Overview

overview

8

Static

static

3

0860aa8aa2...da.exe

windows7-x64

8

0860aa8aa2...da.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    150s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags

    arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
  • submitted
    28/05/2024, 07:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0860aa8aa27afd81c6b7500e3f11e1320045f2880976b38a2d06a5efbff394da.exe

  • Size

    563KB

  • MD5

    50a7b06f3853ddf8a3770f10c2dd03d1

  • SHA1

    29de6d7d2fb62b3396583b64cf2331a17da418f6

  • SHA256

    0860aa8aa27afd81c6b7500e3f11e1320045f2880976b38a2d06a5efbff394da

  • SHA512

    9b4b1fec3fa3d9c981b3c2bca3dd1464d9360a7da4c0d88b7ba057ec6baa8a6de9300c4ef125d50132452d668d809b0d5238d59f595ef7e3326c77a2fb6155e2

  • SSDEEP

    12288:e3NKc9iJafmm2VYK+UNo0RweQfoAxHv9sN4A4H9J618UtQ43iUa:e3NCVm2VZQwy9E1Vf3M

Score
8/10
spywarestealer

Malware Config

Signatures

  • Drops file in Drivers directory 2 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 43 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1204
      • C:\Users\Admin\AppData\Local\Temp\0860aa8aa27afd81c6b7500e3f11e1320045f2880976b38a2d06a5efbff394da.exe
        "C:\Users\Admin\AppData\Local\Temp\0860aa8aa27afd81c6b7500e3f11e1320045f2880976b38a2d06a5efbff394da.exe"
        2⤵
        • Drops file in Drivers directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2328
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:500
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:2428
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c C:\Users\Admin\AppData\Local\Temp\$$a13B0.bat
            3⤵
            • Deletes itself
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:1968
            • C:\Users\Admin\AppData\Local\Temp\0860aa8aa27afd81c6b7500e3f11e1320045f2880976b38a2d06a5efbff394da.exe
              "C:\Users\Admin\AppData\Local\Temp\0860aa8aa27afd81c6b7500e3f11e1320045f2880976b38a2d06a5efbff394da.exe"
              4⤵
              • Executes dropped EXE
              PID:2576
          • C:\Windows\Logo1_.exe
            C:\Windows\Logo1_.exe
            3⤵
            • Drops file in Drivers directory
            • Executes dropped EXE
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:2572
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:2620
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:2584
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:2504
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:2580

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
            Filesize

            258KB

            MD5

            57613a0bf037dbaa054046d8f4f66293

            SHA1

            f214da75c0330d3d0af36de2f787d5de5d618d33

            SHA256

            9b8a4462b2ff424cc543be6811037234af9e665fe2d0c182a2c49cb279f658ce

            SHA512

            8e0883d3f66f38c99a213bdfa1b6a2e7caba04577b23ff84727e9ee3b7ad3ab544ac8497667d6da83121afca64ec7dbcc55f45e1b7d7cfefa9e7dce8f5c0095a

            Download Submit

          • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
            Filesize

            478KB

            MD5

            db30f5e16c744915af12c09f1ccf3e41

            SHA1

            d5feb47e0ca1c47b0a4cfc90be501e97f613ce90

            SHA256

            cfc87b2273f90e5125ca09d4fed15c56a82dabc54e418301f8ce23476201950e

            SHA512

            ff466c60abd62f72cbe687d48fcc485855e0df65599da37112d3872324176bf68428c312d8fbfaf20deba2295b2c7fc51129436a73ba8bdc58836289f6a47f6b

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\$$a13B0.bat
            Filesize

            722B

            MD5

            b71d3f4c413e78f98358272f3e076715

            SHA1

            9cc436271dccbe12a846c87761063c6086b1ceae

            SHA256

            1e31080e053366d93083323d70d8e6e5664c08421b20de055dea1b96e3e4da11

            SHA512

            db52abec12bfcc4b0c77070f4ef65817e894e9dc8423310f11243352387cda30d50a3d460599a05c05b463bf258eb70db4af60b4c8a97db6166ee8e0c0ebfba0

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\0860aa8aa27afd81c6b7500e3f11e1320045f2880976b38a2d06a5efbff394da.exe.exe
            Filesize

            529KB

            MD5

            cca0c5482b8a6a275d9d49433f435dfa

            SHA1

            a72ae8621386e13c34055f612ae7612b8a18a39e

            SHA256

            6ea08bbcedf7cb51cfbe4896ef8c589a4568b1d5240265b1dcfda83dc8b55365

            SHA512

            b88f5cdb4bc08429ca40d24cef490128d341e10615d1d93d084b3247c2b28573d177d878c1385d3941e16a8bcc8a9f6b7870c152f4a43d02e69c05defcc9196e

            Download Submit

          • C:\Windows\Logo1_.exe
            Filesize

            33KB

            MD5

            c6b1299bf74d10873fcd4c1c137f1f57

            SHA1

            5e1fa89cb83ef4395a42783da9a7eb397224dc4d

            SHA256

            b42be509cecca65453f15d6f60a9c2e78efeedaaf08c2d021d8353e3aea7a675

            SHA512

            4ba21ec9e3cd17f7274578fd2953b91f902ddd539b078aab36f3fe8ca24398e478d218ef949710f81b225c2d20fc4317784302a42132e23be03fbc128cdef925

            Download Submit

          • C:\Windows\system32\drivers\etc\hosts
            Filesize

            832B

            MD5

            7e3a0edd0c6cd8316f4b6c159d5167a1

            SHA1

            753428b4736ffb2c9e3eb50f89255b212768c55a

            SHA256

            1965854dfa54c72529c88c7d9f41fa31b4140cad04cf03d3f0f2e7601fcbdc6c

            SHA512

            9c68f7f72dfa109fcfba6472a1cced85bc6c2a5481232c6d1d039c88b2f65fb86070aeb26ac23e420c6255daca02ea6e698892f7670298d2c4f741b9e9415c7f

            Download Submit

          • F:\$RECYCLE.BIN\S-1-5-21-2248906074-2862704502-246302768-1000\_desktop.ini
            Filesize

            9B

            MD5

            e850d9ceb7ebcc619d731dc2f1377b2b

            SHA1

            a45553c9057075c02e28f90d5e8ea57a0dddbacc

            SHA256

            b682a6e85069777ca22f84b99607acd09640eaa80029d74363c0a5aabddead4c

            SHA512

            be92bd8393d0fe69559ec55e1068fcd77ccc699361a9cb98d467bd51a029c371852b7a1196ad53fa8865e956582e6a4d35f6ac6fea3832058b7a427133b0048c

            Download Submit

          • memory/1204-30-0x0000000002EE0000-0x0000000002EE1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2328-0-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/2328-18-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/2572-34-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/2572-19-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/2572-3281-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/2572-4104-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download