Overview

overview

7

Static

static

3

da65973382...a8.exe

windows7-x64

7

da65973382...a8.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    28/05/2024, 10:08

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    da6597338202df1353d07657160df1bdc6fb497cc313a120c130946deccf10a8.exe

  • Size

    107KB

  • MD5

    fb5ee83732a6d6163f7fbb70be1ee7f6

  • SHA1

    76543f409a219eb6c69b3be4eb30849d21829969

  • SHA256

    da6597338202df1353d07657160df1bdc6fb497cc313a120c130946deccf10a8

  • SHA512

    adf05751b0b0dd4e42a093d7ea71ae6f2451b117b8a236d64a225724eaf068407d8de351219030708b1328910eb0a735c6b27e92b9b25f4f886099f0a1edfeab

  • SSDEEP

    1536:/BFsrz8VuJlMXaDuiNtAIqneOsUJouGB1YiXlJYZhA2zOsvLZt5y0XWE:/Bo8ulMXaKkSexUJo9n1JkhIeLJmE

Score
7/10
spywarestealer

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 43 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1168
      • C:\Users\Admin\AppData\Local\Temp\da6597338202df1353d07657160df1bdc6fb497cc313a120c130946deccf10a8.exe
        "C:\Users\Admin\AppData\Local\Temp\da6597338202df1353d07657160df1bdc6fb497cc313a120c130946deccf10a8.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2400
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2760
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:2584
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c C:\Users\Admin\AppData\Local\Temp\$$a2BE1.bat
            3⤵
            • Deletes itself
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:2692
            • C:\Users\Admin\AppData\Local\Temp\da6597338202df1353d07657160df1bdc6fb497cc313a120c130946deccf10a8.exe
              "C:\Users\Admin\AppData\Local\Temp\da6597338202df1353d07657160df1bdc6fb497cc313a120c130946deccf10a8.exe"
              4⤵
              • Executes dropped EXE
              PID:2668
          • C:\Windows\Logo1_.exe
            C:\Windows\Logo1_.exe
            3⤵
            • Executes dropped EXE
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:2700
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:2840
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:2504
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:2472
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:2548

          Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
                  Filesize

                  258KB

                  MD5

                  02569885e9369db7f7e10caf1b50ba83

                  SHA1

                  10a6f75e80a9f81aa4c6143a31eb419ff252c667

                  SHA256

                  f9fbd769b3a8bcc2a77241fa76adb574009dd443f0ebe5913450e2e9f21d87da

                  SHA512

                  d18ea18d470cde35ac5f775b8f51d9d0bbaeea64312a30ea4ed7261174cdc3c8ac60e8f205004bcac90c937fa732851d3f5bdf5dde3417b624f1ee24e87640c3

                  Download Submit

                • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
                  Filesize

                  478KB

                  MD5

                  5264aab343fc1f53c29d1065346d0010

                  SHA1

                  db43bc0b28b4ada0c5635db50fd0b64410ab76ad

                  SHA256

                  d33d56847b353c8207a43aa01cc75527328ebf4bba669e90e29266d1b6fb57dd

                  SHA512

                  bb4ba1f7c5cae56cef564dd99f1a1fd3e2c656f8004f689a22ea641d886cbb3a19dde3dce5be4cf8cee4ce190170fd8c5390cb9c7c40ae54109559685119a958

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\$$a2BE1.bat
                  Filesize

                  722B

                  MD5

                  7c02a0c356b02159ba2f730da68f07f3

                  SHA1

                  4ff1f8ea0675bd511e011b46c1e15a17548bca0a

                  SHA256

                  11400b53804c70a17fce55591615497c55d26e7ad2f65bf971cabc30b08f185b

                  SHA512

                  3f27734e409315bc2858d5070c8262b3e05f6816ae3257d1bcfee74e8a63c6bf8f9bc732805cd4f933bc13deb74d7e8eec589c5a30c86fa92dd4e482fb391ce6

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\da6597338202df1353d07657160df1bdc6fb497cc313a120c130946deccf10a8.exe.exe
                  Filesize

                  74KB

                  MD5

                  17b9c8d17a708fefb05ab4aa1fdfc042

                  SHA1

                  fe30739f0aefe686641c97bf6fbae86d2dd9b64f

                  SHA256

                  4d61edeac9ba6e464cfb0b941935f47620d95adbadba759506937aaa5f715418

                  SHA512

                  4307b139860d44eb80bf6aace37cbd576a06f7f073e245bb60e3cbe4ffb00f6c863fe5526c2a931bbe967867c7e281421f8d64f8593607e612a1c452c8ba4715

                  Download Submit

                • C:\Windows\Logo1_.exe
                  Filesize

                  33KB

                  MD5

                  e88b528305eba2eaa41bd67d5be2f3e9

                  SHA1

                  46ab8f327b9ad592d6b6e2786ff0c5a5735acbfb

                  SHA256

                  8549f3ecbe5d5d917c87472123a8ffc41b19b52c94b1fbc7089a971436dfe5ae

                  SHA512

                  8437f856ced59ed9edb400139bcc5bb083164c52fd843d058d94bd40243b3314af75e3fd18380708561a00a80c7160153a40e768c493f08ea4afc102357252e7

                  Download Submit

                • F:\$RECYCLE.BIN\S-1-5-21-2737914667-933161113-3798636211-1000\_desktop.ini
                  Filesize

                  9B

                  MD5

                  e850d9ceb7ebcc619d731dc2f1377b2b

                  SHA1

                  a45553c9057075c02e28f90d5e8ea57a0dddbacc

                  SHA256

                  b682a6e85069777ca22f84b99607acd09640eaa80029d74363c0a5aabddead4c

                  SHA512

                  be92bd8393d0fe69559ec55e1068fcd77ccc699361a9cb98d467bd51a029c371852b7a1196ad53fa8865e956582e6a4d35f6ac6fea3832058b7a427133b0048c

                  Download Submit

                • memory/1168-28-0x00000000024B0000-0x00000000024B1000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/2400-0-0x0000000000400000-0x0000000000440000-memory.dmp

                  Filesize

                  256KB

                  Download

                • memory/2400-18-0x0000000000400000-0x0000000000440000-memory.dmp

                  Filesize

                  256KB

                  Download

                • memory/2400-12-0x0000000000440000-0x0000000000480000-memory.dmp

                  Filesize

                  256KB

                  Download

                • memory/2700-20-0x0000000000400000-0x0000000000440000-memory.dmp

                  Filesize

                  256KB

                  Download

                • memory/2700-32-0x0000000000400000-0x0000000000440000-memory.dmp

                  Filesize

                  256KB

                  Download

                • memory/2700-3347-0x0000000000400000-0x0000000000440000-memory.dmp

                  Filesize

                  256KB

                  Download

                • memory/2700-4173-0x0000000000400000-0x0000000000440000-memory.dmp

                  Filesize

                  256KB

                  Download