Analysis

  • max time kernel
    149s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    24-08-2024 07:07

General

  • Target

    38a1b6d3450929d69d2191e21d2f62f29e30a28f99e561121f8ca9b0cf299e56.exe

  • Size

    70KB

  • MD5

    c758781ba663c7e3085b8199ffbf73f6

  • SHA1

    5d6eb6a4b7e17a1c9e736d332e1d8a9ea2859bb4

  • SHA256

    38a1b6d3450929d69d2191e21d2f62f29e30a28f99e561121f8ca9b0cf299e56

  • SHA512

    2b97b8671d36ecc074af9be048242f6dd206df0f48abe6dbdb017f5e2377eaaabeb66aaf7c5d43e152ba9937e777927e4ac40192bd03cab440a3ad0e724b8ac3

  • SSDEEP

    1536:/BqQesrz8VuJlMXaDuiN3riw+d9bHrkT5gUHz7FxtJ:/Bqi8ulMXaK4rBkfkT5xHzD

Malware Config

Signatures

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3452
      • C:\Users\Admin\AppData\Local\Temp\38a1b6d3450929d69d2191e21d2f62f29e30a28f99e561121f8ca9b0cf299e56.exe
        "C:\Users\Admin\AppData\Local\Temp\38a1b6d3450929d69d2191e21d2f62f29e30a28f99e561121f8ca9b0cf299e56.exe"
        2⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:5064
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4748
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:4356
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aAD86.bat
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3016
          • C:\Users\Admin\AppData\Local\Temp\38a1b6d3450929d69d2191e21d2f62f29e30a28f99e561121f8ca9b0cf299e56.exe
            "C:\Users\Admin\AppData\Local\Temp\38a1b6d3450929d69d2191e21d2f62f29e30a28f99e561121f8ca9b0cf299e56.exe"
            4⤵
            • Executes dropped EXE
            PID:816
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Drops startup file
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:3828
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:3692
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:3020
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:1556
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:864

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe

      Filesize

      251KB

      MD5

      c8b196f5407ab63d8caf057e262a457b

      SHA1

      ce37375275204b5534bc8935435ae8e74d2c42e1

      SHA256

      17e8f6a079b4b85c7f5e744ad48d598978d673670864e23436837ebe06d5d30a

      SHA512

      ba07061e56bc827893ec47e7ca95a0fa0779fb26b2cb99fb4a990cd2e30fb90bc1c4ea9c720f8005315ceb3093aa5c405778c758ebb19e04e1d4cc7a5c58fa9e

    • C:\Program Files\7-Zip\7z.exe

      Filesize

      577KB

      MD5

      e984536bfaf228a84e366f9e49733bd2

      SHA1

      515f06c205395a2f01dd4181d33314d0a37b3657

      SHA256

      19a7705d8e52b47a0ebbdb431b82829c31a862f30e0779861f032c13a5fa9a56

      SHA512

      6e344bd6f727aac64c0e4e0878d7a5b750880fdeb8c4ef9c2e78cadf82d6cea703037108f74b141af46680eefdcbbec0172da15d5c815d23cba2234a94798f64

    • C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe

      Filesize

      644KB

      MD5

      f9bda517f882e3c2636d44cfa30c8ef0

      SHA1

      06822afcd175307e76db635fa14c80b4708458ba

      SHA256

      cb3149e29fc3c22b6ed7a427146780eb251e10b54153139535f6999b33037de8

      SHA512

      e6c867020f86944f79cb768de9a01c60c36bbbf2937cf8cecb096ad578d06a2a37a3976665f2063da1e3e3be62ff26b520abe26d442e084e0b496d5ab08e1050

    • C:\Users\Admin\AppData\Local\Temp\$$aAD86.bat

      Filesize

      722B

      MD5

      a17cac9b6df5a88a5fcbb7b6bb0d5f5f

      SHA1

      44fae96cb6a32f77312be453e7ebe3f2914e819a

      SHA256

      f7b940656a35856118853e2eef62c8b78dddb0aa132d2f1da3462dc63f6b98f0

      SHA512

      616837948beaf0f9556f408b7d4cb6368ee8a73f3850e7f6b08c94a99af474505f2ff353d145e0ee5a57525fd6cfe4303c8541a34cb436eb5600a4c8652874f4

    • C:\Users\Admin\AppData\Local\Temp\38a1b6d3450929d69d2191e21d2f62f29e30a28f99e561121f8ca9b0cf299e56.exe.exe

      Filesize

      36KB

      MD5

      9f498971cbe636662f3d210747d619e1

      SHA1

      44b8e2732fa1e2f204fc70eaa1cb406616250085

      SHA256

      8adf6748981c3e7b62f5dbca992be6675574fffbce7673743f2d7fe787d56a41

      SHA512

      b73083c2f7b028d2946cb8f7b4fe2289fedaa4175364a2aac37db0aeff4602aede772ccc9eba7e6dcfcb7276e52604ca45d8021952201b5834485b48bca3dc93

    • C:\Windows\Logo1_.exe

      Filesize

      33KB

      MD5

      63f3782c5c4e2474a184e3891df996ad

      SHA1

      727fa46bfd850377a4e53d9440aca6d573ad62a9

      SHA256

      025c4d9b205d7003c44303a47e8bdb7f4b2a50ff1e02d7d28be74f5371059e92

      SHA512

      ec501796a81c1f1f059e9e3f7882f184a9cf01af622f573f55c6ef4c1b3318a818aa93ebc8ecf358a948c39028957360588909255636ae296b6602bd8ba92329

    • F:\$RECYCLE.BIN\S-1-5-21-1302416131-1437503476-2806442725-1000\_desktop.ini

      Filesize

      9B

      MD5

      ee6da0916e43a13c40e1dec936bccc09

      SHA1

      3c41c332d37b563dad6d1c8ccec540428eae35f9

      SHA256

      0259d8b67e15053053cf5d982948c58d2c6121d2f86b7aefa7c7948979c6e28c

      SHA512

      b70fefd584ad9b4f8c71125a4be5e157cdcbccec18c7f64d235d10c98d4c6005b9c8b6261221211b48f5ceec417792d34750b488f0e2a33dfd702e0094f625a7

    • memory/3828-18-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB

    • memory/3828-2674-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB

    • memory/3828-9-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB

    • memory/3828-8820-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB

    • memory/5064-0-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB

    • memory/5064-10-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB