Overview

overview

8

Static

static

3

eebd2d7fc3...2e.exe

windows7-x64

8

eebd2d7fc3...2e.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    149s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    03/07/2024, 14:40

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    eebd2d7fc35ab24506c583b4afb2e78fec41a8b4e1e380e4b89aefeab605652e.exe

  • Size

    67KB

  • MD5

    a88ec8166ce59956160f38e876da25a6

  • SHA1

    6e184af2c66d0cca5a65644d8d7265177a131f79

  • SHA256

    eebd2d7fc35ab24506c583b4afb2e78fec41a8b4e1e380e4b89aefeab605652e

  • SHA512

    7665547557e83551c08d71f9e29ed73186bb8ef7c7b4052782f50e60512f72543bf937e964efd4ccabad157e10998905cc37b56434abb73744b45ec4cb047ab4

  • SSDEEP

    1536:2AaYzMXqtGNttyeiZnZLYm1ab4yzwC132n6sLDDO:2AaY46tGNttyeQLYm1ab4yzjsLXO

Score
8/10
spywarestealer

Malware Config

Signatures

  • Drops file in Drivers directory 2 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 43 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1232
      • C:\Users\Admin\AppData\Local\Temp\eebd2d7fc35ab24506c583b4afb2e78fec41a8b4e1e380e4b89aefeab605652e.exe
        "C:\Users\Admin\AppData\Local\Temp\eebd2d7fc35ab24506c583b4afb2e78fec41a8b4e1e380e4b89aefeab605652e.exe"
        2⤵
        • Drops file in Drivers directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2136
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2120
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:2880
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c C:\Users\Admin\AppData\Local\Temp\$$a1DBE.bat
            3⤵
            • Deletes itself
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:3016
            • C:\Users\Admin\AppData\Local\Temp\eebd2d7fc35ab24506c583b4afb2e78fec41a8b4e1e380e4b89aefeab605652e.exe
              "C:\Users\Admin\AppData\Local\Temp\eebd2d7fc35ab24506c583b4afb2e78fec41a8b4e1e380e4b89aefeab605652e.exe"
              4⤵
              • Executes dropped EXE
              PID:2584
          • C:\Windows\Logo1_.exe
            C:\Windows\Logo1_.exe
            3⤵
            • Drops file in Drivers directory
            • Executes dropped EXE
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:2964
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:2832
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:2976
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:1424
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:2492

          Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
                  Filesize

                  258KB

                  MD5

                  270a549dbafb0fb7fa660eadaf0d8a4e

                  SHA1

                  181c2aaaf54c3e8ffd5922822a41ab14f015153f

                  SHA256

                  05325bf572907265fc86e58afb52b5f2f27346ba22ef88a9425ad932413598f2

                  SHA512

                  da76a46ce277feece3fba16b7da68351867831e634354cc0435689cbe0e7274c7cc41cf2e00da31f5a28c5f53aaa9e80aa0b50f02495a600b296041332dc4600

                  Download Submit

                • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
                  Filesize

                  478KB

                  MD5

                  db764a6fc7542a9957d748715344c062

                  SHA1

                  cabe984ec76ae92718ce9ad0362ec35d6abf4c9b

                  SHA256

                  f8ba3098b75413ee7d285b68d8f63ef7ef40e997c0d506d89785ff5777a4a590

                  SHA512

                  f6e1416e896d3f4b7d8035d783dc051bdf64172d0af8d79f38f68b664110b635acea36313f656f1194beb2fc8da711ba09cdc4635db723408487a35c21d54f90

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\$$a1DBE.bat
                  Filesize

                  722B

                  MD5

                  479e9bc4c66da84aae412d8193867a5c

                  SHA1

                  c8678fa6cee077d41d074d3de70004c593a2d82f

                  SHA256

                  85b227c1d8db92a1031946058ab1f7eee72843188f12a44d10ec5f50ff69dfaf

                  SHA512

                  90cdc9e8b1c4642d6332b5ffc2b588241234e101a72a8b4663deea376c2a7f40856897810415da0193bbaf3cde9fefd1e60c5eda6efd221fd06b39489e0b019a

