Overview

overview

8

Static

static

3

e01452fae0...db.exe

windows7-x64

8

e01452fae0...db.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    149s
  • max time network
    96s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-06-2024 18:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e01452fae026a319ca3a858940cfd62242b10b264ae06fc05d50c45f11c0d7db.exe

  • Size

    105KB

  • MD5

    9ff813299d25a30883c0697996beaca0

  • SHA1

    44ff3dc76d72b4eabac961492308b0befd89f878

  • SHA256

    e01452fae026a319ca3a858940cfd62242b10b264ae06fc05d50c45f11c0d7db

  • SHA512

    e593a2dbf8fa78814634a72e515a0822675bc558c9d7b135906c1b0fdf53b38b9dcfff80434d7b85f98bde1ee42e679a268e8225be6f54bef00a0044d383872c

  • SSDEEP

    3072:JjaY46tGNFC0VFu2NQKPWDyDRepJltZrpRSfHe:/46tGfC0jhNSDyDRothpQG

Score
8/10
spywarestealer

Malware Config

Signatures

  • Drops file in Drivers directory 2 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3544
      • C:\Users\Admin\AppData\Local\Temp\e01452fae026a319ca3a858940cfd62242b10b264ae06fc05d50c45f11c0d7db.exe
        "C:\Users\Admin\AppData\Local\Temp\e01452fae026a319ca3a858940cfd62242b10b264ae06fc05d50c45f11c0d7db.exe"
        2⤵
        • Drops file in Drivers directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:3756
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:4288
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:4420
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a3A0B.bat
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:3316
            • C:\Users\Admin\AppData\Local\Temp\e01452fae026a319ca3a858940cfd62242b10b264ae06fc05d50c45f11c0d7db.exe
              "C:\Users\Admin\AppData\Local\Temp\e01452fae026a319ca3a858940cfd62242b10b264ae06fc05d50c45f11c0d7db.exe"
              4⤵
              • Executes dropped EXE
              PID:3460
          • C:\Windows\Logo1_.exe
            C:\Windows\Logo1_.exe
            3⤵
            • Drops file in Drivers directory
            • Drops startup file
            • Executes dropped EXE
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:1592
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:4020
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:1864
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:1672
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:956

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
            Filesize

            258KB

            MD5

            abebaf128d6bdb9fde2b1f0e33f1940d

            SHA1

            173fb9534043dca8d7b00cd16e140bea31e380c4

            SHA256

            e8db4f222623580956eaa3cecb1aff5bcd019e9a004c3fe05f0feb696580c44e

            SHA512

            6d73721e41950c1d3473bfe154ce33ed2b52034ec9c56608e84f00323db7860930dfba52613a5a8f02644a112891e3d8e615c705647719b70316ea8dd226be92

            Download Submit

          • C:\Program Files\OutProtect.exe
            Filesize

            607KB

            MD5

            5ecea8b75f4e03255baeaffde6290a16

            SHA1

            84bf465e83713defc4e3065f5e7e2d04f01aa968

            SHA256

            1f100c5ab17e016b964245e143171a1109adb7ffa4e05724fee0f4654d34773c

            SHA512

            4704b04833d7f84f5e6e01cbcb70859fd07cb85dc8998af20aeacc30ed7bd654df2dfaac44ea21900775dff1cc634da2f4027d09ebf894abbab681cfbf65fda5

            Download Submit

          • C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
            Filesize

            644KB

            MD5

            0eec0543603f7a8ce8e8f5fee478e1d2

            SHA1

            f975d2b0358d8f138bdbaa04e433d85297f29c2f

            SHA256

            636c1c024e59354f13d9bb02fa8f3849112c4557ab790a37146b1c121e597b24

            SHA512

            cbcd9919c79180c43d588c27107dd04c04378da47df03cb27f072ee296e9c23a7690e3196b457dda14bcac96a38617f597c83a47a813a58c813f3affbd6a2a05

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\$$a3A0B.bat
            Filesize

            722B

            MD5

            7a14e7affbc4d3e58754a2fc1c94ee9b

            SHA1

            3ac76aff3ef0a59d00f5f21d5174a43bab106c2f

            SHA256

            d55d0302b7a0f5d1154dc7992540f693a30c3f46e2479555c20f5b18a7abbf32

            SHA512

            9ae3b4dccc45951868c9608be13bc0adfecc6f23e9ab05ec58f39d0fda0d02bec1c153716c826e51cbd01a0f2a1b0de711283fd340425100a805a02dd47d2b84

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\e01452fae026a319ca3a858940cfd62242b10b264ae06fc05d50c45f11c0d7db.exe.exe
            Filesize

            71KB

            MD5

            423adb5b09778f505593929d89d3fd8c

            SHA1

            ba688ed370a2dbba0589fc7bcebf726111910189

            SHA256

            99cec7888af203c8997fc4e9a3b2a5b974540fe0e70f161c1b6b025309f12607

            SHA512

            406452e7891f8b4307465ee83edb925c76a1649bb405878cfb1d8e971c470569163f1493922b25a44f71b788f0ff1971485eafe47d982752d3974426032edd51

            Download Submit

          • C:\Windows\Logo1_.exe
            Filesize

            33KB

            MD5

            55b45e3d9494b95a16c60dfc44599db6

            SHA1

            66ec47cfced6ff77e8a5bba352f48ad6f7e78d7b

            SHA256

            3e4b59e3d964fb8e6f36415ef5acbb9d24638945c0ee0ed4624e34e3fd766449

            SHA512

            416fa491918b8e071b0d6d4bfe6c83de520a6543720f9fc072e22c0ffe4a1c82ece856f4961e111b04365ff3e70ae834e9b39b0a9825686b78b5102a1c70933f

            Download Submit

          • C:\Windows\system32\drivers\etc\hosts
            Filesize

            842B

            MD5

            6f4adf207ef402d9ef40c6aa52ffd245

            SHA1

            4b05b495619c643f02e278dede8f5b1392555a57

            SHA256

            d9704dab05e988be3e5e7b7c020bb9814906d11bb9c31ad80d4ed1316f6bc94e

            SHA512

            a6306bd200a26ea78192ae5b00cc49cfab3fba025fe7233709a4e62db0f9ed60030dce22b34afe57aad86a098c9a8c44e080cedc43227cb87ef4690baec35b47

            Download Submit

          • F:\$RECYCLE.BIN\S-1-5-21-4018855536-2201274732-320770143-1000\_desktop.ini
            Filesize

            8B

            MD5

            9bf5ad0e8bbf0ba1630c244358e5c6dd

            SHA1

            25918532222a7063195beeb76980b6ec9e59e19a

            SHA256

            551cc5b618f0fa78108dd2388d9136893adb10499e4836e9728f4e96530bf02f

            SHA512

            7fdce76bb191d4988d92e3d97ce8db4cae1b5c1f93198bffc4e863d324d814246353200d32ea730f83345fcb7ad82213c2bcd31351e905e473d9596bc7b43ad3

            Download Submit

          • memory/1592-20-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/1592-13-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/1592-5179-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/1592-8665-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/3756-10-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/3756-0-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download