Overview

overview

7

Static

static

3

dcd6eaf5ff...97.exe

windows7-x64

7

dcd6eaf5ff...97.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    104s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06/06/2024, 02:29

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    dcd6eaf5ff593cece4234e628283071c47b8260300aeaf26662f1b557c433897.exe

  • Size

    964KB

  • MD5

    a7c7d5a11c998f769d392d9a3478e865

  • SHA1

    48a1c04ac6c07cbfe849a2ed652086c11177bc46

  • SHA256

    dcd6eaf5ff593cece4234e628283071c47b8260300aeaf26662f1b557c433897

  • SHA512

    a01788a62a7202d875528dc045f0f051c81b9be79291a5bdc2d41c1f6e17d66798b5dcbcd84087a5adeec34ad63b6536536f3994702de8a10f8bf54127e2c593

  • SSDEEP

    12288:OqP2RKcv8Nh7py6Rmi78gkPH3aPI9vyVg/0paQuj3IdD02fKBjtp/:OqPvBpDRmi78gkPXlyo0G/jr

Score
7/10
spywarestealer

Malware Config

Signatures

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3440
      • C:\Users\Admin\AppData\Local\Temp\dcd6eaf5ff593cece4234e628283071c47b8260300aeaf26662f1b557c433897.exe
        "C:\Users\Admin\AppData\Local\Temp\dcd6eaf5ff593cece4234e628283071c47b8260300aeaf26662f1b557c433897.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2996
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:4352
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:4960
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a5A93.bat
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:1864
            • C:\Users\Admin\AppData\Local\Temp\dcd6eaf5ff593cece4234e628283071c47b8260300aeaf26662f1b557c433897.exe
              "C:\Users\Admin\AppData\Local\Temp\dcd6eaf5ff593cece4234e628283071c47b8260300aeaf26662f1b557c433897.exe"
              4⤵
              • Executes dropped EXE
              • Suspicious use of AdjustPrivilegeToken
              PID:3316
          • C:\Windows\Logo1_.exe
            C:\Windows\Logo1_.exe
            3⤵
            • Drops startup file
            • Executes dropped EXE
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:4968
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:2364
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:1508
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:3224
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:4984

          Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
                  Filesize

                  258KB

                  MD5

                  354241349b608202b5c359d6a8d31eb5

                  SHA1

                  4466156f6d679e8a842d211052a725fd1f30a20d

                  SHA256

                  7f9b735658a32a095e3381e9002bfb638b6c441cb5236c23d542c41c9800dcf2

                  SHA512

                  c201adc0081cbee4cbc531b09b65468769bd26f2bceb21594ba2dabe2a3aef42af726dfffe1cd37fdf7c475c24ddb46c6faac1dfe1132cb41cd99adc18640020

                  Download Submit

                • C:\Program Files\7-Zip\7z.exe
                  Filesize

                  577KB

                  MD5

                  8a34d10b0351e2b81bec35c826c2cf86

                  SHA1

                  3f15aadf3e6877ee36aa69ef07e1be9678bec937

                  SHA256

                  ac0a61f3cec59f1776ea85003fefa366d4bc443b18c4bd4748e8feb89d89440a

                  SHA512

                  0332d4300c727ac2128f60985bed561e0b601df73e6b63ff953ecd132de259dda1749a1928f828cc6163a24e1b7df00bafff4e9faec9388e87dc6acc920b2bfe

                  Download Submit

                • C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
                  Filesize

                  644KB

                  MD5

                  11e0853d537d2721ecc655c1fc527e91

                  SHA1

                  c8e23d103e93073ba7c93374878ae9a9f926c944

                  SHA256

                  f168cda7cfa0f4f1d8dc26f615772410afe41b43fbc3da3cfe2c249b1eadca30

                  SHA512

                  3e5af85789e480d355053e9ded02108ae53136aec795d5d37faf1d5426275f7f3729e5583b0a95b3434d5b4452c7382405c0f8bc94e8a65275335c62268e0ee2

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\$$a5A93.bat
                  Filesize

                  722B

                  MD5

                  4b7d43401b643e48e734ba8778bdfe82

                  SHA1

                  6fe6d9b3242de425bbec9d010bd2dfa4fb23fa98

                  SHA256

                  a85be099c1521c96d2b85300a8054b2f62bf1ff76a257a2c74b80a886d2b6894

                  SHA512

                  ac8f3d3368f9ee97361d1a36df50d80dd28d262bf53021eaaed000f72f2eff29237e154c27415ef911674a6f4814f0a76c7ad40939b3a230183ba68ec77b6940

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\dcd6eaf5ff593cece4234e628283071c47b8260300aeaf26662f1b557c433897.exe.exe
                  Filesize

                  930KB

                  MD5

                  30ac0b832d75598fb3ec37b6f2a8c86a

                  SHA1

                  6f47dbfd6ff36df7ba581a4cef024da527dc3046

                  SHA256

                  1ea0839c8dc95ad2c060af7d042c40c0daed58ce8e4524c0fba12fd73e4afb74

                  SHA512

                  505870601a4389b7ed2c8fecf85835adfd2944cbc10801f74bc4e08f5a0d6ecc9a52052fc37e216304cd1655129021862294a698ed36b3b43d428698f7263057

                  Download Submit

                • C:\Windows\Logo1_.exe
                  Filesize

                  33KB

                  MD5

                  faf698c6bc8a6f58f9bae312ee973faf

                  SHA1

                  aecfda4eee59acb5be6fa476e8ea43cd746fcb88

                  SHA256

                  4716a1af75b8d3043d7cadc7cf8d5d5c96d74552ae00c6af3dbfe05e1dc6945e

                  SHA512

                  62d48ba8c4aaec7761f598b8b26fbaa529c7cbdd9e8defa58d4aebd31bf8f84f1e281937d1dc8f4495378a7d3911b11ab244b1ddfacb359421704cd4ca706a33

                  Download Submit

                • F:\$RECYCLE.BIN\S-1-5-21-4124900551-4068476067-3491212533-1000\_desktop.ini
                  Filesize

                  8B

                  MD5

                  8de83b88f7ab26b8a33a1eeb970a7bc8

                  SHA1

                  ad3208ec0bdfacd12ad7291d0259ef41b6bfc425

                  SHA256

                  499baf65b91c9fff00cab334a4d8ab59d253993f173da5c33ff01ea4afc217fe

                  SHA512

                  9272af088cc70ebeb388cefda678d35e649433d3a6c5715f3537e2832b3fead9568d58a026c36ab711fdef87597419e8be80a5d809530a933f72328c413a5d7e

                  Download Submit

                • memory/2996-9-0x0000000000400000-0x0000000000440000-memory.dmp

                  Filesize

                  256KB

                  Download

                • memory/2996-0-0x0000000000400000-0x0000000000440000-memory.dmp

                  Filesize

                  256KB

                  Download

                • memory/4968-10-0x0000000000400000-0x0000000000440000-memory.dmp

                  Filesize

                  256KB

                  Download

                • memory/4968-5164-0x0000000000400000-0x0000000000440000-memory.dmp

                  Filesize

                  256KB

                  Download

                • memory/4968-18-0x0000000000400000-0x0000000000440000-memory.dmp

                  Filesize

                  256KB

                  Download

                • memory/4968-8685-0x0000000000400000-0x0000000000440000-memory.dmp

                  Filesize

                  256KB

                  Download