Overview

overview

7

Static

static

3

c720359aeb...5b.exe

windows7-x64

7

c720359aeb...5b.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    05/05/2024, 10:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c720359aeb64cad64544b51dc032579ba42c1ce337ebc58bacb0a8c61092ab5b.exe

  • Size

    577KB

  • MD5

    45f6db1ec72be2ae72124871996da724

  • SHA1

    859058aaee81af4e9b64f1e4308d6ec13e53e9d3

  • SHA256

    c720359aeb64cad64544b51dc032579ba42c1ce337ebc58bacb0a8c61092ab5b

  • SHA512

    c41395aa00a4e6d40708a7ace7f4f19c99b13c8f04e296cae41d24721388ec27e1f824e372700754ab7dbbe0d87001fb34c26e3b157e2e4b9e34cf4cc87d9619

  • SSDEEP

    6144:Q+aMKE7cV3iwbAFRWAbd4nf0H05yqE6Hl0ChW0+ksllAXBu0lWGWUJJQ4t0BHQQG:Q+aMR7a3iwbihym2g7XO3LWUQfh4Co

Score
7/10
spywarestealer

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 43 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1196
      • C:\Users\Admin\AppData\Local\Temp\c720359aeb64cad64544b51dc032579ba42c1ce337ebc58bacb0a8c61092ab5b.exe
        "C:\Users\Admin\AppData\Local\Temp\c720359aeb64cad64544b51dc032579ba42c1ce337ebc58bacb0a8c61092ab5b.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:3008
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1796
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:2184
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c C:\Users\Admin\AppData\Local\Temp\$$a257B.bat
            3⤵
            • Deletes itself
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:1980
            • C:\Users\Admin\AppData\Local\Temp\c720359aeb64cad64544b51dc032579ba42c1ce337ebc58bacb0a8c61092ab5b.exe
              "C:\Users\Admin\AppData\Local\Temp\c720359aeb64cad64544b51dc032579ba42c1ce337ebc58bacb0a8c61092ab5b.exe"
              4⤵
              • Executes dropped EXE
              PID:3060
          • C:\Windows\Logo1_.exe
            C:\Windows\Logo1_.exe
            3⤵
            • Executes dropped EXE
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:1340
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:2720
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:2432
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:2744
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:2704

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
            Filesize

            258KB

            MD5

            1cf9715a389ba4876cab7d395df4d645

            SHA1

            0a448c44716a1d819889dabbb4eb0300535a716f

            SHA256

            bac5d6a06de485f137512023b413935335ddb109b8c5ecc38972fcaa4a7de491

            SHA512

            c59f4a9f9a05c67c10a42ba3a33fa15106d844088ea38b598dfb6a75f2c031aaf6e0c63bc5c03fa5899da11872df2a04b8c8dc18073f101f49cc0fc3b82ac7be

            Download Submit

          • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
            Filesize

            478KB

            MD5

            3e2d3392a9d3ae3ed27661f81e853478

            SHA1

            fa8c023a3bff75e89ed39f5d4bfb5693d818ca8b

            SHA256

            09da8a31b7f420b9e4ed6d02e698bcc12a4f3efa46a53d1492a241a5784d44a8

            SHA512

            27652a29d728b92995b8ce46b150cd14baf5b65789591085ef3fa959dbc99efaa071b7a014ccaabeb6e84cdea642769dc98a7a1684afcda9be82dbb0b8d3fa17

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\$$a257B.bat
            Filesize

            722B

            MD5

            62483dfb098774f686e2b9e9f63db27c

            SHA1

            da227945dc1dadd869da6b4af167b5b1886bb853

            SHA256

            1ca9e5ebc094c71552d2a549950af03d7ce9a9166b58faefc28ed371bd6ed085

            SHA512

            77542d07e503ef82be83e5bf7916e9558bb01d042a4bc2dd1dd40f6d372c324ecfe11a1fa546b423983b7aa32c8803ac63c677ce155b37d603cf1bcd247869c4

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\c720359aeb64cad64544b51dc032579ba42c1ce337ebc58bacb0a8c61092ab5b.exe.exe
            Filesize

            544KB

            MD5

            9a1dd1d96481d61934dcc2d568971d06

            SHA1

            f136ef9bf8bd2fc753292fb5b7cf173a22675fb3

            SHA256

            8cebb25e240db3b6986fcaed6bc0b900fa09dad763a56fb71273529266c5c525

            SHA512

            7ac1581f8a29e778ba1a1220670796c47fa5b838417f8f635e2cb1998a01515cff3ee57045dacb78a8ec70d43754b970743aba600379fe6d9481958d32d8a5aa

            Download Submit

          • C:\Windows\Logo1_.exe
            Filesize

            33KB

            MD5

            030c9aac5dcb76c5a06bf0ac2cdecfb0

            SHA1

            18f137b0ad656c47efffbc845449b5e80294bfd2

            SHA256

            815990d99ef2e24393dfdaac82ed03ab38096386d327ae3a8f670c63e02dbf79

            SHA512

            4db5e2a3c0e3d70003437fd15eebe90bb4574450b600bcac0fb52842c646fe5c098912ad479cf3ec4a490c985ba837e37ed5bdeec5db2ca57b16360290e0cce5

            Download Submit

          • F:\$RECYCLE.BIN\S-1-5-21-1298544033-3225604241-2703760938-1000\_desktop.ini
            Filesize

            8B

            MD5

            1b16d2dbd4281ce4e4e5729c608dcb0b

            SHA1

            851e624080ba5598edb808d4b30fe2d74999ce18

            SHA256

            c9e46fb51d0588ca1e48ca66731e11992770b9b74a982f9bdbb6ce5b5b75d549

            SHA512

            cd1c4cf7c7871cb48ce735226b25f689b340037e6c992441e566161de7fca7410762d1a0c2670ee4b6546f7ee854d3219e0e2315c3e0387d9bbe3f08076b5a59

            Download Submit

          • memory/1196-27-0x00000000025C0000-0x00000000025C1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1340-31-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/1340-19-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/1340-3318-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/1340-4141-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/3008-0-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/3008-17-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download