Analysis

  • max time kernel
    150s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
  • submitted
    19/07/2024, 05:08

General

  • Target

    55e029a4af7d6887c97710dd72fd928a6c857b808ac3cd7f545a8e3e9c9adcfd.exe

  • Size

    1.1MB

  • MD5

    4052774a9f7c6514ed83a76e091a9543

  • SHA1

    6013d9d0d8e048e9b8bcce58ebb4c026ba63d6d4

  • SHA256

    55e029a4af7d6887c97710dd72fd928a6c857b808ac3cd7f545a8e3e9c9adcfd

  • SHA512

    2675bd5ed1a1dd4802ced7536db854fd61e926c0701f44f8a5e6e13348fae14b18b873d021c356894cb96f990456db8e77d59ec82ae2086eedd0cb638435889a

  • SSDEEP

    24576:MbBRXT9T+w6zY8v5a2FZ7WDpk2Kvfd5nP6Wp8zrMBThYBjv:sBRZ6zY8/7WDaDvfd5iQ8zoBThojv

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 43 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1404
      • C:\Users\Admin\AppData\Local\Temp\55e029a4af7d6887c97710dd72fd928a6c857b808ac3cd7f545a8e3e9c9adcfd.exe
        "C:\Users\Admin\AppData\Local\Temp\55e029a4af7d6887c97710dd72fd928a6c857b808ac3cd7f545a8e3e9c9adcfd.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:3028
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1976
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:1892
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c C:\Users\Admin\AppData\Local\Temp\$$a770.bat
            3⤵
            • Deletes itself
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:2832
            • C:\Users\Admin\AppData\Local\Temp\55e029a4af7d6887c97710dd72fd928a6c857b808ac3cd7f545a8e3e9c9adcfd.exe
              "C:\Users\Admin\AppData\Local\Temp\55e029a4af7d6887c97710dd72fd928a6c857b808ac3cd7f545a8e3e9c9adcfd.exe"
              4⤵
              • Executes dropped EXE
              PID:2676
          • C:\Windows\Logo1_.exe
            C:\Windows\Logo1_.exe
            3⤵
            • Drops startup file
            • Executes dropped EXE
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:1940
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:2820
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:2108
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:1964
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:2564

Network

MITRE ATT&CK Enterprise v15

Downloads

          • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

            Filesize

            264KB

            MD5

            6d0d6e0e6b9c1f755eeee10305f199c9

            SHA1

            6bd5ffb0481f75d5edbb659dfc0c85f3fd1c9147

            SHA256

            fd93ab2b7dca5b0b769637aeec591fe865efa180d2f46625c80153dcb1ccfa6d

            SHA512

            eb15d0f478723e397ce4ca3ac36d6ee30066dd1139f5828efc1016db7a6e5632ab99dd72146091d0dd42409d5497619250ea718fccf3a9debf9ceed3a34d74b3

          • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

            Filesize

            484KB

            MD5

            7b714d463f7db900d5b6e757778a8ab8

            SHA1

            2cfc0e9f54236af8e10b0bfa551d87a20982b733

            SHA256

            c995370836939a29853611830ca08d437286d4f45603edce88f36aa1f99a0d97

            SHA512

            e8fe8823b5b7f282c24c964cbf4f248b7562259a13410bf95997288727f9bfc6ea51c4aa40182b649a2235bafc02062e0c57f4f62876b5174395071a8d68f9bb

          • C:\Users\Admin\AppData\Local\Temp\$$a770.bat

            Filesize

            721B

            MD5

            3088649a7cf49f8ef2a4e544fbcb7bff

            SHA1

            eac7e84ed22894ccd0cc9837a4441ce9516265fa

            SHA256

            3f39b8cc4d66dbba9e12456f60f65c1453794d397ac916f167e744db5f22b7e5

            SHA512

            67cc14999eaf2f23fdff60f7eb85cf564d65fae0142740dfc91a2d2cb37ec3184be36066333bca1d10e4b7ae8488f0e8f2992d1a471aa30eecc230afa7a7da61

          • C:\Users\Admin\AppData\Local\Temp\55e029a4af7d6887c97710dd72fd928a6c857b808ac3cd7f545a8e3e9c9adcfd.exe.exe

            Filesize

            1.1MB

            MD5

            f012ebe3b9f0c4d18b43076b68295667

            SHA1

            27ce582d305bf5ec574fd7edf39e1300783e9323

            SHA256

            bdff5163ff3787a7a8b6bb3f688e877c5fa10db2ad535bb9765c91e976fbcafe

            SHA512

            06ce3eceb42ca555511f55e85fe79441a4a8c70ad32c36a045560cb8449e44f08bcd9e938e9a11a0360c7363ba2fff4dd92b1a300e21e214a6d273009d8c2463

          • C:\Windows\Logo1_.exe

            Filesize

            39KB

            MD5

            dd45e175b084f3e7b3923cb8fcb3833b

            SHA1

            e44896aa2e3e4a8ba6677fd10c4eac8315b3939c

            SHA256

            cff2b960d67366aedaec8aaa4388a3537000a7253a3eeef378d24e1a171a4f13

            SHA512

            562284581292c3965df7e1f95bcffa2047d9a9e42e863e32b9cfc7b289270db24ca1ecb004f26d499d9901c49c11844cf3868b93b4b704f30a98ba4b52824fba

          • F:\$RECYCLE.BIN\S-1-5-21-2172136094-3310281978-782691160-1000\_desktop.ini

            Filesize

            9B

            MD5

            1368e4d784ef82633de86fa6bc6e37f9

            SHA1

            77c7384e886b27647bb4f2fd364e7947e7b6abc6

            SHA256

            57507bed6cf91d70e66bd4cc287634889ef30b648cb7c44a4edec0e2cb68b772

            SHA512

            3cb7168e776eb564768e30eba43174014a85108ab306a7c07a1522fb42173c381a5bff9ac10944fd345dd5308061cbe2878c60d1e878f8768281c1adcf5dd85b

          • memory/1404-30-0x0000000002AC0000-0x0000000002AC1000-memory.dmp

            Filesize

            4KB

          • memory/1940-33-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

          • memory/1940-3002-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

          • memory/1940-4203-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

          • memory/3028-0-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

          • memory/3028-18-0x00000000002E0000-0x000000000031D000-memory.dmp

            Filesize

            244KB

          • memory/3028-17-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB