Overview

overview

7

Static

static

3

65517ce5a8...b6.exe

windows7-x64

7

65517ce5a8...b6.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags

    arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
  • submitted
    28/05/2024, 09:56

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    65517ce5a8b60ab6a5386afdd85c4e71cbc957b885a51769e302d80151676ab6.exe

  • Size

    279KB

  • MD5

    d5018dd648f3d30f30be13ccf753f0d5

  • SHA1

    233590dab8a65e703f31aade6908345ca98f92fb

  • SHA256

    65517ce5a8b60ab6a5386afdd85c4e71cbc957b885a51769e302d80151676ab6

  • SHA512

    ed6ca78340745722725634325248f461c10a558c8f728a342a1d156c01d1f734c875a1de51550385067ef5b092694cbf5bc274f6230096c5a24def55ba6a501f

  • SSDEEP

    6144:nG5KmhdFu+qQbdy5SahDbyLxoROmeOprx3v0:nP6JqQZy5SfOROj

Score
7/10
spywarestealer

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 43 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1180
      • C:\Users\Admin\AppData\Local\Temp\65517ce5a8b60ab6a5386afdd85c4e71cbc957b885a51769e302d80151676ab6.exe
        "C:\Users\Admin\AppData\Local\Temp\65517ce5a8b60ab6a5386afdd85c4e71cbc957b885a51769e302d80151676ab6.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1732
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2108
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:2636
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c C:\Users\Admin\AppData\Local\Temp\$$aACA.bat
            3⤵
            • Deletes itself
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:2660
            • C:\Users\Admin\AppData\Local\Temp\65517ce5a8b60ab6a5386afdd85c4e71cbc957b885a51769e302d80151676ab6.exe
              "C:\Users\Admin\AppData\Local\Temp\65517ce5a8b60ab6a5386afdd85c4e71cbc957b885a51769e302d80151676ab6.exe"
              4⤵
              • Executes dropped EXE
              PID:2792
          • C:\Windows\Logo1_.exe
            C:\Windows\Logo1_.exe
            3⤵
            • Executes dropped EXE
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:2404
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:2788
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:2544
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:2308
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:2508

          Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
                  Filesize

                  258KB

                  MD5

                  8a216d268fb4892b3af2e79a279a2a23

                  SHA1

                  51916b0eeb6d61280fac7de0363254427f245762

                  SHA256

                  c7a2a1b862ba9fdf706edd930c09dd07af8fb44f3edcfe0a22b41899eebae31d

                  SHA512

                  30adf4d918017584c668d9bacf0f6263a9f47087303aaa46ca6a0c9a1e96644fb54b7110ede95819e5782ca189909ce84af8bc80c2a5c1ac21cb62f33f729e93

                  Download Submit

                • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
                  Filesize

                  478KB

                  MD5

                  50cb47f0239e9a2044dfa0b0e6d92c14

                  SHA1

                  2b20d81a810449f5b994c3d785b6a8f7700a023f

                  SHA256

                  fa436f5c793efd8b5908c7bb003a95e126a350f3c5e51edd18ccdaf28aaba7e3

                  SHA512

                  27cdb9f9248870b1595fa8ff7f975fe225e80f43f47a6aac2867eadbad0dfea347c4ffa3bd6d52ba95d72d81cc12314b9ab9833d118b7a7bb0be707479371049

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\$$aACA.bat
                  Filesize

                  721B

                  MD5

                  6147735fcb03b9c24af7a717979e99ad

                  SHA1

                  5e5b147b23277d0faf869e221a1ee2f965b7d432

                  SHA256

                  cfdc56a12429b4d1dc1f0c1250c35e0b72779dbbd2bbf4e0785d391aac535397

                  SHA512

                  3807e6d5d44738d89b274f820a573886c8ecf722c6a47b2428454579171fb8df50088e9375cba79bc06f7be019c322d653dc3c81b86809877fb14439cf05ba90

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\65517ce5a8b60ab6a5386afdd85c4e71cbc957b885a51769e302d80151676ab6.exe.exe
                  Filesize

                  245KB

                  MD5

                  e84927bc7e4bef6af8daf8640d95325e

                  SHA1

                  796cfbd54995d1340e3bdd9329e6d165af8c3859

                  SHA256

                  7744d4c0da090157809e65259fb2682e8149b3fcf64a055607ab04f0cb732ea6

                  SHA512

                  dd8c9e848100b8c67f8ac5a01e76bc11843e36824d501eca797c9560b0c99a1349ede26e5da0f57a1c66c817d0caf99284dbf968e9f5df442a7c64c88dffb261

                  Download Submit

                • C:\Windows\Logo1_.exe
                  Filesize

                  33KB

                  MD5

                  3905de443e3362c9a3cf7a99ec967853

                  SHA1

                  fad6b90d31da3df8c885fac5d78de93bec539fec

                  SHA256

                  4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c

                  SHA512

                  151968a824d131913cec483882b9a636aaa1202647f703b376b495e09f3ac1377aed756e85a449613a9cea4487cf9522ec2951e00ecb095e709eb55d21fe4183

                  Download Submit

                • F:\$RECYCLE.BIN\S-1-5-21-481678230-3773327859-3495911762-1000\_desktop.ini
                  Filesize

                  9B

                  MD5

                  e850d9ceb7ebcc619d731dc2f1377b2b

                  SHA1

                  a45553c9057075c02e28f90d5e8ea57a0dddbacc

                  SHA256

                  b682a6e85069777ca22f84b99607acd09640eaa80029d74363c0a5aabddead4c

                  SHA512

                  be92bd8393d0fe69559ec55e1068fcd77ccc699361a9cb98d467bd51a029c371852b7a1196ad53fa8865e956582e6a4d35f6ac6fea3832058b7a427133b0048c

                  Download Submit

                • memory/1180-28-0x0000000002E10000-0x0000000002E11000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/1732-0-0x0000000000400000-0x0000000000440000-memory.dmp

                  Filesize

                  256KB

                  Download

                • memory/1732-12-0x00000000001C0000-0x0000000000200000-memory.dmp

                  Filesize

                  256KB

                  Download

                • memory/1732-18-0x0000000000400000-0x0000000000440000-memory.dmp

                  Filesize

                  256KB

                  Download

                • memory/2404-32-0x0000000000400000-0x0000000000440000-memory.dmp

                  Filesize

                  256KB

                  Download

                • memory/2404-3343-0x0000000000400000-0x0000000000440000-memory.dmp

                  Filesize

                  256KB

                  Download

                • memory/2404-4174-0x0000000000400000-0x0000000000440000-memory.dmp

                  Filesize

                  256KB

                  Download