Overview

overview

7

Static

static

3

d0764a0ce2...9e.exe

windows7-x64

7

d0764a0ce2...9e.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    24/04/2024, 19:24

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    d0764a0ce2f685c53c0cd8d7d98ff032f627806eb762e89d7d4c0cffe18fc59e.exe

  • Size

    81KB

  • MD5

    b39f34573e21c7a4cf1441db26d724e5

  • SHA1

    871a97da79e858816beb3a767b9d496332f4df4f

  • SHA256

    d0764a0ce2f685c53c0cd8d7d98ff032f627806eb762e89d7d4c0cffe18fc59e

  • SHA512

    c6a1e83d7b64c280321015884061a8c9a7811316e16bc012392a556921e705631ee603ba90a42093b0fbede9e710bffa48e54f5d2c2c7f73c3a897ee44b8b3a9

  • SSDEEP

    1536:84KFe+Zk7VJbwlYXjPrsqrZMYR5p8wwEToa9D4ZQKbgZi1dst7x9PxQ:84Ye+azbRPrlr9RXFIlZQKbgZi1St7xQ

Score
7/10
spywarestealer

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 43 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1204
      • C:\Users\Admin\AppData\Local\Temp\d0764a0ce2f685c53c0cd8d7d98ff032f627806eb762e89d7d4c0cffe18fc59e.exe
        "C:\Users\Admin\AppData\Local\Temp\d0764a0ce2f685c53c0cd8d7d98ff032f627806eb762e89d7d4c0cffe18fc59e.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1396
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2344
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:2076
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c C:\Users\Admin\AppData\Local\Temp\$$a1017.bat
            3⤵
            • Deletes itself
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:2568
            • C:\Users\Admin\AppData\Local\Temp\d0764a0ce2f685c53c0cd8d7d98ff032f627806eb762e89d7d4c0cffe18fc59e.exe
              "C:\Users\Admin\AppData\Local\Temp\d0764a0ce2f685c53c0cd8d7d98ff032f627806eb762e89d7d4c0cffe18fc59e.exe"
              4⤵
              • Executes dropped EXE
              PID:2576
          • C:\Windows\Logo1_.exe
            C:\Windows\Logo1_.exe
            3⤵
            • Executes dropped EXE
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:2600
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:2828
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:2256
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:2212
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:2764

          Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
                  Filesize

                  264KB

                  MD5

                  32b6aa604bd02727e84d7952721f055a

                  SHA1

                  3cf3d7eb354b0dac52465fc69071e90a4412607c

                  SHA256

                  cf99dc814df2ed704b1676e80f7a219474ac8b95c64d28b84b206a6bf7ed9bca

                  SHA512

                  b1e1c29ce4589a5e30932c7543e1ea80b52faac234f352081a40d57e68ef385b563874ed5b142ed94c4accf889615b8c0678f43df50dca04195429014ce6df1e

                  Download Submit

                • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
                  Filesize

                  484KB

                  MD5

                  79d4fd1cb70f3844796aa1ea18a238e2

                  SHA1

                  78d207a7de2aeb85eefc185d894b0b7626e1e1f3

                  SHA256

                  ccaacc3965c1bdfce8cd1e934895a4563dddf082016e56846966c250bed87d5b

                  SHA512

                  7a0167cbce49f09ea39e490862b8c371eacf8ce3d74d6a6054e7f0e1df4b307019f5adee03603fcb9d4db2b17841cbc9cf129e9480d70b20c266fe82b3979b33

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\$$a1017.bat
                  Filesize

                  722B

                  MD5

                  ddfa22b09d2b0b3e369e2c6ca99ef9d8

                  SHA1

                  adc7960b863cc1d16a86fc9ddc9b5ccb146eb396

                  SHA256

                  5682fb58fc902ee8deff61fb8aa6d0dfbf762bf4c0bc73f5f39ddeeeb1435f41

                  SHA512

                  2a2996a8b0225156f40ed1f5257783f96bd41f9908bd2725aec8efa466929abb6a1212260a86de418d418f76b85be5c25ca9367db2e91a84c32ef6554f99ef74

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\d0764a0ce2f685c53c0cd8d7d98ff032f627806eb762e89d7d4c0cffe18fc59e.exe.exe
                  Filesize

                  41KB

                  MD5

                  977e405c109268909fd24a94cc23d4f0

                  SHA1

                  af5d032c2b6caa2164cf298e95b09060665c4188

                  SHA256

                  cd24c61fe7dc3896c6c928c92a2adc58fab0a3ff61ef7ddcac1ba794182ab12f

                  SHA512

                  12b4b59c1a8e65e72aa07ee4b6b6cd9fdedead01d5ce8e30f16ca26b5d733655e23a71c1d273a950a5b1a6cce810b696612de4a1148ac5f468ddf05d4549eed5

                  Download Submit

                • C:\Windows\Logo1_.exe
                  Filesize

                  39KB

                  MD5

                  3db42405aac4c2f3aee890c3c249f126

                  SHA1

                  8d92453ccd9af94d51702bfd28b191b295d1c4c8

                  SHA256

                  1f48a0595daf780a6e51817d85f7ca6c0d4257c1bb74682f3be2676ab1d0461d

                  SHA512

                  d555cd0ef14d2f3ef38282244ec1e674fdc3a73ea56e791d7795a78b465486dda3697cdbeab1d2c11e3ea1a000eabb7f92258ac93dfc7d43aa5b85f054ff11a7

                  Download Submit

                • F:\$RECYCLE.BIN\S-1-5-21-3452737119-3959686427-228443150-1000\_desktop.ini
                  Filesize

                  9B

                  MD5

                  f29b71f66ac42a28a8d1e12a13d61861

                  SHA1

                  bd61fbc8b6eed4cae3fa29d7b950784258be10cd

                  SHA256

                  9a5e4ff44f8f5bb21798074ea03e493911b59680e37191522562dece826da1cf

                  SHA512

                  90c31cda60a9a63e3fa78e99f1104d1a9c9f811e11b62f75063b6007ae284c8c233b5d1235defab7ae0deec3b7892c85af9319219405c44d16fa29a3215f50e0

                  Download Submit

                • memory/1204-27-0x0000000002980000-0x0000000002981000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/1396-0-0x0000000000400000-0x000000000043D000-memory.dmp

                  Filesize

                  244KB

                  Download

                • memory/1396-16-0x0000000000400000-0x000000000043D000-memory.dmp

                  Filesize

                  244KB

                  Download

                • memory/1396-17-0x0000000000310000-0x000000000034D000-memory.dmp

                  Filesize

                  244KB

                  Download

                • memory/2600-19-0x0000000000400000-0x000000000043D000-memory.dmp

                  Filesize

                  244KB

                  Download

                • memory/2600-31-0x0000000000400000-0x000000000043D000-memory.dmp

                  Filesize

                  244KB

                  Download

                • memory/2600-3318-0x0000000000400000-0x000000000043D000-memory.dmp

                  Filesize

                  244KB

                  Download

                • memory/2600-4133-0x0000000000400000-0x000000000043D000-memory.dmp

                  Filesize

                  244KB

                  Download