Overview

overview

7

Static

static

3

dcd6eaf5ff...97.exe

windows7-x64

7

dcd6eaf5ff...97.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
  • submitted
    06/06/2024, 02:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    dcd6eaf5ff593cece4234e628283071c47b8260300aeaf26662f1b557c433897.exe

  • Size

    964KB

  • MD5

    a7c7d5a11c998f769d392d9a3478e865

  • SHA1

    48a1c04ac6c07cbfe849a2ed652086c11177bc46

  • SHA256

    dcd6eaf5ff593cece4234e628283071c47b8260300aeaf26662f1b557c433897

  • SHA512

    a01788a62a7202d875528dc045f0f051c81b9be79291a5bdc2d41c1f6e17d66798b5dcbcd84087a5adeec34ad63b6536536f3994702de8a10f8bf54127e2c593

  • SSDEEP

    12288:OqP2RKcv8Nh7py6Rmi78gkPH3aPI9vyVg/0paQuj3IdD02fKBjtp/:OqPvBpDRmi78gkPXlyo0G/jr

Score
7/10
spywarestealer

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 43 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1208
      • C:\Users\Admin\AppData\Local\Temp\dcd6eaf5ff593cece4234e628283071c47b8260300aeaf26662f1b557c433897.exe
        "C:\Users\Admin\AppData\Local\Temp\dcd6eaf5ff593cece4234e628283071c47b8260300aeaf26662f1b557c433897.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2292
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2096
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:1296
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c C:\Users\Admin\AppData\Local\Temp\$$aEB0.bat
            3⤵
            • Deletes itself
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:1056
            • C:\Users\Admin\AppData\Local\Temp\dcd6eaf5ff593cece4234e628283071c47b8260300aeaf26662f1b557c433897.exe
              "C:\Users\Admin\AppData\Local\Temp\dcd6eaf5ff593cece4234e628283071c47b8260300aeaf26662f1b557c433897.exe"
              4⤵
              • Executes dropped EXE
              • Suspicious behavior: GetForegroundWindowSpam
              • Suspicious use of AdjustPrivilegeToken
              PID:2584
          • C:\Windows\Logo1_.exe
            C:\Windows\Logo1_.exe
            3⤵
            • Executes dropped EXE
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:2156
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:2684
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:2592
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:2828
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:2724

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
            Filesize

            258KB

            MD5

            354241349b608202b5c359d6a8d31eb5

            SHA1

            4466156f6d679e8a842d211052a725fd1f30a20d

            SHA256

            7f9b735658a32a095e3381e9002bfb638b6c441cb5236c23d542c41c9800dcf2

            SHA512

            c201adc0081cbee4cbc531b09b65468769bd26f2bceb21594ba2dabe2a3aef42af726dfffe1cd37fdf7c475c24ddb46c6faac1dfe1132cb41cd99adc18640020

            Download Submit

          • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
            Filesize

            478KB

            MD5

            5264aab343fc1f53c29d1065346d0010

            SHA1

            db43bc0b28b4ada0c5635db50fd0b64410ab76ad

            SHA256

            d33d56847b353c8207a43aa01cc75527328ebf4bba669e90e29266d1b6fb57dd

            SHA512

            bb4ba1f7c5cae56cef564dd99f1a1fd3e2c656f8004f689a22ea641d886cbb3a19dde3dce5be4cf8cee4ce190170fd8c5390cb9c7c40ae54109559685119a958

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\$$aEB0.bat
            Filesize

            721B

            MD5

            ddae70452998820b0eafcf0579403be3

            SHA1

            f38a5e9e729e9617acd76f2dc0b90f305b160d94

            SHA256

            e6618e647ed486215351ab09822a8b6aeea568bd140418cb7f1bfe54020890e9

            SHA512

            1708cc43217b7921226b04f32e3c8c7d9b50cb79ea40dc064503f657ae9e1faea0c325560f93e93fb0f300e82b90280d8cd272120d510036d8f5a921ebba6581

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\dcd6eaf5ff593cece4234e628283071c47b8260300aeaf26662f1b557c433897.exe.exe
            Filesize

            930KB

            MD5

            30ac0b832d75598fb3ec37b6f2a8c86a

            SHA1

            6f47dbfd6ff36df7ba581a4cef024da527dc3046

            SHA256

            1ea0839c8dc95ad2c060af7d042c40c0daed58ce8e4524c0fba12fd73e4afb74

            SHA512

            505870601a4389b7ed2c8fecf85835adfd2944cbc10801f74bc4e08f5a0d6ecc9a52052fc37e216304cd1655129021862294a698ed36b3b43d428698f7263057

            Download Submit

          • C:\Windows\Logo1_.exe
            Filesize

            33KB

            MD5

            faf698c6bc8a6f58f9bae312ee973faf

            SHA1

            aecfda4eee59acb5be6fa476e8ea43cd746fcb88

            SHA256

            4716a1af75b8d3043d7cadc7cf8d5d5c96d74552ae00c6af3dbfe05e1dc6945e

            SHA512

            62d48ba8c4aaec7761f598b8b26fbaa529c7cbdd9e8defa58d4aebd31bf8f84f1e281937d1dc8f4495378a7d3911b11ab244b1ddfacb359421704cd4ca706a33

            Download Submit

          • F:\$RECYCLE.BIN\S-1-5-21-2721934792-624042501-2768869379-1000\_desktop.ini
            Filesize

            8B

            MD5

            8de83b88f7ab26b8a33a1eeb970a7bc8

            SHA1

            ad3208ec0bdfacd12ad7291d0259ef41b6bfc425

            SHA256

            499baf65b91c9fff00cab334a4d8ab59d253993f173da5c33ff01ea4afc217fe

            SHA512

            9272af088cc70ebeb388cefda678d35e649433d3a6c5715f3537e2832b3fead9568d58a026c36ab711fdef87597419e8be80a5d809530a933f72328c413a5d7e

            Download Submit

          • memory/1208-28-0x0000000002D80000-0x0000000002D81000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2156-31-0x0000000000400000-0x0000000000440000-memory.dmp

            Filesize

            256KB

            Download

          • memory/2156-18-0x0000000000400000-0x0000000000440000-memory.dmp

            Filesize

            256KB

            Download

          • memory/2156-3318-0x0000000000400000-0x0000000000440000-memory.dmp

            Filesize

            256KB

            Download

          • memory/2156-4140-0x0000000000400000-0x0000000000440000-memory.dmp

            Filesize

            256KB

            Download

          • memory/2292-0-0x0000000000400000-0x0000000000440000-memory.dmp

            Filesize

            256KB

            Download

          • memory/2292-17-0x0000000000400000-0x0000000000440000-memory.dmp

            Filesize

            256KB

            Download