Overview

overview

8

Static

static

3

8b1c62e486...25.exe

windows7-x64

8

8b1c62e486...25.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    150s
  • max time network
    99s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13/07/2024, 20:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8b1c62e4867a9f5099f72a48c8529608547c188ddaafe4ef2432275e42ee3625.exe

  • Size

    101KB

  • MD5

    e8a6343198b3f5e31796a6d8fd520920

  • SHA1

    c9b923ccd63d64ead621b9085da0aa96c962e270

  • SHA256

    8b1c62e4867a9f5099f72a48c8529608547c188ddaafe4ef2432275e42ee3625

  • SHA512

    26acd384b62b5583a17f5f44f10be417e32a81d37b5244cfb6a2ba192fc1c72a1d50c2fc4b3126d0af5226ae671cde82cc77f01a5c5b93795d0adb282e4fa8e7

  • SSDEEP

    1536:JC/aYzMXqtGN/CstC9qVFJWtwXaa8NPI9j+RedcP01ic4Brg:JC/aY46tGNFC0VFJWtwXwKRj1EBrg

Score
8/10
spywarestealer

Malware Config

Signatures

  • Drops file in Drivers directory 2 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3400
      • C:\Users\Admin\AppData\Local\Temp\8b1c62e4867a9f5099f72a48c8529608547c188ddaafe4ef2432275e42ee3625.exe
        "C:\Users\Admin\AppData\Local\Temp\8b1c62e4867a9f5099f72a48c8529608547c188ddaafe4ef2432275e42ee3625.exe"
        2⤵
        • Drops file in Drivers directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:4936
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:3392
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:3928
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aAE80.bat
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:972
            • C:\Users\Admin\AppData\Local\Temp\8b1c62e4867a9f5099f72a48c8529608547c188ddaafe4ef2432275e42ee3625.exe
              "C:\Users\Admin\AppData\Local\Temp\8b1c62e4867a9f5099f72a48c8529608547c188ddaafe4ef2432275e42ee3625.exe"
              4⤵
              • Executes dropped EXE
              PID:116
          • C:\Windows\Logo1_.exe
            C:\Windows\Logo1_.exe
            3⤵
            • Drops file in Drivers directory
            • Drops startup file
            • Executes dropped EXE
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:2156
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:1164
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:320
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:1200
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:4432

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files\7-Zip\7z.exe
            Filesize

            577KB

            MD5

            0ffb16d611b1daa68071fc21f317ad14

            SHA1

            2fd120012ad92d93c5088e8cea2ae9bacc782f2a

            SHA256

            02bdc27c24f46efadb6ed3f5e323b13b154108837a11538dd1ab2e573c473bc4

            SHA512

            b6841847df6596eba8f54e99dc30bca4b5dcb494310fb769222ec4bce52723a826f96f07e2ffcd0e5f7063c0c29df5c771dde0c160223e4be72900f0cc6d7ec3

            Download Submit

          • C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
            Filesize

            644KB

            MD5

            0eec0543603f7a8ce8e8f5fee478e1d2

            SHA1

            f975d2b0358d8f138bdbaa04e433d85297f29c2f

            SHA256

            636c1c024e59354f13d9bb02fa8f3849112c4557ab790a37146b1c121e597b24

            SHA512

            cbcd9919c79180c43d588c27107dd04c04378da47df03cb27f072ee296e9c23a7690e3196b457dda14bcac96a38617f597c83a47a813a58c813f3affbd6a2a05

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\$$aAE80.bat
            Filesize

            722B

            MD5

            cb76fa00e4e14f9644ed3f4c1bc7e03d

            SHA1

            152ecca17c432c2f1f99778a789a3d74c95aee7e

            SHA256

            fd52e96f50d7fdc9f0341144b086af8dbd191120ae7cb2a8282fa652aed38582

            SHA512

            8bdb27e697bc6708d8e631a500f2878c098b79e347566cb4396d30038f5858e451718cccd3a14e11e53eefc8bd103cdc10c65c0e268e259ff42de6390aeb095e

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\8b1c62e4867a9f5099f72a48c8529608547c188ddaafe4ef2432275e42ee3625.exe.exe
            Filesize

            68KB

            MD5

            48335cfbe6a9bdaa2492ca1320b70a3a

            SHA1

            6d3c3d659e3718a0b56f52c9d4386d55d7672b97

            SHA256

            4ec34f1d893e8cc02f669fb5eb329bbcc5374bd7e7284e8fd86fbc29d2ffeb4d

            SHA512

            9eaf3b380449ab1d2b4b6371336fc71f6a43eee0295de012d0859e7f3b80a87f9d8316b0e65d4ca450630ee17b95c64e79e594bfe27fb3965917b0c5bc2d1b58

            Download Submit

          • C:\Windows\Logo1_.exe
            Filesize

            33KB

            MD5

            c7d0ac4daba2130b7198471cd0b488f4

            SHA1

            1508a062f2e1ce932b6db4fef2506ac8d0531566

            SHA256

            e1c808d83a26f74b81dacc4e798c71ec055325ff7457111421b3a01f1b3286ec

            SHA512

            2efe378391fd72e21c43c1976956559dd525c67a33e98f135731192d74acc21fab5ed4a71859aa6a7d31436d0c612cbe95015efc0a01dd75e1e2cb96359d65c9

            Download Submit

          • C:\Windows\system32\drivers\etc\hosts
            Filesize

            842B

            MD5

            6f4adf207ef402d9ef40c6aa52ffd245

            SHA1

            4b05b495619c643f02e278dede8f5b1392555a57

            SHA256

            d9704dab05e988be3e5e7b7c020bb9814906d11bb9c31ad80d4ed1316f6bc94e

            SHA512

            a6306bd200a26ea78192ae5b00cc49cfab3fba025fe7233709a4e62db0f9ed60030dce22b34afe57aad86a098c9a8c44e080cedc43227cb87ef4690baec35b47

            Download Submit

          • F:\$RECYCLE.BIN\S-1-5-21-701583114-2636601053-947405450-1000\_desktop.ini
            Filesize

            9B

            MD5

            76853822695e9314b90b205b5517a435

            SHA1

            de6e48d84826cfcd19abbaa1ff3daddc8d825fbf

            SHA256

            477608616359abe01b8ca52b48468a243766d1cc1569a285e6060139e5cd91d7

            SHA512

            74fec6d54ce20fe2ae6ccf59b4fdf8b36d7e03b0576e7c6633c34ae3ceb7d2a0e0e36204cb76956e306ae263a779431df59aeb175a0a56750832c71a8fe98783

            Download Submit

          • memory/2156-20-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/2156-12-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/2156-2464-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/2156-8842-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/4936-11-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/4936-0-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download