Overview

overview

7

Static

static

3

6e2ffbdb04...2c.exe

windows7-x64

7

6e2ffbdb04...2c.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    152s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27/06/2024, 18:29

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    6e2ffbdb049d73be86b302b97588c9fb4f2dc0d0c21f9a41437c382b7318bf2c.exe

  • Size

    81KB

  • MD5

    9f4b3adf45b47795392f73eaf0ed7c51

  • SHA1

    c51d070914af476d4f112d2c388c2df9ed64f63f

  • SHA256

    6e2ffbdb049d73be86b302b97588c9fb4f2dc0d0c21f9a41437c382b7318bf2c

  • SHA512

    8436186a5755514bda6990cb613f332389f92de09b90094059b00b966a1120a10ece17952509a25a6f43b7724f8108a1db6c7b9c1b1210c6ffa6fee10a3b302c

  • SSDEEP

    1536:ctTFsxN92ppTSahtA3AA2zHxvuS6YGJYjilZrPMC5V:c16NIv7Mw56Y0ZIC5V

Score
7/10
spywarestealer

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3240
      • C:\Users\Admin\AppData\Local\Temp\6e2ffbdb049d73be86b302b97588c9fb4f2dc0d0c21f9a41437c382b7318bf2c.exe
        "C:\Users\Admin\AppData\Local\Temp\6e2ffbdb049d73be86b302b97588c9fb4f2dc0d0c21f9a41437c382b7318bf2c.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:228
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:4972
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:3296
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aEA60.bat
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:4684
            • C:\Users\Admin\AppData\Local\Temp\6e2ffbdb049d73be86b302b97588c9fb4f2dc0d0c21f9a41437c382b7318bf2c.exe
              "C:\Users\Admin\AppData\Local\Temp\6e2ffbdb049d73be86b302b97588c9fb4f2dc0d0c21f9a41437c382b7318bf2c.exe"
              4⤵
              • Executes dropped EXE
              PID:1724
          • C:\Windows\Logo1_.exe
            C:\Windows\Logo1_.exe
            3⤵
            • Executes dropped EXE
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:2356
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:4304
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:2160
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:864
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:3816
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4480 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:8
            1⤵
              PID:1000

            Network

                  MITRE ATT&CK Enterprise v15

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
                    Filesize

                    258KB

                    MD5

                    d1b326bb608a3354437f032ccf3cee89

                    SHA1

                    58dd89d939e180fd84c30d4adbeaaaf8ebfbbb26

                    SHA256

                    40e1de27dc92431138539f86ccd5b9f4dcdcdc6da4ef142a29dbf9043d69bce5

                    SHA512

                    85771390400510a38b5bafb0eef63c1b11a5eeaaec9f5fbdcd735d6625971135d237a62f2f357ad912282151bfd351b901a0facd99e4f068f09e3716c8a7473a

                    Download Submit

                  • C:\Program Files\7-Zip\7z.exe
                    Filesize

                    577KB

                    MD5

                    77111fbf259d6efc8ad5b8891c3a75da

                    SHA1

                    d333012b0e69030899dcb68bba166d24143209ae

                    SHA256

                    cb41f765a2c3f357060b75af0373c7ea17faf1177b7bf43288eebf3516092bec

                    SHA512

                    eaaa1b07930afcd979abc614f4195dbbb34dc550698419e397c6a3ac9e16829265a631984e9eef5d51328fe13f3b8b6ca79233471e5d407d94bd8910c3f49e15

                    Download Submit

                  • C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe
                    Filesize

                    488KB

                    MD5

                    ee67e995cc720bdea9ad5bd16b0ff7bf

                    SHA1

                    8779525e9576a51cd6441b6c35e5e38690c94f34

                    SHA256

                    ef3bfd992ca033aacbe64d6a949a4dc94a3ee19fa7349298541faf08298b1d98

                    SHA512

                    e1aebdd145ea7415867ff44e71a8e3f730f2c8712ca3c79289cc00231fbdb7b03c000d069ac60eb5cd62eff6079cf4fd4595a6016a4c98ea19051767366e4524

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\$$aEA60.bat
                    Filesize

                    722B

                    MD5

                    a998dd2637df5387d7496b70a119b6f0

                    SHA1

                    08ba771ee359efad94ba98e9f7bc2952b402a043

                    SHA256

                    59884f7cb84598c663d621567971d441f7485347a620944987e41cf4d9242f85

                    SHA512

                    c1703db6cecbcd93ee1a8884b970f27066cd850546c0bea90fde710296227841e98da102abfda4fcb4648ef3f887fc1309a31f1a28121b08927b92e9e9ab5d6f

