Overview

overview

7

Static

static

3

06b195b918...e1.exe

windows7-x64

7

06b195b918...e1.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    30-05-2024 14:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    06b195b9184ba7b73594976c2580f69fd7761a18904e9006dd76a950a6215ee1.exe

  • Size

    33KB

  • MD5

    0323b99a69386f583bbf4aae937b7b9b

  • SHA1

    c4c2024f4b57285e959f6709d007b9fbac8ab7c4

  • SHA256

    06b195b9184ba7b73594976c2580f69fd7761a18904e9006dd76a950a6215ee1

  • SHA512

    6055a4c8e534622d2257ec2d56c5e751b996c97347296479c2e9590a169bb5c019f03fd34757ba248fa4f337b6484c57b2ddcb08b9f49c996446ef797aef3c4e

  • SSDEEP

    768:O+bjjpQFJFKZj1PVs9Ag1vzbrqaMKJcrsu:O+becx1aeg1v2axu

Score
7/10
spywarestealer

Malware Config

Signatures

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 30 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1380
      • C:\Users\Admin\AppData\Local\Temp\06b195b9184ba7b73594976c2580f69fd7761a18904e9006dd76a950a6215ee1.exe
        "C:\Users\Admin\AppData\Local\Temp\06b195b9184ba7b73594976c2580f69fd7761a18904e9006dd76a950a6215ee1.exe"
        2⤵
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2896
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2968
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:2772
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:3032
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              4⤵
                PID:2156

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Program Files\7-Zip\7zG.exe
          Filesize

          601KB

          MD5

          fb651d34c7c21993eba3ad0dfb231bbd

          SHA1

          62352d5f48be0cade19fe8f02cb971c8b4860737

          SHA256

          e0f65ae531d1a4c854390fa44ae74f5a2a386f6329fae873e24901d81650a5b4

          SHA512

          953b11813c70c3860989134224c4d1e2b720491aea0598681c6a3a5941dd2e0f9ef8b23a9f7d53e76b6ee7bf88fa630c93c9f67d813a1488a97d27803c5ef178

          Download Submit

        • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
          Filesize

          478KB

          MD5

          70869c207f3a67470417ed76a8cc4735

          SHA1

          e9e84c30b2cca82e93d507eeace7b33eac862a61

          SHA256

          0de9fa997f757c78ba0675e7ba54c1e7b1a39c88cebded15b2a0ede357679428

          SHA512

          193067577ab3f4c7a7798d61b1c0d4a40ef6fabfa4ebf28709d7f226327e9f3f329ed635f83baf5b90eaeabc45df3ae68a7fa247ff0d123df3dd06eee369cfdc

          Download Submit

        • F:\$RECYCLE.BIN\S-1-5-21-3627615824-4061627003-3019543961-1000\_desktop.ini
          Filesize

          9B

          MD5

          588b2065b2adfd8dfd688104d02aad5a

          SHA1

          263f0ca294d728a13f51220aea8123aa257cc6e2

          SHA256

          f9ab49edf14c6bda17287f7caa63d3b3bb20a65215f1462cf05577a5c1c472e6

          SHA512

          99106035ac4547c81fd737f5f79ddd32ea10fde9e3ea97102472c871aa9f94ee3f68823bcc4bb308e92265a9c3cacd4b1f5c9f52f8d3e630cdf6bdcd3c737e2d

          Download Submit

        • memory/1380-3-0x0000000002B10000-0x0000000002B11000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2896-0-0x0000000000400000-0x000000000043D000-memory.dmp

          Filesize

          244KB

          Download

        • memory/2896-7-0x0000000000400000-0x000000000043D000-memory.dmp

          Filesize

          244KB

          Download

        • memory/2896-3254-0x0000000000400000-0x000000000043D000-memory.dmp

          Filesize

          244KB

          Download

        • memory/2896-4059-0x0000000000400000-0x000000000043D000-memory.dmp

          Filesize

          244KB

          Download