Overview

overview

8

Static

static

3

28f9014ef8...d3.exe

windows7-x64

8

28f9014ef8...d3.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28/05/2024, 08:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    28f9014ef8781f01a437a7bc88b51138a85b457285e353e09b57ee93dce8d2d3.exe

  • Size

    53KB

  • MD5

    11b8817a1db9277f0052a62660ec600e

  • SHA1

    b0e4bd9a440ea87618bfd0f759f17ec0c6b9701e

  • SHA256

    28f9014ef8781f01a437a7bc88b51138a85b457285e353e09b57ee93dce8d2d3

  • SHA512

    61cfe18d95dbac2eb90cf1cddb72ac504e5acb4c6a00d59450b438c1509bd31979f12b2415a919e254d7007c26fc31183bc56ab59583d5c1d3a88ee95d53a1d7

  • SSDEEP

    1536:PhUaYzMXqtGNttyUn01Q78a4RgphWNFaWp:PhUaY46tGNttyJQ7KR0WDzp

Score
8/10
spywarestealer

Malware Config

Signatures

  • Drops file in Drivers directory 2 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3444
      • C:\Users\Admin\AppData\Local\Temp\28f9014ef8781f01a437a7bc88b51138a85b457285e353e09b57ee93dce8d2d3.exe
        "C:\Users\Admin\AppData\Local\Temp\28f9014ef8781f01a437a7bc88b51138a85b457285e353e09b57ee93dce8d2d3.exe"
        2⤵
        • Drops file in Drivers directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:760
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2524
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:220
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a50B0.bat
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:1164
            • C:\Users\Admin\AppData\Local\Temp\28f9014ef8781f01a437a7bc88b51138a85b457285e353e09b57ee93dce8d2d3.exe
              "C:\Users\Admin\AppData\Local\Temp\28f9014ef8781f01a437a7bc88b51138a85b457285e353e09b57ee93dce8d2d3.exe"
              4⤵
              • Executes dropped EXE
              PID:2136
          • C:\Windows\Logo1_.exe
            C:\Windows\Logo1_.exe
            3⤵
            • Drops file in Drivers directory
            • Drops startup file
            • Executes dropped EXE
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:1780
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:3376
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:4884
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:4652
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:5112

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
            Filesize

            258KB

            MD5

            ebb1acf3749aab2799316e438dfdbdf4

            SHA1

            704fe023ab74891eeff0ba9779303aff0b0da5aa

            SHA256

            2f7d16cda5245419705eeff7f92014c5d80e91d8a2d04beff74d79f832f7e77f

            SHA512

            ff93751e380f95501d316a68f459a42e116d3ca10a1d609f4f48ca679e5b9c820021ab2c1869a8d13c5a47a291a3f81e6e22966f41ed55f0f4d64a65902bacb4

            Download Submit

          • C:\Program Files\7-Zip\7z.exe
            Filesize

            577KB

            MD5

            ee6d14491d3255f801199b612664b479

            SHA1

            b56d2b1b62695a40ac4251977b32a3fc24decb3f

            SHA256

            d02d67be4e0fcfe6447e2b256b1866b0a976400bf7a5fb610bda2dc617ef7179

            SHA512

            d73530d0ec59f83068f5b5f7ecc2a2f7551d19e69bc5a5d938ee62957ea1baceb181bccee81cbd802a85e9ba1d0aba037da6dd96710691c7f387e0c59524f73c

            Download Submit

          • C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
            Filesize

            643KB

            MD5

            c68e034d324260384602839c6e3295de

            SHA1

            add6ebe18274a2afd7756fcb2b5be590125eff7f

            SHA256

            8317babad7376315f76f48454d7f4057d60f2a13f0e469a7c877473b220af74f

            SHA512

            7c956a76088bae2a425fc13f8484027ae04bc9995b7ca85a92125801e0676ff660c2a1fcb4640424883455bc10a84d39788032d884e7b64178693b1a2a0885cb

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\$$a50B0.bat
            Filesize

            722B

            MD5

            abac0749d0142cdfa441f76ef9193e6d

            SHA1

            d870af6dd7a9d8e928f9b183d673ed6a212d891f

            SHA256

            38a05c8a1e6008f4b487993346476f7072a89060e8523b8509ce49a2e3827a3b

            SHA512

            4934d8bdf73c3cfe5b242da5113de6b024c7ea7bd58df441e20f693a5269ecd7e75d179faaac22e0aec571d84e5bb0b2e45b23fd43c9d03f0e9238f972adce7b

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\28f9014ef8781f01a437a7bc88b51138a85b457285e353e09b57ee93dce8d2d3.exe.exe
            Filesize

            19KB

            MD5

            d7acce9a9cc1c75c377dad3c79eba7ff

            SHA1

            9c1a0eb12e8cac44ecbde6dac2d6e4852e21e0b3

            SHA256

            0e4d0729fac0a78ae1fef66333e70fdce7c643ed84dd9033ab022111c61fd5a4

            SHA512

            10716d1fdf3467348476130fb4a118c0cbf2064397bd53f1e0c709c0463693f06d2d1ab070eb85fb87bccb4cb06d213c3c0cd25ebd1635e61dc7a6ea043e4447

            Download Submit

          • C:\Windows\Logo1_.exe
            Filesize

            33KB

            MD5

            b889976a7791068af99766aca8f357d8

            SHA1

            146247c065098fb7f98f6cc1094825486b77d65c

            SHA256

            2d86f486401387ff3dcf30a8ffca900063a26c269b2e44bc1b925cbfafc30e92

            SHA512

            bad98a62f1e63adf7fef79f14ea027179ad4255a862f30114918046d14c89256cd2f5dcc3044941ecde471d9ede8d18a4ee040ca300cd1a9b9243aabbeee9558

            Download Submit

          • C:\Windows\system32\drivers\etc\hosts
            Filesize

            842B

            MD5

            6f4adf207ef402d9ef40c6aa52ffd245

            SHA1

            4b05b495619c643f02e278dede8f5b1392555a57

            SHA256

            d9704dab05e988be3e5e7b7c020bb9814906d11bb9c31ad80d4ed1316f6bc94e

            SHA512

            a6306bd200a26ea78192ae5b00cc49cfab3fba025fe7233709a4e62db0f9ed60030dce22b34afe57aad86a098c9a8c44e080cedc43227cb87ef4690baec35b47

            Download Submit

          • F:\$RECYCLE.BIN\S-1-5-21-3571316656-3665257725-2415531812-1000\_desktop.ini
            Filesize

            9B

            MD5

            e850d9ceb7ebcc619d731dc2f1377b2b

            SHA1

            a45553c9057075c02e28f90d5e8ea57a0dddbacc

            SHA256

            b682a6e85069777ca22f84b99607acd09640eaa80029d74363c0a5aabddead4c

            SHA512

            be92bd8393d0fe69559ec55e1068fcd77ccc699361a9cb98d467bd51a029c371852b7a1196ad53fa8865e956582e6a4d35f6ac6fea3832058b7a427133b0048c

            Download Submit

          • memory/760-0-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/760-11-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/1780-12-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/1780-20-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/1780-2526-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/1780-8662-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download