Overview

overview

8

Static

static

3

7e25d7cf82...22.exe

windows7-x64

8

7e25d7cf82...22.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240704-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-07-2024 14:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7e25d7cf826fa4a49ccf96fe8c2d021975a3fc660005312c6d44750e47f73022.exe

  • Size

    91KB

  • MD5

    56b8fad2fb044bf84c998befb032518a

  • SHA1

    71d46edc400b37af91cd422b37d65af8e3a05e64

  • SHA256

    7e25d7cf826fa4a49ccf96fe8c2d021975a3fc660005312c6d44750e47f73022

  • SHA512

    c4f8bb819be0930d5be4381fa4b351ad49f30755abe62b0d4efd2fe032b342559bc78d6b4618327531efde3e97c37e90e4777516d5d76924a3b11f4221c98d5f

  • SSDEEP

    1536:JGaYzMXqtGN/CstC9qVFEQwFxV7qjh3rmKPNIwW:JGaY46tGNFC0VFAAjZqMNId

Score
8/10
spywarestealer

Malware Config

Signatures

  • Drops file in Drivers directory 2 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3464
      • C:\Users\Admin\AppData\Local\Temp\7e25d7cf826fa4a49ccf96fe8c2d021975a3fc660005312c6d44750e47f73022.exe
        "C:\Users\Admin\AppData\Local\Temp\7e25d7cf826fa4a49ccf96fe8c2d021975a3fc660005312c6d44750e47f73022.exe"
        2⤵
        • Drops file in Drivers directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:4660
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1528
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:1996
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a13D1.bat
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:5000
            • C:\Users\Admin\AppData\Local\Temp\7e25d7cf826fa4a49ccf96fe8c2d021975a3fc660005312c6d44750e47f73022.exe
              "C:\Users\Admin\AppData\Local\Temp\7e25d7cf826fa4a49ccf96fe8c2d021975a3fc660005312c6d44750e47f73022.exe"
              4⤵
              • Executes dropped EXE
              PID:2072
          • C:\Windows\Logo1_.exe
            C:\Windows\Logo1_.exe
            3⤵
            • Drops file in Drivers directory
            • Drops startup file
            • Executes dropped EXE
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:3684
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:2216
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:4396
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:4316
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:3368

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
            Filesize

            258KB

            MD5

            a41dc33df605c8bb3ca1e9dc1c81e635

            SHA1

            8e94038d148d655fcd598b32efdc814d14dbd3ca

            SHA256

            85222d43b52a94bb74682fcb8fb21dac953e8306fd200c5972b69092d36cb21d

            SHA512

            2e4eeeac5eb60f6dc71229acd7a750e4f625980eae24ec1fd444d6cbc3989dda8c45b025d09efbd60ebb9789c77c25c9052cfabb63df653c4baa942debe9904e

            Download Submit

          • C:\Program Files\7-Zip\7z.exe
            Filesize

            577KB

            MD5

            a2826e6d1bd15b17ca4cef72a238333d

            SHA1

            0924110e71f599e1fa2bf0dbd5e97390210dd2b6

            SHA256

            f015f7d8ed4d7766c57a3f72eca421aa9930ca94738bf8b2e36bc81cdfc8ba49

            SHA512

            4f545c989135fb418d8966f9703e9e4b2e4c17be18801681162a73e3d7a15fa657b2f8743b796feeb51b2cfcd6917bc1867d8b64b80ab8ca604983ffcc322a61

            Download Submit

          • C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
            Filesize

            644KB

            MD5

            0eec0543603f7a8ce8e8f5fee478e1d2

            SHA1

            f975d2b0358d8f138bdbaa04e433d85297f29c2f

            SHA256

            636c1c024e59354f13d9bb02fa8f3849112c4557ab790a37146b1c121e597b24

            SHA512

            cbcd9919c79180c43d588c27107dd04c04378da47df03cb27f072ee296e9c23a7690e3196b457dda14bcac96a38617f597c83a47a813a58c813f3affbd6a2a05

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\$$a13D1.bat
            Filesize

            722B

            MD5

            87b4948f9c71b7aa4291d3aaaf9efbff

            SHA1

            91dcc36ef8610ec52499fdd7382b7b13e0b2601d

            SHA256

            aab8e809c46fad2f3032e0e61940d7797e4b1c337920b7e115d10f4a40f9a828

            SHA512

            8613e41bdf4b1f8510203ee7e953ad9f55b4b8aabe1c7c1e176183374cd17cbcdb0fba24d71ea7fe4fa3469dd186ccb86e77b5044e42dedf38eedf7cee2e7ca0

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\7e25d7cf826fa4a49ccf96fe8c2d021975a3fc660005312c6d44750e47f73022.exe.exe
            Filesize

            57KB

            MD5

            fa71e60855b37c3c26d9ebbb52a0c3de

            SHA1

            e608fea1cd4d5a34d7a86ca4e64d1db67f539f29

            SHA256

            5122bb9ce0e46f847cf1920c4e2fcead16b3101f6f03d3225e92a5f80a2f1c1c

            SHA512

            1b8cc9b37c24c9a5661e26cfb162fd1cb6419a4beb472bf100f4fbb61dfe9c353e8d3502af3d9a55d44a5f07dc0bf49412d5ca0d0d20fe466e3156ad1a88886b

            Download Submit

          • C:\Windows\Logo1_.exe
            Filesize

            33KB

            MD5

            cf75cf09f1253bd8de91ec95294942df

            SHA1

            c18b6ac531842109a7beae169137218d6b5bf9c5

            SHA256

            9c2e39989d8f9be1a0d6ed878eb8ae88f54798cddbf208c4ee0712e30c55090f

            SHA512

            31d09d0360a9aecb09a296eedf6a3aaa83e77643d509dd088efa4887586b1b90f97ab59cd83570849e74f9c49cbe02ffa46b1d0601400afe0393098579c72d0b

            Download Submit

          • C:\Windows\system32\drivers\etc\hosts
            Filesize

            842B

            MD5

            6f4adf207ef402d9ef40c6aa52ffd245

            SHA1

            4b05b495619c643f02e278dede8f5b1392555a57

            SHA256

            d9704dab05e988be3e5e7b7c020bb9814906d11bb9c31ad80d4ed1316f6bc94e

            SHA512

            a6306bd200a26ea78192ae5b00cc49cfab3fba025fe7233709a4e62db0f9ed60030dce22b34afe57aad86a098c9a8c44e080cedc43227cb87ef4690baec35b47

            Download Submit

          • F:\$RECYCLE.BIN\S-1-5-21-1403246978-718555486-3105247137-1000\_desktop.ini
            Filesize

            9B

            MD5

            ee036d7bfecde982d31263f77044a72f

            SHA1

            d575db536fac53ad7f9e8f28fbf32a34aaa54afd

            SHA256

            6bd2c0216839f407cec78332e286e5649b2f99169f532db4197696fb125339ee

            SHA512

            7fe9f2de5fb89d0f7d9ddd7a9196ac54c8d159b403a428ffaea985d6bcb73e8e98a9fe36ec4cd102aa76b37f96dcd5c7a2b1abd04634a3489cc3074b57914863

            Download Submit

          • memory/3684-20-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/3684-13-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/3684-3250-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/3684-8811-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/4660-0-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/4660-11-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download