Overview

overview

8

Static

static

3

41ad149f60...df.exe

windows7-x64

8

41ad149f60...df.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23/05/2024, 11:18

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    41ad149f60dd7bae69148e3b40baffb0fceb8c8e2104f64660969a2b63f380df.exe

  • Size

    367KB

  • MD5

    def4836b6232998a6986414348449b90

  • SHA1

    812b170840100f737d26c0e7372383669286018b

  • SHA256

    41ad149f60dd7bae69148e3b40baffb0fceb8c8e2104f64660969a2b63f380df

  • SHA512

    162e21adf04e30c30caaa2f216a0970ceeb66f80fb69e4e019264c8bb299450b848c225e84bdc9588f4563cfd422d8c5c9c96a6ad3759c481c000621c6e0f95e

  • SSDEEP

    6144:s46tGdy1ZCH9L5d5ezLqIFQSDdABbSbIrx1L1l3ERF:s3N1ZCH9Eq+0BbSox1QF

Score
8/10
spywarestealer

Malware Config

Signatures

  • Drops file in Drivers directory 2 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3456
      • C:\Users\Admin\AppData\Local\Temp\41ad149f60dd7bae69148e3b40baffb0fceb8c8e2104f64660969a2b63f380df.exe
        "C:\Users\Admin\AppData\Local\Temp\41ad149f60dd7bae69148e3b40baffb0fceb8c8e2104f64660969a2b63f380df.exe"
        2⤵
        • Drops file in Drivers directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:3088
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:4832
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:3548
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a6CE3.bat
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:988
            • C:\Users\Admin\AppData\Local\Temp\41ad149f60dd7bae69148e3b40baffb0fceb8c8e2104f64660969a2b63f380df.exe
              "C:\Users\Admin\AppData\Local\Temp\41ad149f60dd7bae69148e3b40baffb0fceb8c8e2104f64660969a2b63f380df.exe"
              4⤵
              • Executes dropped EXE
              • Suspicious use of SetWindowsHookEx
              PID:2712
          • C:\Windows\Logo1_.exe
            C:\Windows\Logo1_.exe
            3⤵
            • Drops file in Drivers directory
            • Drops startup file
            • Executes dropped EXE
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:3568
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:1544
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:3220
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:3764
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:2948

          Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
                  Filesize

                  258KB

                  MD5

                  e5f3998bc1c22dc6c2154324ab8b8a88

                  SHA1

                  8acf8da53c10a9fab6b724f7a68d3bde5e604cfa

                  SHA256

                  81f9b42615679d706c582a9e907676b579a085efaf344b1b5bf84049863f1ae3

                  SHA512

                  a8ba3a323a02852e054eacce19bb948b4a7a5f162d31e65ff051b4e6f616b4876dd90363dca963b3cb17f9cccf7db8210b7c8782bfddd6eaa561db3727275238

                  Download Submit

                • C:\Program Files\7-Zip\7z.exe
                  Filesize

                  577KB

                  MD5

                  d52ceaa1ee5b9400196c358deb52a00d

                  SHA1

                  f67ccf882e4f8e0c4bb13dcd7a1eee282e54e896

                  SHA256

                  321cc62309a93d55bcb78c6bda3158ef36dcea5a20d34886ad475de4723a9cc6

                  SHA512

                  2b759e053c4f952e79d6999c3f64571422e2fe5a1737e30131240c32d70fed8c301db56d9f23c28b1a6a98a6eb1dd46e1a38afa957a9638ce9ed2ec6ce7183be

                  Download Submit

                • C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
                  Filesize

                  644KB

                  MD5

                  d9b62e4240dd99918ec39a90574fcc1e

                  SHA1

                  aca7b6d133487779dad04399979342285ac7ac74

                  SHA256

                  3c9be9eeff4911ecb235ec57a0c90c6db74b371d45c7a6fae2afac78a1bf1391

                  SHA512

                  8980894349e1d3708f8176fcfc23675061d402126a77af27e6eb61d4d67d41bb2b1e743865f1626a77cca89aff29aa24d21c8cf3f879aba9bd8c0b9a035b8026

