Overview

overview

7

Static

static

3

c962efa54c...a9.exe

windows7-x64

7

c962efa54c...a9.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    102s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03/05/2024, 18:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c962efa54c0a44e840558abbcd17b7e315bcda5e3205ff37453d3d17fb4625a9.exe

  • Size

    66KB

  • MD5

    db0f77c0232e7044875e3cec8faa5eef

  • SHA1

    9a6c7bb0d83e140e5c1064ddddbe9b1ea7165ad4

  • SHA256

    c962efa54c0a44e840558abbcd17b7e315bcda5e3205ff37453d3d17fb4625a9

  • SHA512

    03d1a41006c9c35ad0a6bedc6fa7b77ed891ff7367c2ae2d65ad2887a8d46f300d3c7a72edfd3c5f5b1e45b9becf72a82d680a24b646b5d48fae1d64a2f5aa44

  • SSDEEP

    1536:Ig8Ze+Zk77RNzLiTOMZoEV0JuRUFyMOaHQ1l:Igae+aX3zvhk0JXXOeQ

Score
7/10
spywarestealer

Malware Config

Signatures

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3440
      • C:\Users\Admin\AppData\Local\Temp\c962efa54c0a44e840558abbcd17b7e315bcda5e3205ff37453d3d17fb4625a9.exe
        "C:\Users\Admin\AppData\Local\Temp\c962efa54c0a44e840558abbcd17b7e315bcda5e3205ff37453d3d17fb4625a9.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1456
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2612
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:3776
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a3D38.bat
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:2956
            • C:\Users\Admin\AppData\Local\Temp\c962efa54c0a44e840558abbcd17b7e315bcda5e3205ff37453d3d17fb4625a9.exe
              "C:\Users\Admin\AppData\Local\Temp\c962efa54c0a44e840558abbcd17b7e315bcda5e3205ff37453d3d17fb4625a9.exe"
              4⤵
              • Executes dropped EXE
              PID:2896
          • C:\Windows\Logo1_.exe
            C:\Windows\Logo1_.exe
            3⤵
            • Drops startup file
            • Executes dropped EXE
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:1732
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:3588
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:2380
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:4444
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:4332

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe
            Filesize

            250KB

            MD5

            f257bf4afa1a11fef9b1def04697d723

            SHA1

            1e05eece0f531686807ea967ac57f61a01eeb141

            SHA256

            09d80cb7c8099f0206bde94dd54fb29da90dcbcc8a74e137469a05d02b6eda53

            SHA512

            c26c937f4f78cadab4635a8484db797b604b93763e482094fd79be27aff9066aca997e718714572d34ab7bb6579304674194ca658f91962c189cd330673b0c9a

            Download Submit

          • C:\Program Files\7-Zip\7z.exe
            Filesize

            577KB

            MD5

            8e83ba7d521a51260a28dace8f7655c7

            SHA1

            d11ba5d21e963c79f2ec415eb91533e077281599

            SHA256

            8543b3768c65dc5bb153bf0f842d300bf3578fba696835b098ba61bd3825421e

            SHA512

            83174d058226db8a531bc96c7df75c6bccac4b22686131e1007d39d3ea4415d0d79c8190e8df1393a6fd02fa0e171a4324ad46f1045d9f3caaf3a80820066a1b

            Download Submit

          • C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
            Filesize

            643KB

            MD5

            b803a7c50b8a187b840d1b2d69d632ab

            SHA1

            755c11cddfe99d5b6cc65b701e2c917486277817

            SHA256

            d1f3f23aee0dea0b5445a0df84709739774a3287390c393e209d1924c7b30879

            SHA512

            3ad5e91265c4114c650fe37a8cb6350cb472e8445f3274a5b3047b67d0d0a5a063e0c99f885c742cc2a1347b8f25694db03a596f350d5bdcf5a816520590a202

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\$$a3D38.bat
            Filesize

            722B

            MD5

            9693210629d3bfa900b0a18321cbcf82

            SHA1

            85a855d0baaa195a6cd774507cf6fad0c7adeba8

            SHA256

            7e87b2c963c3628c83c76b01ff4c1dd108972cd58f3d49e3eca9b41257f2e675

            SHA512

            e6ba64574bfbcbe5e759bff97c2f7f266d0403a145df79f64e547eaba9ee697d16ed144dc67eb1dc812edf4137b9af4f090f01cc136a50473bd0219f67786519

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\c962efa54c0a44e840558abbcd17b7e315bcda5e3205ff37453d3d17fb4625a9.exe.exe
            Filesize

            33KB

            MD5

            69b16c7b7746ba5c642fc05b3561fc73

            SHA1

            83d80d668dca76b899e1bf662ddee0e0c18ac791

            SHA256

            0deceb6b1b7a2dd1f13133ac7328ff420dad4610cee1fa7466e8e0f6baa39116

            SHA512

            6b8eebcfe5b04141640047fe468371ad02bb115ee9ef00260c0b33cfd56b142c2e01b3b1c6f07281aa57b1f3b9fdb1f1082fe5620f88a57b92d8f547267ef154

            Download Submit

          • C:\Windows\Logo1_.exe
            Filesize

            33KB

            MD5

            420f125d677f0bf19d6130ea59dfb694

            SHA1

            c26ae0c439982374d7ed6db90761cdb1d4f2f617

            SHA256

            4784cbb5bf5947b0729e72958deb0c4f12222523aee7f3c19856e16f9e2068d2

            SHA512

            23cc499e39b347ecd15b6ba5eafd3455295bcf0508b14e65c24928cb9e6d90d5c324ae3687186b954d4549dccce2087f08fda10bbf1205b19df74ef6b1a773ee

            Download Submit

          • F:\$RECYCLE.BIN\_desktop.ini
            Filesize

            8B

            MD5

            0282826728a8bfe9c3f290391e4f323c

            SHA1

            ab69946ecc2824015e04a669b8434e8eb2a658aa

            SHA256

            0c3ddb95f5308286721e2d55c16a3170674b54fc8d17c1f02bee1b6850ce2ee9

            SHA512

            fde2cb3a9b14fa79fdb7615c094a85aee3baf100511872c0b3986349edefe5a2dc4513929587852c1672e9632c8a6c95284fab82397133dec597bb8fe618fb0e

            Download Submit

          • memory/1456-10-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/1456-0-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/1732-11-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/1732-5224-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/1732-18-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/1732-8776-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download