Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25-07-2024 22:02

General

  • Target

    6dbea94b6ef06e261f45c3adec2be77727693d611c4e2b642bee15a74af8b1b6.exe

  • Size

    231KB

  • MD5

    a3d8c4a41ae0c3a179b556f80042eb28

  • SHA1

    648f27af25c6864fd6a7ffbc6b0bde8fc3bb8191

  • SHA256

    6dbea94b6ef06e261f45c3adec2be77727693d611c4e2b642bee15a74af8b1b6

  • SHA512

    6f5560f94d65b1ae9a6286569cc7e090b81925ace14d0ae7a8d21389e6569ea47480c28953dcb112f198408072297e7d2e0c9a19ed73fa475afc993c69c92ad5

  • SSDEEP

    6144:WKq7MrnmM0AI0vgajRI0vXdBv7/PsqkyskssIsVAMjzIGGpsAsdAXAs+s3OT4Ch2:O7MLmNkyFj

Malware Config

Signatures

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 62 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3440
      • C:\Users\Admin\AppData\Local\Temp\6dbea94b6ef06e261f45c3adec2be77727693d611c4e2b642bee15a74af8b1b6.exe
        "C:\Users\Admin\AppData\Local\Temp\6dbea94b6ef06e261f45c3adec2be77727693d611c4e2b642bee15a74af8b1b6.exe"
        2⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:4752
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB99B.bat
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3416
          • C:\Users\Admin\AppData\Local\Temp\6dbea94b6ef06e261f45c3adec2be77727693d611c4e2b642bee15a74af8b1b6.exe
            "C:\Users\Admin\AppData\Local\Temp\6dbea94b6ef06e261f45c3adec2be77727693d611c4e2b642bee15a74af8b1b6.exe"
            4⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:4548
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Drops startup file
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:1236
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:1572
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:3208
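    The process tree and the Signatures list above, turned into host-detection logic. This is an added example, not part of the sandbox report or the sandbox's own code. It encodes four process-level behaviours the tree shows (cmd.exe running a `$$*.bat` from the user's Temp directory, an unknown executable running directly from C:\Windows, `net stop` against a security product's service, and the original image re-launched through cmd.exe) plus two file-level ones (an .exe written to C:\Windows and `_desktop.ini` written under $RECYCLE.BIN on a drive other than C:), and runs them over event records constructed by hand from this report. The generalisations (the `$$` file-name prefix, the security-service keyword list, the short C:\Windows allowlist) and the PID attributed to each file write are assumptions, not facts stated in the report.

```python
"""Detection rules derived from the sandbox report's Signatures and Processes
sections (added example, not the report's or the sandbox's own code).
Events below are constructed from the report: PIDs, images, command lines and
paths are copied from it, parent PIDs are inferred from the tree nesting.
Field names loosely follow Sysmon Event ID 1 (ProcessCreate) and Event ID 11
(FileCreate); nothing here is real telemetry."""
import re
from dataclasses import dataclass

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\6dbea94b6ef06e261f45c3adec2be77727693d611c4e2b642bee15a74af8b1b6.exe")


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass(frozen=True)
class FileEvent:
    pid: int   # writing process; an assumption based on the per-process signatures
    path: str


# Constructed from the Processes section (parent PIDs from the tree nesting).
PROC_EVENTS = [
    ProcEvent(3440, 0, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    ProcEvent(4752, 3440, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(3416, 4752, r"C:\Windows\SysWOW64\cmd.exe",
              r"C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB99B.bat"),
    ProcEvent(4548, 3416, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(1236, 4752, r"C:\Windows\Logo1_.exe", r"C:\Windows\Logo1_.exe"),
    ProcEvent(1572, 1236, r"C:\Windows\SysWOW64\net.exe", 'net stop "Kingsoft AntiVirus Service"'),
    ProcEvent(3208, 1572, r"C:\Windows\SysWOW64\net1.exe",
              r'C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"'),
]

# Constructed from the Downloads section.
FILE_EVENTS = [
    FileEvent(4752, r"C:\Users\Admin\AppData\Local\Temp\$$aB99B.bat"),
    FileEvent(4752, r"C:\Windows\Logo1_.exe"),
    FileEvent(1236, r"F:\$RECYCLE.BIN\S-1-5-21-2636447293-1148739154-93880854-1000\_desktop.ini"),
]

# Illustrative, deliberately short allowlist of binaries that legitimately live
# directly in C:\Windows; build the real one from a clean baseline (assumption).
WINDOWS_ROOT_ALLOW = {"explorer.exe", "notepad.exe", "regedit.exe", "hh.exe",
                      "write.exe", "winhlp32.exe", "splwow64.exe", "bfsvc.exe"}
SECURITY_SERVICE_HINTS = ("antivirus", "anti-virus", "defender", "kingsoft", "security")

TEMP_DOLLAR_BAT = re.compile(r"/c\s+\S*\\appdata\\local\\temp\\\$\$[^\s\\]*\.bat\b", re.I)
NET_STOP = re.compile(r'\bstop\s+"?([^"]+?)"?\s*$', re.I)
RECYCLE_MARKER = re.compile(r"^[D-Z]:\\\$RECYCLE\.BIN\\S-1-5-21-[\d-]+\\_desktop\.ini$", re.I)


def _base(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _dir(path: str) -> str:
    return path.rsplit("\\", 1)[0].lower()


def detect_process(events):
    """Return (rule, pid) hits for the process-level behaviours in the report."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        img = _base(e.image)
        # cmd.exe /c <Temp>\$$...bat: the dropper's batch stage.
        if img == "cmd.exe" and TEMP_DOLLAR_BAT.search(e.cmdline):
            hits.append(("temp_dollar_bat", e.pid))
        # An executable running straight from C:\Windows that is not a known
        # Windows binary (Logo1_.exe in this report).
        if _dir(e.image) == r"c:\windows" and img not in WINDOWS_ROOT_ALLOW:
            hits.append(("unexpected_exe_in_windows_root", e.pid))
        # net/net1 stop <service> where the service name looks security-related.
        if img in ("net.exe", "net1.exe"):
            m = NET_STOP.search(e.cmdline)
            if m and any(h in m.group(1).lower() for h in SECURITY_SERVICE_HINTS):
                hits.append(("net_stop_security_service", e.pid))
        # Same image re-launched by a cmd.exe whose parent is that image: the
        # batch stage re-executes the (restored) original program.
        parent = by_pid.get(e.ppid)
        grand = by_pid.get(parent.ppid) if parent else None
        if (parent and grand and _base(parent.image) == "cmd.exe"
                and grand.image.lower() == e.image.lower()):
            hits.append(("self_relaunch_via_cmd", e.pid))
    return hits


def detect_file(events):
    """Return (rule, pid, path) hits for the dropped-file behaviours."""
    hits = []
    for e in events:
        if _dir(e.path) == r"c:\windows" and e.path.lower().endswith(".exe"):
            hits.append(("exe_written_to_windows_root", e.pid, e.path))
        if RECYCLE_MARKER.match(e.path):
            hits.append(("recycle_bin_marker_on_secondary_drive", e.pid, e.path))
    return hits


if __name__ == "__main__":
    for hit in detect_process(PROC_EVENTS) + detect_file(FILE_EVENTS):
        print(*hit)
```

    Run against the constructed events, every process in the tree except Explorer.EXE and the first launch of the sample trips at least one rule, and both file rules fire. The self-relaunch rule is the one worth keeping even when the file names change: a program that spawns cmd.exe, which in turn re-executes the same image path, is the hallmark of a dropper that has restored and re-run the original program it was attached to.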

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\$$aB99B.bat

      Filesize

      722B

      MD5

      ce1cf47881c787841aca91ef73bce245

      SHA1

      66bfd4e51648c6e89030906449debc1f06348d00

      SHA256

      ea14188f336c554549f26b152ca4caa02fa644c43fa05ebcc22212ea1e30571b

      SHA512

      fc853f0c9abb64e4e69e4b3b3afbd0a440f6b25a1c7200aaed4dd0f463ea29b8c73649a531665bec3b4d5ae71cf1d98b5b417c11a82c56693902b3bda5efdd27

    • C:\Users\Admin\AppData\Local\Temp\6dbea94b6ef06e261f45c3adec2be77727693d611c4e2b642bee15a74af8b1b6.exe.exe

      Filesize

      200KB

      MD5

      606f9f54c61edfbbbf285cfdafef6665

      SHA1

      5b1d7216098224c02e03afe818d28af6820883c7

      SHA256

      663951ef42367ce264436ee770118464ae778a61fb629408b7d5d716001610c9

      SHA512

      223d24295f574e1da2cc305bc261ba4081a3f0950158716598fb46f013f790026e47d376f6be82bfe60a113cf7052c7ca9ac26c138e858dbf57ca81753e4421b

    • C:\Windows\Logo1_.exe

      Filesize

      31KB

      MD5

      38500feec89e9b79d00d91919aad402a

      SHA1

      8083d3bdb04cee3b5d3630890821b88bf3ca19e2

      SHA256

      c716df8a66f99bed99f31d1496556628be2548f5cd92dacfe5db50d95dc8f9b7

      SHA512

      292653a1f4632b06be9614604308e7ed69f87018a6433ec59151408363be6c137852966814232047a01205765e71d0c641b74a9ef50d2e73083c355376bf2236

    • F:\$RECYCLE.BIN\S-1-5-21-2636447293-1148739154-93880854-1000\_desktop.ini

      Filesize

      9B

      MD5

      c20162cff0e529974834e150d7e6691f

      SHA1

      512e9821581354bd8078227ddf386b17e771ff38

      SHA256

      82f2070eb6138ab12ec2a1f0c3ca7b3b97db75cc19a5076ed382b017f309bdd6

      SHA512

      c2c414232ac5fc3d7ff195523c49610795d0ea4d95c69748ef9ddd4a42203ace52a7da8594cb20102743a21b6eb5bd9e7ee5915513a9c11a0db319323538d744

    • memory/1236-11-0x0000000000400000-0x000000000043B000-memory.dmp

      Filesize

      236KB

    • memory/1236-5704-0x0000000000400000-0x000000000043B000-memory.dmp

      Filesize

      236KB

    • memory/1236-8906-0x0000000000400000-0x000000000043B000-memory.dmp

      Filesize

      236KB

    • memory/4752-0-0x0000000000400000-0x000000000043B000-memory.dmp

      Filesize

      236KB

    • memory/4752-9-0x0000000000400000-0x000000000043B000-memory.dmp

      Filesize

      236KB