Overview

overview

7

Static

static

3

159fe19f34...30.exe

windows7-x64

7

159fe19f34...30.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    16-04-2024 12:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    159fe19f3491d9bc1336127e1bd12bf0a3689868bb011a2298d062a2c6d92930.exe

  • Size

    723KB

  • MD5

    7e87022bc9bb33f187d8ee2d24d5e990

  • SHA1

    fbf5f08d9e8025c745599695940c3d425e1618ae

  • SHA256

    159fe19f3491d9bc1336127e1bd12bf0a3689868bb011a2298d062a2c6d92930

  • SHA512

    a4df708238220634e0085d0f43554ee44d1d2a4c2cc8bbbf424e964ac0505e2fc41bbcd6628fd629fac5ce450abfac97cb61b6a9dc0c346edd7f08abe1268c9c

  • SSDEEP

    12288:P+affC6Aj+TN5uixZN+8rKhUdTC/wE1ZD0Ca5ZIXV:PB3LOS2opPIXV

Score
7/10
spywarestealer

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 43 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Executes dropped EXE
    PID:1416
    • C:\Users\Admin\AppData\Local\Temp\159fe19f3491d9bc1336127e1bd12bf0a3689868bb011a2298d062a2c6d92930.exe
      "C:\Users\Admin\AppData\Local\Temp\159fe19f3491d9bc1336127e1bd12bf0a3689868bb011a2298d062a2c6d92930.exe"
      2⤵
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1740
      • C:\Windows\SysWOW64\net.exe
        net stop "Kingsoft AntiVirus Service"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2376
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
          4⤵
            PID:2364
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\$$a4940.bat
          3⤵
          • Deletes itself
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:1664
          • C:\Users\Admin\AppData\Local\Temp\159fe19f3491d9bc1336127e1bd12bf0a3689868bb011a2298d062a2c6d92930.exe
            "C:\Users\Admin\AppData\Local\Temp\159fe19f3491d9bc1336127e1bd12bf0a3689868bb011a2298d062a2c6d92930.exe"
            4⤵
            • Executes dropped EXE
            PID:2628
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:1636
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2256
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
                PID:2616
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:2716
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:2724

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
          Filesize

          264KB

          MD5

          398a7064313570d5e852fb87febbf03f

          SHA1

          117d0ca007b73a8c7115f8880f54540e37ff7490

          SHA256

          30429016be8ea9e22585980572b4b2af1ddabb9cba93e9222a231f4d95353751

          SHA512

          e96c03db73e0b3d86b6a51fcc20f4b131116b1c2a649030b8f13d60d207944bd4ec1fe734c32e3f390d454dad3f6ad780ff52209c56852cc4456559102f01c80

          Download Submit

        • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
          Filesize

          484KB

          MD5

          ed07588854ba117151a141b0a96bda37

          SHA1

          78c58f4e85e9d9d4e39c230f1354e183f87bdd9e

          SHA256

          fb97be2678ad28fef1f9f5a651fe12123ebea998adbb7f96b7073612990aa7d8

          SHA512

          45487252c6da9155a3a017c5030425e80dc6fb44d88efd470179f4c9b5b7e91d0785be70d458c5c64247abf2763e514bf07989608f9307084306e65f3d76f579

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\$$a4940.bat
          Filesize

          722B

          MD5

          f37161003b076250fd99588490be9810

          SHA1

          79bbeccdb4fd0f855f6d1c124abd4149ae6a014c

          SHA256

          4e0d56752373ff0cb05761f3635b4fd20a8269c2e0853ce30b5d91f638d55baf

          SHA512

          0ff6c651c8509e9d2adcccc539dbabefb735108307b2e072023cbae4a4a0e631582cbc1aef5e01d26dec0e74262e5475d6f35eeabc4644c8c83622fe5b800a6d

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\159fe19f3491d9bc1336127e1bd12bf0a3689868bb011a2298d062a2c6d92930.exe.exe
          Filesize

          684KB

          MD5

          50f289df0c19484e970849aac4e6f977

          SHA1

          3dc77c8830836ab844975eb002149b66da2e10be

          SHA256

          b9b179b305c5268ad428b6ae59de10b4fe99cf0199bbc89b7017181905e97305

          SHA512

          877d852ea1062b90e2fd2f3c4dc7d05d9697e9a9b2929c830a770b62741f6a11e06de73275eb871113f11143faf1cb40d99f7c247862ffb778d26833ed5d7e38

          Download Submit

        • C:\Windows\Logo1_.exe
          Filesize

          39KB

          MD5

          0209d825c40705a1752ceecc4fe453c6

          SHA1

          875b45703ab4a4f9b7b13c16277b235d43f075ef

          SHA256

          0fbeb3b115479ea9f34e86e511238d235b942922660740d37e9f249b4e3fdf1e

          SHA512

          b88b1ba93382a3a6fe4253a0c8fe69baa02a0c0dd74b2e6c79d7688f5c16be144676bb7bd3e061be96603148738845fddd05bbd4782d3abcb0bf495c1c96aa40

          Download Submit

        • F:\$RECYCLE.BIN\S-1-5-21-2461186416-2307104501-1787948496-1000\_desktop.ini
          Filesize

          9B

          MD5

          02ced53ce3f5b175c3bbec378047e7a7

          SHA1

          dafdf07efa697ec99b3d7b9f7512439a52ea618d

          SHA256

          485bb2341321a2837fd015a36963ea549c7c6f40985e165fd56c8a1e89b3f331

          SHA512

          669dde3ea8628704d40681a7f8974cf52985385c92a61a540c97c18c13eb4d451207ae171b2a56cd061cadbc90e672a84eb55111b1f5016846918d73fb075c99

          Download Submit

        • memory/1416-30-0x0000000002700000-0x0000000002701000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1636-1841-0x0000000000400000-0x000000000043D000-memory.dmp

          Filesize

          244KB

          Download

        • memory/1636-34-0x0000000000400000-0x000000000043D000-memory.dmp

          Filesize

          244KB

          Download

        • memory/1636-19-0x0000000000400000-0x000000000043D000-memory.dmp

          Filesize

          244KB

          Download

        • memory/1636-92-0x0000000000400000-0x000000000043D000-memory.dmp

          Filesize

          244KB

          Download

        • memory/1636-1858-0x0000000000400000-0x000000000043D000-memory.dmp

          Filesize

          244KB

          Download

        • memory/1636-3324-0x0000000000400000-0x000000000043D000-memory.dmp

          Filesize

          244KB

          Download

        • memory/1636-3327-0x0000000000400000-0x000000000043D000-memory.dmp

          Filesize

          244KB

          Download

        • memory/1636-4086-0x0000000000400000-0x000000000043D000-memory.dmp

          Filesize

          244KB

          Download

        • memory/1740-15-0x0000000001C90000-0x0000000001CCD000-memory.dmp

          Filesize

          244KB

          Download

        • memory/1740-0-0x0000000000400000-0x000000000043D000-memory.dmp

          Filesize

          244KB

          Download

        • memory/1740-20-0x0000000001C90000-0x0000000001CCD000-memory.dmp

          Filesize

          244KB

          Download

        • memory/1740-16-0x0000000000400000-0x000000000043D000-memory.dmp

          Filesize

          244KB

          Download