Overview

overview

7

Static

static

3

9bc370a0d7...77.exe

windows7-x64

7

9bc370a0d7...77.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    13/05/2024, 14:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9bc370a0d75b03abe343f84c01dd59afc3b5e6f1f3a4233a048da80bd8c93377.exe

  • Size

    66KB

  • MD5

    9cb49d606f65613b8b10490ca2a7eb18

  • SHA1

    c9ebd2a36356363334cb04ac8d7ba26e6a67707e

  • SHA256

    9bc370a0d75b03abe343f84c01dd59afc3b5e6f1f3a4233a048da80bd8c93377

  • SHA512

    d78f09fcb409b65f1536ff8f9d0d004bd94dcf8234778fdfef01cb459d1b6cb1278ff7da81a8b52089993cbab4ec60763b8497e271f9dad0b4e9e50f4dff7ad7

  • SSDEEP

    768:/WPcTO5RroZJ76739sBWsNscWlM3dN9N3ZjfPPNDp+Ozli4BaXP0dByt6O/AkHfB:/iSe+Zk78NR3dN5nPNDfzHa/iSfRmq

Score
7/10
spywarestealer

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 43 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1180
      • C:\Users\Admin\AppData\Local\Temp\9bc370a0d75b03abe343f84c01dd59afc3b5e6f1f3a4233a048da80bd8c93377.exe
        "C:\Users\Admin\AppData\Local\Temp\9bc370a0d75b03abe343f84c01dd59afc3b5e6f1f3a4233a048da80bd8c93377.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2072
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1860
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:2020
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c C:\Users\Admin\AppData\Local\Temp\$$a2AE7.bat
            3⤵
            • Deletes itself
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:3036
            • C:\Users\Admin\AppData\Local\Temp\9bc370a0d75b03abe343f84c01dd59afc3b5e6f1f3a4233a048da80bd8c93377.exe
              "C:\Users\Admin\AppData\Local\Temp\9bc370a0d75b03abe343f84c01dd59afc3b5e6f1f3a4233a048da80bd8c93377.exe"
              4⤵
              • Executes dropped EXE
              PID:2648
          • C:\Windows\Logo1_.exe
            C:\Windows\Logo1_.exe
            3⤵
            • Executes dropped EXE
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:2840
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:2852
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:2656
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:2588
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:2688

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
            Filesize

            478KB

            MD5

            3e2d3392a9d3ae3ed27661f81e853478

            SHA1

            fa8c023a3bff75e89ed39f5d4bfb5693d818ca8b

            SHA256

            09da8a31b7f420b9e4ed6d02e698bcc12a4f3efa46a53d1492a241a5784d44a8

            SHA512

            27652a29d728b92995b8ce46b150cd14baf5b65789591085ef3fa959dbc99efaa071b7a014ccaabeb6e84cdea642769dc98a7a1684afcda9be82dbb0b8d3fa17

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\$$a2AE7.bat
            Filesize

            722B

            MD5

            69937fc0848e757643ee67216995e483

            SHA1

            0944bfc3d40ebc9a3069f58a8b925903a9979960

            SHA256

            0293053c8337323540c64b0dcf8ae2d329e9d847dffdd9d4a4ee8426c0ad1baf

            SHA512

            170b9d801dfe9d71e3b1e14cffc848cac11de36b0f2b64e7ca34008f5afe46d8d1463ab596e08adb7fe26c36d0990570ef9b16df230392f06f94c097ad34b86a

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\9bc370a0d75b03abe343f84c01dd59afc3b5e6f1f3a4233a048da80bd8c93377.exe.exe
            Filesize

            33KB

            MD5

            aa8eced8b0c3b3722e8958b79a4c6296

            SHA1

            4ff7ef88e26a40675f194b7f07e1bf8f3350ba07

            SHA256

            91e0b1b49ace92844e5a9afffcf2fb584cfec9f548e58ef57e3dd37dfd19f638

            SHA512

            6f2f104befbeefa821b86d47ec256f7b13ae8f00a7cbd5d724a7bdfd20c94c5cb53c654b5637b3c7ae4fc3cd2f10d6332bf08d85af718201068a985214322698

            Download Submit

          • C:\Windows\Logo1_.exe
            Filesize

            33KB

            MD5

            f45e6c5efcb60796280b160b181a07dc

            SHA1

            8d175dae2c97edaedeb1693ab2f1b4a9b9d981d4

            SHA256

            7447829ed8519dd4ee03c37defff6d9c5f2bf06e2ae605da9efece0c495f5844

            SHA512

            1165d2d74f5a0dddd6d99f320c4563a1625da3b8125243baee289ce747c1665766e8dcdd6ae259e11efff5b27e572a8f432c3a85260d677874c7e1dbbcf5d088

            Download Submit

          • F:\$RECYCLE.BIN\S-1-5-21-268080393-3149932598-1824759070-1000\_desktop.ini
            Filesize

            9B

            MD5

            392ab9dcf5a9daf53626ea1f2e61d0b9

            SHA1

            0a2cdc7f8f9edf33f9fde3f8b90e0020190c8fb7

            SHA256

            9bbc94aad502d7d7a7f502ddb9cbd93b1c89eff13e445971c94ac09215ada67d

            SHA512

            5d1fea63a7793a65dc63c32cfe3ab2e1af941ded8e760f08fbe991e5b30433f86f920d717235a635020740c8f6f7996b4b8e8147e331b29141fcbb7bdc68144d

            Download Submit

          • memory/1180-29-0x00000000024D0000-0x00000000024D1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2072-18-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/2072-17-0x00000000002E0000-0x000000000031F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/2072-15-0x00000000002E0000-0x000000000031F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/2072-0-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/2840-21-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/2840-33-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/2840-3348-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/2840-4173-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download