Overview

overview

7

Static

static

3

5e186b691a...a9.exe

windows7-x64

7

5e186b691a...a9.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    05/06/2024, 18:38

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    5e186b691ae85f4ec27be7a8b02ff68a6f993b5a5bacbefd593a6351418e48a9.exe

  • Size

    58KB

  • MD5

    7be685a4660bb0e6a078304e0fea7ea5

  • SHA1

    30cb1cf148225dc942fed67f37d3e2443d71b8da

  • SHA256

    5e186b691ae85f4ec27be7a8b02ff68a6f993b5a5bacbefd593a6351418e48a9

  • SHA512

    55a8d57454f8fa7b96ba6e91f2b66d46ad5c6370d9a7ada2ac35eb675ac0e7887c19a9df226b8b13f84c22c5165ba683b74c6cf033ae000e9c93a2d81e9b30d5

  • SSDEEP

    1536:BUcx1ae9n40g4ZoeVWsHh3jF89vOnl6vAOxJ0lM:BUfZ4ZHUI4GlIAOxJV

Score
7/10
spywarestealer

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 43 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1184
      • C:\Users\Admin\AppData\Local\Temp\5e186b691ae85f4ec27be7a8b02ff68a6f993b5a5bacbefd593a6351418e48a9.exe
        "C:\Users\Admin\AppData\Local\Temp\5e186b691ae85f4ec27be7a8b02ff68a6f993b5a5bacbefd593a6351418e48a9.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1776
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1736
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:2052
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c C:\Users\Admin\AppData\Local\Temp\$$a1DDD.bat
            3⤵
            • Deletes itself
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:2652
            • C:\Users\Admin\AppData\Local\Temp\5e186b691ae85f4ec27be7a8b02ff68a6f993b5a5bacbefd593a6351418e48a9.exe
              "C:\Users\Admin\AppData\Local\Temp\5e186b691ae85f4ec27be7a8b02ff68a6f993b5a5bacbefd593a6351418e48a9.exe"
              4⤵
              • Executes dropped EXE
              PID:1720
          • C:\Windows\Logo1_.exe
            C:\Windows\Logo1_.exe
            3⤵
            • Executes dropped EXE
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:2668
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:2568
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:2580
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:2488
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:2636

          Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
                  Filesize

                  478KB

                  MD5

                  6028470621a870e37ea49499b4044df3

                  SHA1

                  90f86d2b21cd3b2d2940c3b0066fd46680c4ff62

                  SHA256

                  8a4b651cc3b85bcec5f000ebba490795941af94b8680dd4876d35153d3242e18

                  SHA512

                  21927cbfb83b5e0b90c2baadba1bf845bee1e3a733447adedd29b143e1defadc79443661f0686a5d2549310dee27c1c3e442f3e22981d0b808436380655601a2

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\$$a1DDD.bat
                  Filesize

                  722B

                  MD5

                  d39e65978db2bc9599985b14974c0cfb

                  SHA1

                  6ff73282acc463133fcde4b6738d59323e51ab3d

                  SHA256

                  5323ddd1d502ce9461e0d99c6c9b8960c541d3415e58a962c542ed84e4956c65

                  SHA512

                  bead51d9e71aca593c885bfc5b849d567d68b7dcd2b673ace08b0fd2d23a200aa362b255db7eabd0b2668decbe5179429ed00157b64f68a077843030471a9e55

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\5e186b691ae85f4ec27be7a8b02ff68a6f993b5a5bacbefd593a6351418e48a9.exe.exe
                  Filesize

                  25KB

                  MD5

                  6ff84be315cfafbbdf36aa01af8389e7

                  SHA1

                  2c550a4059ac331f5f5c9d3f218e0f6184aa27c9

                  SHA256

                  47c67c1c88ceaee3cf1667bf956a3e11a84dea2f7c2afc634777aa5f1bf65c76

                  SHA512

                  72498b009573a9cc9b5554e61d56b68f273682bfa2e13808f4abd5b2171aa59dd4a64bd9f68a3a416cfaceacb0041df918d8a84f28a5fa7f204fc562c5b6b174

                  Download Submit

                • C:\Windows\Logo1_.exe
                  Filesize

                  33KB

                  MD5

                  43356dd48a332ab8c25c4d2c7eac2f61

                  SHA1

                  8faaad2e3fb1b90d093b7bfc923cf17f2325e3f7

                  SHA256

                  15bdce335e41a396daed422b87205338b8fa4f479e68731da5bb8f6b036c97e4

                  SHA512

                  261b60bac39bdacacb435f749c7ac3cb2c760f6d771104e6bd9b242046c677f8d823de7fbd0c43a6fb0b979be4a786f13dca14b7e39bb05eddb079e03b86abdd

                  Download Submit

                • F:\$RECYCLE.BIN\S-1-5-21-3691908287-3775019229-3534252667-1000\_desktop.ini
                  Filesize

                  8B

                  MD5

                  fa8bf97ffdb152205be1f3a9bd9faec3

                  SHA1

                  88a5a98b6074543e357ec7ad221eaee5e30ec82a

                  SHA256

                  08a129c008511d5fc4ee1e2ad0fad3d0b033407f74285a18c6fe956d5dc2c9cb

                  SHA512

                  ea0a63f52af441964e4a2cddede537d87f1ad78241c883cf40334801056879bb1639ae75b2d9e3cceb90471837263760fc7d6c6708819c7a73fec703ba098443

                  Download Submit

                • memory/1184-28-0x00000000024C0000-0x00000000024C1000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/1776-0-0x0000000000400000-0x000000000043D000-memory.dmp

                  Filesize

                  244KB

                  Download

                • memory/1776-17-0x0000000000400000-0x000000000043D000-memory.dmp

                  Filesize

                  244KB

                  Download

                • memory/2668-19-0x0000000000400000-0x000000000043D000-memory.dmp

                  Filesize

                  244KB

                  Download

                • memory/2668-31-0x0000000000400000-0x000000000043D000-memory.dmp

                  Filesize

                  244KB

                  Download

                • memory/2668-3306-0x0000000000400000-0x000000000043D000-memory.dmp

                  Filesize

                  244KB

                  Download

                • memory/2668-4133-0x0000000000400000-0x000000000043D000-memory.dmp

                  Filesize

                  244KB

                  Download