Analysis

  • max time kernel
    149s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    08/05/2024, 15:37

General

  • Target

    2e77a08e9801594b1f91a8467a15f4e3078d4a9804e3a25567ac0f6a594f6eb1.exe

  • Size

    40KB

  • MD5

    ee15a6a567557bb41533caabe57892ef

  • SHA1

    9507149eb9a8a36be2fddca32ffc2ee56b1c0712

  • SHA256

    2e77a08e9801594b1f91a8467a15f4e3078d4a9804e3a25567ac0f6a594f6eb1

  • SHA512

    41c4fcfc250209b1bf9e3d4d99030ff558a46089083ef92b23f924e7c6de8d9a2dcc8013957183bf544bdff2fa3ddfd5198511c2f19989f2736bef73a8adc9e4

  • SSDEEP

    768:gPL2NETPfY+Vxr1x5cE9Fl5pz8hY16sFpmqraWrUE0PNNj56F3Bk7LpQL:gLPQsrz8haFpmqr76/Y3WLp

Score
7/10

Malware Config

Signatures

  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates connected drives (3 TTPs, 21 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory (64 IoCs)
  • Drops file in Windows directory (2 IoCs)
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses (30 IoCs)
  • Suspicious use of WriteProcessMemory (18 IoCs)

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1112
      • C:\Users\Admin\AppData\Local\Temp\2e77a08e9801594b1f91a8467a15f4e3078d4a9804e3a25567ac0f6a594f6eb1.exe
        "C:\Users\Admin\AppData\Local\Temp\2e77a08e9801594b1f91a8467a15f4e3078d4a9804e3a25567ac0f6a594f6eb1.exe"
        2⤵
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2156
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1708
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:1032
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:1632
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              4⤵
                PID:2540

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

    Filesize
    265KB

    MD5
    144a07f0eb9ee08baff92603553bb51b

    SHA1
    0cf1b6d320f8f167584209cd250c1d2e8fb31aaf

    SHA256
    796386a95ca9b7bd73cdeeb4a5974272cb2aee380a9176213e7f90930ada8506

    SHA512
    712139a7c7ba2f695d3a96440ea855505ad7b80b05657e1c31f1254168de57a2d688f21333751fe9fa4f3a6d439a506214894358aa0578a807ade561fa5050ae

  • C:\Program Files\7-Zip\7zG.exe

    Filesize
    724KB

    MD5
    91c048de8e92fe418a558a6716512b7a

    SHA1
    094e7697c10666e4c5f7047962d91bdbeb0435cd

    SHA256
    b7e78e71b30ae8416e0e20aa97910b2179ae9d9886dc121372129b808b49afbf

    SHA512
    1675fac2280ce8d53d1f340c3b2f2eab5c4ed948c8dd41d3824107fc6811fb7a3af165ea03615c958c2c6d17c9002c3bc1f736d134d233b82c96663032c658d9

  • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

    Filesize
    485KB

    MD5
    3ac7773258fe0684e8a28f3793a74ed3

    SHA1
    316fba91c21ea13e4576a5eeec832fd585c31ca0

    SHA256
    9f41dbbbdf4edcf63ba6262af0ae0d9a13874d0e008522af866f12f3e71b198f

    SHA512
    8d2647018107b940fe80b5ab979570b9f255764195976272b8c2ee8640b0e91493d5e7fa598b4ce29bda8f87cf495c6c71fd62734d51761b04bb5127eb5b2b4a

  • F:\$RECYCLE.BIN\S-1-5-21-2297530677-1229052932-2803917579-1000\_desktop.ini

    Filesize
    8B

    MD5
    ec89b9cba2f5e7b9394fdd901d6c3977

    SHA1
    63b0db3abcd08b863a9a3944799b41efa264db40

    SHA256
    2b4efa4e113d3044c8e47f59a7b75225cc7736c2fa28f9e52949b9441f3d77ca

    SHA512
    901f7d44754e59fba0b1b90341927744f670463f4d18e2694617f74fe4e3f456e9088530bccc16e758fc67a23f91380a3655121ba911e8ff5173f3ac4cb0f1d2

  • memory/1112-3-0x0000000002CF0000-0x0000000002CF1000-memory.dmp

    Filesize
    4KB

  • memory/2156-0-0x0000000000400000-0x000000000043F000-memory.dmp

    Filesize
    252KB

  • memory/2156-7-0x0000000000400000-0x000000000043F000-memory.dmp

    Filesize
    252KB

  • memory/2156-3294-0x0000000000400000-0x000000000043F000-memory.dmp

    Filesize
    252KB

  • memory/2156-4116-0x0000000000400000-0x000000000043F000-memory.dmp

    Filesize
    252KB