Overview

overview

7

Static

static

3

891e1ac73e...03.exe

windows7-x64

7

891e1ac73e...03.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    153s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09/06/2024, 04:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    891e1ac73e4f982e2a849be5fc2d7a4eb99332284fda880fac3dedbe81236f03.exe

  • Size

    583KB

  • MD5

    775aa132a2f9d2524f873ed7fc38d889

  • SHA1

    7ed85e5d29669649d64a2879c82e621d1f8187fe

  • SHA256

    891e1ac73e4f982e2a849be5fc2d7a4eb99332284fda880fac3dedbe81236f03

  • SHA512

    bb026061346a9c594330ef0b00391d229b90ec9336659a0d4e4ab03e7b0794b07625a5bb91faef3851031e6bdf028f11d5af64b4d68eab38059227523d037739

  • SSDEEP

    6144:4/KW+aezDE7cV3iwbAFRWAbd4nf0H05yqE6Hl0ChW0+ksllAXBu0lWGWUJJQ4t0G:bW+aB7a3iwbihym2g7XO3LWUQfh4Co

Score
7/10
spywarestealer

Malware Config

Signatures

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3376
      • C:\Users\Admin\AppData\Local\Temp\891e1ac73e4f982e2a849be5fc2d7a4eb99332284fda880fac3dedbe81236f03.exe
        "C:\Users\Admin\AppData\Local\Temp\891e1ac73e4f982e2a849be5fc2d7a4eb99332284fda880fac3dedbe81236f03.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:4436
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2828
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:1208
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aD978.bat
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:4628
            • C:\Users\Admin\AppData\Local\Temp\891e1ac73e4f982e2a849be5fc2d7a4eb99332284fda880fac3dedbe81236f03.exe
              "C:\Users\Admin\AppData\Local\Temp\891e1ac73e4f982e2a849be5fc2d7a4eb99332284fda880fac3dedbe81236f03.exe"
              4⤵
              • Executes dropped EXE
              PID:4364
          • C:\Windows\Logo1_.exe
            C:\Windows\Logo1_.exe
            3⤵
            • Drops startup file
            • Executes dropped EXE
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:1348
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:4640
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:3764
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:3928
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:3176
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3824 --field-trial-handle=2292,i,2103142837140538807,15881446839139365070,262144 --variations-seed-version /prefetch:8
            1⤵
              PID:1432

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Program Files\7-Zip\7z.exe
              Filesize

              583KB

              MD5

              775aa132a2f9d2524f873ed7fc38d889

              SHA1

              7ed85e5d29669649d64a2879c82e621d1f8187fe

              SHA256

              891e1ac73e4f982e2a849be5fc2d7a4eb99332284fda880fac3dedbe81236f03

              SHA512

              bb026061346a9c594330ef0b00391d229b90ec9336659a0d4e4ab03e7b0794b07625a5bb91faef3851031e6bdf028f11d5af64b4d68eab38059227523d037739

              Download Submit

            • C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe
              Filesize

              494KB

              MD5

              c9c65754fa9b55c9655572aa636e11af

              SHA1

              d669db0f098c8e1ca09bab41b4147496a44e4894

              SHA256

              76dafaabeecdb88e13ce8e94e0b2cc77a1109f6b1c12a22c7bce9a449564268c

              SHA512

              95932b1ac044f434fb383be7687669bef598035f83261d3b3f0603aa142c22ff00a63c439a293ac9ed656384ce542d4250086bf8bab0f0dd568964ab40efb53a

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\$$aD978.bat
              Filesize

              722B

              MD5

              7a93ca8cb0747c6b1f734542eb22ebd7

              SHA1

              5e559270fffc3bad287a2b791822edde55fd7241

              SHA256

              011a64dc9421305e294668de8f5df937d64dce10558d20826e2a98afd113b812

              SHA512

              877937aaea7f558f4145fa00b329e6d98df5e8e5bebfb3a66cb45fb25792fe0b33ec5cf606821d8a0a4bea985e9b256e380d351fb2a563c4c5442de92f92294f

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\891e1ac73e4f982e2a849be5fc2d7a4eb99332284fda880fac3dedbe81236f03.exe.exe
              Filesize

              544KB

              MD5

              9a1dd1d96481d61934dcc2d568971d06

              SHA1

              f136ef9bf8bd2fc753292fb5b7cf173a22675fb3

              SHA256

              8cebb25e240db3b6986fcaed6bc0b900fa09dad763a56fb71273529266c5c525

              SHA512

              7ac1581f8a29e778ba1a1220670796c47fa5b838417f8f635e2cb1998a01515cff3ee57045dacb78a8ec70d43754b970743aba600379fe6d9481958d32d8a5aa

              Download Submit

            • C:\Windows\Logo1_.exe
              Filesize

              39KB

              MD5

              9ac3cc4a6e069b5fb8c4abe11939c49f

              SHA1

              993756ae5557a8c19e134408cd8d354ee43d8148

              SHA256

              528ce1912359d5ef6d29f809faa2520237265fabb82e29d5b1d2a7f1009461b5

              SHA512

              b54a6bcd9fe91f7ec497dec2587d785a579bcc0621194bdbfba53ec1127d63e79d5a72c31d7d3eb9aea9eb474f3d4f25bf23084ec33bbd4eee99f59f39def2d6

              Download Submit

            • F:\$RECYCLE.BIN\S-1-5-21-3808065738-1666277613-1125846146-1000\_desktop.ini
              Filesize

              8B

              MD5

              9bf5ad0e8bbf0ba1630c244358e5c6dd

              SHA1

              25918532222a7063195beeb76980b6ec9e59e19a

              SHA256

              551cc5b618f0fa78108dd2388d9136893adb10499e4836e9728f4e96530bf02f

              SHA512

              7fdce76bb191d4988d92e3d97ce8db4cae1b5c1f93198bffc4e863d324d814246353200d32ea730f83345fcb7ad82213c2bcd31351e905e473d9596bc7b43ad3

              Download Submit

            • memory/1348-161-0x0000000000400000-0x000000000043D000-memory.dmp

              Filesize

              244KB

              Download

            • memory/1348-18-0x0000000000400000-0x000000000043D000-memory.dmp

              Filesize

              244KB

              Download

            • memory/1348-8-0x0000000000400000-0x000000000043D000-memory.dmp

              Filesize

              244KB

              Download

            • memory/1348-1628-0x0000000000400000-0x000000000043D000-memory.dmp

              Filesize

              244KB

              Download

            • memory/1348-2394-0x0000000000400000-0x000000000043D000-memory.dmp

              Filesize

              244KB

              Download

            • memory/1348-5492-0x0000000000400000-0x000000000043D000-memory.dmp

              Filesize

              244KB

              Download

            • memory/1348-8546-0x0000000000400000-0x000000000043D000-memory.dmp

              Filesize

              244KB

              Download

            • memory/1348-8824-0x0000000000400000-0x000000000043D000-memory.dmp

              Filesize

              244KB

              Download

            • memory/4436-11-0x0000000000400000-0x000000000043D000-memory.dmp

              Filesize

              244KB

              Download

            • memory/4436-0-0x0000000000400000-0x000000000043D000-memory.dmp

              Filesize

              244KB

              Download