Analysis

  • max time kernel
    149s
  • max time network
    104s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    29-08-2024 09:11

General

  • Target
    9faf05832806269072a3a2511e4568f8d83d5b93b74075a19bef670e0fabaef6.exe
  • Size
    164KB
  • MD5
    8ec91fc6bf847cf20018483ae9a62497
  • SHA1
    2dfb3d334833d3a7ca2025e37746e38f6e3e4fe8
  • SHA256
    9faf05832806269072a3a2511e4568f8d83d5b93b74075a19bef670e0fabaef6
  • SHA512
    4049d932563c5b75733bca3c6a6c087b8128e3d666c98a2e63a062fed624abaaaca2c905c05e424604dc626d6e371697d13d00e1bf2f4437f2f2417019c18299
  • SSDEEP
    3072:BGhfZ4ZHUI899djmMGWBgh1002J8emEu3T7TO+9Z9sTOVrZzxVxU:ohMHyYWBW1Wu3rOOuOVr8

Malware Config

Signatures

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3548
      • C:\Users\Admin\AppData\Local\Temp\9faf05832806269072a3a2511e4568f8d83d5b93b74075a19bef670e0fabaef6.exe
        "C:\Users\Admin\AppData\Local\Temp\9faf05832806269072a3a2511e4568f8d83d5b93b74075a19bef670e0fabaef6.exe"
        2⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1408
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:740
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:3172
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8935.bat
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2004
          • C:\Users\Admin\AppData\Local\Temp\9faf05832806269072a3a2511e4568f8d83d5b93b74075a19bef670e0fabaef6.exe
            "C:\Users\Admin\AppData\Local\Temp\9faf05832806269072a3a2511e4568f8d83d5b93b74075a19bef670e0fabaef6.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:2540
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Drops startup file
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:1840
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2968
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:4752
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:4488
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:4864

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe
      Filesize
      251KB
      MD5
      5342b57842074900a2479ecc31b0c887
      SHA1
      a059b6ed9a47faa806d7dc33f158fd014feeb526
      SHA256
      991c5be6f687a53532b633e3c33a0781ca1a7903648823e96c65b86861672f25
      SHA512
      d1c0a3aa0e9f2d421dbfea1ca50d4879b6d666dc34e0f3894d763aded3d1258472fad2bf9370de6eb3bf52c46a246425519365e0c3cade178cdfb1e377f73345

    • C:\Program Files\7-Zip\7z.exe
      Filesize
      577KB
      MD5
      b275b1350fca950358cfbc9abb0d5238
      SHA1
      c76500b05acf1788dd7ebea6a1cbcc3bed816ed2
      SHA256
      c058c96c5ea79103b1a97ed87ac8a7a298d9bb393da87158ea8aaad44c336f69
      SHA512
      d53c5411f0387dafbb0bb7c2a935952b4d37e3e766ba378d6f475b255eb0e0c7117f18d894af3f3395538526a9a9720f508abaa7b2c25eebfa2ca8c5e29b602e

    • C:\Users\Admin\AppData\Local\Temp\$$a8935.bat
      Filesize
      722B
      MD5
      45b3c7d4a7cd6b146ef6da973984ee88
      SHA1
      9dc80849d6fc9d130904f42f2c94bc0368330eea
      SHA256
      5b6e3dd615e50ac547efa7748de0592400d4d75cd3442fcc1f7ab4f258666b81
      SHA512
      0ce244b6d7de2de3893dd52475d527fa8380047c94323d29f8ae5c52762784b29a0de7f0ed325961447fe8f0e6413be08c05f1a02b0c0b6982f966a9c59a06d1

    • C:\Users\Admin\AppData\Local\Temp\9faf05832806269072a3a2511e4568f8d83d5b93b74075a19bef670e0fabaef6.exe.exe
      Filesize
      131KB
      MD5
      16438a96a8adb85472ca72da04701b29
      SHA1
      b1f5ee8bc083804de4de820255107f6541c84735
      SHA256
      9291cd97d2f1b119438f16e97ea75119f19fd959ec5414e84b337530d692e289
      SHA512
      58f659a29cb34245a261b7666b1cda4b76f2df1039f3713dda6ff5a97c33b4cc273b110d10b4131a6a5c13897efcfa9a5ef3031e0e5fb14db1adc0ac1ef25dcd

    • C:\Windows\Logo1_.exe
      Filesize
      33KB
      MD5
      9a635d7742531770203f6f2410d8a57d
      SHA1
      7b268f2e70322d4e58ef582f47a972438662357e
      SHA256
      93d3872020dc715ef5310a2ae5a00fc97f421c54150ef022383b28ce039a5211
      SHA512
      9fb2aefd4f9b9214f9b5cce5e7f604886992cf5b035c440ab0a2402497127e989b1f3200ded74679caa08b5c9c72f276ee186742ad86838e3265c26ee307963f

    • F:\$RECYCLE.BIN\S-1-5-21-656926755-4116854191-210765258-1000\_desktop.ini
      Filesize
      9B
      MD5
      9810b812fea5407a7c6a6b912eab6de9
      SHA1
      653710a103c34c6d87e85d547de48561b1579927
      SHA256
      497dc92fb09ed6740a1e704ddf5f45daf1d330f0977aaf1142604be15753e7ef
      SHA512
      a23126d1624a391a08931a8f98ec9c26bc5bbe75de0f111bcdbf17b5bbe9bc6e748ca58e52c96fb9ea80509d5ad1c90bf1d92e472b08b2532321106ba1aca2cd

    • memory/1408-0-0x0000000000400000-0x000000000043D000-memory.dmp
      Filesize
      244KB

    • memory/1408-11-0x0000000000400000-0x000000000043D000-memory.dmp
      Filesize
      244KB

    • memory/1840-8-0x0000000000400000-0x000000000043D000-memory.dmp
      Filesize
      244KB

    • memory/1840-18-0x0000000000400000-0x000000000043D000-memory.dmp
      Filesize
      244KB

    • memory/1840-3542-0x0000000000400000-0x000000000043D000-memory.dmp
      Filesize
      244KB

    • memory/1840-8793-0x0000000000400000-0x000000000043D000-memory.dmp
      Filesize
      244KB