Overview

overview

7

Static

static

3

b88085518c...0b.exe

windows7-x64

7

b88085518c...0b.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    97s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01/07/2024, 21:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b88085518cc4ea1bbec6ca6e17b9660b04cf5a9055b0b379ce6024171aba8f0b.exe

  • Size

    963KB

  • MD5

    a28c21369d1de3b4b9c843fad8217ae0

  • SHA1

    88cbcec19b4ea5b1f6c4c102565aa56524410af7

  • SHA256

    b88085518cc4ea1bbec6ca6e17b9660b04cf5a9055b0b379ce6024171aba8f0b

  • SHA512

    21631265b8774d386ab7e99b81d4107b9f822e8331759050fc46dc94bec59a77fbf936e9c50f872f6455bc14f42baabdb39d664a3b047c01985cf1d172573a63

  • SSDEEP

    12288:o1upbRKcv8Nh7py6Rmi78gkPH3aPI9vyVg/0paQuj3IdD02fKBjtp/:o1AkBpDRmi78gkPXlyo0G/jr

Score
7/10
spywarestealer

Malware Config

Signatures

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3540
      • C:\Users\Admin\AppData\Local\Temp\b88085518cc4ea1bbec6ca6e17b9660b04cf5a9055b0b379ce6024171aba8f0b.exe
        "C:\Users\Admin\AppData\Local\Temp\b88085518cc4ea1bbec6ca6e17b9660b04cf5a9055b0b379ce6024171aba8f0b.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:4976
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:3884
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:1032
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a49EA.bat
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:740
            • C:\Users\Admin\AppData\Local\Temp\b88085518cc4ea1bbec6ca6e17b9660b04cf5a9055b0b379ce6024171aba8f0b.exe
              "C:\Users\Admin\AppData\Local\Temp\b88085518cc4ea1bbec6ca6e17b9660b04cf5a9055b0b379ce6024171aba8f0b.exe"
              4⤵
              • Executes dropped EXE
              • Suspicious use of AdjustPrivilegeToken
              PID:3408
          • C:\Windows\Logo1_.exe
            C:\Windows\Logo1_.exe
            3⤵
            • Drops startup file
            • Executes dropped EXE
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:2728
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:3612
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:5040
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:1056
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:4640

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
            Filesize

            258KB

            MD5

            ded2175b2df67275abae4ba15944c7c6

            SHA1

            15e16af64183f29b566f558c36802e3e34e1205d

            SHA256

            1e717899d86e8cf36ad797b533b4a43a58f9aba162dd8b4d4ee48ed6af64e16a

            SHA512

            5d97130a356fd02f2837680b6d0b0d9c8e2ab37e6a167898acb29b44f35b7feb0d29f6dd2cde547255ba7e83e89ff9563edfe2f2781de84e4e99716c7a6a56b2

            Download Submit

          • C:\Program Files\7-Zip\7z.exe
            Filesize

            577KB

            MD5

            2d835d4f8e8f55093949a011d2a13342

            SHA1

            0ab05f1fa9c2c53b2ac4d03d685cb0e460c68c58

            SHA256

            f9d02843e907ee2ba15519e6fa504fb6e7f551dcaf7c631802cf51ff44939a9d

            SHA512

            ebfe4e8e22baf2b77d4a23560da83da686d41eb67e50fe5c803d6c1fd464b56af2e041be84fb2ec3314ad107e04658ec591ee8fb21203bc9592bef18e7589b09

            Download Submit

          • C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
            Filesize

            643KB

            MD5

            2186e704236b47c2268b5e251f696330

            SHA1

            101fdc37baf83fed8f6f8b55f1594a13e5060c4f

            SHA256

            ece9f7bb3d56dff6b865be7804d66254865ca7211619d517a7cf35cabba05144

            SHA512

            f0b451724fe6aa486002e6c86951e0089f5bc6f7cca6cf3b0c9cc8fb55cec0e5ae428c5ce00774e7d71b6427261f37573ffe385cac023f213e438fc031fda806

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\$$a49EA.bat
            Filesize

            722B

            MD5

            faf0a1b4cc1a945552b94f80eff687d3

            SHA1

            f4c0870ccb44bac81f54873cd2b8cf098fcb30f4

            SHA256

            82d0c3034f437b799d5ec239f70cff09ec8adcf38eb356eda11b02c633c3454b

            SHA512

            792130f61b3854eb21d08d6468344224dc4d7b3c60671deafcf0534879e363fd375e2b9b931e8296c1ed985a7d99c4793db9b75428fea19a20960d54f5c484e7

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\b88085518cc4ea1bbec6ca6e17b9660b04cf5a9055b0b379ce6024171aba8f0b.exe.exe
            Filesize

            930KB

            MD5

            30ac0b832d75598fb3ec37b6f2a8c86a

            SHA1

            6f47dbfd6ff36df7ba581a4cef024da527dc3046

            SHA256

            1ea0839c8dc95ad2c060af7d042c40c0daed58ce8e4524c0fba12fd73e4afb74

            SHA512

            505870601a4389b7ed2c8fecf85835adfd2944cbc10801f74bc4e08f5a0d6ecc9a52052fc37e216304cd1655129021862294a698ed36b3b43d428698f7263057

            Download Submit

          • C:\Windows\Logo1_.exe
            Filesize

            33KB

            MD5

            02ae2f4f874cd3f8b010ee3e202c593a

            SHA1

            bd9f1e0c977439f32db2d9368f2741eba46d68dc

            SHA256

            b5a4af62bd47eb59cb99abef2d20aefc03881f37fbec23eb45a786ab9b889efe

            SHA512

            8d93eff82209c4934b53f461d8730b9b09e0f353f272cbc4ea81b538f2b3e30eafbc5df8c30a27ba20d1a79a0204063f217f8bb0b4a9497ebb62bc91101ecd83

            Download Submit

          • F:\$RECYCLE.BIN\S-1-5-21-2804150937-2146708401-419095071-1000\_desktop.ini
            Filesize

            8B

            MD5

            87cbd7a2d7bdb443a36ecfb46e39db18

            SHA1

            12aac09be13003e857809ea9434c76126ac39bbf

            SHA256

            fe5e34894849bd441c429cfd17e62e06b828a82b04c9f0e7cadd884d78b326e1

            SHA512

            75b0b484285909c577f97dd2b748e8b6e905b2a37dc8a569519325e67cac8b8932fbbd52c754df787e2a6326a9ca575e5d37372a9635718a310c642457ed17e0

            Download Submit

          • memory/2728-2872-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/2728-18-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/2728-11-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/2728-8699-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/4976-0-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/4976-9-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download