Overview

overview

7

Static

static

3

76d79b1dfb...51.exe

windows7-x64

7

76d79b1dfb...51.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    25/08/2024, 19:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    76d79b1dfbaca0a8e2b595cb7fb54b75d76e077b7e0739a0b4980e15ef0d7a51.exe

  • Size

    76KB

  • MD5

    f2b1b656e3845bee75ad20ee6c53d713

  • SHA1

    3f339c96f4a607376589f49de5b919efee60e9b6

  • SHA256

    76d79b1dfbaca0a8e2b595cb7fb54b75d76e077b7e0739a0b4980e15ef0d7a51

  • SHA512

    dd526c0daf964762b4fd9a9a3ab502c4f6c46cb2ef44104a3a19d8764f5ede320ff6dfc2021ed9782350565798e0eae3198245c2ad596922c47ce4a11a675d88

  • SSDEEP

    1536:8qe+Zk7VJbwlYXjPrsqrZMYR5p8woriw+d9bHrkT5gUHz7FxtJ:8qe+azbRPrlr9RXForBkfkT5xHzD

Score
7/10
discoveryspywarestealer

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 43 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1228
      • C:\Users\Admin\AppData\Local\Temp\76d79b1dfbaca0a8e2b595cb7fb54b75d76e077b7e0739a0b4980e15ef0d7a51.exe
        "C:\Users\Admin\AppData\Local\Temp\76d79b1dfbaca0a8e2b595cb7fb54b75d76e077b7e0739a0b4980e15ef0d7a51.exe"
        2⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2360
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2980
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:1904
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\$$aF74A.bat
          3⤵
          • Deletes itself
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1908
          • C:\Users\Admin\AppData\Local\Temp\76d79b1dfbaca0a8e2b595cb7fb54b75d76e077b7e0739a0b4980e15ef0d7a51.exe
            "C:\Users\Admin\AppData\Local\Temp\76d79b1dfbaca0a8e2b595cb7fb54b75d76e077b7e0739a0b4980e15ef0d7a51.exe"
            4⤵
            • Executes dropped EXE
            PID:2680
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Drops startup file
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2080
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2796
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:1832
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2572
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2792

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
      Filesize

      264KB

      MD5

      aa99ad5fe8a2b939318f3e1873aa02dc

      SHA1

      49dec0ae7662e85e9b777b1017679c6121184e93

      SHA256

      609dd5638f19f0e0ce368aeba3fe47519e257629bbcb3b67cb67d49a28d7d936

      SHA512

      8905e379f79821856324aa34e339e0a0f5ff412ca49e66c88973d16a34ca9d4afd008e33ef0398fa242f622f26db8c57162df03e1afb550ce7d14f66dfc333b0

      Download Submit

    • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
      Filesize

      484KB

      MD5

      a803cec17e97a23f06f00bad17aa1236

      SHA1

      7a5c9795e740bbf318d745de0eb80adb7d74538d

      SHA256

      2846d29686b5eef885188d8c5dc0ff71e19a25d497490f99f99e837959a7b7ff

      SHA512

      ca0b62858ee4af691cd9dfa6c9325d4dbe1e2dd232c8f30e24156dc9560211666724e41e305467475760b80bdbed429887e2032191147c60504fb04e512ca620

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\$$aF74A.bat
      Filesize

      722B

      MD5

      17cf56e8377651d7e78126415afa7ea2

      SHA1

      e1cc7601aa530b2b98f9bcd89cb9d37d45591d67

      SHA256

      3f9bad6161f1962fa58deb8ffc7f930ed3ef1e0ec0d07233e71cbed3dd3362c4

      SHA512

      0be916d7ac2db918767d5fbc460c549b67c5b8d10ba1fb5ea33cdc956d6fe0c9dee4e617a417c0884cf112f31bca8fb38724e9cbff7016fe73e9bdee771f6f6f

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\76d79b1dfbaca0a8e2b595cb7fb54b75d76e077b7e0739a0b4980e15ef0d7a51.exe.exe
      Filesize

      36KB

      MD5

      9f498971cbe636662f3d210747d619e1

      SHA1

      44b8e2732fa1e2f204fc70eaa1cb406616250085

      SHA256

      8adf6748981c3e7b62f5dbca992be6675574fffbce7673743f2d7fe787d56a41

      SHA512

      b73083c2f7b028d2946cb8f7b4fe2289fedaa4175364a2aac37db0aeff4602aede772ccc9eba7e6dcfcb7276e52604ca45d8021952201b5834485b48bca3dc93

      Download Submit

    • C:\Windows\Logo1_.exe
      Filesize

      39KB

      MD5

      d4eeafda355594ec7fccedaa6cb68270

      SHA1

      1376a572250d20841240fc84733d056151d11f4d

      SHA256

      4205b5468c6f7af8e0497cfd38211cae138276362c6cdfa658881183be976eed

      SHA512

      5b309b38b2856784391cf3eec3e5f90d6c724bd7d675b51de4bd08f663ae1f6d7b5777b1309094b845a1538238f8dada511fb70a485c879184d12dd566d1c2e0

      Download Submit

    • F:\$RECYCLE.BIN\S-1-5-21-3551809350-4263495960-1443967649-1000\_desktop.ini
      Filesize

      9B

      MD5

      3b9738054ccca70c6388d7fff8327e1b

      SHA1

      6b4aad0674395fcb7f9b753812caaa48526909e0

      SHA256

      246c7ef25b50a6cf45e8608f299c75061cc26b42adbd8de22d9fb18d6454bdc1

      SHA512

      5f1cbd94fdfebec10186820b244fdc6922e177f8de4c049b3544ab101ace859f7ee2915635d5dc91b8e0cc8adca9a9388f7009a72b6ca2a3d35da4a6c923d8ca

      Download Submit

    • memory/1228-28-0x0000000002AF0000-0x0000000002AF1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2080-32-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

      Download

    • memory/2080-3002-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

      Download

    • memory/2080-19-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

      Download

    • memory/2080-4152-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

      Download

    • memory/2360-17-0x00000000002E0000-0x000000000031D000-memory.dmp

      Filesize

      244KB

      Download

    • memory/2360-0-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

      Download

    • memory/2360-18-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

      Download