Overview

overview

7

Static

static

3

548573315a...94.exe

windows7-x64

7

548573315a...94.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    117s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    08/05/2024, 06:15

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    548573315a92fb81472044a8a3befd16db41b74e1380c4854e1f80eb4af47194.exe

  • Size

    375KB

  • MD5

    8a53e55f848e6ceb13afddbcbb9b39f8

  • SHA1

    d50aa4841036b1aa887f1d90169d57e7d1c6dc11

  • SHA256

    548573315a92fb81472044a8a3befd16db41b74e1380c4854e1f80eb4af47194

  • SHA512

    c21fc22494e883caea6b9f1608514c3805dd08ae0cb37734af0e639bc74b4017149e574ad32bdda43cce6d0e5b3c71381349015d47f95c85b4a7f69a06838d5b

  • SSDEEP

    6144:3+azbRZvUzU66bkWmchVySqkvAH3qo0wWJC6G/SMT4FWqC:3+azbv8U66b5zhVymA/XSRh

Score
7/10
spywarestealer

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 43 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1204
      • C:\Users\Admin\AppData\Local\Temp\548573315a92fb81472044a8a3befd16db41b74e1380c4854e1f80eb4af47194.exe
        "C:\Users\Admin\AppData\Local\Temp\548573315a92fb81472044a8a3befd16db41b74e1380c4854e1f80eb4af47194.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2856
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2508
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:2160
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c C:\Users\Admin\AppData\Local\Temp\$$a21B4.bat
            3⤵
            • Deletes itself
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:2556
            • C:\Users\Admin\AppData\Local\Temp\548573315a92fb81472044a8a3befd16db41b74e1380c4854e1f80eb4af47194.exe
              "C:\Users\Admin\AppData\Local\Temp\548573315a92fb81472044a8a3befd16db41b74e1380c4854e1f80eb4af47194.exe"
              4⤵
              • Executes dropped EXE
              PID:2744
          • C:\Windows\Logo1_.exe
            C:\Windows\Logo1_.exe
            3⤵
            • Executes dropped EXE
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:2536
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:2532
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:2436
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:2296
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:2452

          Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
                  Filesize

                  264KB

                  MD5

                  7e8d260b6f6d3e2ed90a45ad6e671cfd

                  SHA1

                  2f02e8344b8d67c341718f8a7cc1a6d823292f65

                  SHA256

                  7d6114b9b8de59192679b62096eff3ba7d218f77b481c0e48f04571da1836ae9

                  SHA512

                  2cf1c2894b0f6dd5c6d16af22ef36bd09cf357aba32150394cac1c40e19e31f8408e31fa5525561cbcf93eae996b2ca4778c95ff6439303981df3be212a7878e

                  Download Submit

                • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
                  Filesize

                  484KB

                  MD5

                  79d4fd1cb70f3844796aa1ea18a238e2

                  SHA1

                  78d207a7de2aeb85eefc185d894b0b7626e1e1f3

                  SHA256

                  ccaacc3965c1bdfce8cd1e934895a4563dddf082016e56846966c250bed87d5b

                  SHA512

                  7a0167cbce49f09ea39e490862b8c371eacf8ce3d74d6a6054e7f0e1df4b307019f5adee03603fcb9d4db2b17841cbc9cf129e9480d70b20c266fe82b3979b33

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\$$a21B4.bat
                  Filesize

                  722B

                  MD5

                  54abfa14e491b218c6ded47782baca33

                  SHA1

                  60a162f5fcdf041864e50b3e0c17f06451f53394

                  SHA256

                  5798fa0db30904ffb8ca12e57a5b145f16da4eec674a0b2a0fa47eb27eacf13e

                  SHA512

                  c6e12066c1eabe502131376602d06266a97241b8719b086ad0c85968938baab65edc19856a2bc52b9bbdaf552dd07d7b109cccddf3f126b08091ed4617917d92

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\548573315a92fb81472044a8a3befd16db41b74e1380c4854e1f80eb4af47194.exe.exe
                  Filesize

                  335KB

                  MD5

                  40ac62c087648ccc2c58dae066d34c98

                  SHA1

                  0e87efb6ddfe59e534ea9e829cad35be8563e5f7

                  SHA256

                  482c4c1562490e164d5f17990253373691aa5eab55a81c7f890fe9583a9ea916

                  SHA512

                  0c1ff13ff88409d54fee2ceb07fe65135ce2a9aa6f8da51ac0158abb2cfbb3a898ef26f476931986f1367622f21a7c0b0e742d0f4de8be6e215596b0d88c518f

                  Download Submit

                • C:\Windows\Logo1_.exe
                  Filesize

                  39KB

                  MD5

                  47ec98bc87cb912543336ed8e6046f36

                  SHA1

                  72ef5db4c258a4b74bfa2049178a007f4eed7731

                  SHA256

                  57bfa721e69f4e1a59b6b0c14c0f1b60b5c67b1a2f90dcb14ff4c6f2d9ec9df4

                  SHA512

                  e5f03aa980594cbca251eb2723514096ee8cc9b65327d37df3794cb6768666ca848a32d47d8992647cace51ba1f96fa38f9329da346148092230af3fe3f7b8e5

                  Download Submit

                • F:\$RECYCLE.BIN\S-1-5-21-1298544033-3225604241-2703760938-1000\_desktop.ini
                  Filesize

                  8B

                  MD5

                  ec89b9cba2f5e7b9394fdd901d6c3977

                  SHA1

                  63b0db3abcd08b863a9a3944799b41efa264db40

                  SHA256

                  2b4efa4e113d3044c8e47f59a7b75225cc7736c2fa28f9e52949b9441f3d77ca

                  SHA512

                  901f7d44754e59fba0b1b90341927744f670463f4d18e2694617f74fe4e3f456e9088530bccc16e758fc67a23f91380a3655121ba911e8ff5173f3ac4cb0f1d2

                  Download Submit

                • memory/1204-28-0x0000000002E30000-0x0000000002E31000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/2536-20-0x0000000000400000-0x000000000043D000-memory.dmp

                  Filesize

                  244KB

                  Download

                • memory/2536-32-0x0000000000400000-0x000000000043D000-memory.dmp

                  Filesize

                  244KB

                  Download

                • memory/2536-3319-0x0000000000400000-0x000000000043D000-memory.dmp

                  Filesize

                  244KB

                  Download

                • memory/2536-4144-0x0000000000400000-0x000000000043D000-memory.dmp

                  Filesize

                  244KB

                  Download

                • memory/2856-17-0x0000000000400000-0x000000000043D000-memory.dmp

                  Filesize

                  244KB

                  Download

                • memory/2856-0-0x0000000000400000-0x000000000043D000-memory.dmp

                  Filesize

                  244KB

                  Download

                • memory/2856-15-0x0000000001C80000-0x0000000001CBD000-memory.dmp

                  Filesize

                  244KB

                  Download