Overview

overview

7

Static

static

3

7fc6a87341...84.exe

windows7-x64

7

7fc6a87341...84.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    98s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240704-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08/07/2024, 13:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7fc6a87341b828a44a3b0a1e77c941910567ecd42455540280f444cbcd953684.exe

  • Size

    264KB

  • MD5

    269a181af72cddaee9dc327aa18b1b94

  • SHA1

    45f472e44ee815075620e8d24c5cd1b98dcba645

  • SHA256

    7fc6a87341b828a44a3b0a1e77c941910567ecd42455540280f444cbcd953684

  • SHA512

    ec17494ac9f7047db4b121f347d9613dbb121ff3ef9b5ed3db2d5f447747e3f1eda59f5399c7bf5174abb364d412fc981371b34d03f32c50574f52047f224c95

  • SSDEEP

    3072:eqfZQioJK+LRkgUA1nQZwFGVO4Mqg+WDY:RALRp1nQ4QLd

Score
7/10
spywarestealer

Malware Config

Signatures

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3440
      • C:\Users\Admin\AppData\Local\Temp\7fc6a87341b828a44a3b0a1e77c941910567ecd42455540280f444cbcd953684.exe
        "C:\Users\Admin\AppData\Local\Temp\7fc6a87341b828a44a3b0a1e77c941910567ecd42455540280f444cbcd953684.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:4948
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:4900
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:1772
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8472.bat
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:2276
            • C:\Users\Admin\AppData\Local\Temp\7fc6a87341b828a44a3b0a1e77c941910567ecd42455540280f444cbcd953684.exe
              "C:\Users\Admin\AppData\Local\Temp\7fc6a87341b828a44a3b0a1e77c941910567ecd42455540280f444cbcd953684.exe"
              4⤵
              • Executes dropped EXE
              PID:4300
          • C:\Windows\Logo1_.exe
            C:\Windows\Logo1_.exe
            3⤵
            • Drops startup file
            • Executes dropped EXE
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:3884
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:4944
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:2140
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:3724
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:4072

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
            Filesize

            258KB

            MD5

            04292561ba2aba3e3a601289830caa80

            SHA1

            c8f265235ecb51271cd561fd05de49fed3a31e63

            SHA256

            5ad40234f4f77e8781f988f81b9a45c0c7e1e02b8be413fd08ae88a637fc6b5f

            SHA512

            f06cd9e09c95a0a8cd29ed61c60d14a2238a75936a6c14761a96e9a980995b12b4c68e9b25ae71351569ee85a9c82d62845ca4c98789edce2ecb4f10ea8a8e96

            Download Submit

          • C:\Program Files\7-Zip\7z.exe
            Filesize

            577KB

            MD5

            da2dfbd8df295c78eea901539f9774d9

            SHA1

            021401f152e3a680e4967612009d43157c4f3863

            SHA256

            6446935bda420f0068c8fc5e26d702377c3b84db7031c0cbf5cc9c7275dcda0b

            SHA512

            9a73bd30743652da5dbd31d5761721db49008022dc0af6fb70aee8e2999b26708f98ed18baec012ab775fb84fc203e76b11e4731e0ace6b491543514e8c40a7a

            Download Submit

          • C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
            Filesize

            643KB

            MD5

            c08994604c02bf7431e4c46295a779d5

            SHA1

            7f526582e292083589253bbc8b2cd093b2229ff2

            SHA256

            218bfecab8804a634b05ebcedc30eab7aa8fa8ed5775495ba9545517c311f00e

            SHA512

            13d9b746d0fe6922ecff9b5bf0ac896a63da11610341d4a7701e2a8d8fc5c0511d7bd9f4f54d3756b770998601b4f7b39b7e5c36d824dd42470fb0b499065c34

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\$$a8472.bat
            Filesize

            722B

            MD5

            b1b6f2482b3f8f2f5c6e43a22bd7a174

            SHA1

            a337cba18c9d771dfb2ba7d41b8841a8b22f8210

            SHA256

            c3a88df565216a5d7bca8e73dfdab672f650e62d47007283e3a26697d953d308

            SHA512

            ae733b2dda187dad84e6738bf13da850e9b225bb7aaf25cc1e047c39da2f6558eaaa05a034bf8239cc0263ee81c67513b38a524fe688a1098be3ff159da775d3

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\7fc6a87341b828a44a3b0a1e77c941910567ecd42455540280f444cbcd953684.exe.exe
            Filesize

            231KB

            MD5

            6f581a41167d2d484fcba20e6fc3c39a

            SHA1

            d48de48d24101b9baaa24f674066577e38e6b75c

            SHA256

            3eb8d53778eab9fb13b4c97aeab56e4bad2a6ea3748d342f22eaf4d7aa3185a7

            SHA512

            e1177b6cea89445d58307b3327c78909adff225497f9abb8de571cdd114b547a8f515ec3ab038b583bf752a085b231f6329d6ca82fbe6be8a58cd97a1dbaf0f6

            Download Submit

          • C:\Windows\Logo1_.exe
            Filesize

            33KB

            MD5

            d0bf17afb93d3be28090ab1ed2c1ece4

            SHA1

            12d64437cb233881ed299dc8325af47987c3d4bf

            SHA256

            f19c0618a7103d8ce02b8e6942c5bfe0820f37e34d18df79952178f80db6f87d

            SHA512

            2dfa4af5fe4430442cd16fc4efadc027ebe93873ba2cb323e71f4034ca9373c50fa602a74e35715a36dc272e34559c48f545c3c6e8a9ab9b29a34132d01feeed

            Download Submit

          • F:\$RECYCLE.BIN\S-1-5-21-1403246978-718555486-3105247137-1000\_desktop.ini
            Filesize

            8B

            MD5

            62ed51082fc4fc1bd95074d15b55235d

            SHA1

            80c24bf5b2829be9d39199229ec9396e371f4080

            SHA256

            8aaff1179c8780f4fee8d0594a58b0c3a9e7b013a76908bd05dac636f7af1302

            SHA512

            19aecc53c5cebcecf9c5889e305e1129ebbdf42d1c414713aa2a4a98e8725ad156f6cd72562f7bb3001ee8d33ed8d5d47704f757001913117633b5151e6aeaf4

            Download Submit

          • memory/3884-2752-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/3884-18-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/3884-8-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/3884-8666-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/4948-0-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/4948-11-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download