Analysis

  • max time kernel
    149s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64
    arch:x86
    image:win7-20240708-en
    locale:en-us
    os:windows7-x64
    system
  • submitted
    05-09-2024 08:02

General

  • Target

    8a92143c99d99fbacba72dafafb4a587c6b0f813e3277dca1a06121ef0efb676.exe

  • Size

    577KB

  • MD5

    4ced7bc7e35525db2bf7cc17ebed5be0

  • SHA1

    1297a9744f3cebfe6c29e1082c609780f611159f

  • SHA256

    8a92143c99d99fbacba72dafafb4a587c6b0f813e3277dca1a06121ef0efb676

  • SHA512

    d85610a5bfb9d0efaa094dfed1aaacbdc9680be56f0a562a1a56a3bf9b7cf26796a32d4804c6f8f566b7cb24ae3b6a7c3ac2aacf28615aae7b8559844474301e

  • SSDEEP

    6144:5hMHhE7cV3iwbAFRWAbd4nf0H05yqE6Hl0ChW0+ksllAXBu0lWGWUJJQ4t0BHQQG:5hMHy7a3iwbihym2g7XO3LWUQfh4Co

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive profile data.

  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 43 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1200
      • C:\Users\Admin\AppData\Local\Temp\8a92143c99d99fbacba72dafafb4a587c6b0f813e3277dca1a06121ef0efb676.exe
        "C:\Users\Admin\AppData\Local\Temp\8a92143c99d99fbacba72dafafb4a587c6b0f813e3277dca1a06121ef0efb676.exe"
        2⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2852
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2812
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:2464
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\$$a6A28.bat
          3⤵
          • Deletes itself
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2716
          • C:\Users\Admin\AppData\Local\Temp\8a92143c99d99fbacba72dafafb4a587c6b0f813e3277dca1a06121ef0efb676.exe
            "C:\Users\Admin\AppData\Local\Temp\8a92143c99d99fbacba72dafafb4a587c6b0f813e3277dca1a06121ef0efb676.exe"
            4⤵
            • Executes dropped EXE
            PID:2620
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Drops startup file
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2628
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2656
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2672
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:532
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:768
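The process tree above is a compact behaviour chain: the sample drops Logo1_.exe into C:\Windows, launches it, both copies run `net stop "Kingsoft AntiVirus Service"` (net.exe hands the request to net1.exe), a `$$xxxx.bat` in the user's Temp directory relaunches the sample and deletes the original, and Logo1_.exe then writes into Program Files and onto the non-system F: drive. The script below is an added detection example, not part of the sandbox report or its tooling: it runs six rules over constructed process-creation and file-write events modelled on this tree and attaches the parent chain to each finding so the Logo1_.exe-spawned net.exe is distinguishable from the first one. The event schema, the regexes and the allow-list of legitimate executables living directly in C:\Windows are assumptions of the example.

```python
import re

# Names taken from the report above; everything else in this file is constructed.
SAMPLE = "8a92143c99d99fbacba72dafafb4a587c6b0f813e3277dca1a06121ef0efb676.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE_PATH = TEMP + "\\" + SAMPLE
BAT_PATH = TEMP + "\\$$a6A28.bat"
NET_STOP = 'net stop "Kingsoft AntiVirus Service"'

# Constructed process-creation ("proc") and file-write ("file") events modelled on
# the process tree and dropped-file list in the report. The field names are an
# assumed, Sysmon-like schema, not the sandbox's own format.
EVENTS = [
    {"type": "proc", "pid": 1200, "ppid": 0, "image": r"C:\Windows\Explorer.EXE", "cmdline": "Explorer.EXE"},
    {"type": "proc", "pid": 2852, "ppid": 1200, "image": SAMPLE_PATH, "cmdline": f'"{SAMPLE_PATH}"'},
    {"type": "file", "pid": 2852, "path": r"C:\Windows\Logo1_.exe"},
    {"type": "file", "pid": 2852, "path": BAT_PATH},
    {"type": "proc", "pid": 2812, "ppid": 2852, "image": r"C:\Windows\SysWOW64\net.exe", "cmdline": NET_STOP},
    {"type": "proc", "pid": 2464, "ppid": 2812, "image": r"C:\Windows\SysWOW64\net1.exe",
     "cmdline": r'C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"'},
    {"type": "proc", "pid": 2716, "ppid": 2852, "image": r"C:\Windows\SysWOW64\cmd.exe", "cmdline": "cmd /c " + BAT_PATH},
    {"type": "proc", "pid": 2620, "ppid": 2716, "image": SAMPLE_PATH, "cmdline": f'"{SAMPLE_PATH}"'},
    {"type": "proc", "pid": 2628, "ppid": 2852, "image": r"C:\Windows\Logo1_.exe", "cmdline": r"C:\Windows\Logo1_.exe"},
    {"type": "proc", "pid": 2656, "ppid": 2628, "image": r"C:\Windows\SysWOW64\net.exe", "cmdline": NET_STOP},
    {"type": "proc", "pid": 532, "ppid": 2628, "image": r"C:\Windows\SysWOW64\net.exe", "cmdline": NET_STOP},
    {"type": "file", "pid": 2628, "path": r"C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe"},
    {"type": "file", "pid": 2628, "path": r"F:\$RECYCLE.BIN\S-1-5-21-1506706701-1246725540-2219210854-1000\_desktop.ini"},
]

# Rule patterns (assumptions of this example, tuned to the behaviour in the report).
AV_SERVICE_RE = re.compile(r'\bstop\s+"?[^"]*(anti.?virus|defender|security|protect)', re.I)
TEMP_BAT_RE = re.compile(r'/c\s+"?[^"]*\\temp\\\$\$\w+\.bat', re.I)          # cmd /c ...\Temp\$$xxxx.bat
WINDOWS_ROOT_EXE_RE = re.compile(r'^c:\\windows\\[^\\]+\.exe$', re.I)          # an .exe directly in C:\Windows
PROGRAM_FILES_EXE_RE = re.compile(r'^c:\\program files( \(x86\))?\\.*\.exe$', re.I)
FOREIGN_RECYCLE_RE = re.compile(r'^[d-z]:\\\$recycle\.bin\\s-1-5-21-[\d-]+\\_desktop\.ini$', re.I)
# Partial, assumed list of binaries that legitimately live in the root of C:\Windows;
# build the real one from a golden image rather than trusting this list.
WINDOWS_ROOT_ALLOWLIST = {"explorer.exe", "regedit.exe", "notepad.exe", "hh.exe", "write.exe",
                          "winhlp32.exe", "bfsvc.exe", "splwow64.exe", "helppane.exe", "fveupdate.exe"}


def _name(path):
    """Basename of a Windows path (os.path.basename does not split on '\\' on Linux)."""
    return path.rsplit("\\", 1)[-1]


def lineage(events, pid):
    """Image names from pid up to the root of the recorded tree, child first."""
    procs = {e["pid"]: e for e in events if e["type"] == "proc"}
    chain = []
    while pid in procs:
        chain.append(_name(procs[pid]["image"]))
        pid = procs[pid]["ppid"]
    return chain


def detect(events):
    """Apply the rules and return one finding per matching event, with its parent chain."""
    findings = []

    def hit(rule, e, detail):
        findings.append({"rule": rule, "pid": e["pid"], "detail": detail,
                         "lineage": " <- ".join(lineage(events, e["pid"]))})

    for e in events:
        if e["type"] == "proc":
            name = _name(e["image"]).lower()
            # net1.exe is the child net.exe always spawns; matching only net.exe avoids duplicate alerts.
            if name == "net.exe" and AV_SERVICE_RE.search(e["cmdline"]):
                hit("av_service_stop", e, e["cmdline"])
            if name == "cmd.exe" and TEMP_BAT_RE.search(e["cmdline"]):
                hit("temp_bat_launch", e, e["cmdline"])
            if WINDOWS_ROOT_EXE_RE.match(e["image"]) and name not in WINDOWS_ROOT_ALLOWLIST:
                hit("exec_from_windows_root", e, e["image"])
        elif e["type"] == "file":
            p = e["path"]
            if WINDOWS_ROOT_EXE_RE.match(p) and _name(p).lower() not in WINDOWS_ROOT_ALLOWLIST:
                hit("write_to_windows_root", e, p)
            if PROGRAM_FILES_EXE_RE.match(p):
                hit("exe_write_program_files", e, p)
            if FOREIGN_RECYCLE_RE.match(p):
                hit("foreign_drive_recycle_bin", e, p)
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f"{f['rule']:28} pid={f['pid']:<5} {f['detail']}\n{'':29}chain: {f['lineage']}")
```

Run as-is, the script reports eight findings: three `av_service_stop` hits (PIDs 2812, 2656 and 532, the last two with Logo1_.exe in their chain), the batch-file launch by PID 2716, Logo1_.exe both being written to and executed from the root of C:\Windows, the executable overwrite under Program Files, and the `_desktop.ini` write into F:\$RECYCLE.BIN. The parent chain is what makes the second and third `net stop` worth escalating over the first: they show the dropped file, not just the original sample, is already tampering with the AV service.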

    Network

    MITRE ATT&CK Enterprise v15


    Downloads

    • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

      Filesize

      258KB

      MD5

      7937a2a4f2851c48e2aa1fd50631089a

      SHA1

      83606e314170ee096176769b6479e009910503ea

      SHA256

      9cb1b2aa8adb57705a0464d1432b21c732bb527cc3a286611067c682b0f7b911

      SHA512

      ed5373cce1d58ca01354be93e7a71da3ac5b5f247a789d9669824dd119b967050592392f50c9f216200a06b1029a4a68d6d58764d3ce27ac4c21665964f66d21

    • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

      Filesize

      478KB

      MD5

      6028470621a870e37ea49499b4044df3

      SHA1

      90f86d2b21cd3b2d2940c3b0066fd46680c4ff62

      SHA256

      8a4b651cc3b85bcec5f000ebba490795941af94b8680dd4876d35153d3242e18

      SHA512

      21927cbfb83b5e0b90c2baadba1bf845bee1e3a733447adedd29b143e1defadc79443661f0686a5d2549310dee27c1c3e442f3e22981d0b808436380655601a2

    • C:\Users\Admin\AppData\Local\Temp\$$a6A28.bat

      Filesize

      722B

      MD5

      5fa7bd1cf301d951d6bf7b37e70323f7

      SHA1

      78ee6bb62458d9bb6c15a24d94e3660e7fe181a5

      SHA256

      500786b4ba8b7d25c47edc05303bc6aad985f19124597a111884f8edea8fe939

      SHA512

      e31bd156eb2784acaf0b6f3ebf3a6aa77720e6d0b8950bdb2eb4300e1fa38cb4e3909d65a2920a5eb1526d9b797c1afba2a0ad7a8b9f2bd88e2e13263bb3510b

    • C:\Users\Admin\AppData\Local\Temp\8a92143c99d99fbacba72dafafb4a587c6b0f813e3277dca1a06121ef0efb676.exe.exe

      Filesize

      544KB

      MD5

      9a1dd1d96481d61934dcc2d568971d06

      SHA1

      f136ef9bf8bd2fc753292fb5b7cf173a22675fb3

      SHA256

      8cebb25e240db3b6986fcaed6bc0b900fa09dad763a56fb71273529266c5c525

      SHA512

      7ac1581f8a29e778ba1a1220670796c47fa5b838417f8f635e2cb1998a01515cff3ee57045dacb78a8ec70d43754b970743aba600379fe6d9481958d32d8a5aa

    • C:\Windows\Logo1_.exe

      Filesize

      33KB

      MD5

      7545e61bb76fb6c2f40eeabad162f2ec

      SHA1

      3e6a732284eec6e192ebbab1b42ee5da4b1d1c73

      SHA256

      e5ba33bfc16d228f5085a2d3ac4851ea8bb0655a921192f7e7f62957e1e3ac00

      SHA512

      012bc9b4841236f0a3173987a1972b44b68aca3c25c917056dbeac4e02c37dcca0b6bc89f9c99044bd1d2f748439ae3f0ab840f9b70c6fbc4b489ee169870f69

    • F:\$RECYCLE.BIN\S-1-5-21-1506706701-1246725540-2219210854-1000\_desktop.ini

      Filesize

      8B

      MD5

      0ae7e73ef305a1b74ccaaba2243fb811

      SHA1

      5b4f708cab0077b0e18bb44f415fd1b740d783f4

      SHA256

      6ead98403bff0a55dbcead4ec011589b3933764cd9a85f8da1a1dc68a1e13acc

      SHA512

      ec8cb0b16a419fbed636906b493cd9f906a4dd66e0683a6209e9e1f43ef276f7675b480f9c166e0cb7ed34f94cabcdee1e907cd37f26e03b004dd532941e1cb1

    • memory/1200-28-0x0000000002500000-0x0000000002501000-memory.dmp

      Filesize

      4KB

    • memory/2628-32-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/2628-19-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/2628-2962-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/2628-4155-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/2852-18-0x0000000000240000-0x000000000027D000-memory.dmp

      Filesize

      244KB

    • memory/2852-0-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/2852-17-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB