Overview

overview

7

Static

static

3

c9e46f72c3...88.exe

windows7-x64

7

c9e46f72c3...88.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    01/05/2024, 07:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c9e46f72c3fc30e8a87c150084525271024e303ae86c69f3781a11aca4275288.exe

  • Size

    970KB

  • MD5

    44f37bcb6733e5d1acb25855354d2329

  • SHA1

    d66c4a19017aaa034e34446c9d7d5dade358e2aa

  • SHA256

    c9e46f72c3fc30e8a87c150084525271024e303ae86c69f3781a11aca4275288

  • SHA512

    9209798230c8ed49bfe8b3f6f9db76f75f80db2fd1977754bceb8090834dde62e46e75582cfcabaf8a8283cb9a3588a970d970f41465b4d1116852e64012b6ab

  • SSDEEP

    12288:W+azbvURKcv8Nh7py6Rmi78gkPH3aPI9vyVg/0paQuj3IdD02fKBjtp/:WBzbRBpDRmi78gkPXlyo0G/jr

Score
7/10
spywarestealer

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 43 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1392
      • C:\Users\Admin\AppData\Local\Temp\c9e46f72c3fc30e8a87c150084525271024e303ae86c69f3781a11aca4275288.exe
        "C:\Users\Admin\AppData\Local\Temp\c9e46f72c3fc30e8a87c150084525271024e303ae86c69f3781a11aca4275288.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:3036
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:3040
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:3032
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c C:\Users\Admin\AppData\Local\Temp\$$a71E5.bat
            3⤵
            • Deletes itself
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:2564
            • C:\Users\Admin\AppData\Local\Temp\c9e46f72c3fc30e8a87c150084525271024e303ae86c69f3781a11aca4275288.exe
              "C:\Users\Admin\AppData\Local\Temp\c9e46f72c3fc30e8a87c150084525271024e303ae86c69f3781a11aca4275288.exe"
              4⤵
              • Executes dropped EXE
              • Suspicious behavior: GetForegroundWindowSpam
              • Suspicious use of AdjustPrivilegeToken
              PID:2696
          • C:\Windows\Logo1_.exe
            C:\Windows\Logo1_.exe
            3⤵
            • Executes dropped EXE
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:2888
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:2828
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:2584
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:2408
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:2476

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
            Filesize

            484KB

            MD5

            79d4fd1cb70f3844796aa1ea18a238e2

            SHA1

            78d207a7de2aeb85eefc185d894b0b7626e1e1f3

            SHA256

            ccaacc3965c1bdfce8cd1e934895a4563dddf082016e56846966c250bed87d5b

            SHA512

            7a0167cbce49f09ea39e490862b8c371eacf8ce3d74d6a6054e7f0e1df4b307019f5adee03603fcb9d4db2b17841cbc9cf129e9480d70b20c266fe82b3979b33

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\$$a71E5.bat
            Filesize

            722B

            MD5

            d995dc88ec2c9a92d361bd6c8431fdc3

            SHA1

            8383e50a97b8994371bb5698f875fdc0a4c26162

            SHA256

            e28fe0ee70ce1a718d7dc8b58a1467ed9f9e942967476aff83424c165606c775

            SHA512

            82aed792c9151ab64979668bfd1109afbc204c8334bae878dd26ee199ec58b4a2a8c722decb498254a857805b78e5cf42d8fc37509ae16f1152961ce98729d28

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\c9e46f72c3fc30e8a87c150084525271024e303ae86c69f3781a11aca4275288.exe.exe
            Filesize

            930KB

            MD5

            30ac0b832d75598fb3ec37b6f2a8c86a

            SHA1

            6f47dbfd6ff36df7ba581a4cef024da527dc3046

            SHA256

            1ea0839c8dc95ad2c060af7d042c40c0daed58ce8e4524c0fba12fd73e4afb74

            SHA512

            505870601a4389b7ed2c8fecf85835adfd2944cbc10801f74bc4e08f5a0d6ecc9a52052fc37e216304cd1655129021862294a698ed36b3b43d428698f7263057

            Download Submit

          • C:\Windows\Logo1_.exe
            Filesize

            39KB

            MD5

            b358a6cac10ccc8c0ba6d33b809eb77a

            SHA1

            4b662ed65f5af865bf40925e0aacafc9a6e3a2cb

            SHA256

            b4c9ed18a1f2124fcc393b4779ebd601b36eba3bc6acaa565c532bab3aec694d

            SHA512

            a7d8b81673b74bafc0251a4a291b15774807612b566b7b5909369f964d08ce9e5671fab5ba5da0e1b479b4838d04d159ca7231da47f3b8d19b1d3b88ce6e85c1

            Download Submit

          • F:\$RECYCLE.BIN\S-1-5-21-330940541-141609230-1670313778-1000\_desktop.ini
            Filesize

            8B

            MD5

            35a8ee2041a708d5071bff39818311c3

            SHA1

            31114ee16a39b8ada4130a94c1c36ed74a563d2a

            SHA256

            b2405b086204a9155a2dabf58717e53695089ece5d0af208cb960473ba350f8b

            SHA512

            f17fa8c794a47b0134ac4d8e83010e8dce1a0f2ab74a400c571d6470737e386f4eb1351be6c5b153dc063c49d333b69ddf67871d2e0ffb3c02d243be0015f1f0

            Download Submit

          • memory/1392-29-0x0000000003CC0000-0x0000000003CC1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2888-32-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/2888-1836-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/2888-3466-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/2888-4081-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/3036-18-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/3036-17-0x0000000000270000-0x00000000002AD000-memory.dmp

            Filesize

            244KB

            Download

          • memory/3036-0-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/3036-15-0x0000000000270000-0x00000000002AD000-memory.dmp

            Filesize

            244KB

            Download