Overview

overview

7

Static

static

3

08c798996a...b1.exe

windows7-x64

7

08c798996a...b1.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240611-en
  • resource tags

    arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
  • submitted
    01-07-2024 18:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    08c798996ada4602afc5bf6e8e280c310e9bd2b161eee0e0bbe4d490d20c4ab1.exe

  • Size

    491KB

  • MD5

    8d4898f677252c2953ab6c5b8af822ce

  • SHA1

    3293eb54e3dc333a25619fe246eaa266ab38babc

  • SHA256

    08c798996ada4602afc5bf6e8e280c310e9bd2b161eee0e0bbe4d490d20c4ab1

  • SHA512

    296cbf44843f178ca82ade8674a89e91b431fa26e6ada263aa5ffb738e39bfe638082305673f803d5f3b8fa8885e1b785a5fca609c60deed12b3570fcdb2c3c5

  • SSDEEP

    6144:rqulrz1gL5pRTMTTjMkId/BynSx7dEe6XwzRaktNP08NhKs39zo43fTtl1fayCV4:rd1gL5pRTcAkS/3hzN8qE43fm78V

Score
7/10
spywarestealer

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 43 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1224
      • C:\Users\Admin\AppData\Local\Temp\08c798996ada4602afc5bf6e8e280c310e9bd2b161eee0e0bbe4d490d20c4ab1.exe
        "C:\Users\Admin\AppData\Local\Temp\08c798996ada4602afc5bf6e8e280c310e9bd2b161eee0e0bbe4d490d20c4ab1.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2872
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2396
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:2776
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c C:\Users\Admin\AppData\Local\Temp\$$a1DAE.bat
            3⤵
            • Deletes itself
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:2740
            • C:\Users\Admin\AppData\Local\Temp\08c798996ada4602afc5bf6e8e280c310e9bd2b161eee0e0bbe4d490d20c4ab1.exe
              "C:\Users\Admin\AppData\Local\Temp\08c798996ada4602afc5bf6e8e280c310e9bd2b161eee0e0bbe4d490d20c4ab1.exe"
              4⤵
              • Executes dropped EXE
              PID:2808
          • C:\Windows\Logo1_.exe
            C:\Windows\Logo1_.exe
            3⤵
            • Executes dropped EXE
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:2760
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:2840
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:2556
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:2392
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:1188

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
            Filesize

            258KB

            MD5

            920aa02bc54d3ba29c445e3a171fc5ea

            SHA1

            1c58fd6fdfa1c582a442a34d4725d61a850b0363

            SHA256

            05867d8f2ececd59d608188da2ce1a18fa0bc388c4896778c1909e36039db537

            SHA512

            9d34fa3a6f4111d95c7086d31984dd6fdd606a50e567f4f75d798e5a8bebcfbe2952056cc23fcdd0d6e51780f7dd1dd41101a1f067bbbb7002710d59d40d0a3c

            Download Submit

          • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
            Filesize

            478KB

            MD5

            85bfd80e5e2a61689d1273c6efa51ccc

            SHA1

            8ae8a160124cc56983f24a933fbecdac08da435a

            SHA256

            892cf1575e0cc60639951f9a5a37323f3ca7d06f335e8a39635c3b858596ea3c

            SHA512

            96dd851f4d17a65aa6dfddfdc134a46d30b0417451b4c4b31092b66056cae59302d49b706294547e5766e347dc368ff4bd176d90376c5e2ad5c7a52aa8718a79

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\$$a1DAE.bat
            Filesize

            722B

            MD5

            961b5d98aadb9481aa0da2b4a98d80fa

            SHA1

            5e14a67e1be8dae262911201d72c517e29cc53cc

            SHA256

            92d5929efc71cf46f1d4c01b722d55c22e31132d60eaf0208154118e207df9a5

            SHA512

            9d5728c4081970f74e6c159ddc1820b7c9c7aaf0129cbb2866435b91363f9c7a9fe50c30a0add9f20f0c725d851525cc8e1e4ad53276286e57e6555256f18844

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\08c798996ada4602afc5bf6e8e280c310e9bd2b161eee0e0bbe4d490d20c4ab1.exe.exe
            Filesize

            458KB

            MD5

            619f7135621b50fd1900ff24aade1524

            SHA1

            6c7ea8bbd435163ae3945cbef30ef6b9872a4591

            SHA256

            344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

            SHA512

            2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

            Download Submit

          • C:\Windows\Logo1_.exe
            Filesize

            33KB

            MD5

            933403c035bedeaf409ff1a3d7bb394f

            SHA1

            27765fb7a74adda8b6b4d740a79e83fca3301e79

            SHA256

            11a73da3698c3448e24744bdc72a155bb756676dcc7e03264d723ca91ce87a54

            SHA512

            36f17b6beb74f2d11cf74a211719c0ab5c09ad289055917168cdb1d3355cfdf2cd917f008e3c8b51d408d1f6dd1fdda692e50c6dcbeeaf4917adad7cc769b2d0

            Download Submit

          • F:\$RECYCLE.BIN\S-1-5-21-2812790648-3157963462-487717889-1000\_desktop.ini
            Filesize

            8B

            MD5

            87cbd7a2d7bdb443a36ecfb46e39db18

            SHA1

            12aac09be13003e857809ea9434c76126ac39bbf

            SHA256

            fe5e34894849bd441c429cfd17e62e06b828a82b04c9f0e7cadd884d78b326e1

            SHA512

            75b0b484285909c577f97dd2b748e8b6e905b2a37dc8a569519325e67cac8b8932fbbd52c754df787e2a6326a9ca575e5d37372a9635718a310c642457ed17e0

            Download Submit

          • memory/1224-28-0x0000000002550000-0x0000000002551000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2760-32-0x0000000000400000-0x0000000000440000-memory.dmp

            Filesize

            256KB

            Download

          • memory/2760-17-0x0000000000400000-0x0000000000440000-memory.dmp

            Filesize

            256KB

            Download

          • memory/2760-3001-0x0000000000400000-0x0000000000440000-memory.dmp

            Filesize

            256KB

            Download

          • memory/2760-4154-0x0000000000400000-0x0000000000440000-memory.dmp

            Filesize

            256KB

            Download

          • memory/2872-16-0x00000000003C0000-0x0000000000400000-memory.dmp

            Filesize

            256KB

            Download

          • memory/2872-0-0x0000000000400000-0x0000000000440000-memory.dmp

            Filesize

            256KB

            Download

          • memory/2872-19-0x0000000000400000-0x0000000000440000-memory.dmp

            Filesize

            256KB

            Download