Overview

overview

7

Static

static

3

d508eebaa8...c8.exe

windows7-x64

7

d508eebaa8...c8.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    01/07/2024, 20:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d508eebaa8bf7cf2592b0355d3f11abf871ba1156919055e06f3c7e52246a9c8.exe

  • Size

    2.8MB

  • MD5

    5fde9d0c604f3f9d8f0bb79dcccf461d

  • SHA1

    b6b95a97c37c6e282c8d5218398240c4320f4230

  • SHA256

    d508eebaa8bf7cf2592b0355d3f11abf871ba1156919055e06f3c7e52246a9c8

  • SHA512

    559c7eee8a4a2a3555c76a2daf89633d00f6fe3a641fe61c0040c2ef65e1dfa598f718e20701a22a0bc3b55da214cc0a032b842ac3b6b2974c7786cfb3a6e8b1

  • SSDEEP

    49152:l6gLKJuMarhVnMFwTH8/giBiBcbk4ZxZ2DqFeVMhuxcPh:4d1XdhBiiMa7

Score
7/10
spywarestealer

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 43 IoCs
  • Suspicious use of WriteProcessMemory 34 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1196
      • C:\Users\Admin\AppData\Local\Temp\d508eebaa8bf7cf2592b0355d3f11abf871ba1156919055e06f3c7e52246a9c8.exe
        "C:\Users\Admin\AppData\Local\Temp\d508eebaa8bf7cf2592b0355d3f11abf871ba1156919055e06f3c7e52246a9c8.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2408
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2260
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:808
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c C:\Users\Admin\AppData\Local\Temp\$$a29A0.bat
            3⤵
            • Deletes itself
            • Loads dropped DLL
            PID:2360
            • C:\Users\Admin\AppData\Local\Temp\d508eebaa8bf7cf2592b0355d3f11abf871ba1156919055e06f3c7e52246a9c8.exe
              "C:\Users\Admin\AppData\Local\Temp\d508eebaa8bf7cf2592b0355d3f11abf871ba1156919055e06f3c7e52246a9c8.exe"
              4⤵
              • Executes dropped EXE
              PID:2716
          • C:\Windows\Logo1_.exe
            C:\Windows\Logo1_.exe
            3⤵
            • Executes dropped EXE
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:2700
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:2712
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:2988
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:2748
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:2596

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
            Filesize

            258KB

            MD5

            ded2175b2df67275abae4ba15944c7c6

            SHA1

            15e16af64183f29b566f558c36802e3e34e1205d

            SHA256

            1e717899d86e8cf36ad797b533b4a43a58f9aba162dd8b4d4ee48ed6af64e16a

            SHA512

            5d97130a356fd02f2837680b6d0b0d9c8e2ab37e6a167898acb29b44f35b7feb0d29f6dd2cde547255ba7e83e89ff9563edfe2f2781de84e4e99716c7a6a56b2

            Download Submit

          • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
            Filesize

            478KB

            MD5

            ec52a7c41d8fe6a425af4a49d3ff8692

            SHA1

            06d3654358703be938fcee47e29e38ee38702b59

            SHA256

            45b71822efada34915ef05af5fa772700dc0981a7ec84b5f3ff938fc522e2e48

            SHA512

            f3cd793d93823527a7dce92032774f0b4b8656ba5234251f27c4ff203811a54649b93c12bff4e374d3950652897b0e1c51845caea57c86593d45cc3d060b348b

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\$$a29A0.bat
            Filesize

            722B

            MD5

            c7564b7f576eeaa753ce73d3a5fec0c5

            SHA1

            b54399e747265eb983271eede59a73e9f07d66a1

            SHA256

            0e5e0b0add29b9933ba5885189ccebc9a01a1213fbb04e8f924678767616c926

            SHA512

            0b2c5bcf76d0238010b099ba5468adf65b7070df000328c0d179e29b32ce680b96d7b8d92330438221174f4eb30d8e502b48702491527568e8e4e5adb72723b3

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\d508eebaa8bf7cf2592b0355d3f11abf871ba1156919055e06f3c7e52246a9c8.exe.exe
            Filesize

            2.8MB

            MD5

            095092f4e746810c5829038d48afd55a

            SHA1

            246eb3d41194dddc826049bbafeb6fc522ec044a

            SHA256

            2f606012843d144610dc7be55d1716d5d106cbc6acbce57561dc0e62c38b8588

            SHA512

            7f36fc03bfed0f3cf6ac3406c819993bf995e4f8c26a7589e9032c14b5a9c7048f5567f77b3b15f946c5282fc0be6308a92eab7879332d74c400d0c139ce8400

            Download Submit

          • C:\Windows\Logo1_.exe
            Filesize

            33KB

            MD5

            02ae2f4f874cd3f8b010ee3e202c593a

            SHA1

            bd9f1e0c977439f32db2d9368f2741eba46d68dc

            SHA256

            b5a4af62bd47eb59cb99abef2d20aefc03881f37fbec23eb45a786ab9b889efe

            SHA512

            8d93eff82209c4934b53f461d8730b9b09e0f353f272cbc4ea81b538f2b3e30eafbc5df8c30a27ba20d1a79a0204063f217f8bb0b4a9497ebb62bc91101ecd83

            Download Submit

          • F:\$RECYCLE.BIN\S-1-5-21-268080393-3149932598-1824759070-1000\_desktop.ini
            Filesize

            8B

            MD5

            87cbd7a2d7bdb443a36ecfb46e39db18

            SHA1

            12aac09be13003e857809ea9434c76126ac39bbf

            SHA256

            fe5e34894849bd441c429cfd17e62e06b828a82b04c9f0e7cadd884d78b326e1

            SHA512

            75b0b484285909c577f97dd2b748e8b6e905b2a37dc8a569519325e67cac8b8932fbbd52c754df787e2a6326a9ca575e5d37372a9635718a310c642457ed17e0

            Download Submit

          • memory/1196-29-0x0000000002E90000-0x0000000002E91000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2408-15-0x0000000000230000-0x000000000026D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/2408-0-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/2408-17-0x0000000000230000-0x000000000026D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/2408-20-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/2700-33-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/2700-18-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/2700-3308-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/2700-4134-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download