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\eebd2d7fc35ab24506c583b4afb2e78fec41a8b4e1e380e4b89aefeab605652e.exe.exe
                  Filesize

                  33KB

                  MD5

                  f8b1348f68d380115f37de85ca68d3b4

                  SHA1

                  1e2977c49dd8d52d1db3c1f14e32205c7efacfa6

                  SHA256

                  9cbd9a06aba24333d873174149ca30fe5c64c767586cec1a3c833eb6880c53ee

                  SHA512

                  0de9ddb66b52baa31a57689f781676839ca45a7d5e9cde9f57e96aa5c2c1118187dd1948e719b0c0fcbbe01da5c3ecdfc7caa6f32ba2dad940a4b2db668a384a

                  Download Submit

                • C:\Windows\Logo1_.exe
                  Filesize

                  33KB

                  MD5

                  ea65b781652b62c3a0f1d5b57952b05f

                  SHA1

                  89ab371b083f9d9f72fa05badaa3315eecb7fa8b

                  SHA256

                  c64152623bb1e50c6c15389011dc85fd00553d4eb5f6acb6250371187db48a0c

                  SHA512

                  20ef3c08c01e05e8a466e1ede5d4ec0190219bd7252f866da885c77b2d079cac658db130219565dfbce7c132408ebdc15878ccd09ae79df6ff606e25ee5a6eb3

                  Download Submit

                • C:\Windows\system32\drivers\etc\hosts
                  Filesize

                  832B

                  MD5

                  7e3a0edd0c6cd8316f4b6c159d5167a1

                  SHA1

                  753428b4736ffb2c9e3eb50f89255b212768c55a

                  SHA256

                  1965854dfa54c72529c88c7d9f41fa31b4140cad04cf03d3f0f2e7601fcbdc6c

                  SHA512

                  9c68f7f72dfa109fcfba6472a1cced85bc6c2a5481232c6d1d039c88b2f65fb86070aeb26ac23e420c6255daca02ea6e698892f7670298d2c4f741b9e9415c7f

                  Download Submit

                • F:\$RECYCLE.BIN\S-1-5-21-2737914667-933161113-3798636211-1000\_desktop.ini
                  Filesize

                  8B

                  MD5

                  6890820ebb29213eaf25c92e56fd41ee

                  SHA1

                  b926083cf18461657f09f2a4af604f8fafa4ae29

                  SHA256

                  ddb532e0e9d9e9a382d9f92ef1e5e26eba608b5f3335f1b711d99044240af3f9

                  SHA512

                  5ebefef8f75ecb9fce8854606cb41402dabf66347ddbbd1075f5b94a5794fc4ca240c615eee930a6eedfd117e011afd8772aba2db2c83df0f376c84e8f512cda

                  Download Submit

                • memory/1232-31-0x0000000002E50000-0x0000000002E51000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/2136-17-0x0000000000230000-0x000000000026E000-memory.dmp

                  Filesize

                  248KB

                  Download

                • memory/2136-37-0x0000000000230000-0x000000000026E000-memory.dmp

                  Filesize

                  248KB

                  Download

                • memory/2136-0-0x0000000000400000-0x000000000043E000-memory.dmp

                  Filesize

                  248KB

                  Download

                • memory/2136-18-0x0000000000230000-0x000000000026E000-memory.dmp

                  Filesize

                  248KB

                  Download

                • memory/2136-19-0x0000000000400000-0x000000000043E000-memory.dmp

                  Filesize

                  248KB

                  Download

                • memory/2964-23-0x0000000000400000-0x000000000043E000-memory.dmp

                  Filesize

                  248KB

                  Download

                • memory/2964-35-0x0000000000400000-0x000000000043E000-memory.dmp

                  Filesize

                  248KB

                  Download

                • memory/2964-3311-0x0000000000400000-0x000000000043E000-memory.dmp

                  Filesize

                  248KB

                  Download

                • memory/2964-4138-0x0000000000400000-0x000000000043E000-memory.dmp

                  Filesize

                  248KB

                  Download