Overview

overview

7

Static

static

3

90efe5fad6...88.exe

windows7-x64

7

90efe5fad6...88.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-06-2024 08:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    90efe5fad6a27843ae80b15ca8061186e5148a451c2baa81d5b8e1e9b3e33e88.exe

  • Size

    47KB

  • MD5

    e56415910c7e03b222c7846fb3a6e5f4

  • SHA1

    eb64cafd437f67df714ebd9156fa7ee382e7f004

  • SHA256

    90efe5fad6a27843ae80b15ca8061186e5148a451c2baa81d5b8e1e9b3e33e88

  • SHA512

    3233335136bc6649977b9b7ffc0e441c2ce7c39e45348924b99c6b250c1c4e47506338d4295ca2fd3e9f39e5fc61ed6acba54d3f39d112eff21301cc4a9fb180

  • SSDEEP

    768:61m3pQFJFKZj1PVs9Ag1vzu4OQZce0Ote9Q77Q6WFelKpaoWQ3655Kv1X/qY1MSd:6Bcx1aeg1v9OQZVUKM6+kKpzHqaNrFd

Score
7/10
spywarestealer

Malware Config

Signatures

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3384
      • C:\Users\Admin\AppData\Local\Temp\90efe5fad6a27843ae80b15ca8061186e5148a451c2baa81d5b8e1e9b3e33e88.exe
        "C:\Users\Admin\AppData\Local\Temp\90efe5fad6a27843ae80b15ca8061186e5148a451c2baa81d5b8e1e9b3e33e88.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:884
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:504
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:2820
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a6206.bat
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:3948
            • C:\Users\Admin\AppData\Local\Temp\90efe5fad6a27843ae80b15ca8061186e5148a451c2baa81d5b8e1e9b3e33e88.exe
              "C:\Users\Admin\AppData\Local\Temp\90efe5fad6a27843ae80b15ca8061186e5148a451c2baa81d5b8e1e9b3e33e88.exe"
              4⤵
              • Executes dropped EXE
              PID:4192
          • C:\Windows\Logo1_.exe
            C:\Windows\Logo1_.exe
            3⤵
            • Drops startup file
            • Executes dropped EXE
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:1964
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:2424
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:1608
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:5032
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:944

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
            Filesize

            258KB

            MD5

            54da8c314043c118875430a03c971b26

            SHA1

            cc1e060ba4f2b3b7727d681468db5a9837a5bc96

            SHA256

            6a7e08989e5160ec705370069e95e5a37075a09d44d39152e1ed9b6358e53619

            SHA512

            e2b1c087410980ef9cecf8f79720139c071921e7e11cdb0816c169ad98d4547a4c7c4fee91fb1556294088e9426b14b98699f3eebefa83d904a72a4bc19665a5

            Download Submit

          • C:\Program Files\7-Zip\7z.exe
            Filesize

            577KB

            MD5

            a5482316b9aca05e2ff7ddaa5672fa75

            SHA1

            52bf361e8ef47273c05736450258a70876dd5d3a

            SHA256

            63bd6f4a635b25e679a8eb6928c126b6665e7eb66cf2ad39d78c67cd251805ea

            SHA512

            988b9ef9325d6df5f2ae5131e48c796f19a047618c5b60c921966fcdf1f9033cc7cd362e4901eb237753d6af182fe26082a4d4077c3bef631c0b20af6f122ada

            Download Submit

          • C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
            Filesize

            643KB

            MD5

            2186e704236b47c2268b5e251f696330

            SHA1

            101fdc37baf83fed8f6f8b55f1594a13e5060c4f

            SHA256

            ece9f7bb3d56dff6b865be7804d66254865ca7211619d517a7cf35cabba05144

            SHA512

            f0b451724fe6aa486002e6c86951e0089f5bc6f7cca6cf3b0c9cc8fb55cec0e5ae428c5ce00774e7d71b6427261f37573ffe385cac023f213e438fc031fda806

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\$$a6206.bat
            Filesize

            722B

            MD5

            c7b0d6ce909151bd15da0ba5d1c949bb

            SHA1

            37ec2ba300779699db0f064923a542ce34a49f7d

            SHA256

            0944758f8dfc97b33cda21d5ed8eb7f23e17c0c5f08c01f9b77adaac853c9ec1

            SHA512

            998246fef1bf24c942fd62041a3cbd22a2626b156a1df85e575f5f07e2ca3ebf0e91ab42972b9757140c181a6634c05de889654ce2326359e5ee17efd762b554

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\90efe5fad6a27843ae80b15ca8061186e5148a451c2baa81d5b8e1e9b3e33e88.exe.exe
            Filesize

            14KB

            MD5

            ad782ffac62e14e2269bf1379bccbaae

            SHA1

            9539773b550e902a35764574a2be2d05bc0d8afc

            SHA256

            1c8a77db924ebeb952052334dc95add388700c02b073b07973cd8fe0a0a360b8

            SHA512

            a1e9d6316ffc55f4751090961733e98c93b2a391666ff50b50e9dea39783746e501d14127e7ee9343926976d7e3cd224f13736530354d8466ea995dab35c8dc2

            Download Submit

          • C:\Windows\Logo1_.exe
            Filesize

            33KB

            MD5

            b7b3296dd00061042070807bffd52c4f

            SHA1

            4c02815f800a1536a56ab17afcd3c591625aae17

            SHA256

            fe885803ed069efd52098fd0b42aad080a8b2e80db80fb3a16d8602d89f3ad8f

            SHA512

            63f6dcf9867fdc7caa28a83afe112a1870c78a5db8610dfb5fe180ec2ca46385bcb0e3a21d3aa726c2049156bd54452206b8d6ca81ea571d29a0ab66e4c1c27b

            Download Submit

          • F:\$RECYCLE.BIN\S-1-5-21-3169499791-3545231813-3156325206-1000\_desktop.ini
            Filesize

            9B

            MD5

            1f206a052c160fd77308863abd810887

            SHA1

            3b27ec1dc4b51fb7f1793a9ca9bb0d2e53e60eb1

            SHA256

            45129bd309ca763a88c6bf438896e82b939d6491036658c4512c57f8353938c1

            SHA512

            bd7857c146b01a49d34d4eb84053353eeb586bee6916426179305d5e2360559adea4040fe2184a3a803943ff4e6526cc38c665f9a808355619628868d53fbed5

            Download Submit

          • memory/884-10-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/884-0-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/1964-18-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/1964-4642-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/1964-11-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/1964-8664-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download