Overview

overview

7

Static

static

3

77436a14e1...7f.exe

windows7-x64

7

77436a14e1...7f.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    04/06/2024, 18:32

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    77436a14e111b387338e9b18ec78583c7b414a2e132ffba08834c3f8ce18b57f.exe

  • Size

    163KB

  • MD5

    314b06fbe3a39e2a4740038f8c2579d7

  • SHA1

    92a2499a964d50156d9fe6f94994acf235f7ac52

  • SHA256

    77436a14e111b387338e9b18ec78583c7b414a2e132ffba08834c3f8ce18b57f

  • SHA512

    4e458c3e52eb13668f89ab0089d83e2fa877e40cde6bf089aa2a9a2421e28f7d54a800a613e5e34ebcfcdd23b4ad1d4c07c5231b03661f38b7abe97cf370339d

  • SSDEEP

    3072:6yf9lOzKM5pZQekqnwLD9m0WjfuRRfEdj4E3f90bC:V1NM5pZQek9if1Vv+W

Score
7/10
spywarestealer

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 43 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1236
      • C:\Users\Admin\AppData\Local\Temp\77436a14e111b387338e9b18ec78583c7b414a2e132ffba08834c3f8ce18b57f.exe
        "C:\Users\Admin\AppData\Local\Temp\77436a14e111b387338e9b18ec78583c7b414a2e132ffba08834c3f8ce18b57f.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1740
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2012
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:2896
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c C:\Users\Admin\AppData\Local\Temp\$$a3063.bat
            3⤵
            • Deletes itself
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:2072
            • C:\Users\Admin\AppData\Local\Temp\77436a14e111b387338e9b18ec78583c7b414a2e132ffba08834c3f8ce18b57f.exe
              "C:\Users\Admin\AppData\Local\Temp\77436a14e111b387338e9b18ec78583c7b414a2e132ffba08834c3f8ce18b57f.exe"
              4⤵
              • Executes dropped EXE
              PID:2660
          • C:\Windows\Logo1_.exe
            C:\Windows\Logo1_.exe
            3⤵
            • Executes dropped EXE
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:2836
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:2852
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:2744
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:2388
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:2680

          Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
                  Filesize

                  478KB

                  MD5

                  ec52a7c41d8fe6a425af4a49d3ff8692

                  SHA1

                  06d3654358703be938fcee47e29e38ee38702b59

                  SHA256

                  45b71822efada34915ef05af5fa772700dc0981a7ec84b5f3ff938fc522e2e48

                  SHA512

                  f3cd793d93823527a7dce92032774f0b4b8656ba5234251f27c4ff203811a54649b93c12bff4e374d3950652897b0e1c51845caea57c86593d45cc3d060b348b

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\$$a3063.bat
                  Filesize

                  722B

                  MD5

                  94613ac88b676b9fa868cf02a3de71a0

                  SHA1

                  30a91f4ac4581a17c14102c7defa37509f73bba3

                  SHA256

                  a5718240f375c1286cf1ca26777dd91b847b92a03652b8be5307213dab309e6d

                  SHA512

                  0c8a087dbcacf128f94622ae2218d3dea427a8071ee9825a192a1fa4948b2fe33b87cb329d1e41446a24e5ef8c85da5c87adbfb01af650dea6dad12674729331

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\77436a14e111b387338e9b18ec78583c7b414a2e132ffba08834c3f8ce18b57f.exe.exe
                  Filesize

                  129KB

                  MD5

                  11111df26aba5a177fbd3ff2821a9e5d

                  SHA1

                  dba82329673e02dd99adbeb2d20538d10b6f484a

                  SHA256

                  25e0e882cca2fc89942924ae208abf9059fe3f8bd87a16f788f8aad1f61521df

                  SHA512

                  4d814017ce21b06208b5cd6814d40e801283a41216ea27986a88af50d2d61d23e9c54c0aafe6a8c509a94d156c59fb3dc8f46b902bcbc5acd185a712d31b2034

                  Download Submit

                • C:\Windows\Logo1_.exe
                  Filesize

                  33KB

                  MD5

                  8672c18abb253393520f7fc6b18384d7

                  SHA1

                  bff7c7e6e156797ff0a6f8702c6dbbdee1f3ceaf

                  SHA256

                  d82951f2780fd4d6ea6328ae66b12c2673bc01ce0de2d7d832481e011c9cdcb8

                  SHA512

                  b9a709825bb369e77e59b181cee69a5db99e1399199b519629d0dd93fffd65d4833dd4addf464dfaefa7b8d9a41ff39fe86421927de4c1bb2048d54a51a577c8

                  Download Submit

                • F:\$RECYCLE.BIN\S-1-5-21-268080393-3149932598-1824759070-1000\_desktop.ini
                  Filesize

                  8B

                  MD5

                  378d822ce12583d0d584184af22d1d77

                  SHA1

                  c062ac770b028df6db676099e02f09fc2f77b171

                  SHA256

                  1ad01f8e46c86dfa34468e306eabe54b58d56134130b53ea7677961e3baaf6c7

                  SHA512

                  23cf7b916de734c6bb6fd3b2beee21f3e82bc95e93d8662dca818d7cf13602706f22671dce61388b2a7e0b613c07c70512331c4132759b16cf438cb1750bc397

                  Download Submit

                • memory/1236-27-0x0000000002DA0000-0x0000000002DA1000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/1740-0-0x0000000000400000-0x000000000043D000-memory.dmp

                  Filesize

                  244KB

                  Download

                • memory/1740-17-0x0000000000400000-0x000000000043D000-memory.dmp

                  Filesize

                  244KB

                  Download

                • memory/2836-18-0x0000000000400000-0x000000000043D000-memory.dmp

                  Filesize

                  244KB

                  Download

                • memory/2836-31-0x0000000000400000-0x000000000043D000-memory.dmp

                  Filesize

                  244KB

                  Download

                • memory/2836-3302-0x0000000000400000-0x000000000043D000-memory.dmp

                  Filesize

                  244KB

                  Download

                • memory/2836-4131-0x0000000000400000-0x000000000043D000-memory.dmp

                  Filesize

                  244KB

                  Download