Overview

overview

7

Static

static

3

2ed4f28617...2d.exe

windows7-x64

7

2ed4f28617...2d.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    156s
  • max time network
    159s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03/06/2024, 14:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2ed4f286176b758828fa329abf331c7ebb2be5e3a795354ddb9411505733002d.exe

  • Size

    679KB

  • MD5

    a09c7a50107d715c27a7402842583000

  • SHA1

    57137b67518fc5cf4852d67a0b1f35f38b8fac11

  • SHA256

    2ed4f286176b758828fa329abf331c7ebb2be5e3a795354ddb9411505733002d

  • SHA512

    67e2434b15bd07add47f00953602832a64fd7efb8fa2c10b13ab66b49e6f9228bfe354257c5206b83ce02735e42958cab78728858cefce5929e1c798a5c7c905

  • SSDEEP

    12288:PqP+dCCY8iLpstMzcsP3v13lRoZXWyRqns/V0ODGzr6j:PqP+dCCY8iLJ1AlWGqs/V0ODd

Score
7/10
spywarestealer

Malware Config

Signatures

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3332
      • C:\Users\Admin\AppData\Local\Temp\2ed4f286176b758828fa329abf331c7ebb2be5e3a795354ddb9411505733002d.exe
        "C:\Users\Admin\AppData\Local\Temp\2ed4f286176b758828fa329abf331c7ebb2be5e3a795354ddb9411505733002d.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:4440
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2248
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:2872
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a3D62.bat
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:3628
            • C:\Users\Admin\AppData\Local\Temp\2ed4f286176b758828fa329abf331c7ebb2be5e3a795354ddb9411505733002d.exe
              "C:\Users\Admin\AppData\Local\Temp\2ed4f286176b758828fa329abf331c7ebb2be5e3a795354ddb9411505733002d.exe"
              4⤵
              • Executes dropped EXE
              PID:212
          • C:\Windows\Logo1_.exe
            C:\Windows\Logo1_.exe
            3⤵
            • Drops startup file
            • Executes dropped EXE
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:4268
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:748
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:4736
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:2980
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:3136
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4264 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8
            1⤵
              PID:1100

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
              Filesize

              258KB

              MD5

              2acb72abe029ea0f8b63f8cb07936758

              SHA1

              4011365098ce38d0be92ae0a06077f8fdaa66bd2

              SHA256

              ca16328c99916601a5446d2dddbfb299a823b42e75271a8853032068d43554da

              SHA512

              3c9c919614d28e6dcb8f1de366953bf083aa29a5a32d784dc52e4a7bdcf11e52edb160c0ee3214f311a4dd9581d68555419eb11a00b5762eeaec4df24a64604d

              Download Submit

            • C:\Program Files\7-Zip\7z.exe
              Filesize

              577KB

              MD5

              270de10114c32e8d0e40e7a2fec6c91a

              SHA1

              5fc112d29ff7fe1f1b128cadd346ff004b90976f

              SHA256

              3eb22e81769a2aac9078d54d30aae9819ade35e3d07a6bf309f4d93f8e9ab4b7

              SHA512

              20b6deb47955c573c551f4633578306d6a6487c4775dc7db6de2128afbb2977c21c5df95e1c628144c240326c97738952e6f19d04be379a3cca12ff1c37e8f9b

              Download Submit

            • C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe
              Filesize

              488KB

              MD5

              97c225a6076098457011512e3a98608e

              SHA1

              7acea60aaf36af0706e86969c48cab55873e0f87

              SHA256

              d51354447034e0374f2596da08118c1ffc638945cca8bbf623f8a9ef1fbd3440

              SHA512

              37b7e78ad8bfa72ed9eb380f8776007e525fabb44f07636993c30814a9076de673563437d942d4e31eaff9bf1092190343c0d8ff112ad630b3e3727f8a0ed90f

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\$$a3D62.bat
              Filesize

              722B

              MD5

              1f2ae541a0a084d508eda7b7b9ed9cf0

              SHA1

              4ce563e90c3679e02f1551acd8ffdf51f0087938

              SHA256

              e8849f152d714c23314c3b815ae5c5e8531120a1ce4c18687f20e6c8516e2053

              SHA512

              a0f75dab3c1b49913ebb919983d6c7e65c5c260ef2239bd08218a6e6e5d391c8d95fd1ca97cb7b9ffe5338cc1badca4246a879715442063c653d14edacfd2962

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\2ed4f286176b758828fa329abf331c7ebb2be5e3a795354ddb9411505733002d.exe.exe
              Filesize

              645KB

              MD5

              a6e0d27af296c251d4f0c62d018d5da5

              SHA1

              a86242b075a876fa695610778014a6add2bf500a

              SHA256

              800c58c08323386fa03d9ea6235d6b49c65af94a59091fc68ea2410a1d6d9598

              SHA512

              d6ab0bbf87859ed2cafb6093a75e111bb4bcd7babc44fe5a89f4ffb241338eb66a34d96fd77717cbcfe1c76aa5b2a6938f238487798d44d3c67f8d99ec8727ea

              Download Submit

            • C:\Windows\Logo1_.exe
              Filesize

              33KB

              MD5

              12a0e17b9cf29b4fab8500f5e3e87a7b

              SHA1

              08107884477fa3e9ec065334cfa64c424f47d919

              SHA256

              0cbf2b30b759babbdd5dfc9f7a62b88557b9fcd43caefa1d9cf1d69cfc38bb92

              SHA512

              6564d542284cb4b805d89008dd9f4096eebd87c1e99e43ab24f8d808405ee96df889753d8522cc61695e9f730f31133912e35590536237c685c3046be5669449

              Download Submit

            • F:\$RECYCLE.BIN\S-1-5-21-3808065738-1666277613-1125846146-1000\_desktop.ini
              Filesize

              8B

              MD5

              a6f28952c332969f9e6d9f7d1a449737

              SHA1

              31c0826adb63cc03162fb9e88781f4b50da8f11b

              SHA256

              d9d875805581110dafdfb2ceb34c5e60f50fe720963f9813c287e4845248d208

              SHA512

              8187572ee8fbb9a42af34a3444be3a4309c5a798e7b1f27fce5b28b7168b72d015b1c10e611ccd3a9361af2aaeab831d2734017f77adff341c3fdb876c296eac

              Download Submit

            • memory/4268-731-0x0000000000400000-0x0000000000440000-memory.dmp

              Filesize

              256KB

              Download

            • memory/4268-255-0x0000000000400000-0x0000000000440000-memory.dmp

              Filesize

              256KB

              Download

            • memory/4268-2402-0x0000000000400000-0x0000000000440000-memory.dmp

              Filesize

              256KB

              Download

            • memory/4268-18-0x0000000000400000-0x0000000000440000-memory.dmp

              Filesize

              256KB

              Download

            • memory/4268-4990-0x0000000000400000-0x0000000000440000-memory.dmp

              Filesize

              256KB

              Download

            • memory/4268-10-0x0000000000400000-0x0000000000440000-memory.dmp

              Filesize

              256KB

              Download

            • memory/4268-8771-0x0000000000400000-0x0000000000440000-memory.dmp

              Filesize

              256KB

              Download

            • memory/4268-8817-0x0000000000400000-0x0000000000440000-memory.dmp

              Filesize

              256KB

              Download

            • memory/4440-8-0x0000000000400000-0x0000000000440000-memory.dmp

              Filesize

              256KB

              Download

            • memory/4440-0-0x0000000000400000-0x0000000000440000-memory.dmp

              Filesize

              256KB

              Download