Overview

overview

7

Static

static

3

12d15bb829...16.exe

windows7-x64

7

12d15bb829...16.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    160s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-04-2024 19:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    12d15bb829e4d2d2f0bf0e123650c21f74f0e7bd7a606aa09f1b5d02a5941116.exe

  • Size

    156KB

  • MD5

    3fb7eac74e6998f4ad180de9b6379209

  • SHA1

    74d860e071eb0db89eaa92c4b81a218fe4ffe5d6

  • SHA256

    12d15bb829e4d2d2f0bf0e123650c21f74f0e7bd7a606aa09f1b5d02a5941116

  • SHA512

    1ee6b41df5bf16c3d1bedffcb8aa00967aef8ea25a821d484e4f75932dd90075444f29fa3b4ba16e00635f0d0b5ade6a68b280f93f5d412daf064da2ed07d270

  • SSDEEP

    3072:84Ye+azbRPrlr9RXFHmZWXyaiedMbrN6pnoXPBsr5Zrt:Td+azbRZv5SNaPM4loo5Z5

Score
7/10
spywarestealer

Malware Config

Signatures

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3300
      • C:\Users\Admin\AppData\Local\Temp\12d15bb829e4d2d2f0bf0e123650c21f74f0e7bd7a606aa09f1b5d02a5941116.exe
        "C:\Users\Admin\AppData\Local\Temp\12d15bb829e4d2d2f0bf0e123650c21f74f0e7bd7a606aa09f1b5d02a5941116.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:4976
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:4576
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:3532
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a47A3.bat
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:3484
            • C:\Users\Admin\AppData\Local\Temp\12d15bb829e4d2d2f0bf0e123650c21f74f0e7bd7a606aa09f1b5d02a5941116.exe
              "C:\Users\Admin\AppData\Local\Temp\12d15bb829e4d2d2f0bf0e123650c21f74f0e7bd7a606aa09f1b5d02a5941116.exe"
              4⤵
              • Executes dropped EXE
              PID:4436
          • C:\Windows\Logo1_.exe
            C:\Windows\Logo1_.exe
            3⤵
            • Drops startup file
            • Executes dropped EXE
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:4812
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:4028
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:5044
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:4780
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:2436
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1340 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:8
            1⤵
              PID:3844

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
              Filesize

              264KB

              MD5

              32b6aa604bd02727e84d7952721f055a

              SHA1

              3cf3d7eb354b0dac52465fc69071e90a4412607c

              SHA256

              cf99dc814df2ed704b1676e80f7a219474ac8b95c64d28b84b206a6bf7ed9bca

              SHA512

              b1e1c29ce4589a5e30932c7543e1ea80b52faac234f352081a40d57e68ef385b563874ed5b142ed94c4accf889615b8c0678f43df50dca04195429014ce6df1e

              Download Submit

            • C:\Program Files\7-Zip\7z.exe
              Filesize

              583KB

              MD5

              0f94052219e229be47ace8002caf43a7

              SHA1

              dc1b614692dcda7611ea11c89af3f93b9ebeeb5f

              SHA256

              f31750dc176b3562111fa441d4bf540f330caa9ff264f2009911a951c8d32358

              SHA512

              045be9d58d79f26e3ef90aaeed60f31f36055bb8ce03c365d8fc1f52d30e7db7880cb1daf42bc60ffdd4dd6dc01ede18b3f977cefc935eede27685d777e54960

              Download Submit

            • C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe
              Filesize

              494KB

              MD5

              1b817b54adfc26cf7040cf6cf292d1da

              SHA1

              2f0ab6c15c9e98b86ef9ec7018244ee9b30a8e9c

              SHA256

              d3009c1cc3dea487478340c9c95eb10bff9d668b8307610ccca19ad865bfb08e

              SHA512

              08bcdaae2b2272453aa74669e2b95b221e588ad75421e936454c167155d58e3afa6ca1a5f2a5457130907b4df51217634bcddb18d7427bd4051124e84d280b74

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\$$a47A3.bat
              Filesize

