Overview

overview

7

Static

static

3

f3a583e1a1...55.exe

windows7-x64

7

f3a583e1a1...55.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    102s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-05-2024 19:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f3a583e1a14257aa4f48db018981f0cbabdca3e70e2c0315313203ce08ccb655.exe

  • Size

    5.7MB

  • MD5

    a87bee4da1eef368e329fd35e2284611

  • SHA1

    15202f6d9b2bf752df98b529786ae9540dcb22a7

  • SHA256

    f3a583e1a14257aa4f48db018981f0cbabdca3e70e2c0315313203ce08ccb655

  • SHA512

    a31fa0144c41620746363734e48d7bc082a38190feefcf46292399f21417a09c340e05451aac742b8f751346f7d983d4c81835cff41dc914962d6022129f7024

  • SSDEEP

    49152:2BBPv94AEsKU8ggw1g+1CART5eBiyKS3EI3wybn20DCYIHvc8ixuZm9+fWsw6dTP:27KUgTH2M2m9UMpu1QfLczqssnKSk

Score
7/10
spywarestealer

Malware Config

Signatures

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3444
      • C:\Users\Admin\AppData\Local\Temp\f3a583e1a14257aa4f48db018981f0cbabdca3e70e2c0315313203ce08ccb655.exe
        "C:\Users\Admin\AppData\Local\Temp\f3a583e1a14257aa4f48db018981f0cbabdca3e70e2c0315313203ce08ccb655.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1352
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1512
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:2580
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4026.bat
            3⤵
              PID:4360
              • C:\Users\Admin\AppData\Local\Temp\f3a583e1a14257aa4f48db018981f0cbabdca3e70e2c0315313203ce08ccb655.exe
                "C:\Users\Admin\AppData\Local\Temp\f3a583e1a14257aa4f48db018981f0cbabdca3e70e2c0315313203ce08ccb655.exe"
                4⤵
                • Executes dropped EXE
                PID:872
            • C:\Windows\Logo1_.exe
              C:\Windows\Logo1_.exe
              3⤵
              • Drops startup file
              • Executes dropped EXE
              • Enumerates connected drives
              • Drops file in Program Files directory
              • Drops file in Windows directory
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of WriteProcessMemory
              PID:4820
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:3108
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:3952
                • C:\Windows\SysWOW64\net.exe
                  net stop "Kingsoft AntiVirus Service"
                  4⤵
                  • Suspicious use of WriteProcessMemory
                  PID:2856
                  • C:\Windows\SysWOW64\net1.exe
                    C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                    5⤵
                      PID:3308

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe
              Filesize

              257KB

              MD5

              5827932cc6763922d2f1271f6003024e

              SHA1

              95c7986614bc4f5c76ef9f9378d03f2fc6f0d25f

              SHA256

              3cbf27a3b414117a3eeb4adf1bace0c540b23d73a734974dd085aa88cb142143

              SHA512

              1aa3e201e51df2d214f80ecbc67d34c1e8b308aff3348e7c2261dc86dec83c7516fa97084b88f3997576408e2ee7aadc3e2c387d15ce696f5e59040d513009f1

              Download Submit

            • C:\Program Files\7-Zip\7z.exe
              Filesize

              583KB

              MD5

              68968747f17cbc8b43b407b148df2ef0

              SHA1

              4e230eb64bc80df172f674b1c49241fdb82bfdc0

              SHA256

              c1b2ca011ebe00792f26980439e19a5f349132fe213562b9fd6d30cb43a842e0

              SHA512

              ab4381828ddd9c621d13a0d705b18cd783ca390e46da0c929f8e92d9066c424c6fece9005151d3dfbcbdc90b92ccd88a8408b1a3cead1a9c0e0580479331714f

              Download Submit

            • C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
              Filesize

              649KB

              MD5

              ac21b647efb588b12666898144a436f2

              SHA1

              6100361b9a0dd6e26c1bafdad1802bcd4f9c8660

              SHA256

              80dc937367e321b8c5fd893c4e8eccc77bfbbe6169a287fa208f344ed3be9cd4

              SHA512

              f7da1cfb3646fdc7b2630a51cb5c5d640e2d50ded6254d4be0635e2d6b5547bfc4bd9652d9f365d6f362b7bc35a9b1d2f2ea15672e3bc335981fc125a216c790

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\$$a4026.bat
              Filesize

              722B

              MD5

              5afac0eb6843736f5b1d5a41f155129f

              SHA1

              dcc60aae52cf1bff4ff174e4aad74c606291a3f0

              SHA256

              9afe388049b0d1ccd42de79ece8c7dff358721887d490622deabda35cf07682f

              SHA512

              b01671dbfc861875a4b938ffc7c897ce906642a51eb5f20e6d3f59bff3e2893b30a8e95fecc2bd0eade1d571c270ca56676701e712b3c392f99fa49904b551e4

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\f3a583e1a14257aa4f48db018981f0cbabdca3e70e2c0315313203ce08ccb655.exe.exe
              Filesize

              5.7MB

              MD5

              ba18e99b3e17adb5b029eaebc457dd89

              SHA1

              ec0458f3c00d35b323f08d4e1cc2e72899429c38

              SHA256

              f5ee36de8edf9be2ac2752b219cfdcb7ca1677071b8e116cb876306e9f1b6628

              SHA512

              1f41929e6f5b555b60c411c7810cbf14e3af26100df5ac4533ec3739a278c1b925687284660efb4868e3741305098e2737836229efc9fe46c97a6057c10e677c

              Download Submit

            • C:\Windows\Logo1_.exe
              Filesize

              39KB

              MD5

              6b310f4f06625eea7e7dc0d202b54785

              SHA1

              3bbe4c3438f73714d8b65175c3c23073203ab92e

              SHA256

              d294d9d69493d6af1c4d0eb5e4be608389e22699590fe8a366974ef278f9ffbd

              SHA512

              6bfd6711e2308b08e35a6976be0aa90de4a0bbabd4602f07cba8854de445d2e0c1198956183a58e4a69c97e54fae9b57f7962422b129b2d0b14eb872564fc29c

              Download Submit

            • F:\$RECYCLE.BIN\S-1-5-21-3726321484-1950364574-433157660-1000\_desktop.ini
              Filesize

              8B

              MD5

              35a8ee2041a708d5071bff39818311c3

              SHA1

              31114ee16a39b8ada4130a94c1c36ed74a563d2a

              SHA256

              b2405b086204a9155a2dabf58717e53695089ece5d0af208cb960473ba350f8b

              SHA512

              f17fa8c794a47b0134ac4d8e83010e8dce1a0f2ab74a400c571d6470737e386f4eb1351be6c5b153dc063c49d333b69ddf67871d2e0ffb3c02d243be0015f1f0

              Download Submit

            • memory/1352-9-0x0000000000400000-0x000000000043D000-memory.dmp

              Filesize

              244KB

              Download

            • memory/1352-0-0x0000000000400000-0x000000000043D000-memory.dmp

              Filesize

              244KB

              Download

            • memory/4820-18-0x0000000000400000-0x000000000043D000-memory.dmp

              Filesize

              244KB

              Download

            • memory/4820-2900-0x0000000000400000-0x000000000043D000-memory.dmp

              Filesize

              244KB

              Download

            • memory/4820-11-0x0000000000400000-0x000000000043D000-memory.dmp

              Filesize

              244KB

              Download

            • memory/4820-8777-0x0000000000400000-0x000000000043D000-memory.dmp

              Filesize

              244KB

              Download