Overview

overview

7

Static

static

3

e754d98314...e2.exe

windows7-x64

7

e754d98314...e2.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags

    arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
  • submitted
    28/04/2024, 20:14 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e754d98314486475bcb77110ad6b8b63f1ebccd68fa0319f65d0a2cd4d7c8ce2.exe

  • Size

    66KB

  • MD5

    006ad69be27d59f1a0fd5b886f6ae00d

  • SHA1

    7f09c46bc6accbf3e6c556ebc59cd312d5448b6e

  • SHA256

    e754d98314486475bcb77110ad6b8b63f1ebccd68fa0319f65d0a2cd4d7c8ce2

  • SHA512

    42eca31e40e76d7b4a867a1f29a4ff0e4ba81672d06ba8c516cd23fc14d50362a167f1898db696921ae468d3c2f6ee1cff880b92ae3d138872f8cab7f8988d51

  • SSDEEP

    768:/qLPcTO5RroZJ76739sBWsNscWlM3dN9N3ZjfPPNC4OMMwP3Sy6EGyI4t6a9AkHu:/qbSe+Zk78NR3dN5nPNC4ayFGyHNXk

Score
7/10
spywarestealer

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 43 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1132
      • C:\Users\Admin\AppData\Local\Temp\e754d98314486475bcb77110ad6b8b63f1ebccd68fa0319f65d0a2cd4d7c8ce2.exe
        "C:\Users\Admin\AppData\Local\Temp\e754d98314486475bcb77110ad6b8b63f1ebccd68fa0319f65d0a2cd4d7c8ce2.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2484
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2124
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:1932
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c C:\Users\Admin\AppData\Local\Temp\$$a1DBE.bat
            3⤵
            • Deletes itself
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:2700
            • C:\Users\Admin\AppData\Local\Temp\e754d98314486475bcb77110ad6b8b63f1ebccd68fa0319f65d0a2cd4d7c8ce2.exe
              "C:\Users\Admin\AppData\Local\Temp\e754d98314486475bcb77110ad6b8b63f1ebccd68fa0319f65d0a2cd4d7c8ce2.exe"
              4⤵
              • Executes dropped EXE
              PID:2708
          • C:\Windows\Logo1_.exe
            C:\Windows\Logo1_.exe
            3⤵
            • Executes dropped EXE
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:2816
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:2812
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:384
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:2444
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:2400

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
            Filesize

            478KB

            MD5

            3e2d3392a9d3ae3ed27661f81e853478

            SHA1

            fa8c023a3bff75e89ed39f5d4bfb5693d818ca8b

            SHA256

            09da8a31b7f420b9e4ed6d02e698bcc12a4f3efa46a53d1492a241a5784d44a8

            SHA512

            27652a29d728b92995b8ce46b150cd14baf5b65789591085ef3fa959dbc99efaa071b7a014ccaabeb6e84cdea642769dc98a7a1684afcda9be82dbb0b8d3fa17

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\$$a1DBE.bat
            Filesize

            722B

            MD5

            0c48fe189ea0e0df3061354f10e1c3eb

            SHA1

            b55895a35a585c9972460807fbbd8905ebac9fbc

            SHA256

            24b00353c3a4d80c3b2201d45ba1cd6b2d0517a129661304a02e50db71c15e56

            SHA512

            b5ee812de5a8708566723c22cbfd050b6d1dcc87e0d139a44f17bb7e0aea8fda29be6c77efe86c3da92159fb2e383e9ea01497f505b9bd18f370cc867da22247

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\e754d98314486475bcb77110ad6b8b63f1ebccd68fa0319f65d0a2cd4d7c8ce2.exe.exe
            Filesize

            33KB

            MD5

            bdbce90ce74990df3b2c7c8484dde146

            SHA1

            ae6aadaf5467b97779d4c1a81b5cd3dfb9d8ecb4

            SHA256

            f4a3c012f2859ead10af1298d9b20fbd8ca2257f73d530a2b0c25937cb16f6eb

            SHA512

            78e2f31759ce490f38e898ef17a700dd0898cc32b526325e8d7230b4ff119c39124cd2abf30038f70318931cc995abee523b334a29812bf875302dc126c9f958

            Download Submit

          • C:\Windows\Logo1_.exe
            Filesize

            33KB

            MD5

            3659e75ad8a2bdeef5f1d74aae41c2af

            SHA1

            95b2fa7bc2afbc1f412fc4285dbb6a15cc658a8a

            SHA256

            dbb4fdb10597cfb189203f72e75a2f2769a6960ed1acc1baa901742a344ae52d

            SHA512

            f19bbad48af80437f083d21cf89839bee9d30d50162df60a0d7c8205b646739332e55371f5d6c005f69681e41f00df936942c06f94f1a38c25084e438cac61e2

            Download Submit

          • F:\$RECYCLE.BIN\S-1-5-21-2248906074-2862704502-246302768-1000\_desktop.ini
            Filesize

            9B

            MD5

            e7957b9f3d9556c996418169821a7993

            SHA1

            b7028de0f91d2e50a8d5f6d23613331a2784a142

            SHA256

            71a21a13d7822776d52d9a6146651dc9155db9f0bfbd978acf43d12dea2a8539

            SHA512

            72bc8552047095449fa4c3c21300183acfc7b33e6ab69c11435542e2862cb9e896bbfdedaeb97ec6edac8ed68220507a302d1ed2217624c97f6e9a83c0d3a285

            Download Submit

          • memory/1132-28-0x0000000002590000-0x0000000002591000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2484-17-0x00000000002C0000-0x00000000002FF000-memory.dmp

            Filesize

            252KB

            Download

          • memory/2484-18-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/2484-0-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/2484-15-0x00000000002C0000-0x00000000002FF000-memory.dmp

            Filesize

            252KB

            Download

          • memory/2816-32-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/2816-3319-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/2816-4142-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          We care about your privacy.

          This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.