Overview

overview

7

Static

static

3

bdce9dfb06...d1.exe

windows7-x64

7

bdce9dfb06...d1.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    23-05-2024 18:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bdce9dfb061e41db50533c7093d7138c17fdbecf363e0c39e3dbe5a9170087d1.exe

  • Size

    74KB

  • MD5

    46d409810632a27f2d92454314d56f36

  • SHA1

    b93c3ae289a74ed53aea07dd97b6b1f5dbe39008

  • SHA256

    bdce9dfb061e41db50533c7093d7138c17fdbecf363e0c39e3dbe5a9170087d1

  • SHA512

    18469877a470e50b74ed00dc734cab0a7456de4c35c670d7d68345cee43217470f4438ebabc30d892a301afc5feeba0f3b2834907ac8d2c4fb3ff5c50ec53015

  • SSDEEP

    1536:/tmSe+Zk78NR3dN5nPAEToa9D4ZQKbgZi1dst7x9PxQ:/xe+a+3dN5QlZQKbgZi1St7xQ

Score
7/10
spywarestealer

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 43 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1132
      • C:\Users\Admin\AppData\Local\Temp\bdce9dfb061e41db50533c7093d7138c17fdbecf363e0c39e3dbe5a9170087d1.exe
        "C:\Users\Admin\AppData\Local\Temp\bdce9dfb061e41db50533c7093d7138c17fdbecf363e0c39e3dbe5a9170087d1.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2400
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2512
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:2896
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c C:\Users\Admin\AppData\Local\Temp\$$a2AE7.bat
            3⤵
            • Deletes itself
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:2560
            • C:\Users\Admin\AppData\Local\Temp\bdce9dfb061e41db50533c7093d7138c17fdbecf363e0c39e3dbe5a9170087d1.exe
              "C:\Users\Admin\AppData\Local\Temp\bdce9dfb061e41db50533c7093d7138c17fdbecf363e0c39e3dbe5a9170087d1.exe"
              4⤵
              • Executes dropped EXE
              PID:2960
          • C:\Windows\Logo1_.exe
            C:\Windows\Logo1_.exe
            3⤵
            • Executes dropped EXE
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:2676
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:2588
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:2436
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:2928
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:2544

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
            Filesize

            258KB

            MD5

            ce1ebc3c0c328e142eab47b6635f807c

            SHA1

            5576885f6e7f2abe82df076a2d27af32eebb4c0a

            SHA256

            58eb636f0448ed27f1c1c30503a7888e2913dec4b408e22e46f7edf574375870

            SHA512

            f3a1be84df1ea85519589ef8b17738bf19202c444992b0d18f802d4e1ca57224a0b2e57371635a21c4cd967cb112eea9c338dbe07eb08d1c44316c5c2379b407

            Download Submit
          • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
            Filesize

            478KB

            MD5

            3e2d3392a9d3ae3ed27661f81e853478

            SHA1

            fa8c023a3bff75e89ed39f5d4bfb5693d818ca8b

            SHA256

            09da8a31b7f420b9e4ed6d02e698bcc12a4f3efa46a53d1492a241a5784d44a8

            SHA512

            27652a29d728b92995b8ce46b150cd14baf5b65789591085ef3fa959dbc99efaa071b7a014ccaabeb6e84cdea642769dc98a7a1684afcda9be82dbb0b8d3fa17

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\$$a2AE7.bat
            Filesize

            722B

            MD5

            2a32099f3b0725f743990ca630a078ca

            SHA1

            16f688ba54120715a909a0a15e86570111518f3b

            SHA256

            6bb0cc11f9d84203fcd7bdea77bbb18e9b976b9a093b6993f3213c3d8b655229

            SHA512

            89eca014d0aa8525e312ffa82d7b0db563db92c69ad12dfc6709f61c1b6e78eb61317c03deee001c730132ebd418684fd00bdd5d59cf5ad300a983891c0ed362

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\bdce9dfb061e41db50533c7093d7138c17fdbecf363e0c39e3dbe5a9170087d1.exe.exe
            Filesize

            41KB

            MD5

            977e405c109268909fd24a94cc23d4f0

            SHA1

            af5d032c2b6caa2164cf298e95b09060665c4188

            SHA256

            cd24c61fe7dc3896c6c928c92a2adc58fab0a3ff61ef7ddcac1ba794182ab12f

            SHA512

            12b4b59c1a8e65e72aa07ee4b6b6cd9fdedead01d5ce8e30f16ca26b5d733655e23a71c1d273a950a5b1a6cce810b696612de4a1148ac5f468ddf05d4549eed5

            Download Submit
          • C:\Windows\Logo1_.exe
            Filesize

            33KB

            MD5

            05ebb4f9455d52366f013e63d099d41f

            SHA1

            f3d867260198c5be6f0f1e796d517e8ad75b2173

            SHA256

            05362547df367881bc8a8956b74adf5e7d0c641ad3a6defce8751787503af3f3

            SHA512

            573fea3c1964ce511986b959789ec3e170ba5d668cab0c201e6ac27c6d23b04250910871b2fd22ad6558d20a2aa2da0380cf9594aa8a33d1315f364a8d697a2f

            Download Submit
          • F:\$RECYCLE.BIN\S-1-5-21-2737914667-933161113-3798636211-1000\_desktop.ini
            Filesize

            9B

            MD5

            31874817e0fb055be8d2c971c0e3bbde

            SHA1

            ee8a35d6a86cb6d13f354d67d912e194bb09c74b

            SHA256

            94de8b492bc2db9a9592f7c9433547eb7f80826ed67f48d2bb7e22db9d49f544

            SHA512

            55747c69ae50fa212576d095f60cf33b42e26789cf8c34fc5120a45b1988aae95f91d9e37cb17298c5ac5243b2e4c40e1d0e084ce7fe14bceb4ebb318c65c944

            Download Submit
          • memory/1132-27-0x00000000024E0000-0x00000000024E1000-memory.dmp
            Filesize

            4KB

            Download
          • memory/2400-0-0x0000000000400000-0x000000000043F000-memory.dmp
            Filesize

            252KB

            Download
          • memory/2400-16-0x0000000000400000-0x000000000043F000-memory.dmp
            Filesize

            252KB

            Download
          • memory/2676-31-0x0000000000400000-0x000000000043F000-memory.dmp
            Filesize

            252KB

            Download
          • memory/2676-19-0x0000000000400000-0x000000000043F000-memory.dmp
            Filesize

            252KB

            Download
          • memory/2676-3347-0x0000000000400000-0x000000000043F000-memory.dmp
            Filesize

            252KB

            Download
          • memory/2676-4175-0x0000000000400000-0x000000000043F000-memory.dmp
            Filesize

            252KB

            Download