Overview

overview

7

Static

static

3

7f4a75740a...35.exe

windows7-x64

7

7f4a75740a...35.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19/07/2024, 03:58

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    7f4a75740a7803fdc0f562f236de088a7bfd635bde1ea7d393c9ee4039c5e835.exe

  • Size

    66KB

  • MD5

    57f96165491965febc86eaa504a68961

  • SHA1

    83e14239a7e3de7030899d76f1b26a1fe4bb3429

  • SHA256

    7f4a75740a7803fdc0f562f236de088a7bfd635bde1ea7d393c9ee4039c5e835

  • SHA512

    f09dd1fe6802fa10c5cee1dea516331200960ed001b35ee4ea10f9c1f14794bce0ac19f1c7116bb107a7f9e210e960784c363b818608a19606a5c205db60c467

  • SSDEEP

    768:KjO5RroZJ76739sBWs69a7zKHOrEz+mKLtOWDA8Ur9BWErx0YCPuRAj0U1hkp26x:Kje+Zk78UKUWWZoEV0JuRUFyMOaHQ1l

Score
7/10
spywarestealer

Malware Config

Signatures

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3564
      • C:\Users\Admin\AppData\Local\Temp\7f4a75740a7803fdc0f562f236de088a7bfd635bde1ea7d393c9ee4039c5e835.exe
        "C:\Users\Admin\AppData\Local\Temp\7f4a75740a7803fdc0f562f236de088a7bfd635bde1ea7d393c9ee4039c5e835.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:4068
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:3356
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:3988
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a9FBA.bat
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:864
            • C:\Users\Admin\AppData\Local\Temp\7f4a75740a7803fdc0f562f236de088a7bfd635bde1ea7d393c9ee4039c5e835.exe
              "C:\Users\Admin\AppData\Local\Temp\7f4a75740a7803fdc0f562f236de088a7bfd635bde1ea7d393c9ee4039c5e835.exe"
              4⤵
              • Executes dropped EXE
              PID:5072
          • C:\Windows\Logo1_.exe
            C:\Windows\Logo1_.exe
            3⤵
            • Drops startup file
            • Executes dropped EXE
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:2008
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:2112
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:4216
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:2808
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:3172

          Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Program Files\7-Zip\7z.exe
                  Filesize

                  577KB

                  MD5

                  2619e3c0fbc12352540cad64ececd6f0

                  SHA1

                  c762f722647a803d4fd6b0dadcd592b48fb4363d

                  SHA256

                  187cde823dd6b07ef0fdce5f94d6b0db1ebf34c66fbae7584cd6e57c801f1922

                  SHA512

                  96124ea7bec10e32c2c0d640cc7dc13a4cf9a8606a5233859c7eab1fa3072bf760ade07c70cafda1a77679a8af91582bf9db7098f156864889bbe1d3652f5472

                  Download Submit

                • C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
                  Filesize

                  643KB

                  MD5

                  29bab5fa7dbfd951e1c8290a8f4c2ba7

                  SHA1

                  7b86728d64cef9686bd45f2ff6fdc818c11a1bbb

                  SHA256

                  dda333d8aed86ba750f669280e458ad2fb8d8ad5700a5fe0df584a1c818c481b

                  SHA512

                  5bb37bffffe297653f91e0601f17b507659bcfe78567e6e1d10506d3c3bea737e7d6374224ecc01f421cff8f74b299eba8fe3152742b2b1c228966a630de1339

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\$$a9FBA.bat
                  Filesize

                  722B

                  MD5

                  e9cbfc5266a8889686dd8e2dfc411ba1

                  SHA1

                  5fcfe408e6ddc82a9a8a1f5d805384b63cb04732

                  SHA256

                  3fd993fca08cb449b8a3f0047a090a860b5b81aa60dac437ae861ba570718622

                  SHA512

                  df66b5ae17eb33ee10323817e39206c6b0f689ec3dcc30ce061649dd0be7a0108213ce7886f514ef3bff779e7c2d0dfde1762e36734c159e6fe93fb73015ef4a

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\7f4a75740a7803fdc0f562f236de088a7bfd635bde1ea7d393c9ee4039c5e835.exe.exe
                  Filesize

                  33KB

                  MD5

                  69b16c7b7746ba5c642fc05b3561fc73

                  SHA1

                  83d80d668dca76b899e1bf662ddee0e0c18ac791

                  SHA256

                  0deceb6b1b7a2dd1f13133ac7328ff420dad4610cee1fa7466e8e0f6baa39116

                  SHA512

                  6b8eebcfe5b04141640047fe468371ad02bb115ee9ef00260c0b33cfd56b142c2e01b3b1c6f07281aa57b1f3b9fdb1f1082fe5620f88a57b92d8f547267ef154

                  Download Submit

                • C:\Windows\Logo1_.exe
                  Filesize

                  33KB

                  MD5

                  5910701a0a876d3bc74907c1eff1b580

                  SHA1

                  57ebb749a0c691ee683993fc9c456136d2afae40

                  SHA256

                  d78ab6d9a8574207668d5c80b9ed294b49d97645572247c3f93e41e9d2f8682a

                  SHA512

                  e03ca506d074e47bac87c2a7f111a7b41cc58ffe040c4d3bd6e78efaaa0231c6169f0e35d91c8693bf2f5f79b97ac46dfb7459aef1175db3fd811377d6a3a67c

                  Download Submit

                • F:\$RECYCLE.BIN\S-1-5-21-1705699165-553239100-4129523827-1000\_desktop.ini
                  Filesize

                  9B

                  MD5

                  1368e4d784ef82633de86fa6bc6e37f9

                  SHA1

                  77c7384e886b27647bb4f2fd364e7947e7b6abc6

                  SHA256

                  57507bed6cf91d70e66bd4cc287634889ef30b648cb7c44a4edec0e2cb68b772

                  SHA512

                  3cb7168e776eb564768e30eba43174014a85108ab306a7c07a1522fb42173c381a5bff9ac10944fd345dd5308061cbe2878c60d1e878f8768281c1adcf5dd85b

                  Download Submit

                • memory/2008-11-0x0000000000400000-0x000000000043F000-memory.dmp

                  Filesize

                  252KB

                  Download

                • memory/2008-18-0x0000000000400000-0x000000000043F000-memory.dmp

                  Filesize

                  252KB

                  Download

                • memory/2008-5208-0x0000000000400000-0x000000000043F000-memory.dmp

                  Filesize

                  252KB

                  Download

                • memory/2008-8855-0x0000000000400000-0x000000000043F000-memory.dmp

                  Filesize

                  252KB

                  Download

                • memory/4068-0-0x0000000000400000-0x000000000043F000-memory.dmp

                  Filesize

                  252KB

                  Download

                • memory/4068-9-0x0000000000400000-0x000000000043F000-memory.dmp

                  Filesize

                  252KB

                  Download