Overview

overview

7

Static

static

3

548573315a...94.exe

windows7-x64

7

548573315a...94.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08/05/2024, 06:15

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    548573315a92fb81472044a8a3befd16db41b74e1380c4854e1f80eb4af47194.exe

  • Size

    375KB

  • MD5

    8a53e55f848e6ceb13afddbcbb9b39f8

  • SHA1

    d50aa4841036b1aa887f1d90169d57e7d1c6dc11

  • SHA256

    548573315a92fb81472044a8a3befd16db41b74e1380c4854e1f80eb4af47194

  • SHA512

    c21fc22494e883caea6b9f1608514c3805dd08ae0cb37734af0e639bc74b4017149e574ad32bdda43cce6d0e5b3c71381349015d47f95c85b4a7f69a06838d5b

  • SSDEEP

    6144:3+azbRZvUzU66bkWmchVySqkvAH3qo0wWJC6G/SMT4FWqC:3+azbv8U66b5zhVymA/XSRh

Score
7/10
spywarestealer

Malware Config

Signatures

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3424
      • C:\Users\Admin\AppData\Local\Temp\548573315a92fb81472044a8a3befd16db41b74e1380c4854e1f80eb4af47194.exe
        "C:\Users\Admin\AppData\Local\Temp\548573315a92fb81472044a8a3befd16db41b74e1380c4854e1f80eb4af47194.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:4440
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2948
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:1212
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a5554.bat
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:4588
            • C:\Users\Admin\AppData\Local\Temp\548573315a92fb81472044a8a3befd16db41b74e1380c4854e1f80eb4af47194.exe
              "C:\Users\Admin\AppData\Local\Temp\548573315a92fb81472044a8a3befd16db41b74e1380c4854e1f80eb4af47194.exe"
              4⤵
              • Executes dropped EXE
              PID:1720
          • C:\Windows\Logo1_.exe
            C:\Windows\Logo1_.exe
            3⤵
            • Drops startup file
            • Executes dropped EXE
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:556
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:4088
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:3580
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:3096
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:3284

          Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
                  Filesize

                  264KB

                  MD5

                  7e8d260b6f6d3e2ed90a45ad6e671cfd

                  SHA1

                  2f02e8344b8d67c341718f8a7cc1a6d823292f65

                  SHA256

                  7d6114b9b8de59192679b62096eff3ba7d218f77b481c0e48f04571da1836ae9

                  SHA512

                  2cf1c2894b0f6dd5c6d16af22ef36bd09cf357aba32150394cac1c40e19e31f8408e31fa5525561cbcf93eae996b2ca4778c95ff6439303981df3be212a7878e

                  Download Submit

                • C:\Program Files\7-Zip\7z.exe
                  Filesize

                  583KB

                  MD5

                  01ddab071487b398009e520d9e6a57ed

                  SHA1

                  a08bc91d1e7593fa054a51615ba178138db746c8

                  SHA256

                  2586cad9de88fa627bd7bcc4b952c9f5757aa0c42888e71ed56eef238c161b8d

                  SHA512

                  933cc70dfb8596d98829c61de84e8b1b80ab463522cd64881357bee335cea7c7e8e516df46f5c48569ec21c6a8111057bf2ce9bc411636b9e4f831193f87a73a

                  Download Submit

                • C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
                  Filesize

                  649KB

                  MD5

                  e4b4c486987a76abb8a18c33b36514b5

                  SHA1

                  1c83216295cfc852c1a35198e31d8d385efd373a

                  SHA256

                  30f0474b455caa56bfb989bfcc04bb4db00f81857c28657f3fecf1dbcc6eb5dc

                  SHA512

                  f8532180a32b17153626d9879a93159132b2e10708e81aec83c995a8e9b642d5b6ccdd1db676c92302bdd5bb97726e670876490e97d65b27865ea7e72c8c4515

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\$$a5554.bat
                  Filesize

                  722B

                  MD5

                  dc1066e2d77067d94707bb2f86c23fcc

                  SHA1

                  f89b43ca9b1d9c98917224b397bab9ac87da59b3

                  SHA256

                  88736d543fd59eec035bbbef34085fd97c5b275dd32e7e089ee4002a3e5dcc2b

                  SHA512

                  b2245397a6a87ce218f74c0e7038feb108f08ee5f379be91f345e265989004f24c4c11ee24419ec207fdf28beb5a59f9989f7ad5f3a7dbf700bf1ff678b12eff

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\548573315a92fb81472044a8a3befd16db41b74e1380c4854e1f80eb4af47194.exe.exe
                  Filesize

                  335KB

                  MD5

                  40ac62c087648ccc2c58dae066d34c98

                  SHA1

                  0e87efb6ddfe59e534ea9e829cad35be8563e5f7

                  SHA256

                  482c4c1562490e164d5f17990253373691aa5eab55a81c7f890fe9583a9ea916

                  SHA512

                  0c1ff13ff88409d54fee2ceb07fe65135ce2a9aa6f8da51ac0158abb2cfbb3a898ef26f476931986f1367622f21a7c0b0e742d0f4de8be6e215596b0d88c518f

                  Download Submit

                • C:\Windows\Logo1_.exe
                  Filesize

                  39KB

                  MD5

                  47ec98bc87cb912543336ed8e6046f36

                  SHA1

                  72ef5db4c258a4b74bfa2049178a007f4eed7731

                  SHA256

                  57bfa721e69f4e1a59b6b0c14c0f1b60b5c67b1a2f90dcb14ff4c6f2d9ec9df4

                  SHA512

                  e5f03aa980594cbca251eb2723514096ee8cc9b65327d37df3794cb6768666ca848a32d47d8992647cace51ba1f96fa38f9329da346148092230af3fe3f7b8e5

                  Download Submit

                • F:\$RECYCLE.BIN\S-1-5-21-3571316656-3665257725-2415531812-1000\_desktop.ini
                  Filesize

                  8B

                  MD5

                  ec89b9cba2f5e7b9394fdd901d6c3977

                  SHA1

                  63b0db3abcd08b863a9a3944799b41efa264db40

                  SHA256

                  2b4efa4e113d3044c8e47f59a7b75225cc7736c2fa28f9e52949b9441f3d77ca

                  SHA512

                  901f7d44754e59fba0b1b90341927744f670463f4d18e2694617f74fe4e3f456e9088530bccc16e758fc67a23f91380a3655121ba911e8ff5173f3ac4cb0f1d2

                  Download Submit

                • memory/556-18-0x0000000000400000-0x000000000043D000-memory.dmp

                  Filesize

                  244KB

                  Download

                • memory/556-4850-0x0000000000400000-0x000000000043D000-memory.dmp

                  Filesize

                  244KB

                  Download

                • memory/556-9-0x0000000000400000-0x000000000043D000-memory.dmp

                  Filesize

                  244KB

                  Download

                • memory/556-8709-0x0000000000400000-0x000000000043D000-memory.dmp

                  Filesize

                  244KB

                  Download

                • memory/4440-0-0x0000000000400000-0x000000000043D000-memory.dmp

                  Filesize

                  244KB

                  Download

                • memory/4440-11-0x0000000000400000-0x000000000043D000-memory.dmp

                  Filesize

                  244KB

                  Download