Overview

overview

7

Static

static

3

1d4be60d5a...0a.exe

windows7-x64

7

1d4be60d5a...0a.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    07/06/2024, 10:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1d4be60d5ac22ad4d5feb70ae1e771c8350fdc37ffbd3381b38cdab72721b90a.exe

  • Size

    99KB

  • MD5

    f01763aab0b11e87bbdb86cc5a8e6d4c

  • SHA1

    a724eb296ea9d3e1c0132b789c3af8a3aede8fb2

  • SHA256

    1d4be60d5ac22ad4d5feb70ae1e771c8350fdc37ffbd3381b38cdab72721b90a

  • SHA512

    eb769d11cd6345143d1b766ba3d3311a6d02c962c307af6efe1761335ce9862bc7f4adb5ba8816b161c6e5d36b9e837287938a5b0ca4db3966c5db22f7940c94

  • SSDEEP

    1536:Hje+Zk7qzUJBeLkbiT29dXkyapmebn4ddJZeY86iLflLJYEIs67rxo:Hje+aezUDbHXlLK4ddJMY86ipmns6S

Score
7/10
spywarestealer

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 43 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1260
      • C:\Users\Admin\AppData\Local\Temp\1d4be60d5ac22ad4d5feb70ae1e771c8350fdc37ffbd3381b38cdab72721b90a.exe
        "C:\Users\Admin\AppData\Local\Temp\1d4be60d5ac22ad4d5feb70ae1e771c8350fdc37ffbd3381b38cdab72721b90a.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1660
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1940
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:1268
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c C:\Users\Admin\AppData\Local\Temp\$$a11FB.bat
            3⤵
            • Deletes itself
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:2380
            • C:\Users\Admin\AppData\Local\Temp\1d4be60d5ac22ad4d5feb70ae1e771c8350fdc37ffbd3381b38cdab72721b90a.exe
              "C:\Users\Admin\AppData\Local\Temp\1d4be60d5ac22ad4d5feb70ae1e771c8350fdc37ffbd3381b38cdab72721b90a.exe"
              4⤵
              • Executes dropped EXE
              PID:2676
          • C:\Windows\Logo1_.exe
            C:\Windows\Logo1_.exe
            3⤵
            • Executes dropped EXE
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:1212
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:2660
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:2860
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:2568
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:2724

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
            Filesize

            484KB

            MD5

            7b714d463f7db900d5b6e757778a8ab8

            SHA1

            2cfc0e9f54236af8e10b0bfa551d87a20982b733

            SHA256

            c995370836939a29853611830ca08d437286d4f45603edce88f36aa1f99a0d97

            SHA512

            e8fe8823b5b7f282c24c964cbf4f248b7562259a13410bf95997288727f9bfc6ea51c4aa40182b649a2235bafc02062e0c57f4f62876b5174395071a8d68f9bb

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\$$a11FB.bat
            Filesize

            722B

            MD5

            7fbc21286a73a9bd62dc1816ebfe90f5

            SHA1

            d1f5f28ac4699e44e32d3dcc9b7211e7a2f630ad

            SHA256

            7d1fa1bce4c145c539a3d3343fa0bb7afadda9ed4910f54f3fefb0a9f00aa665

            SHA512

            fb1248c11e3bd26af4eaf6483965c00ced713fd9a176c609a29369f216744a2053da7640a81088fd62aa9723700efadad6a16076184aeeb90f639dcba158d8e8

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\1d4be60d5ac22ad4d5feb70ae1e771c8350fdc37ffbd3381b38cdab72721b90a.exe.exe
            Filesize

            59KB

            MD5

            dfc18f7068913dde25742b856788d7ca

            SHA1

            cbaa23f782c2ddcd7c9ff024fd0b096952a2b387

            SHA256

            ff4ac75c02247000da084de006c214d3dd3583867bd3533ba788e22734c7a2bf

            SHA512

            d0c7ec1dae41a803325b51c12490c355ed779d297daa35247889950491e52427810132f0829fc7ffa3022f1a106f4e4ba78ed612223395313a6f267e9ab24945

            Download Submit

          • C:\Windows\Logo1_.exe
            Filesize

            39KB

            MD5

            3119e880ce5d6d029185f7ed591e11d0

            SHA1

            3ab197daedf94e992062faa4eda18905b87c75bb

            SHA256

            b1eada5fd013195853bb65ee2b9fa55eb97840d20077d7a2fd43167800608eda

            SHA512

            18cafd3a73312811037cb0e44a578670498b09350d72febd262d62528094b9ba738357ef861bb9cb7704097b9c930b9aa38ee5823520e22cf71d4ebb453bf4d7

            Download Submit

          • F:\$RECYCLE.BIN\S-1-5-21-3627615824-4061627003-3019543961-1000\_desktop.ini
            Filesize

            8B

            MD5

            5db3a6182cd872eaab6e2e7df1096b6c

            SHA1

            3e324dd00c5b4aa1e4bc5176310a642cefbc8c2a

            SHA256

            734417b13fb0508f286fe107625febab857319f967d8c512786c7a45f8c575bf

            SHA512

            2216f82eee3214ae8bcca36317dada5873b818cd0fb23ebab360998fe0a1d1108172a7ea274bd56606f632cea033f347c0913dff9f0538e99edb4641c92d8149

            Download Submit

          • memory/1212-31-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/1212-3318-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/1212-4123-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/1260-28-0x00000000025C0000-0x00000000025C1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1660-18-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/1660-16-0x0000000000440000-0x000000000047D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/1660-0-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/1660-14-0x0000000000440000-0x000000000047D000-memory.dmp

            Filesize

            244KB

            Download