Overview

overview

8

Static

static

3

afea313fd8...c6.exe

windows7-x64

8

afea313fd8...c6.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-05-2024 22:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    afea313fd8adfe63248910d027d6a9a36c7f0adf9bba95c2ffabb9084990a4c6.exe

  • Size

    93KB

  • MD5

    c8b1afddcc9d1b91f85265978ce9f364

  • SHA1

    f04be173486ac4962e134e9fc474f093c636211b

  • SHA256

    afea313fd8adfe63248910d027d6a9a36c7f0adf9bba95c2ffabb9084990a4c6

  • SHA512

    b05f028b09526944735981684064387451f209655a744d3077e7dc8159ccb7396e8ae73f2b6457f675f796608650756dd2b70b93c25d0297a376a47606627ded

  • SSDEEP

    1536:Jj4UaYzMXqtGN/CstC9qVFeyapmebn4ddJZeY86iLflLJYEIs67rxo:JPaY46tGNFC0VFDLK4ddJMY86ipmns6S

Score
8/10
spywarestealer

Malware Config

Signatures

  • Drops file in Drivers directory 2 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3500
      • C:\Users\Admin\AppData\Local\Temp\afea313fd8adfe63248910d027d6a9a36c7f0adf9bba95c2ffabb9084990a4c6.exe
        "C:\Users\Admin\AppData\Local\Temp\afea313fd8adfe63248910d027d6a9a36c7f0adf9bba95c2ffabb9084990a4c6.exe"
        2⤵
        • Drops file in Drivers directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2012
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:32
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:4132
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a5EE9.bat
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:4512
            • C:\Users\Admin\AppData\Local\Temp\afea313fd8adfe63248910d027d6a9a36c7f0adf9bba95c2ffabb9084990a4c6.exe
              "C:\Users\Admin\AppData\Local\Temp\afea313fd8adfe63248910d027d6a9a36c7f0adf9bba95c2ffabb9084990a4c6.exe"
              4⤵
              • Executes dropped EXE
              PID:2972
          • C:\Windows\Logo1_.exe
            C:\Windows\Logo1_.exe
            3⤵
            • Drops file in Drivers directory
            • Drops startup file
            • Executes dropped EXE
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:3736
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:408
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:3968
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:2020
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:2608

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files\ReadRemove.exe
            Filesize

            375KB

            MD5

            48572b2d0c2ecfb094e561a12ea4f701

            SHA1

            df2072cc57a533bb6764c155a193743d505d3878

            SHA256

            ad5be370b1d5b27e5062b757adc88bac81b32e1916c015327ca3904672260abf

            SHA512

            18fb9dd835dba80c40770c146c745088752b6ae33b598866c87ea83b2688381b95ed291fbf77f19b340e0ee39ae4c32017c11ac6ba633d52f016204f936555b7

            Download Submit

          • C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
            Filesize

            644KB

            MD5

            3908c6f85096d094870328fabaebbe66

            SHA1

            9106bf68a43f77be7cb02afe73fe299b60961153

            SHA256

            864b33d1d5b355ef42f7911c58ec7b33a902815bfbd69d73e7f304ce49ae7ef7

            SHA512

            8ace41dd303c4a5a8caad76e99d3445f7a8e992bd0d74a5ab3e6afd5c5f2d2b52fbf8160d37dd412d9db4d8db018c62b0576975275dd0367dd19397c8b3463b1

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\$$a5EE9.bat
            Filesize

            722B

            MD5

            588a33e23b0982fe9545d9d2dbc69795

            SHA1

            9df258ef8c7dd3dd6e19f6ae593c853d82dfbe09

            SHA256

            2a7d5e171f720d993a9e2c631526327c6077cfd4edf2369a9f82418a04e2a59d

            SHA512

            cdc852c8212797572f798092887cde32f7544af4372ead188c3195d3d3b77f5ca080a22216e849fcae67da7fab95d3ef30cdfb35d2e48d51f51b30935b2fae0c

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\afea313fd8adfe63248910d027d6a9a36c7f0adf9bba95c2ffabb9084990a4c6.exe.exe
            Filesize

            59KB

            MD5

            dfc18f7068913dde25742b856788d7ca

            SHA1

            cbaa23f782c2ddcd7c9ff024fd0b096952a2b387

            SHA256

            ff4ac75c02247000da084de006c214d3dd3583867bd3533ba788e22734c7a2bf

            SHA512

            d0c7ec1dae41a803325b51c12490c355ed779d297daa35247889950491e52427810132f0829fc7ffa3022f1a106f4e4ba78ed612223395313a6f267e9ab24945

            Download Submit

          • C:\Windows\Logo1_.exe
            Filesize

            33KB

            MD5

            72524cf9b862c04eda809519e1ff803e

            SHA1

            31cb19b48f493554e3e8a6d8b8a41854698711e0

            SHA256

            f602e3036944a0423d2c1fd94dea02cbd48e5f64bb346deddb8d8585c0cd2f94

            SHA512

            66e3525b995b673f1b82d88679045379f18e16b10a53a00f4bef9175cb6980c4fce1eba62b92a9b6bb91752142572ee0f8ff3a1a317ddd7b7f7247e5d1059abb

            Download Submit

          • C:\Windows\system32\drivers\etc\hosts
            Filesize

            842B

            MD5

            6f4adf207ef402d9ef40c6aa52ffd245

            SHA1

            4b05b495619c643f02e278dede8f5b1392555a57

            SHA256

            d9704dab05e988be3e5e7b7c020bb9814906d11bb9c31ad80d4ed1316f6bc94e

            SHA512

            a6306bd200a26ea78192ae5b00cc49cfab3fba025fe7233709a4e62db0f9ed60030dce22b34afe57aad86a098c9a8c44e080cedc43227cb87ef4690baec35b47

            Download Submit

          • F:\$RECYCLE.BIN\S-1-5-21-3571316656-3665257725-2415531812-1000\_desktop.ini
            Filesize

            9B

            MD5

            ef2876ec14bdb3dc085fc3af9311b015

            SHA1

            68b64b46b1ff0fdc9f009d8fffb8ee87c597fa56

            SHA256

            ac2a34b4f2d44d19ca4269caf9f4e71cdb0b95ba8eb89ed52c5bc56eeeb1971c

            SHA512

            c9998caa062ad5b1da853fabb80e88e41d9f96109af89df0309be20469ca8f5be9dd1c08f3c97030e3a487732e82304f60ee2627462e017579da4204bc163c8f

            Download Submit

          • memory/2012-0-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/2012-10-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/3736-13-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/3736-20-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/3736-4831-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/3736-8665-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download