Overview

overview

10

Static

static

3

6112e6f882...fa.exe

windows7-x64

10

6112e6f882...fa.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    17/04/2024, 04:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6112e6f882c52e02766b9cbc62fe0c30f9db5261b6c1083d68b39f86bf20e6fa.exe

  • Size

    1.1MB

  • MD5

    017de9183d3b48cadd3a0fe82bf0dc6a

  • SHA1

    b64e2d081360e58ba113cf8c535c927cdf82a4c5

  • SHA256

    6112e6f882c52e02766b9cbc62fe0c30f9db5261b6c1083d68b39f86bf20e6fa

  • SHA512

    1001c655665e592571c332dc3b19e53d12e8130afc403d21fc26e0651d701f554ee95129fc18710a420037322ddc040e77e826939b9ec3b8b94f16cb3a570079

  • SSDEEP

    1536:j+fejdMv0stxLSikn5ivVfLx1F2vH1cigK0dl222222222UgiaucigK0dl22222B:jGej0ntxLS8vlLxWmiglZaTiglZaTp

Score
10/10
evasionpersistencespywarestealer

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 6 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 32 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1208
      • C:\Users\Admin\AppData\Local\Temp\6112e6f882c52e02766b9cbc62fe0c30f9db5261b6c1083d68b39f86bf20e6fa.exe
        "C:\Users\Admin\AppData\Local\Temp\6112e6f882c52e02766b9cbc62fe0c30f9db5261b6c1083d68b39f86bf20e6fa.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1980
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\$$a3F51.bat
          3⤵
          • Deletes itself
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:2956
          • C:\Users\Admin\AppData\Local\Temp\6112e6f882c52e02766b9cbc62fe0c30f9db5261b6c1083d68b39f86bf20e6fa.exe
            "C:\Users\Admin\AppData\Local\Temp\6112e6f882c52e02766b9cbc62fe0c30f9db5261b6c1083d68b39f86bf20e6fa.exe"
            4⤵
            • Modifies visibility of file extensions in Explorer
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in Windows directory
            • Suspicious use of SetWindowsHookEx
            PID:2548
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2988
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2632
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
                PID:2572

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\$$a3F51.bat
        Filesize

        722B

        MD5

        2d09076afe7635955b8f2170199420f9

        SHA1

        28065845fcbb1ba19d167a3870a372e243225923

        SHA256

        2835917ef4973f48cf14d59b4692d875eecd838980f47ca0f13236dea4f711b5

        SHA512

        7f196de72c7f8ed049ebf64f8501d8a2d3e5a4d0f1b5b2b3ccb6420b406c7a42e931f5dd4fb7f74fa9ef5c0b9004c62ca079d61c8a67f61a8d61dd30e8f29552

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\6112e6f882c52e02766b9cbc62fe0c30f9db5261b6c1083d68b39f86bf20e6fa.exe.exe
        Filesize

        1.1MB

        MD5

        46d2b1d328321c194da464004b097ad2

        SHA1

        cae29c03b33eb60aa806df51419e6d757135b436

        SHA256

        a12e2f46dbafea8dcc3cdd8340635374a3d2bf710e172d16a9a1bc7f0f154809

        SHA512

        1a35c9719d3e9738878026eef1a20467c83f7efd740c4b3d25f9f9b8386b0ab56244921edf1f65eaeeb538cfbf592a8106813d7f262ce85fec0de3b9e24dc42d

        Download Submit

      • C:\Windows\rundl132.exe
        Filesize

        42KB

        MD5

        d42da36a94a22a4878e91a25341b16c2

        SHA1

        83af016b774674b1db5a4b60b46fe4d2914606bb

        SHA256

        736b504b4e171f75c5690b224b2136ed502949657ad5723035931c4275265c5f

        SHA512

        6ce1e27f72df62826d3e5c6e48f63dc0923937eb287685463a44738914ece0754703bab8cf8d12f1d9ce4260600db65a266ccbf9ba044ffde3c40599463014a8

        Download Submit

      • F:\$RECYCLE.BIN\S-1-5-21-3787592910-3720486031-2929222812-1000\_desktop.ini
        Filesize

        9B

        MD5

        2be02af4dacf3254e321ffba77f0b1c6

        SHA1

        d8349307ec08d45f2db9c9735bde8f13e27a551d

        SHA256

        766fe9c47ca710d9a00c08965550ee7de9cba2d32d67e4901e8cec7e33151d16

        SHA512

        57f61e1b939ed98e6db460ccdbc36a1460b727a99baac0e3b041666dedcef11fcd72a486d91ec7f0ee6e1aec40465719a6a5c22820c28be1066fe12fcd47ddd0

        Download Submit

      • memory/1208-35-0x0000000002B40000-0x0000000002B41000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1980-0-0x0000000000400000-0x000000000044E000-memory.dmp

        Filesize

        312KB

        Download

      • memory/1980-16-0x0000000000400000-0x000000000044E000-memory.dmp

        Filesize

        312KB

        Download

      • memory/2548-33-0x0000000000400000-0x0000000000489000-memory.dmp

        Filesize

        548KB

        Download

      • memory/2548-28-0x0000000000400000-0x0000000000489000-memory.dmp

        Filesize

        548KB

        Download

      • memory/2956-26-0x0000000000400000-0x0000000000489000-memory.dmp

        Filesize

        548KB

        Download

      • memory/2956-25-0x0000000000400000-0x0000000000489000-memory.dmp

        Filesize

        548KB

        Download

      • memory/2988-39-0x0000000000400000-0x000000000044E000-memory.dmp

        Filesize

        312KB

        Download

      • memory/2988-20-0x0000000000400000-0x000000000044E000-memory.dmp

        Filesize

        312KB

        Download

      • memory/2988-2600-0x0000000000400000-0x000000000044E000-memory.dmp

        Filesize

        312KB

        Download

      • memory/2988-4251-0x0000000000400000-0x000000000044E000-memory.dmp

        Filesize

        312KB

        Download