Analysis

  • max time kernel
    149s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
  • submitted
    28/07/2024, 00:24

General

  • Target
    f477eddb776bcd22c0885df4cd9035525e0641f0b32491254b96be96d4f5f944.exe
  • Size
    99KB
  • MD5
    db68629a59c752586a2105e893d7f807
  • SHA1
    bb35be8cbb9c8f539c714a4147e4da39769310b4
  • SHA256
    f477eddb776bcd22c0885df4cd9035525e0641f0b32491254b96be96d4f5f944
  • SHA512
    e228f062370444dba1308e7c8d5165f025a73d38a6d1ca8d78b84497aa9f99a1d5766ee7831051c170ccfa569bcbdb3f7e99e32b8dcc037295ac880f7104099e
  • SSDEEP
    1536:HQae+Zk7qzUJBeLkbiT29dXkyapmebn4ddJZeY86iLflLJYEIs67rxo:HQae+aezUDbHXlLK4ddJMY86ipmns6S

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 43 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1216
      • C:\Users\Admin\AppData\Local\Temp\f477eddb776bcd22c0885df4cd9035525e0641f0b32491254b96be96d4f5f944.exe
        "C:\Users\Admin\AppData\Local\Temp\f477eddb776bcd22c0885df4cd9035525e0641f0b32491254b96be96d4f5f944.exe"
        2⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2772
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2792
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:2728
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\$$a6F85.bat
          3⤵
          • Deletes itself
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2732
          • C:\Users\Admin\AppData\Local\Temp\f477eddb776bcd22c0885df4cd9035525e0641f0b32491254b96be96d4f5f944.exe
            "C:\Users\Admin\AppData\Local\Temp\f477eddb776bcd22c0885df4cd9035525e0641f0b32491254b96be96d4f5f944.exe"
            4⤵
            • Executes dropped EXE
            PID:2644
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Drops startup file
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2596
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2796
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2636
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2972
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2108

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
    Filesize
    484KB
    MD5
    7b714d463f7db900d5b6e757778a8ab8
    SHA1
    2cfc0e9f54236af8e10b0bfa551d87a20982b733
    SHA256
    c995370836939a29853611830ca08d437286d4f45603edce88f36aa1f99a0d97
    SHA512
    e8fe8823b5b7f282c24c964cbf4f248b7562259a13410bf95997288727f9bfc6ea51c4aa40182b649a2235bafc02062e0c57f4f62876b5174395071a8d68f9bb
  • C:\Users\Admin\AppData\Local\Temp\$$a6F85.bat
    Filesize
    722B
    MD5
    14cc21491be4146e3d5b4d8844bf5ba2
    SHA1
    e7f4b0e8c3f38d0bdf696a86258382e1f751ca51
    SHA256
    bc08bb20d87461f66708e017662de7b9f701cfd928334b41b613674417b88fc1
    SHA512
    f1f6639952bf267716e17bb0e2bdebe7534991b5e933db58cee577dbabbfd3dc27a21eb7e12469afc65143d00cd06bda811b7bed532e6bc57a687722801f2398
  • C:\Users\Admin\AppData\Local\Temp\f477eddb776bcd22c0885df4cd9035525e0641f0b32491254b96be96d4f5f944.exe.exe
    Filesize
    59KB
    MD5
    dfc18f7068913dde25742b856788d7ca
    SHA1
    cbaa23f782c2ddcd7c9ff024fd0b096952a2b387
    SHA256
    ff4ac75c02247000da084de006c214d3dd3583867bd3533ba788e22734c7a2bf
    SHA512
    d0c7ec1dae41a803325b51c12490c355ed779d297daa35247889950491e52427810132f0829fc7ffa3022f1a106f4e4ba78ed612223395313a6f267e9ab24945
  • C:\Windows\Logo1_.exe
    Filesize
    39KB
    MD5
    0040a0ca5d99ddf58917a134d912e71d
    SHA1
    1a497605824da6f40f74a9aaa65406cbd6d3d6e3
    SHA256
    326763efe5647b45477b4c84c26464720e4ba03a6ed1084f9db4b0c017ff96bc
    SHA512
    76aedd078647935b61f32bf1cb7dc5869fcc1e5aeb8ce3fb1bd19d3ef7112959457156b64a0742685a1c792429733f5906265fcb4ddcac021aa8fab3516a63a2
  • F:\$RECYCLE.BIN\S-1-5-21-3502430532-24693940-2469786940-1000\_desktop.ini
    Filesize
    9B
    MD5
    2f0334867e3b4f3fc6afab89e6c60c0a
    SHA1
    c85f48d89a0dbe33bb1bf28a7d368884324b2886
    SHA256
    9c5fba8c43690fbd1f61110096e57ed14154d1714fea48699bd35a1339a35baf
    SHA512
    ecb33a33a4301021c9977eceedbf47b567dba0b06541413c6ed19a5753eac29f5fcd7b0952535cfc3f911efe5d2827c797117b2a34640956591343690cc9e4fc
  • memory/1216-29-0x0000000002DF0000-0x0000000002DF1000-memory.dmp
    Filesize
    4KB
  • memory/2596-4192-0x0000000000400000-0x000000000043D000-memory.dmp
    Filesize
    244KB
  • memory/2596-18-0x0000000000400000-0x000000000043D000-memory.dmp
    Filesize
    244KB
  • memory/2596-2681-0x0000000000400000-0x000000000043D000-memory.dmp
    Filesize
    244KB
  • memory/2596-32-0x0000000000400000-0x000000000043D000-memory.dmp
    Filesize
    244KB
  • memory/2772-21-0x0000000000400000-0x000000000043D000-memory.dmp
    Filesize
    244KB
  • memory/2772-16-0x0000000000270000-0x00000000002AD000-memory.dmp
    Filesize
    244KB
  • memory/2772-17-0x0000000000270000-0x00000000002AD000-memory.dmp
    Filesize
    244KB
  • memory/2772-0-0x0000000000400000-0x000000000043D000-memory.dmp
    Filesize
    244KB