Overview

overview

7

Static

static

3

08a50a2765...21.exe

windows7-x64

7

08a50a2765...21.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    03-09-2024 19:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    08a50a2765e00967dfee200266da665fcd91a670f03b7320240c155c9c4a5d21.exe

  • Size

    3.5MB

  • MD5

    da09890d7cf85c7e72c321b7795437a8

  • SHA1

    d1125d307bbc58c04ce931cdfa83c2f3ba1e69b5

  • SHA256

    08a50a2765e00967dfee200266da665fcd91a670f03b7320240c155c9c4a5d21

  • SHA512

    52a288f5e4480c7bf32c0493439c60696f731a456b7b7fd00584112275cf7f71c79ba04b4138c5feee759d3a1ef21f57e5bd9c72bdbc129aacdb9816d3dd9900

  • SSDEEP

    49152:vBC5tzuM0S2S5mLFEuVebedv9uNBb8AftK9qrO1LS9RhSq15vTNuHv/QXd9CQxMo:vkCFk/fUqrOiOc5z

Score
7/10
discoveryspywarestealer

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 6 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 43 IoCs
  • Suspicious use of WriteProcessMemory 41 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1200
      • C:\Users\Admin\AppData\Local\Temp\08a50a2765e00967dfee200266da665fcd91a670f03b7320240c155c9c4a5d21.exe
        "C:\Users\Admin\AppData\Local\Temp\08a50a2765e00967dfee200266da665fcd91a670f03b7320240c155c9c4a5d21.exe"
        2⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2648
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2660
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:2704
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\$$a142C.bat
          3⤵
          • Deletes itself
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1268
          • C:\Users\Admin\AppData\Local\Temp\08a50a2765e00967dfee200266da665fcd91a670f03b7320240c155c9c4a5d21.exe
            "C:\Users\Admin\AppData\Local\Temp\08a50a2765e00967dfee200266da665fcd91a670f03b7320240c155c9c4a5d21.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:2552
            • C:\Windows\system32\WerFault.exe
              C:\Windows\system32\WerFault.exe -u -p 2552 -s 128
              5⤵
              • Loads dropped DLL
              PID:2568
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Drops startup file
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2796
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2808
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:1056
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:3008
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2056

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
      Filesize

      258KB

      MD5

      73e7e4d64d7a01f7e8df598641540111

      SHA1

      8104ed53131db904b94106abb83ffcb9693dffbc

      SHA256

      335e21eff92c60c2aaad42dbca6076e20ac1de9d8ed5fab0ccec6775a668270c

      SHA512

      839540049b9d4eb31d9681a1cda73e6d5f4c608c27e1efaead55dc80fde9963d473bce2ca8f72a7e753042c1fe60934af9fe7b1c1c40fd864c5bc7e9ce8d2598

      Download Submit

    • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
      Filesize

      478KB

      MD5

      cca83bbf5782b69f2b55fb941c4d5b14

      SHA1

      db61bf16b63cf2f336089100add5e608eba10614

      SHA256

      462539b52a7f88960d280083fc7b25639e97e860b329c7ebd3ed356254a0079a

      SHA512

      a0833fdc5a6611f8b81b0265da1d6802245535c3246342252c3bba3680c9b3f0a0c916ba02b3ab26faaa5c4db1c88a8d9ba9e4bebd4be06de095c82adc857e3b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\$$a142C.bat
      Filesize

      722B

      MD5

      e71cb88feb145c759a031c0279a02911

      SHA1

      7e2acff5a65a38158ef0d8c4527a8c0d03ffd674

      SHA256

      3b310db9e192940c42417fb16af6c82af35f035600f0d2e3a5ec18759ab39c07

      SHA512

      82c6c58e734a35cb79800458ecb1d8d931a4488f930da123bb0e000c7156e498868d6083d4fe2e58acd8a512babe5974a202bf5bec98dd75f3fc115137215759

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\08a50a2765e00967dfee200266da665fcd91a670f03b7320240c155c9c4a5d21.exe.exe
      Filesize

      3.4MB

      MD5

      cd53c61345139dd549495633c7195a9d

      SHA1

      2f2ea5f17f724e08f2d965e591b61e0daf310487

      SHA256

      2b2538d62a3d95caa1eaaf402dda55e9b0dc66e5a0b8f6c8fd3042550e48d56d

      SHA512

      006ea7fc9f7cb6b7312c4431ba631a528654bc5c111561cb884b165176dc70dccbb7d72e132b38ce599156df6ffa31476b69fe6dd095a3fef2f93b7ef5208124

      Download Submit

    • C:\Windows\Logo1_.exe
      Filesize

      33KB

      MD5

      7e619692b53866243cf3f4bcd669d555

      SHA1

      5a8429b110acd43c0ddb3f101eac0bf55afb402b

      SHA256

      d33a86247c1731fc2f4acd320bd281542e708ae43ffdb05ee62a89f50bf034ff

      SHA512

      e7d65a2f4fa9e54b2f3445cc3c51d2e442e42ea1132b77c8fe0abf67052eb75a32414e02b10cd172e62b84996898c7dffa1e88496a1b5441dd3fb5059a320421

      Download Submit

    • F:\$RECYCLE.BIN\S-1-5-21-1846800975-3917212583-2893086201-1000\_desktop.ini
      Filesize

      8B

      MD5

      5894100cc85ef83f995c15a4d7fce813

      SHA1

      55d61ce36a76e549348eff08abae3e32e96b8123

      SHA256

      4912abab5bf4a890230f6c060bcae7827f96d9ffcf6025852967b53a65fc315d

      SHA512

      248346b25ea49cbaaa8bbd25f2fb26ad59c3f1ba650efd4e9eda9b32d1e918292bab3e5f1b19d92543d416cfe9d8a0b49d09f1eebcdca085a031e8238d461655

      Download Submit

    • memory/1200-33-0x0000000002600000-0x0000000002601000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2648-16-0x0000000000230000-0x000000000026F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2648-19-0x0000000000400000-0x000000000043F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2648-0-0x0000000000400000-0x000000000043F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2648-15-0x0000000000230000-0x000000000026F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2796-36-0x0000000000400000-0x000000000043F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2796-2691-0x0000000000400000-0x000000000043F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2796-4194-0x0000000000400000-0x000000000043F000-memory.dmp

      Filesize

      252KB

      Download