Overview

overview

8

Static

static

3

453372644a...06.exe

windows7-x64

8

453372644a...06.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    150s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags

    arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
  • submitted
    23/05/2024, 12:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    453372644a62bd510b86cb5da7c7591833df095280aa9650287359fa5967a806.exe

  • Size

    1.4MB

  • MD5

    098bafba016c54de4e4da3806a1815bf

  • SHA1

    8b458a9943f3e57807955d894525384d966135c6

  • SHA256

    453372644a62bd510b86cb5da7c7591833df095280aa9650287359fa5967a806

  • SHA512

    01a6c9cce804e168c4595cbfaa904b21bafc04f64c7d8f41af44e647b404311eb282eb4ca04240b8aa45e34b3b8dc0ee5971d41c9e619a4d6f1194d6fcb77357

  • SSDEEP

    24576:i3NmLZmQR3caJZLZmvNzc0TDZodoSRsfHMbvmQakU:idiZmQyaJ1ZmFcqi+SRAG+J

Score
8/10
spywarestealer

Malware Config

Signatures

  • Drops file in Drivers directory 2 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 43 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1116
      • C:\Users\Admin\AppData\Local\Temp\453372644a62bd510b86cb5da7c7591833df095280aa9650287359fa5967a806.exe
        "C:\Users\Admin\AppData\Local\Temp\453372644a62bd510b86cb5da7c7591833df095280aa9650287359fa5967a806.exe"
        2⤵
        • Drops file in Drivers directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2248
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1708
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:1444
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c C:\Users\Admin\AppData\Local\Temp\$$a9B1.bat
            3⤵
            • Deletes itself
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:2616
            • C:\Users\Admin\AppData\Local\Temp\453372644a62bd510b86cb5da7c7591833df095280aa9650287359fa5967a806.exe
              "C:\Users\Admin\AppData\Local\Temp\453372644a62bd510b86cb5da7c7591833df095280aa9650287359fa5967a806.exe"
              4⤵
              • Executes dropped EXE
              PID:2500
          • C:\Windows\Logo1_.exe
            C:\Windows\Logo1_.exe
            3⤵
            • Drops file in Drivers directory
            • Executes dropped EXE
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:2668
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:2176
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:2488
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:2684
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:2512

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
            Filesize

            258KB

            MD5

            a389cb0f00dfd2e48dd91b2bd099de9a

            SHA1

            4714e5c470a195516170b13ba41d6d54ee79f37c

            SHA256

            e30b8c7f851994e28ece48dc0ddeb66bb97e096eb7212812d66631e3b48246cc

            SHA512

            c7d2e9f190cdaf6bb69ea19d7993d816d609c8e7ab7d217d9df33be3563239e299d18499f345b2393778b0f8afa4e9be660fc57dae62f2b7434b9cb90b9ad6b7

            Download Submit

          • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
            Filesize

            478KB

            MD5

            5a4669bf1382e7b9672b287ef6a5d990

            SHA1

            582120da714e9bd8783dcb8fa5218260f35e7399

            SHA256

            4b4df892d26fed910b2a4556a21b9da130c9af659b79b0411a30fe6c90b74820

            SHA512

            c9b970be0d22e5c8b94bcc6569fbf8570b924ce7dfe1a36b0cc5ee221448af4a1b6016a8891c1bd421040d3cdf8b3b79dae693b4003fac90354f2bea5361b1da

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\$$a9B1.bat
            Filesize

            721B

            MD5

            8770d8da33ddcfb2588d047f7b1578ca

            SHA1

            b1c0893c446d9461359f275ccdcc63edc3f7766e

            SHA256

            3775ce503033c1c371f22b8aa6affb9551b26c3bb0a67f81cc8853e66c30a3b2

            SHA512

            06247241eabf3b9ce304fbff18c5dfab7dfca2441de589e9e7b49a4123a75787487f9e1458188551cb641ce917b94bb375763a6cab6bbd0cce9017e96ba9ef1d

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\453372644a62bd510b86cb5da7c7591833df095280aa9650287359fa5967a806.exe.exe
            Filesize

            1.4MB

            MD5

            15e52f52ed2b8ed122fae897119687c4

            SHA1

            6e35ae1d5b6f192109d7a752acd939f5ca2b97a6

            SHA256

            8cfb55087fa8e4c1e7bcc580d767cf2c884c1b8c890ad240c1e7009810af6736

            SHA512

            338c12af5af509c19932619007ab058e0e97b65fe32609f14d29f6cc7818814dbdbb8613f81146a10a78197b3f6fbc435fab9fe1537d1eb83c30b9f4487b6aea

            Download Submit

          • C:\Windows\Logo1_.exe
            Filesize

            33KB

            MD5

            433a682a57f792e39d4cefb612d5a4ba

            SHA1

            20e44932ad602cf24e2556797b88b065296f4f23

            SHA256

            9b80ad539947f80b714bf1c2fca19441f6b2529eade8938a45ad84b82b4c8bf9

            SHA512

            f3dedeeb30f9c8bdeb331961a498fca00b273f17920b760455ad5fae17a20d17f474b73d24097fc8241dacfeb7113a0c4570eaa000a41ffd98673f935f8bec14

            Download Submit

          • C:\Windows\system32\drivers\etc\hosts
            Filesize

            832B

            MD5

            7e3a0edd0c6cd8316f4b6c159d5167a1

            SHA1

            753428b4736ffb2c9e3eb50f89255b212768c55a

            SHA256

            1965854dfa54c72529c88c7d9f41fa31b4140cad04cf03d3f0f2e7601fcbdc6c

            SHA512

            9c68f7f72dfa109fcfba6472a1cced85bc6c2a5481232c6d1d039c88b2f65fb86070aeb26ac23e420c6255daca02ea6e698892f7670298d2c4f741b9e9415c7f

            Download Submit

          • F:\$RECYCLE.BIN\S-1-5-21-481678230-3773327859-3495911762-1000\_desktop.ini
            Filesize

            9B

            MD5

            31874817e0fb055be8d2c971c0e3bbde

            SHA1

            ee8a35d6a86cb6d13f354d67d912e194bb09c74b

            SHA256

            94de8b492bc2db9a9592f7c9433547eb7f80826ed67f48d2bb7e22db9d49f544

            SHA512

            55747c69ae50fa212576d095f60cf33b42e26789cf8c34fc5120a45b1988aae95f91d9e37cb17298c5ac5243b2e4c40e1d0e084ce7fe14bceb4ebb318c65c944

            Download Submit

          • memory/1116-30-0x0000000002DF0000-0x0000000002DF1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2248-18-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/2248-0-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/2500-26-0x000000002FE61000-0x000000002FE62000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2668-34-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/2668-19-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/2668-3305-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/2668-4136-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download