Overview

overview

8

Static

static

3

9331432fdb...52.exe

windows7-x64

8

9331432fdb...52.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    150s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags

    arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
  • submitted
    23/05/2024, 12:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9331432fdb2f0c092fa43877927f8551a8c7cdeb13a515376aff69accfec5952.exe

  • Size

    96KB

  • MD5

    9bdf0654c011c9bc298f3f1056cbb4ba

  • SHA1

    bf68ac2e43de63dff313e9329752cbc7b7a9d6b3

  • SHA256

    9331432fdb2f0c092fa43877927f8551a8c7cdeb13a515376aff69accfec5952

  • SHA512

    4ddca742115f3dc19e397156e88139d35918f36dcf1c041476c6b5050df32659d3dc9f1543b9a102c370dda199ce0fbd4c4550207fadd61053b694430a894e8e

  • SSDEEP

    1536:rGFaYzMXqtGNtty1yVumRTTChUzS40nWzpXVP/XVXDEiC04pmI+Wy:rGFaY46tGNtty1X0+WzpX9XVXDnj4ry

Score
8/10
spywarestealer

Malware Config

Signatures

  • Drops file in Drivers directory 2 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 43 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1208
      • C:\Users\Admin\AppData\Local\Temp\9331432fdb2f0c092fa43877927f8551a8c7cdeb13a515376aff69accfec5952.exe
        "C:\Users\Admin\AppData\Local\Temp\9331432fdb2f0c092fa43877927f8551a8c7cdeb13a515376aff69accfec5952.exe"
        2⤵
        • Drops file in Drivers directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2040
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1792
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:2028
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c C:\Users\Admin\AppData\Local\Temp\$$a14C8.bat
            3⤵
            • Deletes itself
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:2584
            • C:\Users\Admin\AppData\Local\Temp\9331432fdb2f0c092fa43877927f8551a8c7cdeb13a515376aff69accfec5952.exe
              "C:\Users\Admin\AppData\Local\Temp\9331432fdb2f0c092fa43877927f8551a8c7cdeb13a515376aff69accfec5952.exe"
              4⤵
              • Executes dropped EXE
              PID:2576
          • C:\Windows\Logo1_.exe
            C:\Windows\Logo1_.exe
            3⤵
            • Drops file in Drivers directory
            • Executes dropped EXE
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:2648
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:2960
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:2732
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:2620
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:2608

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
            Filesize

            258KB

            MD5

            e194e3f599f585b521b00ba7d99c03a5

            SHA1

            2ade918605a7a60bcc840819b52c6fb5f470921b

            SHA256

            b70334eb15d0c19fcb70b2d250e32a01f1a17bd230401155d3c4fe3065242aa9

            SHA512

            b7e3c0741cc3ac540da389b2fa66501e1a6c433ab0b22c99b38f40dc57d940d81979b08859d8daa67cd002b02ead5daac4ad9cafce5186bf35b536f6de4b7957

            Download Submit

          • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
            Filesize

            478KB

            MD5

            5a4669bf1382e7b9672b287ef6a5d990

            SHA1

            582120da714e9bd8783dcb8fa5218260f35e7399

            SHA256

            4b4df892d26fed910b2a4556a21b9da130c9af659b79b0411a30fe6c90b74820

            SHA512

            c9b970be0d22e5c8b94bcc6569fbf8570b924ce7dfe1a36b0cc5ee221448af4a1b6016a8891c1bd421040d3cdf8b3b79dae693b4003fac90354f2bea5361b1da

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\$$a14C8.bat
            Filesize

            722B

            MD5

            4eec4a9020b4bb0dee8b392a54ecaa91

            SHA1

            d4157eab400b120764d33946eeeccbf84b741153

            SHA256

            e41f9175e41cbc1f9cfc71238807a4e4044bf65590a1a5116765aeaf4e9fc7f7

            SHA512

            8c3b62f7297c444f47f6094d809c24ea54786509585f7ff7db59a0dc491c92ac4a5606556d1581659dce693d699d4fa7ff55efc9f792680011a6f8a418478b3d

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\9331432fdb2f0c092fa43877927f8551a8c7cdeb13a515376aff69accfec5952.exe.exe
            Filesize

            62KB

            MD5

            c54f1fc981737d618eaab97ba5df6614

            SHA1

            7d4422e8c078f2699093effe564854748b62bc7b

            SHA256

            2a96aa7b2e19c2f7970c258a7760e5cd503442ef5375edca947488fc2d8374c4

            SHA512

            85a454cc272fb6bbe69d833a22a16c3882b899c8dc92b2ae54423c75758c8fd5df683d1deb82bc5de859e96c72b52cc9aec7699cb90f621e9cdc5852e931d65a

            Download Submit

          • C:\Windows\Logo1_.exe
            Filesize

            33KB

            MD5

            0c024d12adef144def06e6f299357485

            SHA1

            896f33f1c0bc5c6644094f07d44e2bcc377958bb

            SHA256

            df70e984201f34822e49a6da9037e738e596a51d3e190cf4b76b8c64ebd3c30d

            SHA512

            072a920b5fd0373d40947b9410becd9df1bfdff8913bb0650272a3e4c46b29b826b42998b61426b7eb6fa8d081066d0b0aa183dbf0044e9119b10f9a3faae09d

            Download Submit

          • C:\Windows\system32\drivers\etc\hosts
            Filesize

            832B

            MD5

            7e3a0edd0c6cd8316f4b6c159d5167a1

            SHA1

            753428b4736ffb2c9e3eb50f89255b212768c55a

            SHA256

            1965854dfa54c72529c88c7d9f41fa31b4140cad04cf03d3f0f2e7601fcbdc6c

            SHA512

            9c68f7f72dfa109fcfba6472a1cced85bc6c2a5481232c6d1d039c88b2f65fb86070aeb26ac23e420c6255daca02ea6e698892f7670298d2c4f741b9e9415c7f

            Download Submit

          • F:\$RECYCLE.BIN\S-1-5-21-2248906074-2862704502-246302768-1000\_desktop.ini
            Filesize

            9B

            MD5

            31874817e0fb055be8d2c971c0e3bbde

            SHA1

            ee8a35d6a86cb6d13f354d67d912e194bb09c74b

            SHA256

            94de8b492bc2db9a9592f7c9433547eb7f80826ed67f48d2bb7e22db9d49f544

            SHA512

            55747c69ae50fa212576d095f60cf33b42e26789cf8c34fc5120a45b1988aae95f91d9e37cb17298c5ac5243b2e4c40e1d0e084ce7fe14bceb4ebb318c65c944

            Download Submit

          • memory/1208-29-0x0000000002630000-0x0000000002631000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2040-0-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/2040-18-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/2648-33-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/2648-19-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/2648-3280-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/2648-4103-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download