d000a53988f59

                  SHA256

                  38300e1df1fb3dca163cb0754800bda11f7b886b0399f18c5ac2be2d79309087

                  SHA512

                  ff64dd93eade2e9dcd2df7b69857dfa4dc85572677c0a7d1be918bf15bb6e746c8a00d863a89153747a705bbd9dc4ee9d5869ba9b7c78fa95c5762aee7ccaa03

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\4766eed153734646b8c3ba33a06dc74f86160aa3c62fb576d366d64d1b40f79c.exe.exe
                  Filesize

                  633KB

                  MD5

                  2e0d056ad62b6ef87a091003714fd512

                  SHA1

                  73150bddb5671c36413d9fbc94a668f132a2edc5

                  SHA256

                  cb83f04591cc1d602e650dd5c12f4470cf21b04328477bd6a52081f37c04bd7c

                  SHA512

                  b8e920f8b7547aec6f5771e3e6119b01157e5e36a92c67142b0d73ffe0d501d933581e1fc752e5bba9ce819e3897be9c146bebfc0018e91318b0c99d188a2580

                  Download Submit

                • C:\Windows\Logo1_.exe
                  Filesize

                  33KB

                  MD5

                  c4ec2631f0913b349423b6d2bd687a6b

                  SHA1

                  9b9ae1664a063db7e1bd53073f6f1c3a62fa0e55

                  SHA256

                  cdaed7acb956972ce40a95412620150fcf1428c34a8ddbd0e9f0742df0d885bb

                  SHA512

                  a8ba683aa3c9d607d7ef9c3ec28a924b23be85a90e5334eb2a9f6edb8117442a818608c44f010b2bdaec052319fcc6436b5628408f4ebb82d207196df1729e86

                  Download Submit

                • F:\$RECYCLE.BIN\S-1-5-21-2461186416-2307104501-1787948496-1000\_desktop.ini
                  Filesize

                  8B

                  MD5

                  eb2b82f341fdb4eae25ceb49373ed303

                  SHA1

                  cf7db5d16d0cdb9abd32cb4fe1e343e2296142b0

                  SHA256

                  8a35cc496890b7089f69f59dd7dd7fed74622e8ff18cf9f99d49c94aa5888c5a

                  SHA512

                  895d5f91dcdf77750063ec0b0112b643597bfcc87ddaa30f07864adeadf185ce062ead7699d964bd05135dcf034ca4028165ec95ab2e17b549c5faf2236f8982

                  Download Submit

                • memory/1412-27-0x0000000002570000-0x0000000002571000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/2780-19-0x0000000000400000-0x000000000043F000-memory.dmp

                  Filesize

                  252KB

                  Download

                • memory/2780-31-0x0000000000400000-0x000000000043F000-memory.dmp

                  Filesize

                  252KB

                  Download

                • memory/2780-959-0x0000000000400000-0x000000000043F000-memory.dmp

                  Filesize

                  252KB

                  Download

                • memory/2780-1836-0x0000000000400000-0x000000000043F000-memory.dmp

                  Filesize

                  252KB

                  Download

                • memory/2780-2978-0x0000000000400000-0x000000000043F000-memory.dmp

                  Filesize

                  252KB

                  Download

                • memory/2780-2999-0x0000000000400000-0x000000000043F000-memory.dmp

                  Filesize

                  252KB

                  Download

                • memory/2780-4082-0x0000000000400000-0x000000000043F000-memory.dmp

                  Filesize

                  252KB

                  Download

                • memory/3020-15-0x0000000000400000-0x000000000043F000-memory.dmp

                  Filesize

                  252KB

                  Download

                • memory/3020-0-0x0000000000400000-0x000000000043F000-memory.dmp

                  Filesize

                  252KB

                  Download

                • memory/3020-16-0x0000000001C60000-0x0000000001C9F000-memory.dmp

                  Filesize

                  252KB

                  Download