Overview

overview

8

Static

static

3

28f9014ef8...d3.exe

windows7-x64

8

28f9014ef8...d3.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    150s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    28-05-2024 08:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    28f9014ef8781f01a437a7bc88b51138a85b457285e353e09b57ee93dce8d2d3.exe

  • Size

    53KB

  • MD5

    11b8817a1db9277f0052a62660ec600e

  • SHA1

    b0e4bd9a440ea87618bfd0f759f17ec0c6b9701e

  • SHA256

    28f9014ef8781f01a437a7bc88b51138a85b457285e353e09b57ee93dce8d2d3

  • SHA512

    61cfe18d95dbac2eb90cf1cddb72ac504e5acb4c6a00d59450b438c1509bd31979f12b2415a919e254d7007c26fc31183bc56ab59583d5c1d3a88ee95d53a1d7

  • SSDEEP

    1536:PhUaYzMXqtGNttyUn01Q78a4RgphWNFaWp:PhUaY46tGNttyJQ7KR0WDzp

Score
8/10
spywarestealer

Malware Config

Signatures

  • Drops file in Drivers directory 2 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 43 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1132
      • C:\Users\Admin\AppData\Local\Temp\28f9014ef8781f01a437a7bc88b51138a85b457285e353e09b57ee93dce8d2d3.exe
        "C:\Users\Admin\AppData\Local\Temp\28f9014ef8781f01a437a7bc88b51138a85b457285e353e09b57ee93dce8d2d3.exe"
        2⤵
        • Drops file in Drivers directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2400
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2512
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:2612
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c C:\Users\Admin\AppData\Local\Temp\$$a2B06.bat
            3⤵
            • Deletes itself
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:2580
            • C:\Users\Admin\AppData\Local\Temp\28f9014ef8781f01a437a7bc88b51138a85b457285e353e09b57ee93dce8d2d3.exe
              "C:\Users\Admin\AppData\Local\Temp\28f9014ef8781f01a437a7bc88b51138a85b457285e353e09b57ee93dce8d2d3.exe"
              4⤵
              • Executes dropped EXE
              PID:2728
          • C:\Windows\Logo1_.exe
            C:\Windows\Logo1_.exe
            3⤵
            • Drops file in Drivers directory
            • Executes dropped EXE
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:2672
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:2556
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:2960
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:2604
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:2428

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
            Filesize

            258KB

            MD5

            ebb1acf3749aab2799316e438dfdbdf4

            SHA1

            704fe023ab74891eeff0ba9779303aff0b0da5aa

            SHA256

            2f7d16cda5245419705eeff7f92014c5d80e91d8a2d04beff74d79f832f7e77f

            SHA512

            ff93751e380f95501d316a68f459a42e116d3ca10a1d609f4f48ca679e5b9c820021ab2c1869a8d13c5a47a291a3f81e6e22966f41ed55f0f4d64a65902bacb4

            Download Submit

          • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
            Filesize

            478KB

            MD5

            db30f5e16c744915af12c09f1ccf3e41

            SHA1

            d5feb47e0ca1c47b0a4cfc90be501e97f613ce90

            SHA256

            cfc87b2273f90e5125ca09d4fed15c56a82dabc54e418301f8ce23476201950e

            SHA512

            ff466c60abd62f72cbe687d48fcc485855e0df65599da37112d3872324176bf68428c312d8fbfaf20deba2295b2c7fc51129436a73ba8bdc58836289f6a47f6b

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\$$a2B06.bat
            Filesize

            722B

            MD5

            153ffbf3dbdc72f8a4fe6290db53ff44

            SHA1

            b86ab7ea3adc9ea9e572bce154acc8e268f7a43b

            SHA256

            a1204cec4597b38657171f548f317a4b4b60ada917cfef1efd3ab55e03f66f70

            SHA512

            2644e61b3ae40f4ee0398e0acaad02c77bd2ce5a5403c41fec01f48db201ede5d6b8244b6d20a767fcae4ea817e6932ed198edafcb1befadc4616812ab1b5b8a

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\28f9014ef8781f01a437a7bc88b51138a85b457285e353e09b57ee93dce8d2d3.exe.exe
            Filesize

            19KB

            MD5

            d7acce9a9cc1c75c377dad3c79eba7ff

            SHA1

            9c1a0eb12e8cac44ecbde6dac2d6e4852e21e0b3

            SHA256

            0e4d0729fac0a78ae1fef66333e70fdce7c643ed84dd9033ab022111c61fd5a4

            SHA512

            10716d1fdf3467348476130fb4a118c0cbf2064397bd53f1e0c709c0463693f06d2d1ab070eb85fb87bccb4cb06d213c3c0cd25ebd1635e61dc7a6ea043e4447

            Download Submit

          • C:\Windows\Logo1_.exe
            Filesize

            33KB

            MD5

            b889976a7791068af99766aca8f357d8

            SHA1

            146247c065098fb7f98f6cc1094825486b77d65c

            SHA256

            2d86f486401387ff3dcf30a8ffca900063a26c269b2e44bc1b925cbfafc30e92

            SHA512

            bad98a62f1e63adf7fef79f14ea027179ad4255a862f30114918046d14c89256cd2f5dcc3044941ecde471d9ede8d18a4ee040ca300cd1a9b9243aabbeee9558

            Download Submit

          • C:\Windows\system32\drivers\etc\hosts
            Filesize

            832B

            MD5

            7e3a0edd0c6cd8316f4b6c159d5167a1

            SHA1

            753428b4736ffb2c9e3eb50f89255b212768c55a

            SHA256

            1965854dfa54c72529c88c7d9f41fa31b4140cad04cf03d3f0f2e7601fcbdc6c

            SHA512

            9c68f7f72dfa109fcfba6472a1cced85bc6c2a5481232c6d1d039c88b2f65fb86070aeb26ac23e420c6255daca02ea6e698892f7670298d2c4f741b9e9415c7f

            Download Submit

          • F:\$RECYCLE.BIN\S-1-5-21-2737914667-933161113-3798636211-1000\_desktop.ini
            Filesize

            9B

            MD5

            e850d9ceb7ebcc619d731dc2f1377b2b

            SHA1

            a45553c9057075c02e28f90d5e8ea57a0dddbacc

            SHA256

            b682a6e85069777ca22f84b99607acd09640eaa80029d74363c0a5aabddead4c

            SHA512

            be92bd8393d0fe69559ec55e1068fcd77ccc699361a9cb98d467bd51a029c371852b7a1196ad53fa8865e956582e6a4d35f6ac6fea3832058b7a427133b0048c

            Download Submit

          • memory/1132-30-0x00000000024E0000-0x00000000024E1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2400-18-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/2400-17-0x0000000000230000-0x000000000026E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/2400-1-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/2672-34-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/2672-22-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/2672-3310-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/2672-4138-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download