Overview

overview

7

Static

static

3

031d9cd7c4...a9.exe

windows7-x64

7

031d9cd7c4...a9.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    04/06/2024, 18:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    031d9cd7c4be70fe389b40e712b28337658c00e50162cb89ac90dd0deee16ba9.exe

  • Size

    93KB

  • MD5

    0c9ede513a97b2aef46d6a760bf1ce0b

  • SHA1

    eb988a2dfc6d20b0620b959c893d6c5cec2d8969

  • SHA256

    031d9cd7c4be70fe389b40e712b28337658c00e50162cb89ac90dd0deee16ba9

  • SHA512

    bc3e57c6d0ed7807678706d00eb9cb5c108c06ea8e3708f53a246760f86765e3e570434c0a067dd0ab95d5463c62349dc3325597ab3593235e8eab4a827f3cf0

  • SSDEEP

    1536:6Rcx1aeg1v9OQZVUKM6+kKpeJvJnBpwdaMIOOnToIfiV6pdQ:6Rf9lOzKM5peJvxKaCqTBfioo

Score
7/10
spywarestealer

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 43 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1104
      • C:\Users\Admin\AppData\Local\Temp\031d9cd7c4be70fe389b40e712b28337658c00e50162cb89ac90dd0deee16ba9.exe
        "C:\Users\Admin\AppData\Local\Temp\031d9cd7c4be70fe389b40e712b28337658c00e50162cb89ac90dd0deee16ba9.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2084
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1780
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:1636
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c C:\Users\Admin\AppData\Local\Temp\$$a8E6.bat
            3⤵
            • Deletes itself
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:2520
            • C:\Users\Admin\AppData\Local\Temp\031d9cd7c4be70fe389b40e712b28337658c00e50162cb89ac90dd0deee16ba9.exe
              "C:\Users\Admin\AppData\Local\Temp\031d9cd7c4be70fe389b40e712b28337658c00e50162cb89ac90dd0deee16ba9.exe"
              4⤵
              • Executes dropped EXE
              PID:2412
          • C:\Windows\Logo1_.exe
            C:\Windows\Logo1_.exe
            3⤵
            • Executes dropped EXE
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:1248
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:2564
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:2616
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:2960
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:2160

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
            Filesize

            478KB

            MD5

            ec52a7c41d8fe6a425af4a49d3ff8692

            SHA1

            06d3654358703be938fcee47e29e38ee38702b59

            SHA256

            45b71822efada34915ef05af5fa772700dc0981a7ec84b5f3ff938fc522e2e48

            SHA512

            f3cd793d93823527a7dce92032774f0b4b8656ba5234251f27c4ff203811a54649b93c12bff4e374d3950652897b0e1c51845caea57c86593d45cc3d060b348b

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\$$a8E6.bat
            Filesize

            721B

            MD5

            d81c0c696d9bde93195a0dacb339c2f6

            SHA1

            069230fc7078a784c2c5794c31cd8758b5409727

            SHA256

            d6d5cee9222e3a0138d238a977eac361e25cc8d502531d66e78f5e63a535b2de

            SHA512

            c321164f81ee77c26e4ce2fdf91a9687dc560e9b0782e003ea748e4c55593f1adc940067bb0efd617d00adf010ac228fcbe04fd3151373a39511fec1cc4510d8

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\031d9cd7c4be70fe389b40e712b28337658c00e50162cb89ac90dd0deee16ba9.exe.exe
            Filesize

            60KB

            MD5

            7b112b1fb864c90ec5b65eab21cb40b8

            SHA1

            e7b73361f722fc7cbb93ef98a8d26e34f4d49767

            SHA256

            751941b4e09898c31791efeb5f90fc7367c89831d4a98637ed505e40763e287b

            SHA512

            bf9cdeff39cc4fa48457c55ad02e3856b5b27998535aed801a469252f01e7676462332fa3f93877753e963d037472f615c1fc5fc2e996316621b4e0a180cb5f5

            Download Submit

          • C:\Windows\Logo1_.exe
            Filesize

            33KB

            MD5

            5553d3ee0be1b8b190a8cabf5ac62a7d

            SHA1

            6e05d4872a18ec838e986aaf8702941fc3ebdbed

            SHA256

            71cd5ce8ac64bb6d980085861a384c45af9ab7f69e66a1c5425b72f451bba722

            SHA512

            dca7f12e7f67945e2dfd77ad6180ad2a87d5cac7751715a7a1fb070c7573f9ff3f3911ff28ba96fc47fcb2e7459f0076d167d0dd28edd6d96b0204a4234fc452

            Download Submit

          • F:\$RECYCLE.BIN\S-1-5-21-3452737119-3959686427-228443150-1000\_desktop.ini
            Filesize

            8B

            MD5

            378d822ce12583d0d584184af22d1d77

            SHA1

            c062ac770b028df6db676099e02f09fc2f77b171

            SHA256

            1ad01f8e46c86dfa34468e306eabe54b58d56134130b53ea7677961e3baaf6c7

            SHA512

            23cf7b916de734c6bb6fd3b2beee21f3e82bc95e93d8662dca818d7cf13602706f22671dce61388b2a7e0b613c07c70512331c4132759b16cf438cb1750bc397

            Download Submit

          • memory/1104-28-0x0000000002DA0000-0x0000000002DA1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1248-18-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/1248-31-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/1248-3279-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/1248-4094-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/2084-0-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/2084-16-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download