Overview

overview

7

Static

static

3

66ad63b45c...49.exe

windows7-x64

7

66ad63b45c...49.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240704-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09/07/2024, 09:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    66ad63b45c3cfca02427911cf3906c225df63f69c7c2ae66dbdb68b17efc7d49.exe

  • Size

    717KB

  • MD5

    9c6ae8c00740982ed95dd11ae927a006

  • SHA1

    5ac953d7cee7e348f4a8d530771e74a8292f4f49

  • SHA256

    66ad63b45c3cfca02427911cf3906c225df63f69c7c2ae66dbdb68b17efc7d49

  • SHA512

    badec1228b340336ef203ab26ff9b083c5530c328b1f6fafb1fdece0d2b3908de1dff0c8d898c76730249ed13c7d0762a61923258a863a3d7cc3c49faffd53c2

  • SSDEEP

    12288:3LfC6Aj+TN5uixZN+8rKhUdTC/wE1ZD0Ca5ZIXV:37LOS2opPIXV

Score
7/10
spywarestealer

Malware Config

Signatures

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3568
      • C:\Users\Admin\AppData\Local\Temp\66ad63b45c3cfca02427911cf3906c225df63f69c7c2ae66dbdb68b17efc7d49.exe
        "C:\Users\Admin\AppData\Local\Temp\66ad63b45c3cfca02427911cf3906c225df63f69c7c2ae66dbdb68b17efc7d49.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:3148
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2572
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:3664
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aDCB4.bat
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:1568
            • C:\Users\Admin\AppData\Local\Temp\66ad63b45c3cfca02427911cf3906c225df63f69c7c2ae66dbdb68b17efc7d49.exe
              "C:\Users\Admin\AppData\Local\Temp\66ad63b45c3cfca02427911cf3906c225df63f69c7c2ae66dbdb68b17efc7d49.exe"
              4⤵
              • Executes dropped EXE
              PID:692
          • C:\Windows\Logo1_.exe
            C:\Windows\Logo1_.exe
            3⤵
            • Drops startup file
            • Executes dropped EXE
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:1156
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:4488
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:400
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:1796
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:4532

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
            Filesize

            258KB

            MD5

            b7bb6fde5070f22c2892f8ffa90e21ab

            SHA1

            99b915a961b74560ec71e48bab9140ebf0ff8828

            SHA256

            22241fd7d48785774c50055f9fe6796818868706fbfbbaa47db9abbdf7e58909

            SHA512

            a6b96e2379c22911039024570edca5aba589210683a653b1b06225492972d8a6616b9a85b77a9a77cd05d3279efbdc2894594ebc936b5acd786a08749313aa89

            Download Submit

          • C:\Program Files\7-Zip\7z.exe
            Filesize

            577KB

            MD5

            c315adaf760b7931a892a52d7ef2916d

            SHA1

            cff21db5597911d3f0484714405b77c65dd90ecf

            SHA256

            19cc7c6560ca552e3cd1b0c65f35bf83205459b9aad17e84d3441be750ec0b2a

            SHA512

            bd3aa11e164368aa3b908fa01b040815a9963302dd7af9ae6d1db1f9cf6567be9c10794bde4e450c971b02abd861906f2e543645267ccffc3880211d86b9730f

            Download Submit

          • C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
            Filesize

            643KB

            MD5

            c08994604c02bf7431e4c46295a779d5

            SHA1

            7f526582e292083589253bbc8b2cd093b2229ff2

            SHA256

            218bfecab8804a634b05ebcedc30eab7aa8fa8ed5775495ba9545517c311f00e

            SHA512

            13d9b746d0fe6922ecff9b5bf0ac896a63da11610341d4a7701e2a8d8fc5c0511d7bd9f4f54d3756b770998601b4f7b39b7e5c36d824dd42470fb0b499065c34

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\$$aDCB4.bat
            Filesize

            722B

            MD5

            aa95b0d5799c69d197682a2e4584b7f5

            SHA1

            616ae472dbf0b6d1eaba97bccdef8dea000f0989

            SHA256

            bbb4f46723c6acd8442f979cac6932331ef631e86433f61a44573914a6b7ade9

            SHA512

            36467066b18164805314c1e02bef5bb153c7cb762d00010503f34df282e62626af784975b1e79df823b93d743ea21f79d8d482abd5c121509a2f24e97517b15a

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\66ad63b45c3cfca02427911cf3906c225df63f69c7c2ae66dbdb68b17efc7d49.exe.exe
            Filesize

            684KB

            MD5

            50f289df0c19484e970849aac4e6f977

            SHA1

            3dc77c8830836ab844975eb002149b66da2e10be

            SHA256

            b9b179b305c5268ad428b6ae59de10b4fe99cf0199bbc89b7017181905e97305

            SHA512

            877d852ea1062b90e2fd2f3c4dc7d05d9697e9a9b2929c830a770b62741f6a11e06de73275eb871113f11143faf1cb40d99f7c247862ffb778d26833ed5d7e38

            Download Submit

          • C:\Windows\Logo1_.exe
            Filesize

            33KB

            MD5

            2a82d5208360158b3c993c811395e0a6

            SHA1

            7b0769ce4994359e329fd2c93a8d4c7f6a311084

            SHA256

            9c8ff7750281ee54d8fdf3990659d7652c663fb986e029a791f8f051e3bf40f9

            SHA512

            381ab7e6f07b427f2a5a2b9cd5c5914fa45a5edaf70e622969156d7a1deed8c3cab70b55084799d4055ce73324cbdc3acad6b45b83cfcebb25f62354d732b51b

            Download Submit

          • F:\$RECYCLE.BIN\S-1-5-21-2547232018-1419253926-3356748848-1000\_desktop.ini
            Filesize

            8B

            MD5

            d8dca68320777bb03e3a6dbdb7624c4f

            SHA1

            094cbdfea49743824e2aaf9c66082c25da2157b1

            SHA256

            ebe46a39e49fe879afd1b4ac0de5c6c62e8e90342cd71aaaf3ec1d84269e9c6e

            SHA512

            9097e8a3df0ae12235002caaef04951ab586d84ea9db1b9952e684b5ab570a033ba1bf047598fca329652cab23a5ec1516e6cd6dbcbd979fd32b9b8afbdf88cc

            Download Submit

          • memory/1156-18-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/1156-2532-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/1156-11-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/1156-8709-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/3148-0-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/3148-9-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download