Overview

overview

8

Static

static

3

dc2b6cab03...aa.exe

windows7-x64

8

dc2b6cab03...aa.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10/05/2024, 02:15

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    dc2b6cab038a5ee8c47b6f877b4704da0786a4bcb1497a43844adadd17bb44aa.exe

  • Size

    577KB

  • MD5

    68a6a34f59ff749de9e4aca05bbc1fa0

  • SHA1

    0228c376a2934591a6e9487ba20f9a2c67190c90

  • SHA256

    dc2b6cab038a5ee8c47b6f877b4704da0786a4bcb1497a43844adadd17bb44aa

  • SHA512

    556c5570fd43d0a1d9eb289fc095c6dbcbbc30ae29a4ae959fc1aef583ab375fff9b043de7477940d44aeb4672e64fa9eee416b0e0e21eb73fd68489d61b5ae7

  • SSDEEP

    6144:Ff46tGdye419E7cV3iwbAFRWAbd4nf0H05yqE6Hl0ChW0+ksllAXBu0lWGWUJJQC:x3NbI7a3iwbihym2g7XO3LWUQfh4Co

Score
8/10
spywarestealer

Malware Config

Signatures

  • Drops file in Drivers directory 2 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3448
      • C:\Users\Admin\AppData\Local\Temp\dc2b6cab038a5ee8c47b6f877b4704da0786a4bcb1497a43844adadd17bb44aa.exe
        "C:\Users\Admin\AppData\Local\Temp\dc2b6cab038a5ee8c47b6f877b4704da0786a4bcb1497a43844adadd17bb44aa.exe"
        2⤵
        • Drops file in Drivers directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1900
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:4272
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:1896
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a48F0.bat
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:4864
            • C:\Users\Admin\AppData\Local\Temp\dc2b6cab038a5ee8c47b6f877b4704da0786a4bcb1497a43844adadd17bb44aa.exe
              "C:\Users\Admin\AppData\Local\Temp\dc2b6cab038a5ee8c47b6f877b4704da0786a4bcb1497a43844adadd17bb44aa.exe"
              4⤵
              • Executes dropped EXE
              PID:740
          • C:\Windows\Logo1_.exe
            C:\Windows\Logo1_.exe
            3⤵
            • Drops file in Drivers directory
            • Drops startup file
            • Executes dropped EXE
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:4180
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:5032
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:772
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:3256
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:3168

          Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Program Files\7-Zip\7z.exe
                  Filesize

                  577KB

                  MD5

                  68a6a34f59ff749de9e4aca05bbc1fa0

                  SHA1

                  0228c376a2934591a6e9487ba20f9a2c67190c90

                  SHA256

                  dc2b6cab038a5ee8c47b6f877b4704da0786a4bcb1497a43844adadd17bb44aa

                  SHA512

                  556c5570fd43d0a1d9eb289fc095c6dbcbbc30ae29a4ae959fc1aef583ab375fff9b043de7477940d44aeb4672e64fa9eee416b0e0e21eb73fd68489d61b5ae7

                  Download Submit

                • C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
                  Filesize

                  644KB

                  MD5

                  51c1eb02821359551eae62ff451ccbb4

                  SHA1

                  917e11eb8a26a033a330a9cee5c5207d0da1109a

                  SHA256

                  9afbb3fd781ea931d8bc856c768fe7af7e440e9f7a29950b5dca44593f0ef04f

                  SHA512

                  062f0c32d3d9b46fc670512a818c88919bcc90a2f7f5bd4910f917a96c42527fd6c28117c366cb66cd6bfa3ec64f5a43aadcaa4bdad01c8d45eb2bfe2c85f5ee

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\$$a48F0.bat
                  Filesize

                  722B

                  MD5

                  9bb053dbf43c5484fe8d30b977d5ac10

                  SHA1

                  743a04106ee2e20ba09300c3f10e7774902393f6

                  SHA256

                  66d627bc8ed9e2cdc6e8e9928b3662fce78b6a746bc7e64b3d386ed17b03bae2

                  SHA512

                  813f114742d8755c08d20bc746ba0cda7185748cceebf3ca0d7955a86730cc07f07224dfe70b3394950359efbc393b192fa3c258847689c18ebc83b5ad1fa0f6

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\dc2b6cab038a5ee8c47b6f877b4704da0786a4bcb1497a43844adadd17bb44aa.exe.exe
                  Filesize

                  544KB

                  MD5

                  9a1dd1d96481d61934dcc2d568971d06

                  SHA1

                  f136ef9bf8bd2fc753292fb5b7cf173a22675fb3

                  SHA256

                  8cebb25e240db3b6986fcaed6bc0b900fa09dad763a56fb71273529266c5c525

                  SHA512

                  7ac1581f8a29e778ba1a1220670796c47fa5b838417f8f635e2cb1998a01515cff3ee57045dacb78a8ec70d43754b970743aba600379fe6d9481958d32d8a5aa

                  Download Submit

                • C:\Windows\Logo1_.exe
                  Filesize

                  33KB

                  MD5

                  4ae178187c14818b14f422c6c887fc5d

                  SHA1

                  1a66d36dc661f5bcc86f995d352f0d094c3c3cb1

                  SHA256

                  f38854d1e223621da707383885c1f2eb5d422c4d8b35a2254cc4df9fdf998799

                  SHA512

                  c810c8f9d1c30837e75c81e5ff3276cfa5beb26f40042eda4a66d8b626e0dd648181a29dcef6aea59456fbea7000870825d8cfd8ac9749429b96781657768868

                  Download Submit

                • C:\Windows\system32\drivers\etc\hosts
                  Filesize

                  842B

                  MD5

                  6f4adf207ef402d9ef40c6aa52ffd245

                  SHA1

                  4b05b495619c643f02e278dede8f5b1392555a57

                  SHA256

                  d9704dab05e988be3e5e7b7c020bb9814906d11bb9c31ad80d4ed1316f6bc94e

                  SHA512

                  a6306bd200a26ea78192ae5b00cc49cfab3fba025fe7233709a4e62db0f9ed60030dce22b34afe57aad86a098c9a8c44e080cedc43227cb87ef4690baec35b47

                  Download Submit

                • F:\$RECYCLE.BIN\S-1-5-21-2539840389-1261165778-1087677076-1000\_desktop.ini
                  Filesize

                  9B

                  MD5

                  4d28283e4d415600ffc2f8fda6d8c91e

                  SHA1

                  053dcb8d5d84b75459bc82d8740ee4684d680016

                  SHA256

                  b855effeaf01610130d3f38de35bc7f98bfc6643d98d4198af18534f048e8df7

                  SHA512

                  73a758cd5e5ac48d62dd89719be604214895e0cc9a10ff7464a6cf9161a37fd27d15dd2d2565f18198b381ac6442bcb36f38614df7b1176061a83616517a7edb

                  Download Submit

                • memory/1900-0-0x0000000000400000-0x000000000043E000-memory.dmp

                  Filesize

                  248KB

                  Download

                • memory/1900-12-0x0000000000400000-0x000000000043E000-memory.dmp

                  Filesize

                  248KB

                  Download

                • memory/4180-10-0x0000000000400000-0x000000000043E000-memory.dmp

                  Filesize

                  248KB

                  Download

                • memory/4180-20-0x0000000000400000-0x000000000043E000-memory.dmp

                  Filesize

                  248KB

                  Download

                • memory/4180-5168-0x0000000000400000-0x000000000043E000-memory.dmp

                  Filesize

                  248KB

                  Download

                • memory/4180-8630-0x0000000000400000-0x000000000043E000-memory.dmp

                  Filesize

                  248KB

                  Download