Overview

overview

8

Static

static

3

25ba409f54...45.exe

windows7-x64

8

25ba409f54...45.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    149s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    22-05-2024 20:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    25ba409f54719204b0cc95c4f522e39892c2cf19acb35df862bf9c47556c1c45.exe

  • Size

    33KB

  • MD5

    54bf44306953a5b6f406e5540e60c7b4

  • SHA1

    5252474cc785229e8b958668a72650a1d5777a4d

  • SHA256

    25ba409f54719204b0cc95c4f522e39892c2cf19acb35df862bf9c47556c1c45

  • SHA512

    17e48d33e3012ae8790af9677434dbbad419c6876388c4b4c9e7178d582e7967b63b5107a85e5a4062656241006c1d6d8d5183f0e20b1a3aa2cb6eff5abf176f

  • SSDEEP

    768:JIm84UElOIEvzMXqtwp/lDTJg/MFksCRsd2u9C9MFWoVaZel:JZ84UaYzMXqtGN/CstC9qVF

Score
8/10
spywarestealer

Malware Config

Signatures

  • Drops file in Drivers directory 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 30 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1192
      • C:\Users\Admin\AppData\Local\Temp\25ba409f54719204b0cc95c4f522e39892c2cf19acb35df862bf9c47556c1c45.exe
        "C:\Users\Admin\AppData\Local\Temp\25ba409f54719204b0cc95c4f522e39892c2cf19acb35df862bf9c47556c1c45.exe"
        2⤵
        • Drops file in Drivers directory
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2452
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2724
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:2460
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:2956
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              4⤵
                PID:2628

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Program Files\7-Zip\7zG.exe
          Filesize

          717KB

          MD5

          18a06ed778227002721e5aab99f6d815

          SHA1

          f4b40dab1e43c5040e5e7e470f5c5f137f33d553

          SHA256

          7b9c638f8cc97eca9a750fe32211de5cc5366b1e319dd3ffbbd7a0a038b3209b

          SHA512

          e2c1c8a31396f3ccd1b4e0d34e04d11703b1c72452cbaf5bde32536d0e34ff338d4740c33c68c5c6020d21dd172b3619e6716bb470f19447de78aa5e09cff752

          Download Submit

        • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
          Filesize

          478KB

          MD5

          e3ed025983edd3f0811b528d691f5aad

          SHA1

          d4dba9af05f4499e9b7b9152b4b79fdc392fea0e

          SHA256

          baabdc56c507e1820de6caf9cfd27eb3298c955fe5725460cfb9b2e833546005

          SHA512

          f0c40858619b35c307a55ecb3647645717a05fc229dcf3af6562720305a38b4ed2e7f4000a50ba44d2644173a1c99c8781859236f497c4d79437d19043914567

          Download Submit

        • F:\$RECYCLE.BIN\S-1-5-21-2297530677-1229052932-2803917579-1000\_desktop.ini
          Filesize

          9B

          MD5

          ef2876ec14bdb3dc085fc3af9311b015

          SHA1

          68b64b46b1ff0fdc9f009d8fffb8ee87c597fa56

          SHA256

          ac2a34b4f2d44d19ca4269caf9f4e71cdb0b95ba8eb89ed52c5bc56eeeb1971c

          SHA512

          c9998caa062ad5b1da853fabb80e88e41d9f96109af89df0309be20469ca8f5be9dd1c08f3c97030e3a487732e82304f60ee2627462e017579da4204bc163c8f

          Download Submit

        • memory/1192-5-0x00000000025D0000-0x00000000025D1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2452-0-0x0000000000400000-0x000000000043E000-memory.dmp

          Filesize

          248KB

          Download

        • memory/2452-9-0x0000000000400000-0x000000000043E000-memory.dmp

          Filesize

          248KB

          Download

        • memory/2452-3256-0x0000000000400000-0x000000000043E000-memory.dmp

          Filesize

          248KB

          Download

        • memory/2452-4078-0x0000000000400000-0x000000000043E000-memory.dmp

          Filesize

          248KB

          Download