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\6e2ffbdb049d73be86b302b97588c9fb4f2dc0d0c21f9a41437c382b7318bf2c.exe.exe
                    Filesize

                    48KB

                    MD5

                    422a02111fabd3e229ffd105d6054f56

                    SHA1

                    7930d07dbc89c1113eec7cbd492daf3a025939b2

                    SHA256

                    2d6bd317e34216f318ce9fb34fbc24e6260b1472930a8c0f126792f8ff821a9e

                    SHA512

                    a46b5f8b6cb3cf2cb9714a0708ff63dfe4b543ab4a651f2b8ab93ce54ae77e8c7f6d67a8d9d4481957ada966f778ac6d1cceb24b1d8bbad2a6bca77b0bc9ea59

                    Download Submit

                  • C:\Windows\Logo1_.exe
                    Filesize

                    33KB

                    MD5

                    164dcc3e93f94c54763d5a450d132c2c

                    SHA1

                    646517979f15f47744437e9f1a6e95a53dec3b69

                    SHA256

                    63a6022b7d3ec4cd5355b8844bf1ef9f93363fbd9ee1a5d09815de70abda8cd6

                    SHA512

                    33785e5e7c26af4d6a5ef5f2504200fd213c8eaf2204e828280fcdb955a032b87fc627cf1c32fdf11cc921715850151098c10691274cd8e78660b538f0381635

                    Download Submit

                  • F:\$RECYCLE.BIN\S-1-5-21-3808065738-1666277613-1125846146-1000\_desktop.ini
                    Filesize

                    9B

                    MD5

                    7d17b811a66f09661920bf5af1f95ae9

                    SHA1

                    f974fb71f0c9242357d308243f16d5509a0fb040

                    SHA256

                    1ffbf32a83283a76202c268eb3ea579c4b39aa6fb11fc42ad18318286fbf749c

                    SHA512

                    019689bb28dd360a9b3fe6696944854f806ebe877734f4f8533f7c2508d371049a96f6c7bd5dda908ab91686dbfba4a54335cbc6c4d649775e62912f0af730e3

                    Download Submit

                  • memory/228-0-0x0000000000400000-0x0000000000440000-memory.dmp

                    Filesize

                    256KB

                    Download

                  • memory/228-11-0x0000000000400000-0x0000000000440000-memory.dmp

                    Filesize

                    256KB

                    Download

                  • memory/2356-734-0x0000000000400000-0x0000000000440000-memory.dmp

                    Filesize

                    256KB

                    Download

                  • memory/2356-319-0x0000000000400000-0x0000000000440000-memory.dmp

                    Filesize

                    256KB

                    Download

                  • memory/2356-1519-0x0000000000400000-0x0000000000440000-memory.dmp

                    Filesize

                    256KB

                    Download

                  • memory/2356-2449-0x0000000000400000-0x0000000000440000-memory.dmp

                    Filesize

                    256KB

                    Download

                  • memory/2356-3328-0x0000000000400000-0x0000000000440000-memory.dmp

                    Filesize

                    256KB

                    Download

                  • memory/2356-18-0x0000000000400000-0x0000000000440000-memory.dmp

                    Filesize

                    256KB

                    Download

                  • memory/2356-4781-0x0000000000400000-0x0000000000440000-memory.dmp

                    Filesize

                    256KB

                    Download

                  • memory/2356-5015-0x0000000000400000-0x0000000000440000-memory.dmp

                    Filesize

                    256KB

                    Download

                  • memory/2356-5456-0x0000000000400000-0x0000000000440000-memory.dmp

                    Filesize

                    256KB

                    Download

                  • memory/2356-5535-0x0000000000400000-0x0000000000440000-memory.dmp

                    Filesize

                    256KB

                    Download

                  • memory/2356-8-0x0000000000400000-0x0000000000440000-memory.dmp

                    Filesize

                    256KB

                    Download

                  • memory/2356-5772-0x0000000000400000-0x0000000000440000-memory.dmp

                    Filesize

                    256KB

                    Download

                  • memory/2356-7425-0x0000000000400000-0x0000000000440000-memory.dmp

                    Filesize

                    256KB

                    Download