Overview

overview

7

Static

static

3

8200b2364c...30.exe

windows7-x64

7

8200b2364c...30.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    99s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14/06/2024, 18:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8200b2364cca2565745d4678c2fe461e93b5aa323858adfc849e4d5e1d592330.exe

  • Size

    97KB

  • MD5

    b101d637f86434f7d6485a3ffbaa4b6a

  • SHA1

    c8cf249655cd0eb7b9f08e0b037bd19546622388

  • SHA256

    8200b2364cca2565745d4678c2fe461e93b5aa323858adfc849e4d5e1d592330

  • SHA512

    04a97108f5db7ccfb65926a8ca99f95fddd7d2b9e71d7e1140d68c3f33ed0feba94c818cada233dd4560165fbfb001e78399cd952e137f3204760d58da9067eb

  • SSDEEP

    1536:/BNsrz8VuJlMXaDuiNYf88qP2CsRdxgwGGCIOunToIfiWdN:/BA8ulMXaK/f8l2CHRGgKTBfik

Score
7/10
spywarestealer

Malware Config

Signatures

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3440
      • C:\Users\Admin\AppData\Local\Temp\8200b2364cca2565745d4678c2fe461e93b5aa323858adfc849e4d5e1d592330.exe
        "C:\Users\Admin\AppData\Local\Temp\8200b2364cca2565745d4678c2fe461e93b5aa323858adfc849e4d5e1d592330.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:4864
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2108
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:3300
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a3D95.bat
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:3628
            • C:\Users\Admin\AppData\Local\Temp\8200b2364cca2565745d4678c2fe461e93b5aa323858adfc849e4d5e1d592330.exe
              "C:\Users\Admin\AppData\Local\Temp\8200b2364cca2565745d4678c2fe461e93b5aa323858adfc849e4d5e1d592330.exe"
              4⤵
              • Executes dropped EXE
              PID:1400
          • C:\Windows\Logo1_.exe
            C:\Windows\Logo1_.exe
            3⤵
            • Drops startup file
            • Executes dropped EXE
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:2244
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:1472
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:1300
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:2368
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:2292

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files\7-Zip\7z.exe
            Filesize

            577KB

            MD5

            5d64188818f8abcb73f41c0b3c33441b

            SHA1

            30eb087973f856bdc3aca96d9b6038a55f866b2c

            SHA256

            30cf4b58ecca3bb3fe81f3829d12e56bd12143ed52b0c55f6d6a11792003278e

            SHA512

            7a807a62543517c2f637803a7d5b43af5d7df66591a195aa2f254464bfb63adf20bf4a0908fef74c1b7aff5ca0a9d0e1129e657347d3b6dd24df53e6e122c6fe

            Download Submit

          • C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
            Filesize

            644KB

            MD5

            11e0853d537d2721ecc655c1fc527e91

            SHA1

            c8e23d103e93073ba7c93374878ae9a9f926c944

            SHA256

            f168cda7cfa0f4f1d8dc26f615772410afe41b43fbc3da3cfe2c249b1eadca30

            SHA512

            3e5af85789e480d355053e9ded02108ae53136aec795d5d37faf1d5426275f7f3729e5583b0a95b3434d5b4452c7382405c0f8bc94e8a65275335c62268e0ee2

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\$$a3D95.bat
            Filesize

            722B

            MD5

            8e475f13752e1709f65b844cc938ee69

            SHA1

            c223c66c85185620aa3727eda4f6b1d7728e1bdc

            SHA256

            af139569ee8f0eb9b92b58ebeff4f077337fac023439ea625c9f30a1677e11d6

            SHA512

            5c4021c04ac0c40316f2ed29b7cf04f6b063593e7e8d6089f68420c688ed1bb8a8720724ea95465412a841ee47131730be712830d90de1ce4d1dd6d1a1047560

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\8200b2364cca2565745d4678c2fe461e93b5aa323858adfc849e4d5e1d592330.exe.exe
            Filesize

            64KB

            MD5

            ae6ce17005c63b7e9bf15a2a21abb315

            SHA1

            9b6bdfb9d648fa422f54ec07b8c8ea70389c09eb

            SHA256

            4a3387a54eeca83f3a8ff1f5f282f7966c9e7bfe159c8eb45444cab01b3e167e

            SHA512

            c883a5f599540d636efc8c0abc05aab7bad0aa1b10ab507f43f18e0fba905a10b94ff2f1ba10ae0fee15cc1b90a165a768dc078fda0ac27474f0eef66f6a11af

            Download Submit

          • C:\Windows\Logo1_.exe
            Filesize

            33KB

            MD5

            d208b34bbac286d49a77081b20a5c951

            SHA1

            94341f108285312afa4cd4d6458804358b88e322

            SHA256

            6d3b364072ac79af423a6fa1252424274b51e8c18a113e8f54e7d8a9413ae33a

            SHA512

            e42039b533ec80a0b591bd6a4877c8c993eefdd7323a6fbb2d58b75188f085365c8f927f7079917fa18363f505f9ec400c0536f236248ca2809941dcd408aab0

            Download Submit

          • F:\$RECYCLE.BIN\S-1-5-21-2539840389-1261165778-1087677076-1000\_desktop.ini
            Filesize

            9B

            MD5

            03c36dbecb7f35761f80ba5fc5566da6

            SHA1

            159b7733006187467bda251a1bbb278c141dceb6

            SHA256

            85a53f5b976fb1c26ce14c31e93c1f68997d2d8b09ab9aa2b7e0d32b8e50ec3b

            SHA512

            fe573085d2abef34adcede2f89b1c2810875ab00ef9ba27a1d95ed1dbe93e182fc53d981901a0b8048dd4eb5fdc852b8f0e0c3a0e1a404cbbe70e13a7a14104a

            Download Submit

          • memory/2244-11-0x0000000000400000-0x0000000000440000-memory.dmp

            Filesize

            256KB

            Download

          • memory/2244-18-0x0000000000400000-0x0000000000440000-memory.dmp

            Filesize

            256KB

            Download

          • memory/2244-4984-0x0000000000400000-0x0000000000440000-memory.dmp

            Filesize

            256KB

            Download

          • memory/2244-8672-0x0000000000400000-0x0000000000440000-memory.dmp

            Filesize

            256KB

            Download

          • memory/4864-0-0x0000000000400000-0x0000000000440000-memory.dmp

            Filesize

            256KB

            Download

          • memory/4864-9-0x0000000000400000-0x0000000000440000-memory.dmp

            Filesize

            256KB

            Download