Overview

overview

7

Static

static

3

4766eed153...9c.exe

windows7-x64

7

4766eed153...9c.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09/04/2024, 13:08

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    4766eed153734646b8c3ba33a06dc74f86160aa3c62fb576d366d64d1b40f79c.exe

  • Size

    666KB

  • MD5

    8ba8471bbdfe45be94f00e6c46ceb3c0

  • SHA1

    044485dcb998b184800cfeb6544e93e8b05dc97c

  • SHA256

    4766eed153734646b8c3ba33a06dc74f86160aa3c62fb576d366d64d1b40f79c

  • SHA512

    9e7c184f64cab8bac9a7fe3b124aa892aec8b935efafcb6608f15795ace26e07b80ae2e189b61ce0129dedcba02ae01e8c18caac208c14837b5182a3be744a64

  • SSDEEP

    6144:A+aX3LdC9LRU0ySj14WH+JPb7uL8zRMnJjNhAp7SO8zRMnJjNhAp7S8FRcdEKFVg:A+aoPFlTz

Score
7/10
spywarestealer

Malware Config

Signatures

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3444
      • C:\Users\Admin\AppData\Local\Temp\4766eed153734646b8c3ba33a06dc74f86160aa3c62fb576d366d64d1b40f79c.exe
        "C:\Users\Admin\AppData\Local\Temp\4766eed153734646b8c3ba33a06dc74f86160aa3c62fb576d366d64d1b40f79c.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2608
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:4768
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:2228
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a6EF6.bat
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:3124
            • C:\Users\Admin\AppData\Local\Temp\4766eed153734646b8c3ba33a06dc74f86160aa3c62fb576d366d64d1b40f79c.exe
              "C:\Users\Admin\AppData\Local\Temp\4766eed153734646b8c3ba33a06dc74f86160aa3c62fb576d366d64d1b40f79c.exe"
              4⤵
              • Executes dropped EXE
              PID:2252
          • C:\Windows\Logo1_.exe
            C:\Windows\Logo1_.exe
            3⤵
            • Drops startup file
            • Executes dropped EXE
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:4400
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:1132
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:2832
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:4972
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:1604

          Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
                  Filesize

                  258KB

                  MD5

                  ec71a61715110767626fe1094063291b

                  SHA1

                  1fd433c484e987ad74fb6dd5026e94eba029f62f

                  SHA256

                  e737572195b0c4d8df6f1211e324b97191d66ba2b409cfaa2dd07fd5b96a87f4

                  SHA512

                  61df3880ff6b71b5b2c522678a1ee69011a9387158e3956f6dd8db8e2c76113772fcf2b9979e27ee84d659925d3d44382d9d5da171dcdfb8a3b21c8034297d6f

                  Download Submit

                • C:\Program Files\7-Zip\7z.exe
                  Filesize

                  577KB

                  MD5

                  5ac4056f9d0b3bd588671434ead1c17f

                  SHA1

                  9d3e0e6c41fe202d78ac7adc0c26c0a5d27b5d9c

                  SHA256

                  ed3ad6c04b7778bf946fe1a0cea7b00a82542c7cb9687e562741248ea7657411

                  SHA512

                  12955c0c491b2f4b5343ba8d64ac9c08eaa77cb5b84929b36fd9efde7e241dd1553d3175fb39d1f4f9a9cb9e1242f501df3943788977fb06b0d30871ba5330d2

                  Download Submit

                • C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe
                  Filesize

                  488KB

                  MD5

                  629c52705e4b56528fd0a9bd0ef3b26b

                  SHA1

                  8195ef6b90f8893c88887c763bf399cde1787b26

                  SHA256

                  4d1c2cdbf0684ef3ea3fc7123812b007687ded0a679275e5ea50f1d936a6fe3d

                  SHA512

                  0ea13e8f6c5d3b8e28a002c672f20d626e1ae1f8fb0162690961b2b94b49c6590f20ae50dd018f41b1947161ac62e63fa56b1e2aca5ee7335c3d9b7747817e0f

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\$$a6EF6.bat
                  Filesize

                  722B

                  MD5

                  04fdc6e8eda8cc0969e4bd8961edeedd

                  SHA1

                  6670a350d5b560f1ea39f0c9f7ca347dd3183da0

                  SHA256

                  cbe7d8cfb9ca006aee4481acadffc70206f8bdfcc8f459e52e9e1dedbcac8c20

                  SHA512

                  9ae4a6d757a9f0f7473565d4c686258b9aa95b5c126761af3c4f79d001045190c1a3e86ab4278f76192bf67eec9f667165dd668f41416aa5736736b4495f390a

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\4766eed153734646b8c3ba33a06dc74f86160aa3c62fb576d366d64d1b40f79c.exe.exe
                  Filesize

                  633KB

                  MD5

                  2e0d056ad62b6ef87a091003714fd512

                  SHA1

                  73150bddb5671c36413d9fbc94a668f132a2edc5

                  SHA256

                  cb83f04591cc1d602e650dd5c12f4470cf21b04328477bd6a52081f37c04bd7c

                  SHA512

                  b8e920f8b7547aec6f5771e3e6119b01157e5e36a92c67142b0d73ffe0d501d933581e1fc752e5bba9ce819e3897be9c146bebfc0018e91318b0c99d188a2580

                  Download Submit

                • C:\Windows\Logo1_.exe
                  Filesize

                  33KB

                  MD5

                  c4ec2631f0913b349423b6d2bd687a6b

                  SHA1

                  9b9ae1664a063db7e1bd53073f6f1c3a62fa0e55

                  SHA256

                  cdaed7acb956972ce40a95412620150fcf1428c34a8ddbd0e9f0742df0d885bb

                  SHA512

                  a8ba683aa3c9d607d7ef9c3ec28a924b23be85a90e5334eb2a9f6edb8117442a818608c44f010b2bdaec052319fcc6436b5628408f4ebb82d207196df1729e86

                  Download Submit

                • F:\$RECYCLE.BIN\S-1-5-21-3045580317-3728985860-206385570-1000\_desktop.ini
                  Filesize

                  8B

                  MD5

                  eb2b82f341fdb4eae25ceb49373ed303

                  SHA1

                  cf7db5d16d0cdb9abd32cb4fe1e343e2296142b0

                  SHA256

                  8a35cc496890b7089f69f59dd7dd7fed74622e8ff18cf9f99d49c94aa5888c5a

                  SHA512

                  895d5f91dcdf77750063ec0b0112b643597bfcc87ddaa30f07864adeadf185ce062ead7699d964bd05135dcf034ca4028165ec95ab2e17b549c5faf2236f8982

                  Download Submit

                • memory/2608-10-0x0000000000400000-0x000000000043F000-memory.dmp

                  Filesize

                  252KB

                  Download

                • memory/2608-0-0x0000000000400000-0x000000000043F000-memory.dmp

                  Filesize

                  252KB

                  Download

                • memory/4400-17-0x0000000000400000-0x000000000043F000-memory.dmp

                  Filesize

                  252KB

                  Download

                • memory/4400-1360-0x0000000000400000-0x000000000043F000-memory.dmp

                  Filesize

                  252KB

                  Download

                • memory/4400-9-0x0000000000400000-0x000000000043F000-memory.dmp

                  Filesize

                  252KB

                  Download

                • memory/4400-5588-0x0000000000400000-0x000000000043F000-memory.dmp

                  Filesize

                  252KB

                  Download

                • memory/4400-8644-0x0000000000400000-0x000000000043F000-memory.dmp

                  Filesize

                  252KB

                  Download