Overview

overview

7

Static

static

3

3198a7fc05...d5.exe

windows7-x64

7

3198a7fc05...d5.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    21-07-2024 05:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3198a7fc058f2b4f1c788339735a180924ae664f538cf8d77190392d968774d5.exe

  • Size

    446KB

  • MD5

    9beca891a23db3c3307a7da1935c8fdd

  • SHA1

    98c15e9ad4651472a79b67a035e832f11f78b801

  • SHA256

    3198a7fc058f2b4f1c788339735a180924ae664f538cf8d77190392d968774d5

  • SHA512

    db918247ad7c71192d9f49ed36fecb29f0e43dfa2003c308a26bbcd44a93a350d640f75ecbed044f0fdb8677f92c63a6a9c66d2fec920f9e3af3550d09ae4322

  • SSDEEP

    12288:AZA65XwlYgrHy6V17kr8+m73q+pgkxzdxRlabQYtCAZ5cIkKix:AbwlBrygOW3q49ldx7XIa

Score
7/10
spywarestealerupx

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 43 IoCs
  • Suspicious use of FindShellTrayWindow 10 IoCs
  • Suspicious use of SendNotifyMessage 10 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1184
      • C:\Users\Admin\AppData\Local\Temp\3198a7fc058f2b4f1c788339735a180924ae664f538cf8d77190392d968774d5.exe
        "C:\Users\Admin\AppData\Local\Temp\3198a7fc058f2b4f1c788339735a180924ae664f538cf8d77190392d968774d5.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2788
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2800
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:2712
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c C:\Users\Admin\AppData\Local\Temp\$$aF41F.bat
            3⤵
            • Deletes itself
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:2820
            • C:\Users\Admin\AppData\Local\Temp\3198a7fc058f2b4f1c788339735a180924ae664f538cf8d77190392d968774d5.exe
              "C:\Users\Admin\AppData\Local\Temp\3198a7fc058f2b4f1c788339735a180924ae664f538cf8d77190392d968774d5.exe"
              4⤵
              • Executes dropped EXE
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SendNotifyMessage
              PID:1712
          • C:\Windows\Logo1_.exe
            C:\Windows\Logo1_.exe
            3⤵
            • Drops startup file
            • Executes dropped EXE
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:2876
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:2572
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:2644
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:1096
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:348

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
            Filesize

            258KB

            MD5

            5dfef424a369872e3e0519f1d06d420c

            SHA1

            0bdd2c7aa394be8c9f12313df532f603a4103d8a

            SHA256

            fbef399e93395ab45cdb631833b95a53576ee961fa7fd30ad3b4cc9ccf5fd05d

            SHA512

            2b549147dd1d5ee15072559fbd65d2c1347d652e1ebfd662b85d19b3de643102686a480113e9ac7cf6189185f11737716d0570e5bbbba19ea93b7c3dc5bf54c9

            Download Submit

          • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
            Filesize

            478KB

            MD5

            79d96b6a2771e7783309bf05ebe7b5c1

            SHA1

            b19da11278224b17598d5b6de189892a83196708

            SHA256

            eb38a47ec49f3f376f53aff58def8c3a0e095bad67e2887d3f58bb4a3c71a19e

            SHA512

            72e30060fd922fc37662d762bc647bf85938986d810057926fe86a1622e1b05fc841bab9ee06ee7855071ed27da3d8fe20d41f03ae68c4c76cc720a7e56d4d68

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\$$aF41F.bat
            Filesize

            722B

            MD5

            274b3219c7515045841f63a839c0eeeb

            SHA1

            4361fc8fbf2e4b7ee9f0d8075b7ec7fe932e3574

            SHA256

            06df1a33dc86f3598579b45532325a8fbb7484a4c17f29207a0076ddd9800875

            SHA512

            947a2c8bc6af216e64712d2a45001f788639f4ac2db2c1353ed48112a3bcddb259eb85385b8b281c10010e7ab103771df68d3de582085da431cff9aa09ec077d

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\3198a7fc058f2b4f1c788339735a180924ae664f538cf8d77190392d968774d5.exe.exe
            Filesize

            413KB

            MD5

            61f00cd504821ba3727f40ba91c0aa38

            SHA1

            1923a6331cf73dde5af1cb5573f35d9cce3a86b6

            SHA256

            7d317c9d43001251d8ba8ad9c81d2959e8a8030927ff3b7ed6a3b91840409552

            SHA512

            f1efd9094f5a6a14e19b2e418605c65be4fc0505e231072503786caefb42651ff9df2d3504c7bb84373097cc25651e495be85003ae45e81bd5e0ce22bb489935

            Download Submit

          • C:\Windows\Logo1_.exe
            Filesize

            33KB

            MD5

            c4b91a17133b7841f37ee4afa540f6c3

            SHA1

            4902b5453a7e99b436e15fea0eaa9739a5d41230

            SHA256

            e54a8a23a74ecc401a8263b743c050e0eccb7ceb7724993336572e2e9349046d

            SHA512

            3824045edd6c96d24d8cb026089eb56bf88ab24bdf3c163a699a3976e6ece053a0cb2e2e77e8de3771f850f4ecbf702af8e902cef04b20203e5323c592c0e86f

            Download Submit

          • F:\$RECYCLE.BIN\S-1-5-21-3294248377-1418901787-4083263181-1000\_desktop.ini
            Filesize

            9B

            MD5

            2efce5174bcf8d378a924333f75e26ad

            SHA1

            4fe6e1d729b55d42eb9d74aca11b36a94402de14

            SHA256

            04ccb9bec2864153c72852867d8e65dca07eca4e5edcfb4beb62cb364dcd91fa

            SHA512

            24684969632fb0562a3a7a5fec91d869d627730d8e9d83a2b17e326d7047e3fbff205eec207914e42ecd50fef68a212c19f3599ded271c00e66acc22f1f04c16

            Download Submit

          • memory/1184-29-0x0000000002D40000-0x0000000002D41000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1712-32-0x0000000000400000-0x00000000004F4000-memory.dmp

            Filesize

            976KB

            Download

          • memory/1712-25-0x0000000000400000-0x00000000004F4000-memory.dmp

            Filesize

            976KB

            Download

          • memory/2788-0-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/2788-17-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/2820-24-0x00000000024D0000-0x00000000025C4000-memory.dmp

            Filesize

            976KB

            Download

          • memory/2876-33-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/2876-18-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/2876-3308-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/2876-4151-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download