Overview

overview

7

Static

static

3

d4f43c5616...b6.exe

windows7-x64

7

d4f43c5616...b6.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    107s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-05-2024 18:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d4f43c5616ce0695d303103e4e9e446a6a756b4f1b8c569aa2e20da2a47ab7b6.exe

  • Size

    66KB

  • MD5

    3f9c2a945b4cc81d677874066edc4ef5

  • SHA1

    2944b7ae1df1e60a83dc148b577647fbf6c20987

  • SHA256

    d4f43c5616ce0695d303103e4e9e446a6a756b4f1b8c569aa2e20da2a47ab7b6

  • SHA512

    9a4d19be4755145b8efdea55a8439126abd9b96fa78d9892b7099655ab087d278871ee2e66b906e3c8282535754898593dfe7ff83a97b43f2203470f61f953d9

  • SSDEEP

    1536:Ig8Ze+Zk77RNzLiTOwiS4qz0XSW3iG47fy:Igae+aX3zvZS4qz3G47a

Score
7/10
spywarestealer

Malware Config

Signatures

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3444
      • C:\Users\Admin\AppData\Local\Temp\d4f43c5616ce0695d303103e4e9e446a6a756b4f1b8c569aa2e20da2a47ab7b6.exe
        "C:\Users\Admin\AppData\Local\Temp\d4f43c5616ce0695d303103e4e9e446a6a756b4f1b8c569aa2e20da2a47ab7b6.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:4088
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:3024
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:4208
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a344E.bat
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:3252
            • C:\Users\Admin\AppData\Local\Temp\d4f43c5616ce0695d303103e4e9e446a6a756b4f1b8c569aa2e20da2a47ab7b6.exe
              "C:\Users\Admin\AppData\Local\Temp\d4f43c5616ce0695d303103e4e9e446a6a756b4f1b8c569aa2e20da2a47ab7b6.exe"
              4⤵
              • Executes dropped EXE
              PID:2908
          • C:\Windows\Logo1_.exe
            C:\Windows\Logo1_.exe
            3⤵
            • Drops startup file
            • Executes dropped EXE
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:4548
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:1608
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:3864
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:2720
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:2192

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
            Filesize

            258KB

            MD5

            81a0e302bbfd88e0fa1e7a21dec03386

            SHA1

            423f9191a497994c2fb959806c9ad0ef5b678d0c

            SHA256

            8f8b833c8ee99eb2bdcf44ae370ed5505681331b52adc56815d96a263e60cbe7

            SHA512

            b4b05481f1026a2aff43ae42416c943902f87ddab8941fab5c8f4875956fcc67e8ce66acb4a7e98d705769b75c01beb0a9be279b29c8a2e9dfe5ae96bb742d00

            Download Submit

          • C:\Program Files\RedoOptimize.exe
            Filesize

            722KB

            MD5

            d13e9bfdbeacbe884319665e6f7d332d

            SHA1

            9e4b2f584cf59513bde4862ae07af7930a7f62e7

            SHA256

            8d66cb1e11b426f8a090980536a7ef0191f408d559bf93317c8a2169264c6a97

            SHA512

            b777acd0b5474cf2a638875bfaa8678456a4895c52fec914596251dda70e5a9f5dd71a2ad00460b209583b4520fbcc6e2589e1b69b762513f1df59cbe6afef53

            Download Submit

          • C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
            Filesize

            643KB

            MD5

            b803a7c50b8a187b840d1b2d69d632ab

            SHA1

            755c11cddfe99d5b6cc65b701e2c917486277817

            SHA256

            d1f3f23aee0dea0b5445a0df84709739774a3287390c393e209d1924c7b30879

            SHA512

            3ad5e91265c4114c650fe37a8cb6350cb472e8445f3274a5b3047b67d0d0a5a063e0c99f885c742cc2a1347b8f25694db03a596f350d5bdcf5a816520590a202

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\$$a344E.bat
            Filesize

            722B

            MD5

            a17afc34a7da98e7992f2c49ebce90cd

            SHA1

            274194eacc45cd26e3dfbe4ef9051b123951f813

            SHA256

            d269aad876761a39b072cc6653e3532d9b53c1bd5e365c4ece025e605ce3f778

            SHA512

            a6d0c2af78bc184b92fe772bdbef03b7aebb4c5ac709058bebbdad092b342a16b516ae6b737885a9638f704e7cde804da01e74c4b17a64bcf07abc1768a9d39d

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\d4f43c5616ce0695d303103e4e9e446a6a756b4f1b8c569aa2e20da2a47ab7b6.exe.exe
            Filesize

            33KB

            MD5

            8d8e70465b638a0fbef479bb1f9a50be

            SHA1

            c39e2a1b7712f6edb3ab8da7add41102bbc2646a

            SHA256

            7152bd71bfdf164229ec3664980fd0f5389790fb2fb852c770ffa901a3087ff6

            SHA512

            11ad37a481f65d48e522d035ffa7cd0ac0a4c4258dff97de738ad4dccec025c4e408af9917f807313ee98169387661f0e0446df187180d36ea8cbfcd1f21ddac

            Download Submit

          • C:\Windows\Logo1_.exe
            Filesize

            33KB

            MD5

            420f125d677f0bf19d6130ea59dfb694

            SHA1

            c26ae0c439982374d7ed6db90761cdb1d4f2f617

            SHA256

            4784cbb5bf5947b0729e72958deb0c4f12222523aee7f3c19856e16f9e2068d2

            SHA512

            23cc499e39b347ecd15b6ba5eafd3455295bcf0508b14e65c24928cb9e6d90d5c324ae3687186b954d4549dccce2087f08fda10bbf1205b19df74ef6b1a773ee

            Download Submit

          • F:\$RECYCLE.BIN\S-1-5-21-3906287020-2915474608-1755617787-1000\_desktop.ini
            Filesize

            8B

            MD5

            0282826728a8bfe9c3f290391e4f323c

            SHA1

            ab69946ecc2824015e04a669b8434e8eb2a658aa

            SHA256

            0c3ddb95f5308286721e2d55c16a3170674b54fc8d17c1f02bee1b6850ce2ee9

            SHA512

            fde2cb3a9b14fa79fdb7615c094a85aee3baf100511872c0b3986349edefe5a2dc4513929587852c1672e9632c8a6c95284fab82397133dec597bb8fe618fb0e

            Download Submit

          • memory/4088-10-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/4088-0-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/4548-11-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/4548-5221-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/4548-18-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/4548-8703-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download