Overview

overview

7

Static

static

3

48486ac596...05.exe

windows7-x64

7

48486ac596...05.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    12/07/2024, 04:05

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    48486ac596a5b4da52f00bf0ba094f5b45829ffb3040074684dd1d63f7ade405.exe

  • Size

    400KB

  • MD5

    46b9bae9cdc0f3824c1f63a92db4381d

  • SHA1

    325f2d5884d24cb1357c1e5e8e9785824188a944

  • SHA256

    48486ac596a5b4da52f00bf0ba094f5b45829ffb3040074684dd1d63f7ade405

  • SHA512

    a3c5280804e7086af5a6b475a7c5eb8531f3c19c937c7567be8668d1d14de47a2b08ac11fde693d07cfb25cf65cba5725c24e27067a1bf9845539edb6c9f3f3b

  • SSDEEP

    6144:/b+aezsP2zPVz7jUBs8hqcBCi6dbfra4erJlt9A+xX1oOAisEIWmGeNkfGuYF1mx:/b+aQahVy41

Score
7/10
spywarestealer

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 43 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1212
      • C:\Users\Admin\AppData\Local\Temp\48486ac596a5b4da52f00bf0ba094f5b45829ffb3040074684dd1d63f7ade405.exe
        "C:\Users\Admin\AppData\Local\Temp\48486ac596a5b4da52f00bf0ba094f5b45829ffb3040074684dd1d63f7ade405.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2876
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2768
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:1936
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c C:\Users\Admin\AppData\Local\Temp\$$a6A67.bat
            3⤵
            • Deletes itself
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:2644
            • C:\Users\Admin\AppData\Local\Temp\48486ac596a5b4da52f00bf0ba094f5b45829ffb3040074684dd1d63f7ade405.exe
              "C:\Users\Admin\AppData\Local\Temp\48486ac596a5b4da52f00bf0ba094f5b45829ffb3040074684dd1d63f7ade405.exe"
              4⤵
              • Executes dropped EXE
              PID:2320
          • C:\Windows\Logo1_.exe
            C:\Windows\Logo1_.exe
            3⤵
            • Drops startup file
            • Executes dropped EXE
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:2992
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:2616
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:2692
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:700
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:988

          Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
                  Filesize

                  484KB

                  MD5

                  7b714d463f7db900d5b6e757778a8ab8

                  SHA1

                  2cfc0e9f54236af8e10b0bfa551d87a20982b733

                  SHA256

                  c995370836939a29853611830ca08d437286d4f45603edce88f36aa1f99a0d97

                  SHA512

                  e8fe8823b5b7f282c24c964cbf4f248b7562259a13410bf95997288727f9bfc6ea51c4aa40182b649a2235bafc02062e0c57f4f62876b5174395071a8d68f9bb

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\$$a6A67.bat
                  Filesize

                  722B

                  MD5

                  b6741c3e6ca966f6111303a6700fffa8

                  SHA1

                  ae105ad303026ca5838912d48cfc827199fe2631

                  SHA256

                  9bab503ac80d49aba8384cf08105d9045169249dc0f583c3e048a8d90dac2df0

                  SHA512

                  9dfc41a35aa470a714153890f96ff7a12d0a38305c62eee0caf513915130bc5ae9e7622ce710260e8806b5a49df6b7c1693b7ee077cd04d36758c0702cb5a8fc

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\48486ac596a5b4da52f00bf0ba094f5b45829ffb3040074684dd1d63f7ade405.exe.exe
                  Filesize

                  360KB

                  MD5

                  5fbd45261a2de3bb42f489e825a9a935

                  SHA1

                  ff388f6e9efe651ec62c4152c1739783e7899293

                  SHA256

                  9e63701598199d5c47217e23b44d0e3ec5d53f5419166b1b6c68a7e9e8fc47a4

                  SHA512

                  7f22b1995a07016adb342c551454d602bfbe511525139aee8581b62116608e9e278fd81c26382f1333c7eccded4474196e73c093bb5cbf8e8f203e865024c058

                  Download Submit

                • C:\Windows\Logo1_.exe
                  Filesize

                  39KB

                  MD5

                  cbd6c62ce40b33dafb9c1c34daaee76d

                  SHA1

                  63aa66883ebb8481a9b8ad4bbd722cbf3cdaa7a0

                  SHA256

                  7b3963c7cb2db990dd1e1ede9a3c814015cb4ea4519ce5314a49f1c32e0ad4b2

                  SHA512

                  3e461ad05c6875337f70c5f8a570582b88a8f71ced918ef0a7907495037a4258e950738660fe397213c690023ef9ff7efa2d96b87de3df13a681c06d508c8722

                  Download Submit

                • F:\$RECYCLE.BIN\S-1-5-21-1506706701-1246725540-2219210854-1000\_desktop.ini
                  Filesize

                  9B

                  MD5

                  ee036d7bfecde982d31263f77044a72f

                  SHA1

                  d575db536fac53ad7f9e8f28fbf32a34aaa54afd

                  SHA256

                  6bd2c0216839f407cec78332e286e5649b2f99169f532db4197696fb125339ee

                  SHA512

                  7fe9f2de5fb89d0f7d9ddd7a9196ac54c8d159b403a428ffaea985d6bcb73e8e98a9fe36ec4cd102aa76b37f96dcd5c7a2b1abd04634a3489cc3074b57914863

                  Download Submit

                • memory/1212-29-0x0000000002E30000-0x0000000002E31000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/2876-19-0x0000000000400000-0x000000000043D000-memory.dmp

                  Filesize

                  244KB

                  Download

                • memory/2876-0-0x0000000000400000-0x000000000043D000-memory.dmp

                  Filesize

                  244KB

                  Download

                • memory/2876-15-0x00000000002D0000-0x000000000030D000-memory.dmp

                  Filesize

                  244KB

                  Download

                • memory/2876-17-0x00000000002D0000-0x000000000030D000-memory.dmp

                  Filesize

                  244KB

                  Download

                • memory/2992-21-0x0000000000400000-0x000000000043D000-memory.dmp

                  Filesize

                  244KB

                  Download

                • memory/2992-32-0x0000000000400000-0x000000000043D000-memory.dmp

                  Filesize

                  244KB

                  Download

                • memory/2992-3348-0x0000000000400000-0x000000000043D000-memory.dmp

                  Filesize

                  244KB

                  Download

                • memory/2992-4196-0x0000000000400000-0x000000000043D000-memory.dmp

                  Filesize

                  244KB

                  Download