Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23-07-2024 22:58

General

  • Target

    48e391322c45ee17fedb3390043bc585ba06404c471537ce61fcaee9bd3c2dd4.exe

  • Size

    11.1MB

  • MD5

    7135d7c900dd00c4667123138b426040

  • SHA1

    cb3d1bf4c8363f7727de0588bb3c609e76149630

  • SHA256

    48e391322c45ee17fedb3390043bc585ba06404c471537ce61fcaee9bd3c2dd4

  • SHA512

    3e534fc754afaa8e00e886363f4f28b286a5888056fa4536eb0f0fd33816e2391aa5e803aaf1641a6e34238551c113c398c39574d35d119e1535df22225193fe

  • SSDEEP

    98304:8b+0ChEPIGiq3y3vx+w9TbfjJ+kdfpK46Tle36jknz9Y:2+kIGv3y/x+KTbfjJ+kdnAlejY

Malware Config

Signatures

  • Drops startup file 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3580
      • C:\Users\Admin\AppData\Local\Temp\48e391322c45ee17fedb3390043bc585ba06404c471537ce61fcaee9bd3c2dd4.exe
        "C:\Users\Admin\AppData\Local\Temp\48e391322c45ee17fedb3390043bc585ba06404c471537ce61fcaee9bd3c2dd4.exe"
        2⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:4852
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1260
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:4392
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aBF87.bat
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1672
          • C:\Users\Admin\AppData\Local\Temp\48e391322c45ee17fedb3390043bc585ba06404c471537ce61fcaee9bd3c2dd4.exe
            "C:\Users\Admin\AppData\Local\Temp\48e391322c45ee17fedb3390043bc585ba06404c471537ce61fcaee9bd3c2dd4.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of WriteProcessMemory
            PID:3796
            • C:\Users\Admin\AppData\Local\Temp\48e391322c45ee17fedb3390043bc585ba06404c471537ce61fcaee9bd3c2dd4.exe
              "C:\Users\Admin\AppData\Local\Temp\48e391322c45ee17fedb3390043bc585ba06404c471537ce61fcaee9bd3c2dd4.exe" --type=collab-renderer --proc=3796
              5⤵
              • Executes dropped EXE
              PID:3732
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Drops startup file
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2572
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:5088
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2420
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:1904
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:4608

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe

      Filesize

      251KB

      MD5

      cd7d05171d468d967fffbb89347be613

      SHA1

      44e0ed558530a96b6489b11990e1b04d46eda699

      SHA256

      25fff69c58779b78bdff60bf25e0396ed487e48dee610833f7427ca293721019

      SHA512

      d9c534f48901f1a70772d06aa1ad119d08e1a6efc8c10f17a7be2a9d76711a3caaaea15da089546ed01cb8c4a4315868bc80dd0dff3567a19f430f8b155256ac

    • C:\Program Files\PushSubmit.exe

      Filesize

      320KB

      MD5

      68f94a2c96aee4c468243e8327532937

      SHA1

      e80cbb31d7e92a365695eedbbcf5bc33ec1bbb0c

      SHA256

      29716855747208ae812f6b31423b8c120240fe566e39bced268ce2aa6b22f324

      SHA512

      161c055e5284d10f4ad74a5c6c14585cf35e853d98af8096c2d626782ed9b572a16f2940a1740e89fe4ceeff52eb5e955c4e259241486911222778d492b1498b

    • C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe

      Filesize

      643KB

      MD5

      c08994604c02bf7431e4c46295a779d5

      SHA1

      7f526582e292083589253bbc8b2cd093b2229ff2

      SHA256

      218bfecab8804a634b05ebcedc30eab7aa8fa8ed5775495ba9545517c311f00e

      SHA512

      13d9b746d0fe6922ecff9b5bf0ac896a63da11610341d4a7701e2a8d8fc5c0511d7bd9f4f54d3756b770998601b4f7b39b7e5c36d824dd42470fb0b499065c34

    • C:\Users\Admin\AppData\Local\Temp\$$aBF87.bat

      Filesize

      722B

      MD5

      4540731953f4661370c8a5cfa36981b7

      SHA1

      c205e16c5f50c4663f60264368a064242602b6b0

      SHA256

      1198119b813267a87f824a67fc5f30882d7f6e0545350290c0991b5695ff7063

      SHA512

      1db36da9dd06919aaf4150cdfe37312cd868508dcb4aa37779c9a10dd20ed7c471ce781341f93bd9b4f97c4808efe3d6bc79d3ecedc190bc32a830d524b84a32

    • C:\Users\Admin\AppData\Local\Temp\48e391322c45ee17fedb3390043bc585ba06404c471537ce61fcaee9bd3c2dd4.exe.exe

      Filesize

      11.0MB

      MD5

      b45b7bd6eb92c5b65378d8d0a0964747

      SHA1

      5ca6f198ac83c90496110259b57ff4a5f47b64bb

      SHA256

      5f1d9218f9735a763ffecc47c7b6f0c342b7f1a5da835733e0b3b73903f864a0

      SHA512

      bde39c4b6d04caae8280bdd53e6036c53ed394a72f0d4d1273c149175570e8a87f87c8963869c96834fef7e82893da38c49ce4aaa1851e65c055dbbcac7c1708

    • C:\Windows\Logo1_.exe

      Filesize

      33KB

      MD5

      acc875481830dccdda351ec15db601bb

      SHA1

      f03af1ee9a3368c71b0d46586d700ce1d39fe9bb

      SHA256

      ac544e154655a153a03c5f3dd52645c30d12c3ba6886c8b037663694748491ab

      SHA512

      e2564a8a9e7a8ddb78bc7541d0648c2b42185e7c06b63145a07f50871435f97cd6c691180e4ad900646a4a4a936981b6685934f6d289d6f013bca1ff975f1336

    • F:\$RECYCLE.BIN\S-1-5-21-2990742725-2267136959-192470804-1000\_desktop.ini

      Filesize

      9B

      MD5

      ece8e24737d1957fb4e94d8890ee8d02

      SHA1

      6c79bfb99f560a2102a903116f5a0c195f7885e4

      SHA256

      d920366b3c62a677cf0cf1f267a7c2f3dd693f2ff60ee023091bf9c39c5e30b8

      SHA512

      ccf58b4da1ad1379a546f307bca8dc4452a61a3cb443814f4d9566b8d8d35cc9d794ada4d1a13296ed5bc0248ba5ef538e5dc5e22861c2ead3f479beeb5c2d37

    • memory/2572-19-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/2572-2510-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/2572-11-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/2572-7941-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/2572-8866-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/4852-0-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/4852-9-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB