Overview

overview

7

Static

static

3

6bcef1328c...88.exe

windows7-x64

7

6bcef1328c...88.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
  • submitted
    25/07/2024, 09:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6bcef1328c08c4e230768e985dacc9eac0e4bd4c31737f6f0bca4707a2b30088.exe

  • Size

    56KB

  • MD5

    5895215d77f4821b69b2b488688c8c9e

  • SHA1

    5cbbf497653682c996eb77eeeb15c0b799d81d93

  • SHA256

    6bcef1328c08c4e230768e985dacc9eac0e4bd4c31737f6f0bca4707a2b30088

  • SHA512

    54186b9bf8fd9118e7b2337c064858dd7cacff5b7471036c7ba8fcc54eff100bbaa89ee752681b89cc316f281fa6ddab8ca72a93a5fc2d0f81c09c32d986142f

  • SSDEEP

    768:FsPNpQFJFKZj1PVs9Ag1vzbExhU1GBRSkjirqgt6jpYU5ltbDrYiI0oPxWExI:FDcx1aeg1vye1MRSB6jWWvr78Pxc

Score
7/10
discoveryspywarestealer

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 43 IoCs
  • Suspicious use of WriteProcessMemory 41 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1196
      • C:\Users\Admin\AppData\Local\Temp\6bcef1328c08c4e230768e985dacc9eac0e4bd4c31737f6f0bca4707a2b30088.exe
        "C:\Users\Admin\AppData\Local\Temp\6bcef1328c08c4e230768e985dacc9eac0e4bd4c31737f6f0bca4707a2b30088.exe"
        2⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2380
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1932
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:1748
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\$$aA5B1.bat
          3⤵
          • Deletes itself
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2560
          • C:\Users\Admin\AppData\Local\Temp\6bcef1328c08c4e230768e985dacc9eac0e4bd4c31737f6f0bca4707a2b30088.exe
            "C:\Users\Admin\AppData\Local\Temp\6bcef1328c08c4e230768e985dacc9eac0e4bd4c31737f6f0bca4707a2b30088.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:2768
            • C:\Windows\system32\WerFault.exe
              C:\Windows\system32\WerFault.exe -u -p 2768 -s 124
              5⤵
              • Loads dropped DLL
              PID:2828
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Drops startup file
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2348
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2732
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2892
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2972
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2168

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
      Filesize

      258KB

      MD5

      6569ba6a19dcf267363ead3e7d709a6e

      SHA1

      2e3a72272fb2b4a849f2fc443fe6bb0f17b03f9c

      SHA256

      da43031a617d4143466e60d648f6da2625e2f203ef46b255bfdc77ea4ed695ec

      SHA512

      83f15ab1ba1c44af699b980c830b775289e9b382e3142fd1392206372d20be555d7c40b7a3f8e5fda9d4d7fe508a7fe45cffe5b3929d7e31d9f3af7ce39942eb

      Download Submit

    • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
      Filesize

      478KB

      MD5

      cc0ad68e66fa1c78c1e3b0ed71a55263

      SHA1

      38ce29b51fde2a8fd1d3c663c5c98d8b18b38007

      SHA256

      536f02a2008e2e11502a3a3b573b641e5b377acd0f72ab2099a89adacec2fc1d

      SHA512

      59cfd05a61703d30dd0d454ba89c4f3453943d1d9664e7f8d13886561238863d7ff6fa33a7966518420b085a72a59c407add0f29265f8fd5fefb22f0eb159b91

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\$$aA5B1.bat
      Filesize

      722B

      MD5

      a7609c91fb7d4fa4d9de48590e79bdf4

      SHA1

      ee65f4652f9bb816801d4f08f6cb5263d52886c8

      SHA256

      3590e81aa17b5ff986bfd1015fc7cc5c71299ac7e451e627211396a3fc37a288

      SHA512

      bf4514adbd3ad9ca68a094236be2ddb5a2e51c685554784c3fbbd0fdb8b5a0ffde59abe522826e67c501b17709799e5b6439dd22e400c22b3dd5fd059da8b3d3

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\6bcef1328c08c4e230768e985dacc9eac0e4bd4c31737f6f0bca4707a2b30088.exe.exe
      Filesize

      23KB

      MD5

      3f9dbfee668294872ef01b90740b01d0

      SHA1

      99a4702b65485cd14736b1c2cdfb81b455dda01c

      SHA256

      40b32fea1fcadcb2db369475e2bba58b0b83f5c3bb647e2e63877726c35a9f86

      SHA512

      0113cec160d97ea0cce70860cc5b79b502d16191ee237a3abb84309499be193aa0127dbcb41fc05a90fa61484b061ec4332ad29a918db598e32fe832b74bd1e3

      Download Submit

    • C:\Windows\Logo1_.exe
      Filesize

      33KB

      MD5

      e66ec81a55072abc67e5c48adc2f771c

      SHA1

      b7b45b11de92fafe2ccd0c5a0a1a1d24991eba5a

      SHA256

      6a9fa6177b7f71bfa63a0274a9832d18bfecbdc663bf23e1580203a5456b8a90

      SHA512

      097f9f98618b195a7af7814e7eddba5ce1c25bd3a0d7818e79b4dfda1d6d20b08b0f28dec64278015a62fd5a3bf7495ae2d65ccfa1c48fc7a30a6eb3d9cd8287

      Download Submit

    • F:\$RECYCLE.BIN\S-1-5-21-1385883288-3042840365-2734249351-1000\_desktop.ini
      Filesize

      9B

      MD5

      c20162cff0e529974834e150d7e6691f

      SHA1

      512e9821581354bd8078227ddf386b17e771ff38

      SHA256

      82f2070eb6138ab12ec2a1f0c3ca7b3b97db75cc19a5076ed382b017f309bdd6

      SHA512

      c2c414232ac5fc3d7ff195523c49610795d0ea4d95c69748ef9ddd4a42203ace52a7da8594cb20102743a21b6eb5bd9e7ee5915513a9c11a0db319323538d744

      Download Submit

    • memory/1196-30-0x00000000025F0000-0x00000000025F1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2348-34-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

      Download

    • memory/2348-17-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

      Download

    • memory/2348-3306-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

      Download

    • memory/2348-4152-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

      Download

    • memory/2380-35-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

      Download

    • memory/2380-0-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

      Download

    • memory/2380-16-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

      Download