Overview

overview

7

Static

static

3

f477eddb77...44.exe

windows7-x64

7

f477eddb77...44.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    112s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28/07/2024, 00:24

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    f477eddb776bcd22c0885df4cd9035525e0641f0b32491254b96be96d4f5f944.exe

  • Size

    99KB

  • MD5

    db68629a59c752586a2105e893d7f807

  • SHA1

    bb35be8cbb9c8f539c714a4147e4da39769310b4

  • SHA256

    f477eddb776bcd22c0885df4cd9035525e0641f0b32491254b96be96d4f5f944

  • SHA512

    e228f062370444dba1308e7c8d5165f025a73d38a6d1ca8d78b84497aa9f99a1d5766ee7831051c170ccfa569bcbdb3f7e99e32b8dcc037295ac880f7104099e

  • SSDEEP

    1536:HQae+Zk7qzUJBeLkbiT29dXkyapmebn4ddJZeY86iLflLJYEIs67rxo:HQae+aezUDbHXlLK4ddJMY86ipmns6S

Score
7/10
discoveryspywarestealer

Malware Config

Signatures

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3408
      • C:\Users\Admin\AppData\Local\Temp\f477eddb776bcd22c0885df4cd9035525e0641f0b32491254b96be96d4f5f944.exe
        "C:\Users\Admin\AppData\Local\Temp\f477eddb776bcd22c0885df4cd9035525e0641f0b32491254b96be96d4f5f944.exe"
        2⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2228
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:912
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:4204
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aA180.bat
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4552
          • C:\Users\Admin\AppData\Local\Temp\f477eddb776bcd22c0885df4cd9035525e0641f0b32491254b96be96d4f5f944.exe
            "C:\Users\Admin\AppData\Local\Temp\f477eddb776bcd22c0885df4cd9035525e0641f0b32491254b96be96d4f5f944.exe"
            4⤵
            • Executes dropped EXE
            PID:4816
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Drops startup file
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:3648
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:3284
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:4384
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:4820
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:1656

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files\7-Zip\7z.exe
            Filesize

            583KB

            MD5

            8aa20031406a157d9a93a456a0e0aed7

            SHA1

            4496609ed6c85dee1e31a45b49aa3455e691d5a0

            SHA256

            f57aa116f1956320282ba0203cfed6e35444b1998d2550955ad5a71f510862bb

            SHA512

            65360b5494581261af227d16113aa7232f781ddcb7a8b27074075001f575faf0b1c036df7d6374be4d02a57799ed1fab5ae431e348ea884c6deb80dcce45f15a

            Download Submit

          • C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
            Filesize

            649KB

            MD5

            1ad09ab121869e9bedf81b1e82331d05

            SHA1

            21270e52207071b7d304acb7d776c9abba38c15c

            SHA256

            834cd914a6bc7c3eadf3b23bacc01433aa6a32411ab547d958604a1c434518b7

            SHA512

            4b1f28d726ec031fd0350a21ea7091087ae2688818716f7add7524fdf06a07d5937a4aa53c6029d2fab093714b1b48b8032927b56e2c207158946f6c71e6646b

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\$$aA180.bat
            Filesize

            722B

            MD5

            1ed37438d5eef90aa748a229fa57d5e4

            SHA1

            8a8095529ae9c2f82520e1cfafb4c7e0b4c961eb

            SHA256

            113e8f606690a8aa001344c6338c9ff99f25e4b842b5849d792d270cbbacc77b

            SHA512

            8006c22db834b9797752a1af969498ae714f7bd4547d6c0e0e151cab81a503b5fae0961b308e6da8eb0fc87f53f3afece89c2a5a5be5e73b46952e7aff8457cd

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\f477eddb776bcd22c0885df4cd9035525e0641f0b32491254b96be96d4f5f944.exe.exe
            Filesize

            59KB

            MD5

            dfc18f7068913dde25742b856788d7ca

            SHA1

            cbaa23f782c2ddcd7c9ff024fd0b096952a2b387

            SHA256

            ff4ac75c02247000da084de006c214d3dd3583867bd3533ba788e22734c7a2bf

            SHA512

            d0c7ec1dae41a803325b51c12490c355ed779d297daa35247889950491e52427810132f0829fc7ffa3022f1a106f4e4ba78ed612223395313a6f267e9ab24945

            Download Submit

          • C:\Windows\Logo1_.exe
            Filesize

            39KB

            MD5

            0040a0ca5d99ddf58917a134d912e71d

            SHA1

            1a497605824da6f40f74a9aaa65406cbd6d3d6e3

            SHA256

            326763efe5647b45477b4c84c26464720e4ba03a6ed1084f9db4b0c017ff96bc

            SHA512

            76aedd078647935b61f32bf1cb7dc5869fcc1e5aeb8ce3fb1bd19d3ef7112959457156b64a0742685a1c792429733f5906265fcb4ddcac021aa8fab3516a63a2

            Download Submit

          • F:\$RECYCLE.BIN\S-1-5-21-1705699165-553239100-4129523827-1000\_desktop.ini
            Filesize

            9B

            MD5

            2f0334867e3b4f3fc6afab89e6c60c0a

            SHA1

            c85f48d89a0dbe33bb1bf28a7d368884324b2886

            SHA256

            9c5fba8c43690fbd1f61110096e57ed14154d1714fea48699bd35a1339a35baf

            SHA512

            ecb33a33a4301021c9977eceedbf47b567dba0b06541413c6ed19a5753eac29f5fcd7b0952535cfc3f911efe5d2827c797117b2a34640956591343690cc9e4fc

            Download Submit

          • memory/2228-10-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/2228-0-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/3648-18-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/3648-2620-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/3648-11-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/3648-8154-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/3648-8767-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download