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\$$a6CE3.bat
                  Filesize

                  722B

                  MD5

                  52624e4f6dd0d5ce38249fc0c495c840

                  SHA1

                  854669a3c2b4a9d689e5c1e30cf60a0c2ee824c6

                  SHA256

                  2a35352fd96b47cff205c6133c8d9ef7bb163e10543ff7d6640ea6cb4b8f6768

                  SHA512

                  80a6c5989a1915e5978fc00a26c68984761225673e9dbec3adfe3f9c0886851c72e0bbd67c8b83f908589df4b6303610d62aad348f47d3b0fae9735323e462a8

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\41ad149f60dd7bae69148e3b40baffb0fceb8c8e2104f64660969a2b63f380df.exe.exe
                  Filesize

                  333KB

                  MD5

                  e5b38b9828293047f0352f7a38a22fb1

                  SHA1

                  681311628ac93f84371b2a069fa220dc89a3f672

                  SHA256

                  b85aeeaede189d9f56c843281a492cd8ada329f0b5b8b03d5a813eba3a290b61

                  SHA512

                  ed3e369451b938a556fb561afd6fd3ff5cfc93e386b035014fd4824a808f1e92e6d095ab33c340e6cd64ee00122fbd882abbcf0e15f3ffdb29a4fb9febe42920

                  Download Submit

                • C:\Windows\Logo1_.exe
                  Filesize

                  33KB

                  MD5

                  2153cf354da7c307172859614f3a9c3b

                  SHA1

                  2a629da1c13602d6e88d71f9cfb19b7905c73516

                  SHA256

                  211a8f8795cc63347bc74cdf2769606e087f73dc885dcde698c5c332be261d75

                  SHA512

                  d4f19b8eb6933334d0267b7ab71066bc81af6b52302e70ed3ac7fe0d8164b4cbe1020f2a7b844031fc326a07e9e155c4b3754a560996c585d31ea28ed9c644ac

                  Download Submit

                • C:\Windows\system32\drivers\etc\hosts
                  Filesize

                  842B

                  MD5

                  6f4adf207ef402d9ef40c6aa52ffd245

                  SHA1

                  4b05b495619c643f02e278dede8f5b1392555a57

                  SHA256

                  d9704dab05e988be3e5e7b7c020bb9814906d11bb9c31ad80d4ed1316f6bc94e

                  SHA512

                  a6306bd200a26ea78192ae5b00cc49cfab3fba025fe7233709a4e62db0f9ed60030dce22b34afe57aad86a098c9a8c44e080cedc43227cb87ef4690baec35b47

                  Download Submit

                • F:\$RECYCLE.BIN\S-1-5-21-4124900551-4068476067-3491212533-1000\_desktop.ini
                  Filesize

                  9B

                  MD5

                  31874817e0fb055be8d2c971c0e3bbde

                  SHA1

                  ee8a35d6a86cb6d13f354d67d912e194bb09c74b

                  SHA256

                  94de8b492bc2db9a9592f7c9433547eb7f80826ed67f48d2bb7e22db9d49f544

                  SHA512

                  55747c69ae50fa212576d095f60cf33b42e26789cf8c34fc5120a45b1988aae95f91d9e37cb17298c5ac5243b2e4c40e1d0e084ce7fe14bceb4ebb318c65c944

                  Download Submit

                • memory/3088-0-0x0000000000400000-0x000000000043E000-memory.dmp

                  Filesize

                  248KB

                  Download

                • memory/3088-12-0x0000000000400000-0x000000000043E000-memory.dmp

                  Filesize

                  248KB

                  Download

                • memory/3568-20-0x0000000000400000-0x000000000043E000-memory.dmp

                  Filesize

                  248KB

                  Download

                • memory/3568-13-0x0000000000400000-0x000000000043E000-memory.dmp

                  Filesize

                  248KB

                  Download

                • memory/3568-5178-0x0000000000400000-0x000000000043E000-memory.dmp

                  Filesize

                  248KB

                  Download

                • memory/3568-8649-0x0000000000400000-0x000000000043E000-memory.dmp

                  Filesize

                  248KB

                  Download