Overview

overview

7

Static

static

3

86924d4df0...ca.exe

windows7-x64

7

86924d4df0...ca.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12/06/2024, 01:29

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    86924d4df0d9b59d2e185afdcc243064a5820790d0d0ffbdcb9ef2b211be07ca.exe

  • Size

    393KB

  • MD5

    b7572df97908559132f2ce78eac1d0d5

  • SHA1

    432198f0fa87e8626b17f425c9f0650f19774190

  • SHA256

    86924d4df0d9b59d2e185afdcc243064a5820790d0d0ffbdcb9ef2b211be07ca

  • SHA512

    9a231863ac55d4f23cb0ba30d0f8fa130d4a6a7038abb845a17d176dfffa2b735d3f3093f295d72692a9ed05f142a64be0361153d3b66197033227265da633d5

  • SSDEEP

    6144:8+aX3xFuP2zPVz7jUBs8hqcBCi6dbfra4erJlt9A+xX1oOAisEIWmGeNkfGuYF1a:8+axxahVy41

Score
7/10
spywarestealer

Malware Config

Signatures

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3408
      • C:\Users\Admin\AppData\Local\Temp\86924d4df0d9b59d2e185afdcc243064a5820790d0d0ffbdcb9ef2b211be07ca.exe
        "C:\Users\Admin\AppData\Local\Temp\86924d4df0d9b59d2e185afdcc243064a5820790d0d0ffbdcb9ef2b211be07ca.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:4704
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:4824
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:1000
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4333.bat
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:4304
            • C:\Users\Admin\AppData\Local\Temp\86924d4df0d9b59d2e185afdcc243064a5820790d0d0ffbdcb9ef2b211be07ca.exe
              "C:\Users\Admin\AppData\Local\Temp\86924d4df0d9b59d2e185afdcc243064a5820790d0d0ffbdcb9ef2b211be07ca.exe"
              4⤵
              • Executes dropped EXE
              PID:3568
          • C:\Windows\Logo1_.exe
            C:\Windows\Logo1_.exe
            3⤵
            • Drops startup file
            • Executes dropped EXE
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:4588
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:4176
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:4596
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:4684
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:3492

          Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
                  Filesize

                  258KB

                  MD5

                  c0bf6ad3b8d0941be202b2fc15d116d8

                  SHA1

                  2bc2bc6b1dd2fde659461a014636455fcb4c5549

                  SHA256

                  7a128dd18d2e63fb6750645c34dbde898054a6b567d70e117b0c9495f1a7b1b7

                  SHA512

                  8786fbb9d1b840ac0b9e652e8e48f5ac5de84f479553928fe1b2816c285f873cbe721d68e1efc88175a4bf6e444c25db694977a317e3d11f98140d4a5c2e5621

                  Download Submit

                • C:\Program Files\7-Zip\7z.exe
                  Filesize

                  577KB

                  MD5

                  1f26d138707508a761645740d8c60ef8

                  SHA1

                  eb3699e294414c71f9476c5cc8e427d174600a69

                  SHA256

                  15f7dc4ae85f296a2c00266eea952cdfa8d3abc4d86117284856ebb229d1498c

                  SHA512

                  181900cb340c70e8335ddddf07d4735546ca1219e2aef60a5517326d330ad20035b7d818a3ebbffb28a0a15a31d90877cb7335537a7b2a93c917267e6646696a

                  Download Submit

                • C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
                  Filesize

                  643KB

                  MD5

                  b56ccceae467b8d0456467cfe96693f3

                  SHA1

                  35e9f02f4715f52201540996216ab6477a7c6047

                  SHA256

                  eab370b369e20231610d338e35723a26e1959c59ef57e4251b4ee88c2978316e

                  SHA512

                  ebfc8a879dc5cbd361ce0e058a4b7282602d6655281e632abcd56b92512231111b0f7d8747678d443472a8f344a64cbe84937374a8371a219fab0c5bb0ab0f33

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\$$a4333.bat
                  Filesize

                  722B

                  MD5

                  615ce8d2cde4a502f49e535f364b4d78

                  SHA1

                  48181cb4205a4436797f736eed790c6e6d5f9d26

                  SHA256

                  f94598bff138afc6abd32de3fb3539b0a906c89028c063b7631e47b8b11e64c5

                  SHA512

                  024682ed87902103646567044d9e1587d7974ba5e81b934f660c2eb1f8b4546b2fe4db4f013083dee12e7e01a8fedd3fce144530557330958f12a231b6ae4e09

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\86924d4df0d9b59d2e185afdcc243064a5820790d0d0ffbdcb9ef2b211be07ca.exe.exe
                  Filesize

                  360KB

                  MD5

                  5fbd45261a2de3bb42f489e825a9a935

                  SHA1

                  ff388f6e9efe651ec62c4152c1739783e7899293

                  SHA256

                  9e63701598199d5c47217e23b44d0e3ec5d53f5419166b1b6c68a7e9e8fc47a4

                  SHA512

                  7f22b1995a07016adb342c551454d602bfbe511525139aee8581b62116608e9e278fd81c26382f1333c7eccded4474196e73c093bb5cbf8e8f203e865024c058

                  Download Submit

                • C:\Windows\Logo1_.exe
                  Filesize

                  33KB

                  MD5

                  0b18f5b409f556bed8c59f0882e1bf6b

                  SHA1

                  5f6bf5cc38e1c19dfd42100168cfec1051036e75

                  SHA256

                  39cf09653e9107fa585cc8e8ac240f7ec179e4b9ca78d9b04e79ecc5524de87b

                  SHA512

                  0b7721a55f99d1f216d6b708eb251b9a9a2c92da7c864c8240c01d7214b98012ee7f23028d1bdc5b71213229165ed5dc5d3a86e56fe36e2ab37540fa44a79365

                  Download Submit

                • F:\$RECYCLE.BIN\S-1-5-21-4204450073-1267028356-951339405-1000\_desktop.ini
                  Filesize

                  9B

                  MD5

                  1f206a052c160fd77308863abd810887

                  SHA1

                  3b27ec1dc4b51fb7f1793a9ca9bb0d2e53e60eb1

                  SHA256

                  45129bd309ca763a88c6bf438896e82b939d6491036658c4512c57f8353938c1

                  SHA512

                  bd7857c146b01a49d34d4eb84053353eeb586bee6916426179305d5e2360559adea4040fe2184a3a803943ff4e6526cc38c665f9a808355619628868d53fbed5

                  Download Submit

                • memory/4588-11-0x0000000000400000-0x000000000043F000-memory.dmp

                  Filesize

                  252KB

                  Download

                • memory/4588-18-0x0000000000400000-0x000000000043F000-memory.dmp

                  Filesize

                  252KB

                  Download

                • memory/4588-5389-0x0000000000400000-0x000000000043F000-memory.dmp

                  Filesize

                  252KB

                  Download

                • memory/4588-8875-0x0000000000400000-0x000000000043F000-memory.dmp

                  Filesize

                  252KB

                  Download

                • memory/4704-0-0x0000000000400000-0x000000000043F000-memory.dmp

                  Filesize

                  252KB

                  Download

                • memory/4704-10-0x0000000000400000-0x000000000043F000-memory.dmp

                  Filesize

                  252KB

                  Download