Overview

overview

7

Static

static

3

5dfa6493d9...2c.exe

windows7-x64

7

5dfa6493d9...2c.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    16/06/2024, 19:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5dfa6493d9527f086cd8ce55daa5e9dbc98dd0909a1accd25db2764c58fb0c2c.exe

  • Size

    394KB

  • MD5

    bd02d506ced5a2d426ed2ec4cbdba431

  • SHA1

    ffad8deb84486101c55ba01754def8aa75620235

  • SHA256

    5dfa6493d9527f086cd8ce55daa5e9dbc98dd0909a1accd25db2764c58fb0c2c

  • SHA512

    6aaad2bfafccf27a44ccd235e16547f10c7720649860fe245f2db5c00fcd7f321cb4f5a62d6dca6aa7a704d8e6927b2ac4b20be937f61e744e38f82db3e78c23

  • SSDEEP

    6144:dG5KtP2zPVz7jUBs8hqcBCi6dbfra4erJlt9A+xX1oOAisEIWmGeNkfGuYF1moH2:dPmahVy41

Score
7/10
spywarestealer

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 43 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1196
      • C:\Users\Admin\AppData\Local\Temp\5dfa6493d9527f086cd8ce55daa5e9dbc98dd0909a1accd25db2764c58fb0c2c.exe
        "C:\Users\Admin\AppData\Local\Temp\5dfa6493d9527f086cd8ce55daa5e9dbc98dd0909a1accd25db2764c58fb0c2c.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1728
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2728
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:1044
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c C:\Users\Admin\AppData\Local\Temp\$$a22EC.bat
            3⤵
            • Deletes itself
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:2616
            • C:\Users\Admin\AppData\Local\Temp\5dfa6493d9527f086cd8ce55daa5e9dbc98dd0909a1accd25db2764c58fb0c2c.exe
              "C:\Users\Admin\AppData\Local\Temp\5dfa6493d9527f086cd8ce55daa5e9dbc98dd0909a1accd25db2764c58fb0c2c.exe"
              4⤵
              • Executes dropped EXE
              PID:2720
          • C:\Windows\Logo1_.exe
            C:\Windows\Logo1_.exe
            3⤵
            • Executes dropped EXE
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:2872
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:2540
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:2492
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:2712
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:2436

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
            Filesize

            258KB

            MD5

            b5b1f5646542e384afa7df94f5558dc1

            SHA1

            c08ac0f9d2982247414cdfc901e89fe2b2d7d6d8

            SHA256

            8b384efa768302ee176fd51c816a434b302162704e0816f06a022592ef08913d

            SHA512

            dcf104b02efddbe58ea4c6ed8bfda1bd6d923aab589038f1871439c649cf88ee7329197e45037bad1bc16c638469941bc260430c4d392f531c47a4162e76a785

            Download Submit

          • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
            Filesize

            478KB

            MD5

            5264aab343fc1f53c29d1065346d0010

            SHA1

            db43bc0b28b4ada0c5635db50fd0b64410ab76ad

            SHA256

            d33d56847b353c8207a43aa01cc75527328ebf4bba669e90e29266d1b6fb57dd

            SHA512

            bb4ba1f7c5cae56cef564dd99f1a1fd3e2c656f8004f689a22ea641d886cbb3a19dde3dce5be4cf8cee4ce190170fd8c5390cb9c7c40ae54109559685119a958

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\$$a22EC.bat
            Filesize

            722B

            MD5

            a67299e90766d9c8a9db5eea8f7f76ea

            SHA1

            a7bce9ead3d683afe9149978f97e33e80e2901d0

            SHA256

            76bc3cf00c565616336649a9af48fdf43848f552615fdc01111f3a18b02c5848

            SHA512

            ce285484e69a31d6a1968efe8292eae34614228a5a2cdd1df6e951b03b3fa97a1306b551a3e0affe443e00af8382f1c9394a40a4a905f76bfbfb5222fe2fdeca

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\5dfa6493d9527f086cd8ce55daa5e9dbc98dd0909a1accd25db2764c58fb0c2c.exe.exe
            Filesize

            360KB

            MD5

            5fbd45261a2de3bb42f489e825a9a935

            SHA1

            ff388f6e9efe651ec62c4152c1739783e7899293

            SHA256

            9e63701598199d5c47217e23b44d0e3ec5d53f5419166b1b6c68a7e9e8fc47a4

            SHA512

            7f22b1995a07016adb342c551454d602bfbe511525139aee8581b62116608e9e278fd81c26382f1333c7eccded4474196e73c093bb5cbf8e8f203e865024c058

            Download Submit

          • C:\Windows\Logo1_.exe
            Filesize

            33KB

            MD5

            21c31ac73db60142f947a5b68485db7a

            SHA1

            857c9c62c586fca11e3b5ae1a97518fa0a9eec46

            SHA256

            4d957e31bf06c4263f70fdda77e0275065d3501738cd5276d59b0813c1fdc2a2

            SHA512

            72ca302ca87c2c6cc71a3b8b3df8ecbfdd715ff6953b55c06d2c32a3cd6fdd6a02ac60b71c7393e5cf58fa70d61775c0fc5ea9efbcf7f5b824eafa8926b5f49a

            Download Submit

          • F:\$RECYCLE.BIN\S-1-5-21-1298544033-3225604241-2703760938-1000\_desktop.ini
            Filesize

            9B

            MD5

            1884bfdeea71ff22db39c196f4447c9c

            SHA1

            3eafc7e6e17ba6ce7a087a3588fb1efb596da038

            SHA256

            163167bc5a01ad6b3ed4406c2a9a1baaf2c0ef4620ab7d5b39aeddf976ca776d

            SHA512

            b22124aa3a912462e6face7f71ad3dfec4b27dab16b2e20e3a0adc277f89f631ec889c91b185ac4b9b670933d881b8fd26c25d6f405e465aa8148cdbb7f7c3e2

            Download Submit

          • memory/1196-25-0x0000000002E60000-0x0000000002E61000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1728-0-0x0000000000400000-0x0000000000440000-memory.dmp

            Filesize

            256KB

            Download

          • memory/1728-16-0x0000000000400000-0x0000000000440000-memory.dmp

            Filesize

            256KB

            Download

          • memory/2872-28-0x0000000000400000-0x0000000000440000-memory.dmp

            Filesize

            256KB

            Download

          • memory/2872-2973-0x0000000000400000-0x0000000000440000-memory.dmp

            Filesize

            256KB

            Download

          • memory/2872-4138-0x0000000000400000-0x0000000000440000-memory.dmp

            Filesize

            256KB

            Download