Analysis

  • max time kernel
    150s
  • max time network
    94s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20240426-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    31/05/2024, 15:32

General

  • Target

    814446fb9e1cb93b974ec91e848733bb349d66dc7cc8d9220a98eec278613c8e.exe

  • Size

    33KB

  • MD5

    696135503b001f31cb4cd7844c3e430c

  • SHA1

    92344ef238d4e3e40fc6e7172d91f58d81bb088a

  • SHA256

    814446fb9e1cb93b974ec91e848733bb349d66dc7cc8d9220a98eec278613c8e

  • SHA512

    b0fdf9962a73ce5307fa7283767cc3a6909a02d36ac0776550499c0a81e160917c3e4dd907fa83e617138013107e59dba116f90e3500c13e60f3f0340ebc65ee

  • SSDEEP

    768:mYBldh+Vxr1x5cE9Fl5pz8UOutDlMXaoSunjXWNN:/BVsrz8VuJlMXaDuiN

Score
7/10

Malware Config

Signatures

  • Drops startup file 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 60 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3572
      • C:\Users\Admin\AppData\Local\Temp\814446fb9e1cb93b974ec91e848733bb349d66dc7cc8d9220a98eec278613c8e.exe
        "C:\Users\Admin\AppData\Local\Temp\814446fb9e1cb93b974ec91e848733bb349d66dc7cc8d9220a98eec278613c8e.exe"
        2⤵
        • Drops startup file
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:3216
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1504
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:4820
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:3776
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              4⤵
                PID:3940

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
    Filesize
    258KB
    MD5
    716cf04b905e9d25d89e76dd2b521b7a
    SHA1
    4464bc7b43656fce19a801c5a77f53027b5748fa
    SHA256
    68c254e4a94926e48dda2811138fac91afef667c3da61e3838c104fd16397f81
    SHA512
    cbebb128990ece59a3d052e5d6edfc8bacf33d74aad72f31bd6a98a91194088a5d9a460ac8000fec4cedbe019dc6bfca38912832be0e151bcd2e1f4984b4e578

  • C:\Program Files\7-Zip\Uninstall.exe
    Filesize
    48KB
    MD5
    3f22fddb325a0a9243dda414bd9f2497
    SHA1
    2fdb8785724fd9312c4859b9bf908dcede4b1309
    SHA256
    0aa3a52b2cbb61c275eb990123dd78e1d1334b098adf93a919e856ff8dbe957b
    SHA512
    6c690ba78e03c1cb0ae5195a57567ba02bacf055a0043c48408fa8e89c0eb35ccfbaf5c904a6af0068ce95e6dcfb3ed661d14baa00a06b103bcf65e80e938f9f

  • C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
    Filesize
    644KB
    MD5
    11e0853d537d2721ecc655c1fc527e91
    SHA1
    c8e23d103e93073ba7c93374878ae9a9f926c944
    SHA256
    f168cda7cfa0f4f1d8dc26f615772410afe41b43fbc3da3cfe2c249b1eadca30
    SHA512
    3e5af85789e480d355053e9ded02108ae53136aec795d5d37faf1d5426275f7f3729e5583b0a95b3434d5b4452c7382405c0f8bc94e8a65275335c62268e0ee2

  • F:\$RECYCLE.BIN\S-1-5-21-1162180587-977231257-2194346871-1000\_desktop.ini
    Filesize
    9B
    MD5
    0e9e05c07df1bfb27555d84deb706050
    SHA1
    48ebafcf728d66a097bc66ad41b73d7a757c1a0c
    SHA256
    8f1b205bcc3039e60fbcea0063608e012fd662abb41bba5469d530e2c305174d
    SHA512
    d88c9a9bdf6f386278ba86cf3523334eeb5e9efefa9776bc92bdffa41f0c4937e64a7b5f3821b324e13372fa662aa4fb028676f7ed0a73c989edabd490bd05f5

  • memory/3216-0-0x0000000000400000-0x0000000000440000-memory.dmp
    Filesize
    256KB

  • memory/3216-3-0x0000000000400000-0x0000000000440000-memory.dmp
    Filesize
    256KB

  • memory/3216-5205-0x0000000000400000-0x0000000000440000-memory.dmp
    Filesize
    256KB

  • memory/3216-8690-0x0000000000400000-0x0000000000440000-memory.dmp
    Filesize
    256KB