Overview

overview

7

Static

static

3

2219bd18ea...51.exe

windows7-x64

7

2219bd18ea...51.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    09/07/2024, 09:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2219bd18ead73409ea46cb3faa1f0bccf674102f40c772bd174b0ca592a1dc51.exe

  • Size

    66KB

  • MD5

    7aa38d016ee38cfd82ce40156f98958c

  • SHA1

    12e95a58e56007abb5efb3c5de80954e12c64779

  • SHA256

    2219bd18ead73409ea46cb3faa1f0bccf674102f40c772bd174b0ca592a1dc51

  • SHA512

    6ce66e4bfa00f65b6e61aa1a0c42a1ce76b6b32f33ec677ca9a81a65a73ccc0b73da63aec53b8233c72624911c90a550c38ffcb4492ab3469f57cf269fa0ea48

  • SSDEEP

    1536:eNPrPrBcx1ae9n40g9i/qo6SKH4vVfqzlledcTJzz:eLfZQioJKYvVfqzlvTJ3

Score
7/10
spywarestealer

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 43 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1124
      • C:\Users\Admin\AppData\Local\Temp\2219bd18ead73409ea46cb3faa1f0bccf674102f40c772bd174b0ca592a1dc51.exe
        "C:\Users\Admin\AppData\Local\Temp\2219bd18ead73409ea46cb3faa1f0bccf674102f40c772bd174b0ca592a1dc51.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2368
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2380
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:1712
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c C:\Users\Admin\AppData\Local\Temp\$$aB616.bat
            3⤵
            • Deletes itself
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:872
            • C:\Users\Admin\AppData\Local\Temp\2219bd18ead73409ea46cb3faa1f0bccf674102f40c772bd174b0ca592a1dc51.exe
              "C:\Users\Admin\AppData\Local\Temp\2219bd18ead73409ea46cb3faa1f0bccf674102f40c772bd174b0ca592a1dc51.exe"
              4⤵
              • Executes dropped EXE
              PID:2748
          • C:\Windows\Logo1_.exe
            C:\Windows\Logo1_.exe
            3⤵
            • Drops startup file
            • Executes dropped EXE
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:1844
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:2172
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:2704
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:2816
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:2752

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
            Filesize

            258KB

            MD5

            61da47408434aa255916c0f52f0a70a1

            SHA1

            f4a662581634ea88ea91fa3df9bcbbbda28594fd

            SHA256

            1c96935deb9a27e9d7e634faea6ec85df1bd81965b0102cdaef916867c9b1223

            SHA512

            8e895afa682468c20db63a23bcb7e6e5c4791858abf482536e38a9c0182272cc00f4b4687d9e4870e9fa7d18e821c9aeb8b73ea539020a9f7bf798ba05f8ffb3

            Download Submit

          • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
            Filesize

            478KB

            MD5

            79d96b6a2771e7783309bf05ebe7b5c1

            SHA1

            b19da11278224b17598d5b6de189892a83196708

            SHA256

            eb38a47ec49f3f376f53aff58def8c3a0e095bad67e2887d3f58bb4a3c71a19e

            SHA512

            72e30060fd922fc37662d762bc647bf85938986d810057926fe86a1622e1b05fc841bab9ee06ee7855071ed27da3d8fe20d41f03ae68c4c76cc720a7e56d4d68

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\$$aB616.bat
            Filesize

            722B

            MD5

            5ddc07cb6e9bd2058c828159fa5dd699

            SHA1

            db7e9b2e38d420f7e49d54a02df0c081aaf2ca5c

            SHA256

            7970ff9215808678637f1a39ec0d63bd783e86422ab6db41378274f225a327c2

            SHA512

            726d38eaf600d99e70b6cbd36af1c37e22d35007c961bbf1226b2f98d0afba20af8da3fc01fc7f31f3d52c9bc2412fc0fb025d8e79c0fec116fba045bbca4077

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\2219bd18ead73409ea46cb3faa1f0bccf674102f40c772bd174b0ca592a1dc51.exe.exe
            Filesize

            33KB

            MD5

            64f8db30b16d1c755d033d069c70d2d1

            SHA1

            04e8f26c383027cc63531f48477424bda65b14e5

            SHA256

            0823bf7a2c453892ffa4328a970a417e0907d584bfb7f819ed0f4bb139d12e55

            SHA512

            f461b40de656e6df6360a1ba393b000720c0ffa91147b00ee42aefccb4122da4314ce4de00364e692a0517f5e6643fe061b232fb316e993642f2d43b393b38aa

            Download Submit

          • C:\Windows\Logo1_.exe
            Filesize

            33KB

            MD5

            5ed5a2badb346b8b0790c924c99df3dd

            SHA1

            3278569b20ddea011e20405c09b01726934f4d4f

            SHA256

            6cdfe0439de7d0626e8f6a39ee64ffee03797346b8bf3bf6b5c8a17da654fda3

            SHA512

            85d6dd616dac0203c1168139f2367792323d4c2b34febb9e562e2d3ad145bbe8b6912786e2e485de9102014608d96ada2faad08976cc35d7494a36d8de8ee11d

            Download Submit

          • F:\$RECYCLE.BIN\S-1-5-21-3551809350-4263495960-1443967649-1000\_desktop.ini
            Filesize

            8B

            MD5

            d8dca68320777bb03e3a6dbdb7624c4f

            SHA1

            094cbdfea49743824e2aaf9c66082c25da2157b1

            SHA256

            ebe46a39e49fe879afd1b4ac0de5c6c62e8e90342cd71aaaf3ec1d84269e9c6e

            SHA512

            9097e8a3df0ae12235002caaef04951ab586d84ea9db1b9952e684b5ab570a033ba1bf047598fca329652cab23a5ec1516e6cd6dbcbd979fd32b9b8afbdf88cc

            Download Submit

          • memory/1124-27-0x0000000002D60000-0x0000000002D61000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1844-31-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/1844-18-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/1844-3306-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/1844-4114-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/2368-0-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/2368-17-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download