Overview

overview

8

Static

static

3

87c0679665...e7.exe

windows7-x64

8

87c0679665...e7.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    149s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    03/07/2024, 23:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    87c067966525383be9e85c1cc446e0f40436973eae09f78f5edc1d699763eae7.exe

  • Size

    5.7MB

  • MD5

    e9940858b5ee06d4f0f9769a0ad3e886

  • SHA1

    9ccf251a137220d86cb26de950baf137e72aa2c9

  • SHA256

    87c067966525383be9e85c1cc446e0f40436973eae09f78f5edc1d699763eae7

  • SHA512

    4839dded2e73a52b92a7d7be321361a6efefb9b26140a0dc0caf87ec52329e9579f61b27f409d571129110b47a38f6aa9b88ec7a7ad5cf2e8c10f7d8685077b1

  • SSDEEP

    49152:9d+Pv94AEsKU8ggw1g+1CART5eBiyKS3EI3wybn20DCYIHvc8ixuZm9+fWsw6dTP:9dAKUgTH2M2m9UMpu1QfLczqssnKSk

Score
8/10
spywarestealer

Malware Config

Signatures

  • Drops file in Drivers directory 2 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 43 IoCs
  • Suspicious use of WriteProcessMemory 34 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1216
      • C:\Users\Admin\AppData\Local\Temp\87c067966525383be9e85c1cc446e0f40436973eae09f78f5edc1d699763eae7.exe
        "C:\Users\Admin\AppData\Local\Temp\87c067966525383be9e85c1cc446e0f40436973eae09f78f5edc1d699763eae7.exe"
        2⤵
        • Drops file in Drivers directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2984
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1428
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:2180
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c C:\Users\Admin\AppData\Local\Temp\$$a3DBC.bat
            3⤵
            • Deletes itself
            • Loads dropped DLL
            PID:2592
            • C:\Users\Admin\AppData\Local\Temp\87c067966525383be9e85c1cc446e0f40436973eae09f78f5edc1d699763eae7.exe
              "C:\Users\Admin\AppData\Local\Temp\87c067966525383be9e85c1cc446e0f40436973eae09f78f5edc1d699763eae7.exe"
              4⤵
              • Executes dropped EXE
              PID:2748
          • C:\Windows\Logo1_.exe
            C:\Windows\Logo1_.exe
            3⤵
            • Drops file in Drivers directory
            • Executes dropped EXE
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:2616
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:2612
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:2648
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:2524
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:2400

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
            Filesize

            258KB

            MD5

            159d118fb71764ddba5b2b399afc2968

            SHA1

            183d2bef4d041a18ce2db45aff24b1bae5c7cf64

            SHA256

            4716c91e0dba7b83006ab7012d0b910e7131934d13f45ef8c9cd36a55a7e25a5

            SHA512

            17d465442659eacc06f8b5958e5c6fdfdb15808a56110f4a8f89d0d7644e88208ec81480d21452c09aa7817a1da93fa8536b0431544b56fff3dcfa45c0163e79

            Download Submit

          • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
            Filesize

            478KB

            MD5

            db764a6fc7542a9957d748715344c062

            SHA1

            cabe984ec76ae92718ce9ad0362ec35d6abf4c9b

            SHA256

            f8ba3098b75413ee7d285b68d8f63ef7ef40e997c0d506d89785ff5777a4a590

            SHA512

            f6e1416e896d3f4b7d8035d783dc051bdf64172d0af8d79f38f68b664110b635acea36313f656f1194beb2fc8da711ba09cdc4635db723408487a35c21d54f90

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\$$a3DBC.bat
            Filesize

            722B

            MD5

            a6af6d8767bea9e53edda46e02f7eec7

            SHA1

            421245e829df54231c35e2ebb54d3d1d2661e05f

            SHA256

            3a9f844bc95cc3aa9171a19f1a8d6e44de6537b2f9d3432f9a98c58043ce0c3e

            SHA512

            0f0f191bd04e8e66f623c64cab0adf32635b9b8b86610b1f6e9f6eb244dafc4a7e75f880959d770f7dab432ae221e274bd17c7285e001f8c07439b127f8b183f

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\87c067966525383be9e85c1cc446e0f40436973eae09f78f5edc1d699763eae7.exe.exe
            Filesize

            5.7MB

            MD5

            ba18e99b3e17adb5b029eaebc457dd89

            SHA1

            ec0458f3c00d35b323f08d4e1cc2e72899429c38

            SHA256

            f5ee36de8edf9be2ac2752b219cfdcb7ca1677071b8e116cb876306e9f1b6628

            SHA512

            1f41929e6f5b555b60c411c7810cbf14e3af26100df5ac4533ec3739a278c1b925687284660efb4868e3741305098e2737836229efc9fe46c97a6057c10e677c

            Download Submit

          • C:\Windows\Logo1_.exe
            Filesize

            33KB

            MD5

            e0f9a37b72e5e3237cb283d20651e2db

            SHA1

            b1055194f19a5777e7e5d2195e807886c71fb3cc

            SHA256

            9676ec4967a7fb53d0f71547bd3017ce0325262a26ff4dd373671f9837edfdee

            SHA512

            da154ddd63b27cc028128f53acac7ba0b72fb159cd0024b48666af0fa1777409c010272fe1d5524804cec9247ff3502ebde13f4bc0db82b5859a394524f67533

            Download Submit

          • C:\Windows\system32\drivers\etc\hosts
            Filesize

            832B

            MD5

            7e3a0edd0c6cd8316f4b6c159d5167a1

            SHA1

            753428b4736ffb2c9e3eb50f89255b212768c55a

            SHA256

            1965854dfa54c72529c88c7d9f41fa31b4140cad04cf03d3f0f2e7601fcbdc6c

            SHA512

            9c68f7f72dfa109fcfba6472a1cced85bc6c2a5481232c6d1d039c88b2f65fb86070aeb26ac23e420c6255daca02ea6e698892f7670298d2c4f741b9e9415c7f

            Download Submit

          • F:\$RECYCLE.BIN\S-1-5-21-3691908287-3775019229-3534252667-1000\_desktop.ini
            Filesize

            8B

            MD5

            6890820ebb29213eaf25c92e56fd41ee

            SHA1

            b926083cf18461657f09f2a4af604f8fafa4ae29

            SHA256

            ddb532e0e9d9e9a382d9f92ef1e5e26eba608b5f3335f1b711d99044240af3f9

            SHA512

            5ebefef8f75ecb9fce8854606cb41402dabf66347ddbbd1075f5b94a5794fc4ca240c615eee930a6eedfd117e011afd8772aba2db2c83df0f376c84e8f512cda

            Download Submit

          • memory/1216-31-0x0000000002D80000-0x0000000002D81000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2616-19-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/2616-35-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/2616-3306-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/2616-4137-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/2984-21-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/2984-18-0x0000000000440000-0x000000000047E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/2984-0-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/2984-17-0x0000000000440000-0x000000000047E000-memory.dmp

            Filesize

            248KB

            Download