Overview

overview

7

Static

static

3

66ad63b45c...49.exe

windows7-x64

7

66ad63b45c...49.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
  • submitted
    09/07/2024, 09:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    66ad63b45c3cfca02427911cf3906c225df63f69c7c2ae66dbdb68b17efc7d49.exe

  • Size

    717KB

  • MD5

    9c6ae8c00740982ed95dd11ae927a006

  • SHA1

    5ac953d7cee7e348f4a8d530771e74a8292f4f49

  • SHA256

    66ad63b45c3cfca02427911cf3906c225df63f69c7c2ae66dbdb68b17efc7d49

  • SHA512

    badec1228b340336ef203ab26ff9b083c5530c328b1f6fafb1fdece0d2b3908de1dff0c8d898c76730249ed13c7d0762a61923258a863a3d7cc3c49faffd53c2

  • SSDEEP

    12288:3LfC6Aj+TN5uixZN+8rKhUdTC/wE1ZD0Ca5ZIXV:37LOS2opPIXV

Score
7/10
spywarestealer

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 43 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Executes dropped EXE
    PID:1228
    • C:\Users\Admin\AppData\Local\Temp\66ad63b45c3cfca02427911cf3906c225df63f69c7c2ae66dbdb68b17efc7d49.exe
      "C:\Users\Admin\AppData\Local\Temp\66ad63b45c3cfca02427911cf3906c225df63f69c7c2ae66dbdb68b17efc7d49.exe"
      2⤵
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2388
      • C:\Windows\SysWOW64\net.exe
        net stop "Kingsoft AntiVirus Service"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3064
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
          4⤵
            PID:2352
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\$$a4347.bat
          3⤵
          • Deletes itself
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:2404
          • C:\Users\Admin\AppData\Local\Temp\66ad63b45c3cfca02427911cf3906c225df63f69c7c2ae66dbdb68b17efc7d49.exe
            "C:\Users\Admin\AppData\Local\Temp\66ad63b45c3cfca02427911cf3906c225df63f69c7c2ae66dbdb68b17efc7d49.exe"
            4⤵
            • Executes dropped EXE
            PID:2728
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Drops startup file
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2672
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2692
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
                PID:2548
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:2596
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:1240

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
          Filesize

          258KB

          MD5

          b7bb6fde5070f22c2892f8ffa90e21ab

          SHA1

          99b915a961b74560ec71e48bab9140ebf0ff8828

          SHA256

          22241fd7d48785774c50055f9fe6796818868706fbfbbaa47db9abbdf7e58909

          SHA512

          a6b96e2379c22911039024570edca5aba589210683a653b1b06225492972d8a6616b9a85b77a9a77cd05d3279efbdc2894594ebc936b5acd786a08749313aa89

          Download Submit

        • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
          Filesize

          478KB

          MD5

          79d96b6a2771e7783309bf05ebe7b5c1

          SHA1

          b19da11278224b17598d5b6de189892a83196708

          SHA256

          eb38a47ec49f3f376f53aff58def8c3a0e095bad67e2887d3f58bb4a3c71a19e

          SHA512

          72e30060fd922fc37662d762bc647bf85938986d810057926fe86a1622e1b05fc841bab9ee06ee7855071ed27da3d8fe20d41f03ae68c4c76cc720a7e56d4d68

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\$$a4347.bat
          Filesize

          722B

          MD5

          a8c41c0e80f0b1e30b669b4a4a04d91d

          SHA1

          7b3719e5e5224e69b80ba84f128e1353dc2251bb

          SHA256

          cd40aca9c96a9ddf3597a132f1495da62418749ab5484e5a57f14dc17e4ca98b

          SHA512

          39ae6f45d0e1f59578d2702e6118079f60f42e65b85b43b8cbe7ae6fff63ab12cc05bd85714fb9878ed43b0f0b684cdd50a20227dfb18c14fed9a35f0b97ac2d

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\66ad63b45c3cfca02427911cf3906c225df63f69c7c2ae66dbdb68b17efc7d49.exe.exe
          Filesize

          684KB

          MD5

          50f289df0c19484e970849aac4e6f977

          SHA1

          3dc77c8830836ab844975eb002149b66da2e10be

          SHA256

          b9b179b305c5268ad428b6ae59de10b4fe99cf0199bbc89b7017181905e97305

          SHA512

          877d852ea1062b90e2fd2f3c4dc7d05d9697e9a9b2929c830a770b62741f6a11e06de73275eb871113f11143faf1cb40d99f7c247862ffb778d26833ed5d7e38

          Download Submit

        • C:\Windows\Logo1_.exe
          Filesize

          33KB

          MD5

          2a82d5208360158b3c993c811395e0a6

          SHA1

          7b0769ce4994359e329fd2c93a8d4c7f6a311084

          SHA256

          9c8ff7750281ee54d8fdf3990659d7652c663fb986e029a791f8f051e3bf40f9

          SHA512

          381ab7e6f07b427f2a5a2b9cd5c5914fa45a5edaf70e622969156d7a1deed8c3cab70b55084799d4055ce73324cbdc3acad6b45b83cfcebb25f62354d732b51b

          Download Submit

        • F:\$RECYCLE.BIN\S-1-5-21-3502430532-24693940-2469786940-1000\_desktop.ini
          Filesize

          8B

          MD5

          d8dca68320777bb03e3a6dbdb7624c4f

          SHA1

          094cbdfea49743824e2aaf9c66082c25da2157b1

          SHA256

          ebe46a39e49fe879afd1b4ac0de5c6c62e8e90342cd71aaaf3ec1d84269e9c6e

          SHA512

          9097e8a3df0ae12235002caaef04951ab586d84ea9db1b9952e684b5ab570a033ba1bf047598fca329652cab23a5ec1516e6cd6dbcbd979fd32b9b8afbdf88cc

          Download Submit

        • memory/1228-29-0x0000000002530000-0x0000000002531000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2388-0-0x0000000000400000-0x000000000043D000-memory.dmp

          Filesize

          244KB

          Download

        • memory/2388-17-0x0000000000400000-0x000000000043D000-memory.dmp

          Filesize

          244KB

          Download

        • memory/2672-32-0x0000000000400000-0x000000000043D000-memory.dmp

          Filesize

          244KB

          Download

        • memory/2672-18-0x0000000000400000-0x000000000043D000-memory.dmp

          Filesize

          244KB

          Download

        • memory/2672-3303-0x0000000000400000-0x000000000043D000-memory.dmp

          Filesize

          244KB

          Download

        • memory/2672-4152-0x0000000000400000-0x000000000043D000-memory.dmp

          Filesize

          244KB

          Download