Overview

overview

7

Static

static

3

4127b16275...f7.exe

windows7-x64

7

4127b16275...f7.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    09/06/2024, 04:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4127b16275ee4e839f50a2e4a3f578809317675de92b9b0c3dc8973789efa2f7.exe

  • Size

    723KB

  • MD5

    3f9cbd3a15f0055564b779e62278060a

  • SHA1

    1ece2b03fd94f67686d1df81aa7783c47dfed7e7

  • SHA256

    4127b16275ee4e839f50a2e4a3f578809317675de92b9b0c3dc8973789efa2f7

  • SHA512

    9d68e77fb84327f5ae09150ec791827cdfd4ad8cdbbd95bd52bf9a4e9f226ef990bbaf2e739216550e982a35bbf77f35c7eb4bd58ce7d6ca9f22f29788d9368a

  • SSDEEP

    12288:bW+a7fC6Aj+TN5uixZN+8rKhUdTC/wE1ZD0Ca5ZIXV:bWBrLOS2opPIXV

Score
7/10
spywarestealer

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 43 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    PID:1184
    • C:\Users\Admin\AppData\Local\Temp\4127b16275ee4e839f50a2e4a3f578809317675de92b9b0c3dc8973789efa2f7.exe
      "C:\Users\Admin\AppData\Local\Temp\4127b16275ee4e839f50a2e4a3f578809317675de92b9b0c3dc8973789efa2f7.exe"
      2⤵
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2756
      • C:\Windows\SysWOW64\net.exe
        net stop "Kingsoft AntiVirus Service"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1660
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
          4⤵
            PID:628
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\$$a1719.bat
          3⤵
          • Deletes itself
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:2364
          • C:\Users\Admin\AppData\Local\Temp\4127b16275ee4e839f50a2e4a3f578809317675de92b9b0c3dc8973789efa2f7.exe
            "C:\Users\Admin\AppData\Local\Temp\4127b16275ee4e839f50a2e4a3f578809317675de92b9b0c3dc8973789efa2f7.exe"
            4⤵
            • Executes dropped EXE
            PID:2632
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:3004
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2680
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
                PID:2488
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:2772
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:2724

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
          Filesize

          484KB

          MD5

          edc9d968c214a944e019fad26d1a18a5

          SHA1

          28dacfbfe9840c27f5af05343af82338786b1f36

          SHA256

          b0f8dc8ea8e999b6c25e460e2f644f2ed41b2e481f57f5800de9c0c93c9ef275

          SHA512

          f381ea38921a0163ced1feb11a9748010b2bf76f8eaf66ae326e98eb5d5ff75bc4b4342b4d3acf27a5177393c5b05cf43bb007ceb1d7799498e8429c8efb86a7

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\$$a1719.bat
          Filesize

          722B

          MD5

          4d4510f44b2ac0e2389813faf0c76ef2

          SHA1

          106e94a5db2d6240f58d4e96140e987488da93a2

          SHA256

          eeb07a1a2b0d6dbe05058d151079f131a70bee1605cba7d53bf577aee23f6bdd

          SHA512

          dd0606988f7dd5d650ac67b7b9b21997d7940baea89638bfad9e782dfc846b0cdb71a41032d81ce8f161356486e345a03376ac678b4255b3c7de4c6039baa252

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\4127b16275ee4e839f50a2e4a3f578809317675de92b9b0c3dc8973789efa2f7.exe.exe
          Filesize

          684KB

          MD5

          50f289df0c19484e970849aac4e6f977

          SHA1

          3dc77c8830836ab844975eb002149b66da2e10be

          SHA256

          b9b179b305c5268ad428b6ae59de10b4fe99cf0199bbc89b7017181905e97305

          SHA512

          877d852ea1062b90e2fd2f3c4dc7d05d9697e9a9b2929c830a770b62741f6a11e06de73275eb871113f11143faf1cb40d99f7c247862ffb778d26833ed5d7e38

          Download Submit

        • C:\Windows\Logo1_.exe
          Filesize

          39KB

          MD5

          9ac3cc4a6e069b5fb8c4abe11939c49f

          SHA1

          993756ae5557a8c19e134408cd8d354ee43d8148

          SHA256

          528ce1912359d5ef6d29f809faa2520237265fabb82e29d5b1d2a7f1009461b5

          SHA512

          b54a6bcd9fe91f7ec497dec2587d785a579bcc0621194bdbfba53ec1127d63e79d5a72c31d7d3eb9aea9eb474f3d4f25bf23084ec33bbd4eee99f59f39def2d6

          Download Submit

        • F:\$RECYCLE.BIN\S-1-5-21-3691908287-3775019229-3534252667-1000\_desktop.ini
          Filesize

          8B

          MD5

          9bf5ad0e8bbf0ba1630c244358e5c6dd

          SHA1

          25918532222a7063195beeb76980b6ec9e59e19a

          SHA256

          551cc5b618f0fa78108dd2388d9136893adb10499e4836e9728f4e96530bf02f

          SHA512

          7fdce76bb191d4988d92e3d97ce8db4cae1b5c1f93198bffc4e863d324d814246353200d32ea730f83345fcb7ad82213c2bcd31351e905e473d9596bc7b43ad3

          Download Submit

        • memory/1184-30-0x0000000002DF0000-0x0000000002DF1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2756-0-0x0000000000400000-0x000000000043D000-memory.dmp

          Filesize

          244KB

          Download

        • memory/2756-17-0x0000000000400000-0x000000000043D000-memory.dmp

          Filesize

          244KB

          Download

        • memory/3004-18-0x0000000000400000-0x000000000043D000-memory.dmp

          Filesize

          244KB

          Download

        • memory/3004-33-0x0000000000400000-0x000000000043D000-memory.dmp

          Filesize

          244KB

          Download

        • memory/3004-3344-0x0000000000400000-0x000000000043D000-memory.dmp

          Filesize

          244KB

          Download

        • memory/3004-4175-0x0000000000400000-0x000000000043D000-memory.dmp

          Filesize

          244KB

          Download