Overview

overview

7

Static

static

3

bdce9dfb06...d1.exe

windows7-x64

7

bdce9dfb06...d1.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    93s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-05-2024 18:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bdce9dfb061e41db50533c7093d7138c17fdbecf363e0c39e3dbe5a9170087d1.exe

  • Size

    74KB

  • MD5

    46d409810632a27f2d92454314d56f36

  • SHA1

    b93c3ae289a74ed53aea07dd97b6b1f5dbe39008

  • SHA256

    bdce9dfb061e41db50533c7093d7138c17fdbecf363e0c39e3dbe5a9170087d1

  • SHA512

    18469877a470e50b74ed00dc734cab0a7456de4c35c670d7d68345cee43217470f4438ebabc30d892a301afc5feeba0f3b2834907ac8d2c4fb3ff5c50ec53015

  • SSDEEP

    1536:/tmSe+Zk78NR3dN5nPAEToa9D4ZQKbgZi1dst7x9PxQ:/xe+a+3dN5QlZQKbgZi1St7xQ

Score
7/10
spywarestealer

Malware Config

Signatures

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3532
      • C:\Users\Admin\AppData\Local\Temp\bdce9dfb061e41db50533c7093d7138c17fdbecf363e0c39e3dbe5a9170087d1.exe
        "C:\Users\Admin\AppData\Local\Temp\bdce9dfb061e41db50533c7093d7138c17fdbecf363e0c39e3dbe5a9170087d1.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:4764
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:4160
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:2432
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a495D.bat
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:4164
            • C:\Users\Admin\AppData\Local\Temp\bdce9dfb061e41db50533c7093d7138c17fdbecf363e0c39e3dbe5a9170087d1.exe
              "C:\Users\Admin\AppData\Local\Temp\bdce9dfb061e41db50533c7093d7138c17fdbecf363e0c39e3dbe5a9170087d1.exe"
              4⤵
              • Executes dropped EXE
              PID:3696
          • C:\Windows\Logo1_.exe
            C:\Windows\Logo1_.exe
            3⤵
            • Drops startup file
            • Executes dropped EXE
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:412
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:3612
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:2152
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:2928
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:4532

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
            Filesize

            258KB

            MD5

            ce1ebc3c0c328e142eab47b6635f807c

            SHA1

            5576885f6e7f2abe82df076a2d27af32eebb4c0a

            SHA256

            58eb636f0448ed27f1c1c30503a7888e2913dec4b408e22e46f7edf574375870

            SHA512

            f3a1be84df1ea85519589ef8b17738bf19202c444992b0d18f802d4e1ca57224a0b2e57371635a21c4cd967cb112eea9c338dbe07eb08d1c44316c5c2379b407

            Download Submit
          • C:\Program Files\7-Zip\7z.exe
            Filesize

            577KB

            MD5

            910284bbd7c634fe066813e80f33296d

            SHA1

            97399b7586901e6b9e046bf9ef230103c54d2e1f

            SHA256

            7d477e0c4001981ef55282a1d61e5510bb08eedba840ec9df323eda8053c892b

            SHA512

            18dd89ea3ed8f270b71bc756dbd1d9eb406f03de2fb9813bbd7f08289148a28f459b21e8a5fbdab442de6face435cbd51806c8a9caf42906ab653a7d2075b58f

            Download Submit
          • C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
            Filesize

            643KB

            MD5

            b06c23c388c6c6a3219fdaf5efaabccf

            SHA1

            ada13c3c4449d222de774ebd037078ba31d33cd2

            SHA256

            8efeb8be3a4ae59e4106e6c1d9e122d8ecb84b71cf01796f27d94ecfe80e0809

            SHA512

            aefc2fbbf660ee465ac7f174ab8f3de242c352d473a02ee96214d29a5e854e88c7ad842685bdb81698c8d51e0b597d7379c3a039e704839be748fe96a68c23b9

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\$$a495D.bat
            Filesize

            722B

            MD5

            480a4bb2d5969be1536777789886d1a8

            SHA1

            344fb5f7b63ae9811236165a3c91736bc93cb953

            SHA256

            4a6b4eb5a61ec4e83747829420a1d5869f71ea169dda98ccf3a78f4326e0e102

            SHA512

            c2ace12d233bdabb7f42482ea67ca5f7f92702146e0d45c52a488e79854c6d836845de8085f27b438f1c984acf86b7915f7782795afb946be92c647ec4aedc9f

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\bdce9dfb061e41db50533c7093d7138c17fdbecf363e0c39e3dbe5a9170087d1.exe.exe
            Filesize

            41KB

            MD5

            977e405c109268909fd24a94cc23d4f0

            SHA1

            af5d032c2b6caa2164cf298e95b09060665c4188

            SHA256

            cd24c61fe7dc3896c6c928c92a2adc58fab0a3ff61ef7ddcac1ba794182ab12f

            SHA512

            12b4b59c1a8e65e72aa07ee4b6b6cd9fdedead01d5ce8e30f16ca26b5d733655e23a71c1d273a950a5b1a6cce810b696612de4a1148ac5f468ddf05d4549eed5

            Download Submit
          • C:\Windows\Logo1_.exe
            Filesize

            33KB

            MD5

            05ebb4f9455d52366f013e63d099d41f

            SHA1

            f3d867260198c5be6f0f1e796d517e8ad75b2173

            SHA256

            05362547df367881bc8a8956b74adf5e7d0c641ad3a6defce8751787503af3f3

            SHA512

            573fea3c1964ce511986b959789ec3e170ba5d668cab0c201e6ac27c6d23b04250910871b2fd22ad6558d20a2aa2da0380cf9594aa8a33d1315f364a8d697a2f

            Download Submit
          • F:\$RECYCLE.BIN\S-1-5-21-2539840389-1261165778-1087677076-1000\_desktop.ini
            Filesize

            9B

            MD5

            31874817e0fb055be8d2c971c0e3bbde

            SHA1

            ee8a35d6a86cb6d13f354d67d912e194bb09c74b

            SHA256

            94de8b492bc2db9a9592f7c9433547eb7f80826ed67f48d2bb7e22db9d49f544

            SHA512

            55747c69ae50fa212576d095f60cf33b42e26789cf8c34fc5120a45b1988aae95f91d9e37cb17298c5ac5243b2e4c40e1d0e084ce7fe14bceb4ebb318c65c944

            Download Submit
          • memory/412-11-0x0000000000400000-0x000000000043F000-memory.dmp
            Filesize

            252KB

            Download
          • memory/412-18-0x0000000000400000-0x000000000043F000-memory.dmp
            Filesize

            252KB

            Download
          • memory/412-5210-0x0000000000400000-0x000000000043F000-memory.dmp
            Filesize

            252KB

            Download
          • memory/412-8666-0x0000000000400000-0x000000000043F000-memory.dmp
            Filesize

            252KB

            Download
          • memory/4764-0-0x0000000000400000-0x000000000043F000-memory.dmp
            Filesize

            252KB

            Download
          • memory/4764-10-0x0000000000400000-0x000000000043F000-memory.dmp
            Filesize

            252KB

            Download