Overview

overview

7

Static

static

3

ab3eead3ad...af.exe

windows7-x64

7

ab3eead3ad...af.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags

    arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
  • submitted
    25-04-2024 11:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ab3eead3adf05d30705ac1b104e1b16207cec33ca87c37e9eabc4b454f1063af.exe

  • Size

    258KB

  • MD5

    607348aab4e70fc28cf10668b0a736ac

  • SHA1

    cf1960317bd7ca0851fab8b297338ff16e4bbf32

  • SHA256

    ab3eead3adf05d30705ac1b104e1b16207cec33ca87c37e9eabc4b454f1063af

  • SHA512

    33c6b5f0b9a379cfeac73443aa68d57a929a87108dab65d4399e935db4b812b8030549c9aad544b72688ca66e6e05fce2aec222575eba40981d1e590e608035e

  • SSDEEP

    6144:t+aX3xFEgiC4bXqsTk90qC1AOb7eswf1Px++fD8PJ:t+axpitXqsTkiR7twRx+gD8PJ

Score
7/10
spywarestealer

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 43 IoCs
  • Suspicious use of WriteProcessMemory 41 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1092
      • C:\Users\Admin\AppData\Local\Temp\ab3eead3adf05d30705ac1b104e1b16207cec33ca87c37e9eabc4b454f1063af.exe
        "C:\Users\Admin\AppData\Local\Temp\ab3eead3adf05d30705ac1b104e1b16207cec33ca87c37e9eabc4b454f1063af.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2272
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2244
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:2084
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c C:\Users\Admin\AppData\Local\Temp\$$a1526.bat
            3⤵
            • Deletes itself
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:2208
            • C:\Users\Admin\AppData\Local\Temp\ab3eead3adf05d30705ac1b104e1b16207cec33ca87c37e9eabc4b454f1063af.exe
              "C:\Users\Admin\AppData\Local\Temp\ab3eead3adf05d30705ac1b104e1b16207cec33ca87c37e9eabc4b454f1063af.exe"
              4⤵
              • Executes dropped EXE
              PID:1580
          • C:\Windows\Logo1_.exe
            C:\Windows\Logo1_.exe
            3⤵
            • Executes dropped EXE
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:2828
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:2932
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:2596
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:2524
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:2696

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
            Filesize

            478KB

            MD5

            5e01f5e16d8a2c1aa7aaf3bc93e86217

            SHA1

            e82b89ec82a105bfc6b9bc1e866c8f002d69eeea

            SHA256

            1f3c7ec1ef6da3e46c879fd2402e553fc1383d88a35f999a5db58cacec00ab39

            SHA512

            04b102ee281653d424f45dfd495d2122e6f5de412f8b32b945ba83d6d95740a928065d8aa2b7a60a51ac5523889ea5aee5f3c00e2a31d5ad5d9ed50bca3e47e2

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\$$a1526.bat
            Filesize

            722B

            MD5

            09d3b7d38e43cdcfaee2412984a71587

            SHA1

            8eec0d28b3c52813000f8c64e43b4fc672caf1ab

            SHA256

            e9f2f20069cad2e0dd4e762697c5fb980b11dad12c06f2aaecad58f0fef01684

            SHA512

            4bd1ae56c0667f642483e0ec148a4bcb0e14695676a4d9dfb7a73a819c59d832caeec11cd0b2211fcd14ced3864a79b815e190ee723bd0a182003e06f58a4eda

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\ab3eead3adf05d30705ac1b104e1b16207cec33ca87c37e9eabc4b454f1063af.exe.exe
            Filesize

            224KB

            MD5

            d4b257c01bbaa68d15d8368475a4e227

            SHA1

            fafae083a882e163cfa8c77258baaab891c17df2

            SHA256

            dd6dd981c7f1a6673dc8cc3a0fe1fc8a54e059a9fdb0545b0dc9258299c0c546

            SHA512

            167494ecb32196e8e199d7d14a1c0498eee45ab8e8862e5441539fa569313bb602b9e979935c7cc5ba39300e54e8bdbdf2f502e4ea24b5e8339fd2c3685ca502

            Download Submit

          • C:\Windows\Logo1_.exe
            Filesize

            33KB

            MD5

            fff1c0106e76fffebabed9d814d46a2c

            SHA1

            a7004deff995cc01c355485b705436391e89e4de

            SHA256

            d794474c27287dd4a38dd471be2813f297c94f501b45e0a3b1534d73888a5606

            SHA512

            18b9a28eb01f06d0d6593dd4de673140125d38609873938eede683a3f6c9ebba6e43a01ced2e298268b745bf4bdb808cb4070c33449686e770292301a41f5d7e

            Download Submit

          • F:\$RECYCLE.BIN\S-1-5-21-2248906074-2862704502-246302768-1000\_desktop.ini
            Filesize

            9B

            MD5

            7ef570b2b21e58fd906ef1a980d64425

            SHA1

            18502489f652e74f8972bbfa100d5c163d719ab7

            SHA256

            c3ce1b9216b58ac7d9ed3b93e5e3a1d6a2473b53b5bc1f008a621def49517055

            SHA512

            e1175d861a79d62b85cd18661375f1c956dcc97e958765dc225f3aa4b0f0100ca9e17b9c61f5e18fc2a96e5167c0563f60645033aff1be1ec2f372c1b9a8b35f

            Download Submit

          • memory/1092-28-0x0000000002E20000-0x0000000002E21000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2272-16-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/2272-17-0x0000000000230000-0x000000000026F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/2272-12-0x0000000000230000-0x000000000026F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/2272-0-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/2828-20-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/2828-32-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/2828-3319-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/2828-4145-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download