Overview

overview

8

Static

static

3

0527f89ac0...a9.exe

windows7-x64

8

0527f89ac0...a9.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    149s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    02/05/2024, 07:14

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    0527f89ac0cbe4a36c3ec73afe8be84967edf526a49e1bde1437025d6523f0a9.exe

  • Size

    577KB

  • MD5

    65321b45c11d2f1ae2ef5b3e508e99db

  • SHA1

    6ab49fa25966d5dbb6e6209ad3a4686cf6aad44d

  • SHA256

    0527f89ac0cbe4a36c3ec73afe8be84967edf526a49e1bde1437025d6523f0a9

  • SHA512

    f3f868de4a43973d232b6f54f2b15cf7643a48c80dac64be08c5ba2e0e6ca31c8c1843cabdb7fd48c2a2b798a03cd7c80fe86d8fed9035f5553df195cdbd5488

  • SSDEEP

    6144:yf46tGdye419E7cV3iwbAFRWAbd4nf0H05yqE6Hl0ChW0+ksllAXBu0lWGWUJJQC:e3NbI7a3iwbihym2g7XO3LWUQfh4Co

Score
8/10
spywarestealer

Malware Config

Signatures

  • Drops file in Drivers directory 2 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 43 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1196
      • C:\Users\Admin\AppData\Local\Temp\0527f89ac0cbe4a36c3ec73afe8be84967edf526a49e1bde1437025d6523f0a9.exe
        "C:\Users\Admin\AppData\Local\Temp\0527f89ac0cbe4a36c3ec73afe8be84967edf526a49e1bde1437025d6523f0a9.exe"
        2⤵
        • Drops file in Drivers directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1628
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1672
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:1852
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c C:\Users\Admin\AppData\Local\Temp\$$a22EC.bat
            3⤵
            • Deletes itself
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:2584
            • C:\Users\Admin\AppData\Local\Temp\0527f89ac0cbe4a36c3ec73afe8be84967edf526a49e1bde1437025d6523f0a9.exe
              "C:\Users\Admin\AppData\Local\Temp\0527f89ac0cbe4a36c3ec73afe8be84967edf526a49e1bde1437025d6523f0a9.exe"
              4⤵
              • Executes dropped EXE
              PID:2560
          • C:\Windows\Logo1_.exe
            C:\Windows\Logo1_.exe
            3⤵
            • Drops file in Drivers directory
            • Executes dropped EXE
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:2632
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:2552
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:2748
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:2616
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:2492

          Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
                  Filesize

                  478KB

                  MD5

                  0a2f7bc5d2f3b1abbf852f12ac72d39f

                  SHA1

                  3ed5d15e03f4a79247638844b8e938794445bfde

                  SHA256

                  c2eadf7bc1b2c55782d5307c4bfdc59f4c900494b9a624e199c675b582a13d7c

                  SHA512

                  8c47195b5c79359b6e7c5088d1a2c757ce6a1f16dd61c4c4d0bb7baafba4135c7a64541ce7a3af55b65f83af3df2677ff6f63f9c80fdfb1f7696d54c4609d63d

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\$$a22EC.bat
                  Filesize

                  722B

                  MD5

                  1e4d3fc006b9a79f0dff103344f0c457

                  SHA1

                  14e03648923a7cc2d88ae61d1f2a75c3add0e4b0

                  SHA256

                  034bc65b783c936e5d00000c17019270d1dfa1c3cc6b8a2b64385ad07c742b22

                  SHA512

                  e7c9a2b72be94a8715d74befa8d85f3f9a9ba59cf83abe8f725b54c4353d6c1a63ba001d53422449e756d8e2552002f1dedf158986fc3fd8128eab99fdda82dd

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\0527f89ac0cbe4a36c3ec73afe8be84967edf526a49e1bde1437025d6523f0a9.exe.exe
                  Filesize

                  544KB

                  MD5

                  9a1dd1d96481d61934dcc2d568971d06

                  SHA1

                  f136ef9bf8bd2fc753292fb5b7cf173a22675fb3

                  SHA256

                  8cebb25e240db3b6986fcaed6bc0b900fa09dad763a56fb71273529266c5c525

                  SHA512

                  7ac1581f8a29e778ba1a1220670796c47fa5b838417f8f635e2cb1998a01515cff3ee57045dacb78a8ec70d43754b970743aba600379fe6d9481958d32d8a5aa

                  Download Submit

                • C:\Windows\Logo1_.exe
                  Filesize

                  33KB

                  MD5

                  8c9e7eefdd62f19108ae9e444ad2c208

                  SHA1

                  e40870610792bb8e4e835787634a0ac9a8daff3e

                  SHA256

                  1cffa0d883a8763fd15280a4148775ddf3789857a2df269c9425f41095b83a92

                  SHA512

                  92e4fb044d706550c0e833318e8d732ee3130c78ea198530fbbc604f34ef41cfc9b53b8fc60bfdbbe61afde60fbf3a9e528fbc1ae14eac6226d9b5966367b292

                  Download Submit

                • C:\Windows\system32\drivers\etc\hosts
                  Filesize

                  832B

                  MD5

                  7e3a0edd0c6cd8316f4b6c159d5167a1

                  SHA1

                  753428b4736ffb2c9e3eb50f89255b212768c55a

                  SHA256

                  1965854dfa54c72529c88c7d9f41fa31b4140cad04cf03d3f0f2e7601fcbdc6c

                  SHA512

                  9c68f7f72dfa109fcfba6472a1cced85bc6c2a5481232c6d1d039c88b2f65fb86070aeb26ac23e420c6255daca02ea6e698892f7670298d2c4f741b9e9415c7f

                  Download Submit

                • F:\$RECYCLE.BIN\S-1-5-21-1298544033-3225604241-2703760938-1000\_desktop.ini
                  Filesize

                  8B

                  MD5

                  4b4dbd7e2fe4189c8136069a10e1698a

                  SHA1

                  e4e6e1e80d1fe41d20456173c522d8e7affc4579

                  SHA256

                  f00f66ba8f3341c7ae8e3c7741a1ff31e522c75580afa9793dcaee17488ccf5b

                  SHA512

                  2be5b324ef5d951c5e66d692c26f813e0fdd76cb4ef01a9abf38e5f7837f649e0194f7f5c55b1cfd79a9d253031ace5b270fc50f6c11f1885e85f9a874380d8c

                  Download Submit

                • memory/1196-29-0x0000000002E10000-0x0000000002E11000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/1628-0-0x0000000000400000-0x000000000043E000-memory.dmp

                  Filesize

                  248KB

                  Download

                • memory/1628-18-0x0000000000400000-0x000000000043E000-memory.dmp

                  Filesize

                  248KB

                  Download

                • memory/2632-19-0x0000000000400000-0x000000000043E000-memory.dmp

                  Filesize

                  248KB

                  Download

                • memory/2632-33-0x0000000000400000-0x000000000043E000-memory.dmp

                  Filesize

                  248KB

                  Download

                • memory/2632-2995-0x0000000000400000-0x000000000043E000-memory.dmp

                  Filesize

                  248KB

                  Download

                • memory/2632-4103-0x0000000000400000-0x000000000043E000-memory.dmp

                  Filesize

                  248KB

                  Download