Overview

overview

8

Static

static

3

453372644a...06.exe

windows7-x64

8

453372644a...06.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    149s
  • max time network
    98s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23/05/2024, 12:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    453372644a62bd510b86cb5da7c7591833df095280aa9650287359fa5967a806.exe

  • Size

    1.4MB

  • MD5

    098bafba016c54de4e4da3806a1815bf

  • SHA1

    8b458a9943f3e57807955d894525384d966135c6

  • SHA256

    453372644a62bd510b86cb5da7c7591833df095280aa9650287359fa5967a806

  • SHA512

    01a6c9cce804e168c4595cbfaa904b21bafc04f64c7d8f41af44e647b404311eb282eb4ca04240b8aa45e34b3b8dc0ee5971d41c9e619a4d6f1194d6fcb77357

  • SSDEEP

    24576:i3NmLZmQR3caJZLZmvNzc0TDZodoSRsfHMbvmQakU:idiZmQyaJ1ZmFcqi+SRAG+J

Score
8/10
spywarestealer

Malware Config

Signatures

  • Drops file in Drivers directory 2 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3464
      • C:\Users\Admin\AppData\Local\Temp\453372644a62bd510b86cb5da7c7591833df095280aa9650287359fa5967a806.exe
        "C:\Users\Admin\AppData\Local\Temp\453372644a62bd510b86cb5da7c7591833df095280aa9650287359fa5967a806.exe"
        2⤵
        • Drops file in Drivers directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:4840
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:4424
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:2228
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a470B.bat
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:1084
            • C:\Users\Admin\AppData\Local\Temp\453372644a62bd510b86cb5da7c7591833df095280aa9650287359fa5967a806.exe
              "C:\Users\Admin\AppData\Local\Temp\453372644a62bd510b86cb5da7c7591833df095280aa9650287359fa5967a806.exe"
              4⤵
              • Executes dropped EXE
              PID:1900
          • C:\Windows\Logo1_.exe
            C:\Windows\Logo1_.exe
            3⤵
            • Drops file in Drivers directory
            • Drops startup file
            • Executes dropped EXE
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:1944
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:3156
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:4876
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:2468
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:2896

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
            Filesize

            258KB

            MD5

            a389cb0f00dfd2e48dd91b2bd099de9a

            SHA1

            4714e5c470a195516170b13ba41d6d54ee79f37c

            SHA256

            e30b8c7f851994e28ece48dc0ddeb66bb97e096eb7212812d66631e3b48246cc

            SHA512

            c7d2e9f190cdaf6bb69ea19d7993d816d609c8e7ab7d217d9df33be3563239e299d18499f345b2393778b0f8afa4e9be660fc57dae62f2b7434b9cb90b9ad6b7

            Download Submit

          • C:\Program Files\7-Zip\7z.exe
            Filesize

            577KB

            MD5

            75f5ac744a4238998bc4b83cbccd698e

            SHA1

            621193df875ccebf92646d9f0f187fc63d3547fe

            SHA256

            ab1fb29d612fb709943e565990d26977391d1946f5568fcb3aec702d17b0929a

            SHA512

            c9b22223637f52b2603ee75a29cead490af3f90ec55641af016b3f669448c8b528bc3afc6d8daeecd91dff5bf0b67b8f52b929465ac49731af852ab491263ab0

            Download Submit

          • C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
            Filesize

            644KB

            MD5

            d9b62e4240dd99918ec39a90574fcc1e

            SHA1

            aca7b6d133487779dad04399979342285ac7ac74

            SHA256

            3c9be9eeff4911ecb235ec57a0c90c6db74b371d45c7a6fae2afac78a1bf1391

            SHA512

            8980894349e1d3708f8176fcfc23675061d402126a77af27e6eb61d4d67d41bb2b1e743865f1626a77cca89aff29aa24d21c8cf3f879aba9bd8c0b9a035b8026

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\$$a470B.bat
            Filesize

            722B

            MD5

            159d6d79414f43a42946c4102e2d96ea

            SHA1

            36fe8436a18ee89cb905e7b25de95412e205a5f3

            SHA256

            f325abb4ef494d8325d9a0350142749bab7c5076f244f68d4fa3c0ed5116caa3

            SHA512

            e4a9b6c16bbb4e2bf82daee0506cb1e2cb87fba18e2d4a435f3663f78621f0eeeee6edd3c368939bacf1edcb500bce76dfeff987451d3d11bfa06938eede5a40

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\453372644a62bd510b86cb5da7c7591833df095280aa9650287359fa5967a806.exe.exe
            Filesize

            1.4MB

            MD5

            15e52f52ed2b8ed122fae897119687c4

            SHA1

            6e35ae1d5b6f192109d7a752acd939f5ca2b97a6

            SHA256

            8cfb55087fa8e4c1e7bcc580d767cf2c884c1b8c890ad240c1e7009810af6736

            SHA512

            338c12af5af509c19932619007ab058e0e97b65fe32609f14d29f6cc7818814dbdbb8613f81146a10a78197b3f6fbc435fab9fe1537d1eb83c30b9f4487b6aea

            Download Submit

          • C:\Windows\Logo1_.exe
            Filesize

            33KB

            MD5

            433a682a57f792e39d4cefb612d5a4ba

            SHA1

            20e44932ad602cf24e2556797b88b065296f4f23

            SHA256

            9b80ad539947f80b714bf1c2fca19441f6b2529eade8938a45ad84b82b4c8bf9

            SHA512

            f3dedeeb30f9c8bdeb331961a498fca00b273f17920b760455ad5fae17a20d17f474b73d24097fc8241dacfeb7113a0c4570eaa000a41ffd98673f935f8bec14

            Download Submit

          • C:\Windows\system32\drivers\etc\hosts
            Filesize

            842B

            MD5

            6f4adf207ef402d9ef40c6aa52ffd245

            SHA1

            4b05b495619c643f02e278dede8f5b1392555a57

            SHA256

            d9704dab05e988be3e5e7b7c020bb9814906d11bb9c31ad80d4ed1316f6bc94e

            SHA512

            a6306bd200a26ea78192ae5b00cc49cfab3fba025fe7233709a4e62db0f9ed60030dce22b34afe57aad86a098c9a8c44e080cedc43227cb87ef4690baec35b47

            Download Submit

          • F:\$RECYCLE.BIN\S-1-5-21-2804150937-2146708401-419095071-1000\_desktop.ini
            Filesize

            9B

            MD5

            31874817e0fb055be8d2c971c0e3bbde

            SHA1

            ee8a35d6a86cb6d13f354d67d912e194bb09c74b

            SHA256

            94de8b492bc2db9a9592f7c9433547eb7f80826ed67f48d2bb7e22db9d49f544

            SHA512

            55747c69ae50fa212576d095f60cf33b42e26789cf8c34fc5120a45b1988aae95f91d9e37cb17298c5ac5243b2e4c40e1d0e084ce7fe14bceb4ebb318c65c944

            Download Submit

          • memory/1900-17-0x000000002FC11000-0x000000002FC12000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1944-21-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/1944-3241-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/1944-12-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/1944-8694-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/4840-0-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/4840-10-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download