Overview

overview

7

Static

static

3

95d40f5e75...57.exe

windows7-x64

7

95d40f5e75...57.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    09-07-2024 09:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    95d40f5e7584aaa8df75b7ae420cfe98702a6a2a498558f1ff9aac02087ad857.exe

  • Size

    264KB

  • MD5

    5dc6df8fcb77a829557c591d8f0711f7

  • SHA1

    cb6d58da5284de15e536217540c6e4b96b4c38b0

  • SHA256

    95d40f5e7584aaa8df75b7ae420cfe98702a6a2a498558f1ff9aac02087ad857

  • SHA512

    8b890e1f9f0a84ad1d195100286538fe8ba586cfe9fa305b1fb9cee12d7cd3c05dcc8082f8b3afb4d628fd211e8650dbc3106a5be78dbe390337c63b20a6ea76

  • SSDEEP

    3072:eXfZQioJK+LRkgUA1nQZwFGVO4Mqg+WDY:sALRp1nQ4QLd

Score
7/10
spywarestealer

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 43 IoCs
  • Suspicious use of WriteProcessMemory 41 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1196
      • C:\Users\Admin\AppData\Local\Temp\95d40f5e7584aaa8df75b7ae420cfe98702a6a2a498558f1ff9aac02087ad857.exe
        "C:\Users\Admin\AppData\Local\Temp\95d40f5e7584aaa8df75b7ae420cfe98702a6a2a498558f1ff9aac02087ad857.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2644
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2744
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:2952
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c C:\Users\Admin\AppData\Local\Temp\$$aF73A.bat
            3⤵
            • Deletes itself
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:2940
            • C:\Users\Admin\AppData\Local\Temp\95d40f5e7584aaa8df75b7ae420cfe98702a6a2a498558f1ff9aac02087ad857.exe
              "C:\Users\Admin\AppData\Local\Temp\95d40f5e7584aaa8df75b7ae420cfe98702a6a2a498558f1ff9aac02087ad857.exe"
              4⤵
              • Executes dropped EXE
              PID:2540
          • C:\Windows\Logo1_.exe
            C:\Windows\Logo1_.exe
            3⤵
            • Drops startup file
            • Executes dropped EXE
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:2700
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:2712
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:2556
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:3024
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:1000

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
            Filesize

            258KB

            MD5

            c031b4deb10e992ecc2fca24f69450e1

            SHA1

            d28ada07ce8378dbc4e907f3b1448ec9a113b72e

            SHA256

            c30dd1399eb0902d404a7621f178fbb3fbc35f54990633d7eaf7c1c6adcd347b

            SHA512

            ef69c695a9db7a4bfee74d158120319b68e33dd640b20c87ef5040883e3cc091a542781030eaf106f410e24b0b8d9720c57bd8f7a9c9e8cc79e2b31c582432b3

            Download Submit

          • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
            Filesize

            478KB

            MD5

            79d96b6a2771e7783309bf05ebe7b5c1

            SHA1

            b19da11278224b17598d5b6de189892a83196708

            SHA256

            eb38a47ec49f3f376f53aff58def8c3a0e095bad67e2887d3f58bb4a3c71a19e

            SHA512

            72e30060fd922fc37662d762bc647bf85938986d810057926fe86a1622e1b05fc841bab9ee06ee7855071ed27da3d8fe20d41f03ae68c4c76cc720a7e56d4d68

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\$$aF73A.bat
            Filesize

            722B

            MD5

            09e6ce51331e1f14e0d8b299825cca3e

            SHA1

            d54663bb6c4f1a21272b2364f5269d84835debcf

            SHA256

            0330de5c4057406e5d1d9544465f1b6db92e81dc4396303384534784cb8841be

            SHA512

            4b3dad372482217b8f7b9d969abc428ced2596ac342d6118bb805cb21e9efd5135f535920fe93595e77895c0906fae9c931199723366a0fb3b3afed0d91060c9

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\95d40f5e7584aaa8df75b7ae420cfe98702a6a2a498558f1ff9aac02087ad857.exe.exe
            Filesize

            231KB

            MD5

            6f581a41167d2d484fcba20e6fc3c39a

            SHA1

            d48de48d24101b9baaa24f674066577e38e6b75c

            SHA256

            3eb8d53778eab9fb13b4c97aeab56e4bad2a6ea3748d342f22eaf4d7aa3185a7

            SHA512

            e1177b6cea89445d58307b3327c78909adff225497f9abb8de571cdd114b547a8f515ec3ab038b583bf752a085b231f6329d6ca82fbe6be8a58cd97a1dbaf0f6

            Download Submit

          • C:\Windows\Logo1_.exe
            Filesize

            33KB

            MD5

            55f0baaeeb761a40ade638b231978a1a

            SHA1

            43285993b9512b483c283e6628f510f11638e516

            SHA256

            26721debf0e04b4ebf38931d8c44e2d985651d0cbc590a06de7a68b93b848479

            SHA512

            56c48ef92de26cb0d373d06ad4ddc49687681de59d9156a7f1bb34f3743bb6b38d5ae991370c60efc04a3a69da5d4a43e035fdc4e179b523ac7ab62c6df3a717

            Download Submit

          • F:\$RECYCLE.BIN\S-1-5-21-1506706701-1246725540-2219210854-1000\_desktop.ini
            Filesize

            8B

            MD5

            d8dca68320777bb03e3a6dbdb7624c4f

            SHA1

            094cbdfea49743824e2aaf9c66082c25da2157b1

            SHA256

            ebe46a39e49fe879afd1b4ac0de5c6c62e8e90342cd71aaaf3ec1d84269e9c6e

            SHA512

            9097e8a3df0ae12235002caaef04951ab586d84ea9db1b9952e684b5ab570a033ba1bf047598fca329652cab23a5ec1516e6cd6dbcbd979fd32b9b8afbdf88cc

            Download Submit

          • memory/1196-28-0x0000000002DA0000-0x0000000002DA1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2644-17-0x0000000000230000-0x000000000026D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/2644-0-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/2644-18-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/2700-32-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/2700-19-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/2700-3303-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/2700-4152-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download