Overview

overview

8

Static

static

3

0860aa8aa2...da.exe

windows7-x64

8

0860aa8aa2...da.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    150s
  • max time network
    102s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-05-2024 07:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0860aa8aa27afd81c6b7500e3f11e1320045f2880976b38a2d06a5efbff394da.exe

  • Size

    563KB

  • MD5

    50a7b06f3853ddf8a3770f10c2dd03d1

  • SHA1

    29de6d7d2fb62b3396583b64cf2331a17da418f6

  • SHA256

    0860aa8aa27afd81c6b7500e3f11e1320045f2880976b38a2d06a5efbff394da

  • SHA512

    9b4b1fec3fa3d9c981b3c2bca3dd1464d9360a7da4c0d88b7ba057ec6baa8a6de9300c4ef125d50132452d668d809b0d5238d59f595ef7e3326c77a2fb6155e2

  • SSDEEP

    12288:e3NKc9iJafmm2VYK+UNo0RweQfoAxHv9sN4A4H9J618UtQ43iUa:e3NCVm2VZQwy9E1Vf3M

Score
8/10
spywarestealer

Malware Config

Signatures

  • Drops file in Drivers directory 2 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3428
      • C:\Users\Admin\AppData\Local\Temp\0860aa8aa27afd81c6b7500e3f11e1320045f2880976b38a2d06a5efbff394da.exe
        "C:\Users\Admin\AppData\Local\Temp\0860aa8aa27afd81c6b7500e3f11e1320045f2880976b38a2d06a5efbff394da.exe"
        2⤵
        • Drops file in Drivers directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1228
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:4472
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:1204
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a3F99.bat
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:2724
            • C:\Users\Admin\AppData\Local\Temp\0860aa8aa27afd81c6b7500e3f11e1320045f2880976b38a2d06a5efbff394da.exe
              "C:\Users\Admin\AppData\Local\Temp\0860aa8aa27afd81c6b7500e3f11e1320045f2880976b38a2d06a5efbff394da.exe"
              4⤵
              • Executes dropped EXE
              PID:2116
          • C:\Windows\Logo1_.exe
            C:\Windows\Logo1_.exe
            3⤵
            • Drops file in Drivers directory
            • Drops startup file
            • Executes dropped EXE
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:3136
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:3088
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:3032
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:1108
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:2196

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
            Filesize

            258KB

            MD5

            57613a0bf037dbaa054046d8f4f66293

            SHA1

            f214da75c0330d3d0af36de2f787d5de5d618d33

            SHA256

            9b8a4462b2ff424cc543be6811037234af9e665fe2d0c182a2c49cb279f658ce

            SHA512

            8e0883d3f66f38c99a213bdfa1b6a2e7caba04577b23ff84727e9ee3b7ad3ab544ac8497667d6da83121afca64ec7dbcc55f45e1b7d7cfefa9e7dce8f5c0095a

            Download Submit

          • C:\Program Files\7-Zip\7z.exe
            Filesize

            577KB

            MD5

            6af0276daf4b0881b2ccd0260c97d745

            SHA1

            2634162c71375235a0bbb3e1e96f68d189976f14

            SHA256

            a9ad77b62747288cb511b2a172b6102c62b73f323e2731752cbc12db7ff6f8b7

            SHA512

            057dad7cf240f6234983c5f8839af1ae61da089a1047ffca5a85d6ab75aedf30e6fe0ba41a44db12880450208a99e914d656cab146ab24692b2b36e27810034d

            Download Submit

          • C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
            Filesize

            643KB

            MD5

            c68e034d324260384602839c6e3295de

            SHA1

            add6ebe18274a2afd7756fcb2b5be590125eff7f

            SHA256

            8317babad7376315f76f48454d7f4057d60f2a13f0e469a7c877473b220af74f

            SHA512

            7c956a76088bae2a425fc13f8484027ae04bc9995b7ca85a92125801e0676ff660c2a1fcb4640424883455bc10a84d39788032d884e7b64178693b1a2a0885cb

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\$$a3F99.bat
            Filesize

            722B

            MD5

            9a4175357ce8ee7e01b97bb8c792090f

            SHA1

            502b0e66f390d171178072aff24763e4eab58baa

            SHA256

            8096a4ec23ba9252253fecae92dbd3bd0703da6eaaef8095ba474fdfef98d039

            SHA512

            de62004070035313a223376587a3152e3c03a9a51335463b9ab0edc034090830e9b1963a14e535368109603b3d2917b6ecbdf4db5349398a5f3ae91a47192f4e

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\0860aa8aa27afd81c6b7500e3f11e1320045f2880976b38a2d06a5efbff394da.exe.exe
            Filesize

            529KB

            MD5

            cca0c5482b8a6a275d9d49433f435dfa

            SHA1

            a72ae8621386e13c34055f612ae7612b8a18a39e

            SHA256

            6ea08bbcedf7cb51cfbe4896ef8c589a4568b1d5240265b1dcfda83dc8b55365

            SHA512

            b88f5cdb4bc08429ca40d24cef490128d341e10615d1d93d084b3247c2b28573d177d878c1385d3941e16a8bcc8a9f6b7870c152f4a43d02e69c05defcc9196e

            Download Submit

          • C:\Windows\Logo1_.exe
            Filesize

            33KB

            MD5

            c6b1299bf74d10873fcd4c1c137f1f57

            SHA1

            5e1fa89cb83ef4395a42783da9a7eb397224dc4d

            SHA256

            b42be509cecca65453f15d6f60a9c2e78efeedaaf08c2d021d8353e3aea7a675

            SHA512

            4ba21ec9e3cd17f7274578fd2953b91f902ddd539b078aab36f3fe8ca24398e478d218ef949710f81b225c2d20fc4317784302a42132e23be03fbc128cdef925

            Download Submit

          • C:\Windows\system32\drivers\etc\hosts
            Filesize

            842B

            MD5

            6f4adf207ef402d9ef40c6aa52ffd245

            SHA1

            4b05b495619c643f02e278dede8f5b1392555a57

            SHA256

            d9704dab05e988be3e5e7b7c020bb9814906d11bb9c31ad80d4ed1316f6bc94e

            SHA512

            a6306bd200a26ea78192ae5b00cc49cfab3fba025fe7233709a4e62db0f9ed60030dce22b34afe57aad86a098c9a8c44e080cedc43227cb87ef4690baec35b47

            Download Submit

          • F:\$RECYCLE.BIN\S-1-5-21-2804150937-2146708401-419095071-1000\_desktop.ini
            Filesize

            9B

            MD5

            e850d9ceb7ebcc619d731dc2f1377b2b

            SHA1

            a45553c9057075c02e28f90d5e8ea57a0dddbacc

            SHA256

            b682a6e85069777ca22f84b99607acd09640eaa80029d74363c0a5aabddead4c

            SHA512

            be92bd8393d0fe69559ec55e1068fcd77ccc699361a9cb98d467bd51a029c371852b7a1196ad53fa8865e956582e6a4d35f6ac6fea3832058b7a427133b0048c

            Download Submit

          • memory/1228-0-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/1228-11-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/3136-20-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/3136-10-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/3136-5124-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/3136-8698-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download