Overview

overview

7

Static

static

3

42e5611424...4a.exe

windows7-x64

7

42e5611424...4a.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    106s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07/05/2024, 07:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    42e56114246085fbc6939b370d91cddd0028f36597d262fe6f8a612c2f87214a.exe

  • Size

    666KB

  • MD5

    f3cf1512b1b57c1f6fcda42c95c861e2

  • SHA1

    9b5f982e8462ec971538916de71df4d72847228e

  • SHA256

    42e56114246085fbc6939b370d91cddd0028f36597d262fe6f8a612c2f87214a

  • SHA512

    d144a0d3fa8d84db35540837531ac1878ee197f928c0e3fc749d73fb004f8ea70a81bd5304e84ad03e7afe534b118c7180b1d867ed64c620bfec6203e27aeb6a

  • SSDEEP

    6144:mZi13PC9LRU0ySj14WH+JPb7uL8zRMnJjNhAp7SO8zRMnJjNhAp7S8FRcdEKFVAh:mZi13KPFlTz

Score
7/10
spywarestealer

Malware Config

Signatures

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3456
      • C:\Users\Admin\AppData\Local\Temp\42e56114246085fbc6939b370d91cddd0028f36597d262fe6f8a612c2f87214a.exe
        "C:\Users\Admin\AppData\Local\Temp\42e56114246085fbc6939b370d91cddd0028f36597d262fe6f8a612c2f87214a.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:3112
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2816
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:4000
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a48E0.bat
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:3696
            • C:\Users\Admin\AppData\Local\Temp\42e56114246085fbc6939b370d91cddd0028f36597d262fe6f8a612c2f87214a.exe
              "C:\Users\Admin\AppData\Local\Temp\42e56114246085fbc6939b370d91cddd0028f36597d262fe6f8a612c2f87214a.exe"
              4⤵
              • Executes dropped EXE
              PID:3956
          • C:\Windows\Logo1_.exe
            C:\Windows\Logo1_.exe
            3⤵
            • Drops startup file
            • Executes dropped EXE
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:3152
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:400
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:3140
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:3368
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:1476

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe
            Filesize

            251KB

            MD5

            bd2a4c39fa5c5e2237a6b6936789e171

            SHA1

            437559ce78a3af99d6f8c60dbc53cccdf66c5522

            SHA256

            485bec765fffd6e97d73cde89caaf7bbd4a15fa3618e2bc3a4adb719e64934bd

            SHA512

            c3a0c07182786a9e0f259b814b50fe0bb9b7c911c67b62d5bcebf0e484fc80bd0d0411b598feb9fb25361475afb2105e014e0c698076e83252173ef2bb97c3f9

            Download Submit

          • C:\Program Files\7-Zip\7z.exe
            Filesize

            577KB

            MD5

            10e9f57f09a007793c925746f2e24314

            SHA1

            ecb60857dfaa5c231d7d47e3469129514565000e

            SHA256

            8ba9707be76f15c2ec50199e7f2eba0c060e84be29222e589f38ae831c490557

            SHA512

            17e2f85a315195b6e8879b140f277a4709642d64a6544c0193d2e16eeba0b7525702cdf80fb1945fa16c142e4c9984c0701221a04da3a3ca6dbd73cc49ccf4ed

            Download Submit

          • C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
            Filesize

            643KB

            MD5

            150dead970fbd252be923400f8d8dead

            SHA1

            40dfe9336f9fe6f547c4af09cf3dd0d7839f8ca1

            SHA256

            5487cec24be87e31c77539284b00e1b1aae5744f5006259128e5fccf5f10cb8d

            SHA512

            196b3a9a430d95544e29de8a9f28078c1d9fca6f8c9cb13696b457ffdafe138d00e6c8a463d6d1befc67435e61769cec03a7dd05349a187e26de58c25d88961a

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\$$a48E0.bat
            Filesize

            722B

            MD5

            82697641379d5b3fa6b9c02be499976a

            SHA1

            87f5d017ccf3f27bda109344eb3690e8667748e9

            SHA256

            8d36ce981ae68bf335004d1564588b1662d361e5d3efbc695cded440f2e0db50

            SHA512

            05bbce0b6ae6b66d2192d442be88e700888f11e5323a0871df6c0f5eb48fc73f0a2dcaaf38151c25af911ac1f2129e5116df3f0f1bdb3a6a25f6566feda5f714

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\42e56114246085fbc6939b370d91cddd0028f36597d262fe6f8a612c2f87214a.exe.exe
            Filesize

            633KB

            MD5

            2e0d056ad62b6ef87a091003714fd512

            SHA1

            73150bddb5671c36413d9fbc94a668f132a2edc5

            SHA256

            cb83f04591cc1d602e650dd5c12f4470cf21b04328477bd6a52081f37c04bd7c

            SHA512

            b8e920f8b7547aec6f5771e3e6119b01157e5e36a92c67142b0d73ffe0d501d933581e1fc752e5bba9ce819e3897be9c146bebfc0018e91318b0c99d188a2580

            Download Submit

          • C:\Windows\Logo1_.exe
            Filesize

            33KB

            MD5

            fc56ad3b53a32cf843dbe53ee8abf66e

            SHA1

            35768d13cb7caa162ed3033395f9319810f04474

            SHA256

            e95fdbc4d7a6621fd95e73e112742f39e5ea40417d3e68796dc81b7ea20f1b7b

            SHA512

            91afc304d10dd9d8a81258d2ea4a9991e74f9cd1b890274f7a8b750f9c15970a5902f2ec8bb09dd9ed63760007e0a0816bcf6e7d1a1dc216c7e8fc9415ee2175

            Download Submit

          • F:\$RECYCLE.BIN\S-1-5-21-877519540-908060166-1852957295-1000\_desktop.ini
            Filesize

            8B

            MD5

            4e8103aaf92b5d6abdcdd5fcfdd0ee98

            SHA1

            5e112ca3ca7335ca96c8635a5edc1e488dc0334e

            SHA256

            c22c9cdc7022f1a37fa581dd2f270bfdef9c020ecb64ab36f9f82edabee9e5be

            SHA512

            61099b199e29064b5aad505311746081b9b5ee5b76487ddff1eaf9dfbddb8461677dca70dc04cfc8beadfbafc8a7af4d06d905d0fceb0d8793ace0358d226aea

            Download Submit

          • memory/3112-9-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/3112-0-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/3152-10-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/3152-5180-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/3152-18-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/3152-8730-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download