Overview

overview

8

Static

static

3

a28f7ff1aa...cc.exe

windows7-x64

8

a28f7ff1aa...cc.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    150s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    03/07/2024, 14:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a28f7ff1aa85e86b58bc19314340205163ad773777e8c37258268e3b0fc6c0cc.exe

  • Size

    187KB

  • MD5

    dd32e3ceece8dc50df275ef9a64e00eb

  • SHA1

    8382ec050cb9505a6611d0473c5f14f7cbba83e6

  • SHA256

    a28f7ff1aa85e86b58bc19314340205163ad773777e8c37258268e3b0fc6c0cc

  • SHA512

    f15bd8099d7eea8bb4551ce4c19bdab3cffd096bc54119b802cb832ccb6f7d901f96a8cc71f2f7f0fe4df3b34bbb60d464bb3212f1a1ed9ff678a054a4bf4397

  • SSDEEP

    3072:2iaY46tGNttyeQLYm1JE4yr9JKfzg5YGSYadyL+PRlndUdlKu4E+jZqMN6:546tGdye41Fyr9YfzzGBz+JJd5vv6

Score
8/10
spywarestealer

Malware Config

Signatures

  • Drops file in Drivers directory 2 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 43 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1208
      • C:\Users\Admin\AppData\Local\Temp\a28f7ff1aa85e86b58bc19314340205163ad773777e8c37258268e3b0fc6c0cc.exe
        "C:\Users\Admin\AppData\Local\Temp\a28f7ff1aa85e86b58bc19314340205163ad773777e8c37258268e3b0fc6c0cc.exe"
        2⤵
        • Drops file in Drivers directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1776
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2224
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:2868
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c C:\Users\Admin\AppData\Local\Temp\$$a1A06.bat
            3⤵
            • Deletes itself
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:2648
            • C:\Users\Admin\AppData\Local\Temp\a28f7ff1aa85e86b58bc19314340205163ad773777e8c37258268e3b0fc6c0cc.exe
              "C:\Users\Admin\AppData\Local\Temp\a28f7ff1aa85e86b58bc19314340205163ad773777e8c37258268e3b0fc6c0cc.exe"
              4⤵
              • Executes dropped EXE
              PID:2260
          • C:\Windows\Logo1_.exe
            C:\Windows\Logo1_.exe
            3⤵
            • Drops file in Drivers directory
            • Executes dropped EXE
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:2688
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:2628
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:2664
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:2728
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:2196

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
            Filesize

            258KB

            MD5

            e9ae0e602530e00541d729e159c8d19c

            SHA1

            0bd4f58be99a83ab73316637186170f7b2cc0ede

            SHA256

            5f92d40acd8a863d5eb0319ea9db2a0b1e440d906e0810002a7afa4761a66f6e

            SHA512

            8242678307fc559992316f5ca53df0ed2c030a9d7f056c23ca3d03ed8fa5c28f253d7148e67b8ec5bae20537946bb719c9959ca8858631a9a3b36d04650cd2a3

            Download Submit

          • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
            Filesize

            478KB

            MD5

            db764a6fc7542a9957d748715344c062

            SHA1

            cabe984ec76ae92718ce9ad0362ec35d6abf4c9b

            SHA256

            f8ba3098b75413ee7d285b68d8f63ef7ef40e997c0d506d89785ff5777a4a590

            SHA512

            f6e1416e896d3f4b7d8035d783dc051bdf64172d0af8d79f38f68b664110b635acea36313f656f1194beb2fc8da711ba09cdc4635db723408487a35c21d54f90

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\$$a1A06.bat
            Filesize

            722B

            MD5

            f08a53ad4c8ccae0b49280601039d379

            SHA1

            c510f3189e94a55842e8dc9aa76313fed1b8d336

            SHA256

            6b8e2d9ae3d19d50dcc7f4107008f99bc765316c9f031f140279856802579d06

            SHA512

            5c1bce921d28e043bed2db180e0f371fa1723b5cd7d01f04bd073351d6b82befa5f7a7a630f5027c2927310e6f8f5aff30c74db7429e25b6992b1c7d37104394

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\a28f7ff1aa85e86b58bc19314340205163ad773777e8c37258268e3b0fc6c0cc.exe.exe
            Filesize

            153KB

            MD5

            7030c9615c98953c481553671dd7b9e5

            SHA1

            c83224286ade28626c6dafe3b91301fe7f2d728b

            SHA256

            b16e1af7d41d73ea65b88544ed47990c192c41ffa8e11b78e18c9f74221311b1

            SHA512

            5eb5d804e81c81af9b948ea21b2e08dbefbb52f8239437deb28e3c9ccb59d50a57467b194b01469d81bc6f6ae58b97dff0c86ac8f6546bd1188d67aa10956e03

            Download Submit

          • C:\Windows\Logo1_.exe
            Filesize

            33KB

            MD5

            831af9e5c2f307e3bcc422547a18c85d

            SHA1

            2789cdda0fa810ffad5e35383941c7645d0ff544

            SHA256

            d29e10134728cff561db97e9b3ec6106c9b0214a9f8ae50f5c307f652096e620

            SHA512

            9e5358159a5c7ed9ce9f28516618ad5b495993b97b78999b6b7a2bd2cd472000552facb5be246abc0d09d391301a99324ea0a634f5b470de0b444fe674d08e9b

            Download Submit

          • C:\Windows\system32\drivers\etc\hosts
            Filesize

            832B

            MD5

            7e3a0edd0c6cd8316f4b6c159d5167a1

            SHA1

            753428b4736ffb2c9e3eb50f89255b212768c55a

            SHA256

            1965854dfa54c72529c88c7d9f41fa31b4140cad04cf03d3f0f2e7601fcbdc6c

            SHA512

            9c68f7f72dfa109fcfba6472a1cced85bc6c2a5481232c6d1d039c88b2f65fb86070aeb26ac23e420c6255daca02ea6e698892f7670298d2c4f741b9e9415c7f

            Download Submit

          • F:\$RECYCLE.BIN\S-1-5-21-2737914667-933161113-3798636211-1000\_desktop.ini
            Filesize

            8B

            MD5

            6890820ebb29213eaf25c92e56fd41ee

            SHA1

            b926083cf18461657f09f2a4af604f8fafa4ae29

            SHA256

            ddb532e0e9d9e9a382d9f92ef1e5e26eba608b5f3335f1b711d99044240af3f9

            SHA512

            5ebefef8f75ecb9fce8854606cb41402dabf66347ddbbd1075f5b94a5794fc4ca240c615eee930a6eedfd117e011afd8772aba2db2c83df0f376c84e8f512cda

            Download Submit

          • memory/1208-29-0x0000000002D10000-0x0000000002D11000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1776-0-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/1776-17-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/2688-33-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/2688-19-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/2688-3304-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/2688-4135-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download