Overview

overview

7

Static

static

3

de8e3ac9aa...19.exe

windows7-x64

7

de8e3ac9aa...19.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    124s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27/05/2024, 15:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    de8e3ac9aafb7973477e82db7fbdf234007b82d25eb21dbca120cd8f1a278c19.exe

  • Size

    852KB

  • MD5

    8a5746ecc73037d3383e78321c8f13c6

  • SHA1

    d0038e9133d9e0c6d55a8f66750605adb5c7df3e

  • SHA256

    de8e3ac9aafb7973477e82db7fbdf234007b82d25eb21dbca120cd8f1a278c19

  • SHA512

    8ee52d81e933c4698c2b514bd1b7e0f222757038274f212c173259288b4e0662a3edd4c76c8561163b0477a7b8175942538be119956859f2c4beaf8fb3dca74a

  • SSDEEP

    24576:L1q51q1lx7SqE0xJ2pm8FiWCm3LHgZpJEHp3/:U1q171dxJ6mAQm3LHkJEJv

Score
7/10
spywarestealer

Malware Config

Signatures

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3440
      • C:\Users\Admin\AppData\Local\Temp\de8e3ac9aafb7973477e82db7fbdf234007b82d25eb21dbca120cd8f1a278c19.exe
        "C:\Users\Admin\AppData\Local\Temp\de8e3ac9aafb7973477e82db7fbdf234007b82d25eb21dbca120cd8f1a278c19.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2960
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:184
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:732
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a5B10.bat
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:2176
            • C:\Users\Admin\AppData\Local\Temp\de8e3ac9aafb7973477e82db7fbdf234007b82d25eb21dbca120cd8f1a278c19.exe
              "C:\Users\Admin\AppData\Local\Temp\de8e3ac9aafb7973477e82db7fbdf234007b82d25eb21dbca120cd8f1a278c19.exe"
              4⤵
              • Executes dropped EXE
              PID:1392
          • C:\Windows\Logo1_.exe
            C:\Windows\Logo1_.exe
            3⤵
            • Drops startup file
            • Executes dropped EXE
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:3372
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:1980
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:2756
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:4972
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:448

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
            Filesize

            258KB

            MD5

            c41a2d76081e9fc371d69ae2956408c6

            SHA1

            d026980a0961f0a9009b6d208c0f692577638a0d

            SHA256

            fc296521d6121bc74b6e7e43d97f4994d829d5e36d95ade3d71523bf8b289bf4

            SHA512

            fd6dc9ba513b3244e03655e7e32f4f346525f266f61064a5584896fbb6f630e0d3d2ddad6fd492c136d27204382a986d10da84f4dde1b081ab8e18f8585239be

            Download Submit

          • C:\Program Files\7-Zip\7z.exe
            Filesize

            577KB

            MD5

            d7e456d0fc75d57d135b524072ef3883

            SHA1

            1951c4bb2bbe40c5ac1446ce221e0ed649b46ed7

            SHA256

            1a4633f76c3518b84fc12280ed0aa97294c2818999663de045f0c30949aefade

            SHA512

            bfa24fd8e9f771142b808ef0340b5cd2468f012a7be827d54497e91e59e9a7a246a3f35be3bae0ea6fcac58b0cb7a2229851ac27fb740a66439ee6b62cf4f113

            Download Submit

          • C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
            Filesize

            643KB

            MD5

            9363a720e098b38389b25a7b18cfbcdd

            SHA1

            7b5e835b22262b47e6042e7aadecc67dac05f7db

            SHA256

            10579b661dade8697f252204f241952eb2029ea6978165f9336fd60a72b3205e

            SHA512

            564b873358ebe4d4d194b924e9934cb5c1666df901db2556e8cbab8276f8c4380a5bee157cc8eb2063fe0f48a1d0dc1cf339d3d3040d764c974e1c46b0870f88

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\$$a5B10.bat
            Filesize

            722B

            MD5

            9b4fc2ef4cf2283e4603b72a5307b217

            SHA1

            0d93c5eb7ae6c6f0563d2340b3726714e30f1c0a

            SHA256

            9ef4a6d18db3137dc6dc5546a4db490473fde0062bcb8a0724bf9a1f14261d3e

            SHA512

            a3eb40f326d28da573303f6dce6441cde54b5eaa935a5e5d3202084257fa510000bbcb3286e834e276f28bda5bd851fe7d286fb93f5df64ad725c23c3248d4b1

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\de8e3ac9aafb7973477e82db7fbdf234007b82d25eb21dbca120cd8f1a278c19.exe.exe
            Filesize

            818KB

            MD5

            a41e524f8d45f0074fd07805ff0c9b12

            SHA1

            948deacf95a60c3fdf17e0e4db1931a6f3fc5d38

            SHA256

            082329648337e5ba7377fed9d8a178809f37eecb8d795b93cca4ec07d8640ff7

            SHA512

            91bf4be7e82536a85a840dbc9f3ce7b7927d1cedf6391aac93989abae210620433e685b86a12d133a72369a4f8a665c46ac7fc9e8a806e2872d8b1514cbb305f

            Download Submit

          • C:\Windows\Logo1_.exe
            Filesize

            33KB

            MD5

            e682314b26d8f9accc07a69b51a30227

            SHA1

            5c24a48ceaa54d6dc29043b6f984d15b0f137ea8

            SHA256

            e9231881dbb55dd716ff2b655b5c08d134abd4f00f7f24c7cf864984f07e0d39

            SHA512

            934c44c221f9b3b1d4bf6f854cac17be65ea9b53b9844b05f9106bf7ffbe985ade37517bb97061dd302a3840a1c7b1ca16cc37e1935a28495afef44716035ccb

            Download Submit

          • F:\$RECYCLE.BIN\S-1-5-21-4124900551-4068476067-3491212533-1000\_desktop.ini
            Filesize

            9B

            MD5

            fa1e1ef0fdda97877a13339b28fa95e5

            SHA1

            7e2cffca41118e7b2d62963bd940630b15b85653

            SHA256

            968b715c081472526487d60da8968e9b3bde2dac103f69beb3f6abe6ef7bc191

            SHA512

            3d55913a97aa89a7201342705640c1d031d19ad8aca4939219067f84e3fe118f47b4e388f490f69f605683d3854425c3de188f731886405474ae8e3d42c86f4f

            Download Submit

          • memory/2960-10-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/2960-0-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/3372-21-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/3372-4732-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/3372-11-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/3372-8645-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download