              722B

              MD5

              6a1daeb532daf41e1fc06be793a69d34

              SHA1

              557908b39d6dc1198a4e14ea60513bea8eab820b

              SHA256

              48e91cf50e1e02cbc7f1f3a5ae8b5b7e4d338c9501c8be3e8183bbaa93101d9b

              SHA512

              6a2d40e8782d5cc6f33bfb71a81a147baa03a0eabdc81ae26037fd4697b0d98c507ceeb710aedbfb0d633c37adc785dab6c8a27de83afaa8b3f6f5f4f9fd7846

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\12d15bb829e4d2d2f0bf0e123650c21f74f0e7bd7a606aa09f1b5d02a5941116.exe.exe
              Filesize

              116KB

              MD5

              14260726256d54de6ccb2eff1003c05c

              SHA1

              073c85b1d5dade530694ef00543698f16d39fd45

              SHA256

              3970359aee5c8cb9451c2c84ae6d4c859999a40ae955d8ade9abacba215a087a

              SHA512

              8bf2d18c0bc4cb42af52ff223199f3504caf73e99fd49dd489306d79364c57d2b5d61039d83cebf898aedc825ab52397613b498aa49b6714fb4fe485112b7d7d

              Download Submit

            • C:\Windows\Logo1_.exe
              Filesize

              39KB

              MD5

              3db42405aac4c2f3aee890c3c249f126

              SHA1

              8d92453ccd9af94d51702bfd28b191b295d1c4c8

              SHA256

              1f48a0595daf780a6e51817d85f7ca6c0d4257c1bb74682f3be2676ab1d0461d

              SHA512

              d555cd0ef14d2f3ef38282244ec1e674fdc3a73ea56e791d7795a78b465486dda3697cdbeab1d2c11e3ea1a000eabb7f92258ac93dfc7d43aa5b85f054ff11a7

              Download Submit

            • F:\$RECYCLE.BIN\S-1-5-21-3808065738-1666277613-1125846146-1000\_desktop.ini
              Filesize

              9B

              MD5

              f29b71f66ac42a28a8d1e12a13d61861

              SHA1

              bd61fbc8b6eed4cae3fa29d7b950784258be10cd

              SHA256

              9a5e4ff44f8f5bb21798074ea03e493911b59680e37191522562dece826da1cf

              SHA512

              90c31cda60a9a63e3fa78e99f1104d1a9c9f811e11b62f75063b6007ae284c8c233b5d1235defab7ae0deec3b7892c85af9319219405c44d16fa29a3215f50e0

              Download Submit

            • memory/4812-66-0x0000000000400000-0x000000000043D000-memory.dmp

              Filesize

              244KB

              Download

            • memory/4812-1728-0x0000000000400000-0x000000000043D000-memory.dmp

              Filesize

              244KB

              Download

            • memory/4812-11-0x0000000000400000-0x000000000043D000-memory.dmp

              Filesize

              244KB

              Download

            • memory/4812-7320-0x0000000000400000-0x000000000043D000-memory.dmp

              Filesize

              244KB

              Download

            • memory/4812-190-0x0000000000400000-0x000000000043D000-memory.dmp

              Filesize

              244KB

              Download

            • memory/4812-421-0x0000000000400000-0x000000000043D000-memory.dmp

              Filesize

              244KB

              Download

            • memory/4812-874-0x0000000000400000-0x000000000043D000-memory.dmp

              Filesize

              244KB

              Download

            • memory/4812-18-0x0000000000400000-0x000000000043D000-memory.dmp

              Filesize

              244KB

              Download

            • memory/4812-2471-0x0000000000400000-0x000000000043D000-memory.dmp

              Filesize

              244KB

              Download

            • memory/4812-4004-0x0000000000400000-0x000000000043D000-memory.dmp

              Filesize

              244KB

              Download

            • memory/4812-5549-0x0000000000400000-0x000000000043D000-memory.dmp

              Filesize

              244KB

              Download

            • memory/4976-9-0x0000000000400000-0x000000000043D000-memory.dmp

              Filesize

              244KB

              Download

            • memory/4976-1-0x0000000000400000-0x000000000043D000-memory.dmp

              Filesize

              244KB

              Download

            • memory/4976-0-0x0000000000400000-0x000000000043D000-memory.dmp

              Filesize

              244KB

              Download