Overview

overview

7

Static

static

3

bbd2504697...41.exe

windows7-x64

7

bbd2504697...41.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19/07/2024, 04:01

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    bbd2504697ad6fdd890f68cb0b897f3dde8fe9f0522515c9e61d7f80eedbdf41.exe

  • Size

    66KB

  • MD5

    a66b34f3943c5968a749643c56829207

  • SHA1

    9f77478e616a919648ba451c18c2729732aee7b9

  • SHA256

    bbd2504697ad6fdd890f68cb0b897f3dde8fe9f0522515c9e61d7f80eedbdf41

  • SHA512

    a2c28d6b8f31e2e94138143a562d5f5aab33033145c4ba7ac56479144850c83ccde79f987a88bf8dbdcbd126e75a32d8a658af1c6ae74daf3f23ee9c05ffac9f

  • SSDEEP

    768:KjO5RroZJ76739sBWs69a7zKHOrEz+mKLtOWDh2KG6KzVSVxhMXYkUEt6HAkx5hN:Kje+Zk78UKUW92kKzs2Irj5hN

Score
7/10
spywarestealer

Malware Config

Signatures

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3424
      • C:\Users\Admin\AppData\Local\Temp\bbd2504697ad6fdd890f68cb0b897f3dde8fe9f0522515c9e61d7f80eedbdf41.exe
        "C:\Users\Admin\AppData\Local\Temp\bbd2504697ad6fdd890f68cb0b897f3dde8fe9f0522515c9e61d7f80eedbdf41.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:4460
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:952
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:3448
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aA539.bat
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:1812
            • C:\Users\Admin\AppData\Local\Temp\bbd2504697ad6fdd890f68cb0b897f3dde8fe9f0522515c9e61d7f80eedbdf41.exe
              "C:\Users\Admin\AppData\Local\Temp\bbd2504697ad6fdd890f68cb0b897f3dde8fe9f0522515c9e61d7f80eedbdf41.exe"
              4⤵
              • Executes dropped EXE
              PID:4932
          • C:\Windows\Logo1_.exe
            C:\Windows\Logo1_.exe
            3⤵
            • Drops startup file
            • Executes dropped EXE
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:764
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:3580
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:1116
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:4504
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:1652

          Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Program Files\7-Zip\7z.exe
                  Filesize

                  577KB

                  MD5

                  2619e3c0fbc12352540cad64ececd6f0

                  SHA1

                  c762f722647a803d4fd6b0dadcd592b48fb4363d

                  SHA256

                  187cde823dd6b07ef0fdce5f94d6b0db1ebf34c66fbae7584cd6e57c801f1922

                  SHA512

                  96124ea7bec10e32c2c0d640cc7dc13a4cf9a8606a5233859c7eab1fa3072bf760ade07c70cafda1a77679a8af91582bf9db7098f156864889bbe1d3652f5472

                  Download Submit

                • C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
                  Filesize

                  643KB

                  MD5

                  29bab5fa7dbfd951e1c8290a8f4c2ba7

                  SHA1

                  7b86728d64cef9686bd45f2ff6fdc818c11a1bbb

                  SHA256

                  dda333d8aed86ba750f669280e458ad2fb8d8ad5700a5fe0df584a1c818c481b

                  SHA512

                  5bb37bffffe297653f91e0601f17b507659bcfe78567e6e1d10506d3c3bea737e7d6374224ecc01f421cff8f74b299eba8fe3152742b2b1c228966a630de1339

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\$$aA539.bat
                  Filesize

                  722B

                  MD5

                  b51dee47fec4a2b2290c8d6d74ea7a78

                  SHA1

                  db1f4f50fbf9ad8dd5843be0ca4dc6a63029f833

                  SHA256

                  51ca932875045fdf07c0a21df71d45ff1a31d4defe4c24d909b82d195ad2b49a

                  SHA512

                  a35fb0885c67ed21703f37692b5fd411c3d01f18621bb073b0ca08239876b04a338f6aacc6307891354e94297c95886ccee1efc777891750e01730254225e423

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\bbd2504697ad6fdd890f68cb0b897f3dde8fe9f0522515c9e61d7f80eedbdf41.exe.exe
                  Filesize

                  33KB

                  MD5

                  97ec61761e1fdfb2f1d4ea4d221a43d1

                  SHA1

                  d6e1682a8dd967bdffe8c145731fb9ea1d0a3509

                  SHA256

                  1f3069b596484ffa16181226b07c67ee1cb0f41d191ddde7c02f6bb75336cc52

                  SHA512

                  7d34cc27dce09e2711d76f39c5f44525937ac15723aaedc303c154223f3ec42e6043374582614cc3067795781a2daf6ea8935f3f3b0a8747fa783cedf36090a9

                  Download Submit

                • C:\Windows\Logo1_.exe
                  Filesize

                  33KB

                  MD5

                  5910701a0a876d3bc74907c1eff1b580

                  SHA1

                  57ebb749a0c691ee683993fc9c456136d2afae40

                  SHA256

                  d78ab6d9a8574207668d5c80b9ed294b49d97645572247c3f93e41e9d2f8682a

                  SHA512

                  e03ca506d074e47bac87c2a7f111a7b41cc58ffe040c4d3bd6e78efaaa0231c6169f0e35d91c8693bf2f5f79b97ac46dfb7459aef1175db3fd811377d6a3a67c

                  Download Submit

                • F:\$RECYCLE.BIN\S-1-5-21-2650514177-1034912467-4025611726-1000\_desktop.ini
                  Filesize

                  9B

                  MD5

                  1368e4d784ef82633de86fa6bc6e37f9

                  SHA1

                  77c7384e886b27647bb4f2fd364e7947e7b6abc6

                  SHA256

                  57507bed6cf91d70e66bd4cc287634889ef30b648cb7c44a4edec0e2cb68b772

                  SHA512

                  3cb7168e776eb564768e30eba43174014a85108ab306a7c07a1522fb42173c381a5bff9ac10944fd345dd5308061cbe2878c60d1e878f8768281c1adcf5dd85b

                  Download Submit

                • memory/764-11-0x0000000000400000-0x000000000043F000-memory.dmp

                  Filesize

                  252KB

                  Download

                • memory/764-18-0x0000000000400000-0x000000000043F000-memory.dmp

                  Filesize

                  252KB

                  Download

                • memory/764-5220-0x0000000000400000-0x000000000043F000-memory.dmp

                  Filesize

                  252KB

                  Download

                • memory/764-8899-0x0000000000400000-0x000000000043F000-memory.dmp

                  Filesize

                  252KB

                  Download

                • memory/4460-0-0x0000000000400000-0x000000000043F000-memory.dmp

                  Filesize

                  252KB

                  Download

                • memory/4460-10-0x0000000000400000-0x000000000043F000-memory.dmp

                  Filesize

                  252KB

                  Download