Overview

overview

7

Static

static

3

a46aa5e8af...2f.exe

windows7-x64

7

a46aa5e8af...2f.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    136s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-04-2024 22:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a46aa5e8af05e1ea85a99fede9d8bd7820f0327aabc68f15a42a5360b58dfb2f.exe

  • Size

    497KB

  • MD5

    9dacbd16c744b80ac18ab1ba7240cbf3

  • SHA1

    b8a3e0dc23ecabe9eb5e3a942d1acf08ad7bcf25

  • SHA256

    a46aa5e8af05e1ea85a99fede9d8bd7820f0327aabc68f15a42a5360b58dfb2f

  • SHA512

    ce406b5cb018e81d82be891a1842a257f01fd25fd92308c3ce39a9638b438551d804fe919460de0f090d8a698271fe83f9cd2e73e8768270e506247224760908

  • SSDEEP

    12288:u+azbvb1gL5pRTcAkS/3hzN8qE43fm78V:uBzb+5jcAkSYqyE

Score
7/10
spywarestealer

Malware Config

Signatures

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3544
      • C:\Users\Admin\AppData\Local\Temp\a46aa5e8af05e1ea85a99fede9d8bd7820f0327aabc68f15a42a5360b58dfb2f.exe
        "C:\Users\Admin\AppData\Local\Temp\a46aa5e8af05e1ea85a99fede9d8bd7820f0327aabc68f15a42a5360b58dfb2f.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:3664
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:3564
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:2904
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a6E98.bat
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:5008
            • C:\Users\Admin\AppData\Local\Temp\a46aa5e8af05e1ea85a99fede9d8bd7820f0327aabc68f15a42a5360b58dfb2f.exe
              "C:\Users\Admin\AppData\Local\Temp\a46aa5e8af05e1ea85a99fede9d8bd7820f0327aabc68f15a42a5360b58dfb2f.exe"
              4⤵
              • Executes dropped EXE
              PID:2132
          • C:\Windows\Logo1_.exe
            C:\Windows\Logo1_.exe
            3⤵
            • Drops startup file
            • Executes dropped EXE
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:3932
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:1704
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:2224
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:2476
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:4460

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
            Filesize

            264KB

            MD5

            266a8decd1271ba104a9fff2eb37568f

            SHA1

            5fae11187d40c55a75f7174e4af12fef3e0a33a9

            SHA256

            25040ab6bb8ee761b351ca816cce03c80530b89aba11824a74326e84277e2aee

            SHA512

            15e0794324d0066c7cef77dc1f48441d2ddfa355a683c3a49cc6ead86399121122a49c449306330796600b7aa46679b20b9797e8e14aa2ef183102bd8dac304e

            Download Submit

          • C:\Program Files\7-Zip\7z.exe
            Filesize

            583KB

            MD5

            1fc45864b434b1740a433ce8eb0d7e29

            SHA1

            791372c8ab7efb7c0301d96f84889e246d4b4384

            SHA256

            c829fce99133b730c0d7e47f49768872a3f2fd6e782e462194427814f57d2699

            SHA512

            c3734916f06140072101a2faa1ba229d67c6f89731e464cf6f985617607053736cb429dcc6df1c42820c2fa054e9eb857b3eaf7170b4a18f1a56f7573f089ecb

            Download Submit

          • C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
            Filesize

            649KB

            MD5

            e4b4c486987a76abb8a18c33b36514b5

            SHA1

            1c83216295cfc852c1a35198e31d8d385efd373a

            SHA256

            30f0474b455caa56bfb989bfcc04bb4db00f81857c28657f3fecf1dbcc6eb5dc

            SHA512

            f8532180a32b17153626d9879a93159132b2e10708e81aec83c995a8e9b642d5b6ccdd1db676c92302bdd5bb97726e670876490e97d65b27865ea7e72c8c4515

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\$$a6E98.bat
            Filesize

            722B

            MD5

            165317eb2c09e472a0150a5b7b142204

            SHA1

            79366494cc167054c41a75be32d0665cb438f8d3

            SHA256

            7189119099099e81327160326914f4d000c350f53a4881af8f116e55bb8bea22

            SHA512

            4ec0c51ea8da0e716e0d5417b872dff5e80fb0b3a9f0809d9fef1609651dfeba2406174bdf24763b010ac4453d344eb67f3e820d8c07ce79083335ed5ea3070b

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\a46aa5e8af05e1ea85a99fede9d8bd7820f0327aabc68f15a42a5360b58dfb2f.exe.exe
            Filesize

            458KB

            MD5

            619f7135621b50fd1900ff24aade1524

            SHA1

            6c7ea8bbd435163ae3945cbef30ef6b9872a4591

            SHA256

            344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

            SHA512

            2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

            Download Submit

          • C:\Windows\Logo1_.exe
            Filesize

            39KB

            MD5

            4ea1c860080808fe13e78caa0034c62b

            SHA1

            59e326df70ba545b4c443b9a4d4d4ecb725a0ede

            SHA256

            fef391543155b7d88565a03cdcb35eb2d9c44b22f3d4af8ef9fd0f48289f6958

            SHA512

            880bf02f0776da8fde359b6f71b05ed11947f507d44e461f23c55dbeabc54ce63325c877fac5dd2d31c5dad3feb0d81bf02f767ac238494ef7ca5c84ec354e6f

            Download Submit

          • F:\$RECYCLE.BIN\S-1-5-21-711569230-3659488422-571408806-1000\_desktop.ini
            Filesize

            9B

            MD5

            3441ca64b7a268fd1abb0c149aa9e827

            SHA1

            977a6be7624a5ff4ea1de4f422b44b4974c17827

            SHA256

            fafa54a384b4b9bfe970b0e803afe0c0284021acca503892961170d49985dd99

            SHA512

            84d8adce555267049d33544c4402eaa9bb3ff2022fd76cd619e4cb1fd544c5825cd7769065dd525b58e3befd579d3dd11ec2e0032907ff7dd36f83975b5b5848

            Download Submit

          • memory/3664-9-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/3664-0-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/3932-18-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/3932-3036-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/3932-10-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/3932-8744-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download