Overview

overview

7

Static

static

3

323ddab5b4...c1.exe

windows7-x64

7

323ddab5b4...c1.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    05/05/2024, 14:18

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    323ddab5b4de87a4ab87adad956ea90ef1d5f8c5274961f98fe63600da0646c1.exe

  • Size

    491KB

  • MD5

    90e617b3cb538bdbebb67d1acb928fd2

  • SHA1

    1d21aa75aef945020c81a487e85f11b42a5780e1

  • SHA256

    323ddab5b4de87a4ab87adad956ea90ef1d5f8c5274961f98fe63600da0646c1

  • SHA512

    b5c2b80566046eabfee7e64f4773db78674a3abae013ecbfaff9ccbeb418a4f65e06553cd541ce6585cdc5ee956f41775d171161c5a9a0833f7d3d486bfa32bd

  • SSDEEP

    12288:IKI1quIf1gL5pRTcAkS/3hzN8qE43fm78V:DI1q45jcAkSYqyE

Score
7/10
spywarestealer

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 43 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1196
      • C:\Users\Admin\AppData\Local\Temp\323ddab5b4de87a4ab87adad956ea90ef1d5f8c5274961f98fe63600da0646c1.exe
        "C:\Users\Admin\AppData\Local\Temp\323ddab5b4de87a4ab87adad956ea90ef1d5f8c5274961f98fe63600da0646c1.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1628
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2356
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:296
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c C:\Users\Admin\AppData\Local\Temp\$$a23E5.bat
            3⤵
            • Deletes itself
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:2584
            • C:\Users\Admin\AppData\Local\Temp\323ddab5b4de87a4ab87adad956ea90ef1d5f8c5274961f98fe63600da0646c1.exe
              "C:\Users\Admin\AppData\Local\Temp\323ddab5b4de87a4ab87adad956ea90ef1d5f8c5274961f98fe63600da0646c1.exe"
              4⤵
              • Executes dropped EXE
              PID:2872
          • C:\Windows\Logo1_.exe
            C:\Windows\Logo1_.exe
            3⤵
            • Executes dropped EXE
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:2632
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:2592
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:2748
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:2608
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:2172

          Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
                  Filesize

                  478KB

                  MD5

                  22f843576d7f955e6adfc871b32f1c4e

                  SHA1

                  0f619c169809e25776e5662048ef43b75105c749

                  SHA256

                  4743495c4403ccae771b3e2b4f9bca13336c3df8a7adda3b912f06b5e509f88a

                  SHA512

                  dc3f8688869ab9f35ad02f8b7c217fa93fc6dbe00a13a4a81e7b725b6dcaa8080c4731ffb165f070889f08b43e0a365e58955682c46623b85a0b4aca644b9fbf

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\$$a23E5.bat
                  Filesize

                  722B

                  MD5

                  8a837b19547ab7b009015713bacf0b90

                  SHA1

                  34931f938851bf54fe98cc02342001e8f1f801cf

                  SHA256

                  54d01304e70c29d55c818708ba51e67de687b25d6ce100682aaf515e3224b924

                  SHA512

                  0bd5e3c2f9c68d7d0894a39b443229f7b6e7dba93b357a2d8fcd83e50ccf4e9d90354fd588b3ac0735a31e8c1020c4203ed6aef806a276a29108b6ebd3b4adb2

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\323ddab5b4de87a4ab87adad956ea90ef1d5f8c5274961f98fe63600da0646c1.exe.exe
                  Filesize

                  458KB

                  MD5

                  619f7135621b50fd1900ff24aade1524

                  SHA1

                  6c7ea8bbd435163ae3945cbef30ef6b9872a4591

                  SHA256

                  344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

                  SHA512

                  2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

                  Download Submit

                • C:\Windows\Logo1_.exe
                  Filesize

                  33KB

                  MD5

                  dbaeead00c5f2c719ea726ce5d681465

                  SHA1

                  d9bb3c9a2747bb4625f265d46f48722ef88271c7

                  SHA256

                  ccb9ee55ad02f5fda55d5b0e8c06e4071fe895b47d622ebc24a79d7c87d3e1a8

                  SHA512

                  1526d4e26278f1225a07fdf935de1d7364638af5b77473d2ec97316edf53cc89c4482c496d4b9c7009ee9d969429e9251057a1664ceb0ebda1aef16c703ffa95

                  Download Submit

                • F:\$RECYCLE.BIN\S-1-5-21-1298544033-3225604241-2703760938-1000\_desktop.ini
                  Filesize

                  8B

                  MD5

                  1b16d2dbd4281ce4e4e5729c608dcb0b

                  SHA1

                  851e624080ba5598edb808d4b30fe2d74999ce18

                  SHA256

                  c9e46fb51d0588ca1e48ca66731e11992770b9b74a982f9bdbb6ce5b5b75d549

                  SHA512

                  cd1c4cf7c7871cb48ce735226b25f689b340037e6c992441e566161de7fca7410762d1a0c2670ee4b6546f7ee854d3219e0e2315c3e0387d9bbe3f08076b5a59

                  Download Submit

                • memory/1196-27-0x0000000002E10000-0x0000000002E11000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/1628-0-0x0000000000400000-0x000000000043D000-memory.dmp

                  Filesize

                  244KB

                  Download

                • memory/1628-17-0x0000000000400000-0x000000000043D000-memory.dmp

                  Filesize

                  244KB

                  Download

                • memory/2632-18-0x0000000000400000-0x000000000043D000-memory.dmp

                  Filesize

                  244KB

                  Download

                • memory/2632-31-0x0000000000400000-0x000000000043D000-memory.dmp

                  Filesize

                  244KB

                  Download

                • memory/2632-3068-0x0000000000400000-0x000000000043D000-memory.dmp

                  Filesize

                  244KB

                  Download

                • memory/2632-4101-0x0000000000400000-0x000000000043D000-memory.dmp

                  Filesize

                  244KB

                  Download