Overview

overview

7

Static

static

3

1bff67d6ab...16.exe

windows7-x64

7

1bff67d6ab...16.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    07-06-2024 14:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1bff67d6ab5be86d5d96c23758311476edd262290e17bbed62075bf3b285ac16.exe

  • Size

    761KB

  • MD5

    f42e7b13699eaf8213a66b2500b644f3

  • SHA1

    526af9badb305f4e00f00d5c4d7fcad843be9601

  • SHA256

    1bff67d6ab5be86d5d96c23758311476edd262290e17bbed62075bf3b285ac16

  • SHA512

    c36f23d140226c75f9f28c9c0eb6b1bc5613d884ceec7d732427424dd3a373287f40f59cf48753d5474515eb79f5cef9f196552e41722b6eeeb31ff13efa6ece

  • SSDEEP

    12288:lPtGboup+VHKBX3jbgS/Wg0MIn7ou8XBKsHKZycUQUfXJvA:lPt2kHKlzcS/0MInsu8uZycUfvA

Score
7/10
spywarestealer

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 43 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1204
      • C:\Users\Admin\AppData\Local\Temp\1bff67d6ab5be86d5d96c23758311476edd262290e17bbed62075bf3b285ac16.exe
        "C:\Users\Admin\AppData\Local\Temp\1bff67d6ab5be86d5d96c23758311476edd262290e17bbed62075bf3b285ac16.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2344
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2228
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:2172
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c C:\Users\Admin\AppData\Local\Temp\$$a2137.bat
            3⤵
            • Deletes itself
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:1224
            • C:\Users\Admin\AppData\Local\Temp\1bff67d6ab5be86d5d96c23758311476edd262290e17bbed62075bf3b285ac16.exe
              "C:\Users\Admin\AppData\Local\Temp\1bff67d6ab5be86d5d96c23758311476edd262290e17bbed62075bf3b285ac16.exe"
              4⤵
              • Executes dropped EXE
              PID:2560
          • C:\Windows\Logo1_.exe
            C:\Windows\Logo1_.exe
            3⤵
            • Executes dropped EXE
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:2620
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:2704
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:2736
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:2756
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:2468

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
            Filesize

            258KB

            MD5

            a250aa2897bf08c76a4de6de8562286e

            SHA1

            2dfca956f87c670477e8b3d31bd0664018ca0219

            SHA256

            65b18c4626b691c78ebd76f4f497f4f54e0dfde43371102719087cbda44e1c69

            SHA512

            004dca009b53b4b3040fbb84eff848b984fc94ae377c316bfaefe47c648ef826e346202088c656482ee63e6ef3f470896dc577fe4a62e2bec2e2d46fd5d9d5fc

            Download Submit

          • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
            Filesize

            478KB

            MD5

            5264aab343fc1f53c29d1065346d0010

            SHA1

            db43bc0b28b4ada0c5635db50fd0b64410ab76ad

            SHA256

            d33d56847b353c8207a43aa01cc75527328ebf4bba669e90e29266d1b6fb57dd

            SHA512

            bb4ba1f7c5cae56cef564dd99f1a1fd3e2c656f8004f689a22ea641d886cbb3a19dde3dce5be4cf8cee4ce190170fd8c5390cb9c7c40ae54109559685119a958

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\$$a2137.bat
            Filesize

            722B

            MD5

            bde39a0ff1df7e231e1fd7b43cfb3f6b

            SHA1

            4017775e2c93e588b041d237fc6d8ac35a62db09

            SHA256

            1db80dfea3fd75832437ff7cce2a5f056d97d5e003e4bc64497c8881fa187f90

            SHA512

            09b6ab022ec624f5484cda864af04cd7ed6ae7d9934838ddc83dcc8f1c1a52dc0090af3a8e8123f37509ce0ec254d123a42afafef92e621c860a6a3b7df5d759

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\1bff67d6ab5be86d5d96c23758311476edd262290e17bbed62075bf3b285ac16.exe.exe
            Filesize

            728KB

            MD5

            23e2fc0497edd8195bcae45a1389bf85

            SHA1

            28d2f99739a49cb707f9348cd3195e234c853b1e

            SHA256

            92d70a8fc07cee881009026759a8aaa5debfb64069038f610988719ed3630107

            SHA512

            5ae4c17363aa70cd17532fcf76bdff86d2634956f6e0483e88a14b22ce3e6dd01ad233943409302ab3a858d9d9eddb1a5d6d376f48908b64ed655554abfb2b4c

            Download Submit

          • C:\Windows\Logo1_.exe
            Filesize

            33KB

            MD5

            90ec7c50aec83a0f7624ef99fbf56efd

            SHA1

            c27225e22d2b67947763a6807ad30315ca37c7ff

            SHA256

            92980a159169e0859fbea14aeece4d664bd6b190ddae4e0433bb9329a428d3c9

            SHA512

            f916293e2bb72eef430c11bd0567fb656e217147e8069f1ef7a4f3cd5d6b25b52992126ddd88ad6b8dbbc57be1b2ab06892897277f81b03ca34056747d2be96d

            Download Submit

          • F:\$RECYCLE.BIN\S-1-5-21-1298544033-3225604241-2703760938-1000\_desktop.ini
            Filesize

            8B

            MD5

            5db3a6182cd872eaab6e2e7df1096b6c

            SHA1

            3e324dd00c5b4aa1e4bc5176310a642cefbc8c2a

            SHA256

            734417b13fb0508f286fe107625febab857319f967d8c512786c7a45f8c575bf

            SHA512

            2216f82eee3214ae8bcca36317dada5873b818cd0fb23ebab360998fe0a1d1108172a7ea274bd56606f632cea033f347c0913dff9f0538e99edb4641c92d8149

            Download Submit

          • memory/1204-29-0x0000000002E90000-0x0000000002E91000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2344-12-0x00000000002E0000-0x0000000000320000-memory.dmp

            Filesize

            256KB

            Download

          • memory/2344-0-0x0000000000400000-0x0000000000440000-memory.dmp

            Filesize

            256KB

            Download

          • memory/2344-18-0x0000000000400000-0x0000000000440000-memory.dmp

            Filesize

            256KB

            Download

          • memory/2620-33-0x0000000000400000-0x0000000000440000-memory.dmp

            Filesize

            256KB

            Download

          • memory/2620-19-0x0000000000400000-0x0000000000440000-memory.dmp

            Filesize

            256KB

            Download

          • memory/2620-3320-0x0000000000400000-0x0000000000440000-memory.dmp

            Filesize

            256KB

            Download

          • memory/2620-4145-0x0000000000400000-0x0000000000440000-memory.dmp

            Filesize

            256KB

            Download