Overview

overview

8

Static

static

3

f6d1f51d2c...14.exe

windows7-x64

8

f6d1f51d2c...14.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    149s
  • max time network
    123s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-05-2024 15:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f6d1f51d2c5bd7966b571f13975aed053309459a0a18ec84cf0f69d9bc95d314.exe

  • Size

    761KB

  • MD5

    28b1f09706148cf25502cc195ffdafab

  • SHA1

    84b6ca3618684816c57c6fc1c112229f7bfc4d7a

  • SHA256

    f6d1f51d2c5bd7966b571f13975aed053309459a0a18ec84cf0f69d9bc95d314

  • SHA512

    6f13249e8c7bf6ff1501403514789f8d6fccf814967148776f53cd26bdea891b892da059bce2c6904947dda457a1a83233c2c81b8c47e8226924b3c2a5baf2c9

  • SSDEEP

    12288:C83NfGboup+VHKBX3jbgS/Wg0MIn7ou8XBKsHKZycUQUfXJvA:C83Nf2kHKlzcS/0MInsu8uZycUfvA

Score
8/10
spywarestealer

Malware Config

Signatures

  • Drops file in Drivers directory 2 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3544
      • C:\Users\Admin\AppData\Local\Temp\f6d1f51d2c5bd7966b571f13975aed053309459a0a18ec84cf0f69d9bc95d314.exe
        "C:\Users\Admin\AppData\Local\Temp\f6d1f51d2c5bd7966b571f13975aed053309459a0a18ec84cf0f69d9bc95d314.exe"
        2⤵
        • Drops file in Drivers directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1004
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2232
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:1856
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4323.bat
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:1192
            • C:\Users\Admin\AppData\Local\Temp\f6d1f51d2c5bd7966b571f13975aed053309459a0a18ec84cf0f69d9bc95d314.exe
              "C:\Users\Admin\AppData\Local\Temp\f6d1f51d2c5bd7966b571f13975aed053309459a0a18ec84cf0f69d9bc95d314.exe"
              4⤵
              • Executes dropped EXE
              PID:3148
          • C:\Windows\Logo1_.exe
            C:\Windows\Logo1_.exe
            3⤵
            • Drops file in Drivers directory
            • Drops startup file
            • Executes dropped EXE
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:3536
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:2080
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:2228
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:4208
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:3196

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe
            Filesize

            251KB

            MD5

            27df0d40429e33df59e61fced7de1435

            SHA1

            e9b8fcd2042eda40526474ee7b207adf5bf903a8

            SHA256

            9e252c3d026541314681db1a8038865cda886902eb57a149b5613dc252ddcac7

            SHA512

            7965301ca8af9e640822a96c77c8a909c56119d319522e0a6cda00d7c4e6c5375b67fe6f6715924b998d74d080b6242343e43fb39642c1f285462a764312832d

            Download Submit

          • C:\Program Files\7-Zip\7z.exe
            Filesize

            577KB

            MD5

            458e6757b39072b70ca4f3b6908a3002

            SHA1

            1161df6f747a578654c9d04667561a59d64fdfaf

            SHA256

            d86fb9fe76c22133e2f323bce1810f55d545f30ebacdf692e7ce6c45a17bab44

            SHA512

            24e048cd183174d98b2358378669b9e5344c01f3f2991508bb1c8f56dddf0879fdd75e3bfbe5fd33c73d3ef9c20f9fa749b7df1c3a5558a61f7c455d20622daf

            Download Submit

          • C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
            Filesize

            643KB

            MD5

            635e9422a0a86f5c7ac989802b0ac448

            SHA1

            3ea9cc1462b063639526a8d278b571f38b846d1d

            SHA256

            a97d8545a6204abf1a179f2098ca8780e92f4448c7a03e62f6c32e8e5e5cb17f

            SHA512

            857c6d683fe1f7a6757420c84efc4f7f48f58e586e601c969ce27e4ded8cad6ca774ef367a1a1e075081c4e2d41f8cdda558fddf5622e062975cfeff5a929133

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\$$a4323.bat
            Filesize

            722B

            MD5

            285eaf1c689bfaca138b2232b3ebc241

            SHA1

            8555b4eb425bf8b433464a7336bfc2f2a3b3efff

            SHA256

            4e1bbd72e71520f1da2023432aef30a96aa63a6e37c00d3cf50c152b52ffd76d

            SHA512

            79a777b14454f532ab48dd535af471e08106ce4f0a365d4395e653fff2dd0e473d06b7a9715af98c0a0595317046b592ec6ebe4323a40054a996035f78f269bc

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\f6d1f51d2c5bd7966b571f13975aed053309459a0a18ec84cf0f69d9bc95d314.exe.exe
            Filesize

            728KB

            MD5

            23e2fc0497edd8195bcae45a1389bf85

            SHA1

            28d2f99739a49cb707f9348cd3195e234c853b1e

            SHA256

            92d70a8fc07cee881009026759a8aaa5debfb64069038f610988719ed3630107

            SHA512

            5ae4c17363aa70cd17532fcf76bdff86d2634956f6e0483e88a14b22ce3e6dd01ad233943409302ab3a858d9d9eddb1a5d6d376f48908b64ed655554abfb2b4c

            Download Submit

          • C:\Windows\Logo1_.exe
            Filesize

            33KB

            MD5

            548b59c56dea702c153092f3c9befd52

            SHA1

            77d37ef5a746ee53d8b7c3ae82c4d2eca3e05d08

            SHA256

            e67be4ca1372399b73443f6f60c634806266796a0c84a22a55fa0080eca30b3f

            SHA512

            0ada1c693a1a40ff9d5407b633a4571268830bfd7edfa7bea370c96675a73269c4861c1c19a7ed478b42e95a91bceb386ce90bd7601cee4ca1076976d00e2e7c

            Download Submit

          • C:\Windows\system32\drivers\etc\hosts
            Filesize

            842B

            MD5

            6f4adf207ef402d9ef40c6aa52ffd245

            SHA1

            4b05b495619c643f02e278dede8f5b1392555a57

            SHA256

            d9704dab05e988be3e5e7b7c020bb9814906d11bb9c31ad80d4ed1316f6bc94e

            SHA512

            a6306bd200a26ea78192ae5b00cc49cfab3fba025fe7233709a4e62db0f9ed60030dce22b34afe57aad86a098c9a8c44e080cedc43227cb87ef4690baec35b47

            Download Submit

          • F:\$RECYCLE.BIN\S-1-5-21-3726321484-1950364574-433157660-1000\_desktop.ini
            Filesize

            8B

            MD5

            1b16d2dbd4281ce4e4e5729c608dcb0b

            SHA1

            851e624080ba5598edb808d4b30fe2d74999ce18

            SHA256

            c9e46fb51d0588ca1e48ca66731e11992770b9b74a982f9bdbb6ce5b5b75d549

            SHA512

            cd1c4cf7c7871cb48ce735226b25f689b340037e6c992441e566161de7fca7410762d1a0c2670ee4b6546f7ee854d3219e0e2315c3e0387d9bbe3f08076b5a59

            Download Submit

          • memory/1004-0-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/1004-11-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/3536-20-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/3536-12-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/3536-5182-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/3536-8730-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download