Analysis

  • max time kernel
    149s
  • max time network
    97s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    07-09-2024 12:33

General

  • Target

    Virus.Injector.ATA_virussign.com_71d804c8cf876e65e93d58c79177c313.exe

  • Size

    562KB

  • MD5

    71d804c8cf876e65e93d58c79177c313

  • SHA1

    41f12a009ee03714125acf9ef810d00d0d663e57

  • SHA256

    51ed0ccf2ee16871ab39c8631be12f3f077c5bd9b62eb4951b3695e238c2468e

  • SHA512

    0f45ed09d3c57a28b6dd58d542fdc5ebce02a734125d2ed53f433135a338b2563d56054d4f00632367cc8aa710b51ee9fbb6756cbeb3f8db705d9145b3c2800f

  • SSDEEP

    12288:I+aUc9iJafmm2VYK+UNo0RweQfoAxHv9sN4A4H9J618UtQ43iUa:IBgVm2VZQwy9E1Vf3M

Malware Config

Signatures

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3396
      • C:\Users\Admin\AppData\Local\Temp\Virus.Injector.ATA_virussign.com_71d804c8cf876e65e93d58c79177c313.exe
        "C:\Users\Admin\AppData\Local\Temp\Virus.Injector.ATA_virussign.com_71d804c8cf876e65e93d58c79177c313.exe"
        2⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:4692
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1944
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:4828
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a952B.bat
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:5096
          • C:\Users\Admin\AppData\Local\Temp\Virus.Injector.ATA_virussign.com_71d804c8cf876e65e93d58c79177c313.exe
            "C:\Users\Admin\AppData\Local\Temp\Virus.Injector.ATA_virussign.com_71d804c8cf876e65e93d58c79177c313.exe"
            4⤵
            • Executes dropped EXE
            PID:2196
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Drops startup file
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:3516
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2100
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:1972
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:3660
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:4604

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe

      Filesize

      250KB

      MD5

      3395b30fcc0d6523ea46f137be48c8c9

      SHA1

      df2094e08af0afba34a5e31342517ffd807bf3fe

      SHA256

      3b0c9dbe5393654bacd3cb1f0a10b45da8c4116aabbe5fc540c37ea51c5677b8

      SHA512

      2a96f84d9932c1f0291bd6311803e0d8353039536f86de8a1351c0820b447b4e87de5563a482a1f60ba63efff81609e35fb20b42c497fbc523d53760e795063b

    • C:\Program Files\7-Zip\7z.exe

      Filesize

      577KB

      MD5

      bf7572c3ba3c8b5ac53b6d5f5b0908ba

      SHA1

      e3086473496515e05f877f452b868f93d8d48b74

      SHA256

      c14fdb68393fb3709b09f03577d012bc842c1b7f8387a837ae0deef83a4c5602

      SHA512

      6d0798d00218301bb4e3fc425b996372f77fcea25e2cb20355a4928b564bfc17b8806eb0772458958bd3641391bf98edcd6c2da46e72e9fbb0012ecf1b728ef4

    • C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe

      Filesize

      643KB

      MD5

      29bab5fa7dbfd951e1c8290a8f4c2ba7

      SHA1

      7b86728d64cef9686bd45f2ff6fdc818c11a1bbb

      SHA256

      dda333d8aed86ba750f669280e458ad2fb8d8ad5700a5fe0df584a1c818c481b

      SHA512

      5bb37bffffe297653f91e0601f17b507659bcfe78567e6e1d10506d3c3bea737e7d6374224ecc01f421cff8f74b299eba8fe3152742b2b1c228966a630de1339

    • C:\Users\Admin\AppData\Local\Temp\$$a952B.bat

      Filesize

      728B

      MD5

      0934c8c3a885d86973c1136bf7e53056

      SHA1

      a527bd60144c8b0979ae7134479c23c6545d8dda

      SHA256

      34a0a9bc5110bc0f0acd719eec562b18a6c773544ab3b80e6a40d008b4a09b90

      SHA512

      275f87a5cec2bcfc85fc97473811f345ac7dbca1f93c2e6f64e5dd2b3c5caf1a112b275b479c159bd9dab562f5aec66146a706a92628e448f4e2531f4063a8e9

    • C:\Users\Admin\AppData\Local\Temp\Virus.Injector.ATA_virussign.com_71d804c8cf876e65e93d58c79177c313.exe.exe

      Filesize

      529KB

      MD5

      cca0c5482b8a6a275d9d49433f435dfa

      SHA1

      a72ae8621386e13c34055f612ae7612b8a18a39e

      SHA256

      6ea08bbcedf7cb51cfbe4896ef8c589a4568b1d5240265b1dcfda83dc8b55365

      SHA512

      b88f5cdb4bc08429ca40d24cef490128d341e10615d1d93d084b3247c2b28573d177d878c1385d3941e16a8bcc8a9f6b7870c152f4a43d02e69c05defcc9196e

    • C:\Windows\Logo1_.exe

      Filesize

      33KB

      MD5

      8db8f01ff3888c1cf7faa0d7bee56fac

      SHA1

      2e67943b7b89ed681aad28d547f5fe105b8d6bbb

      SHA256

      ec7ddca76eda53f8cd5276c1300d78e1ac0e29c6eb14d95f0e6342ad97acf100

      SHA512

      e87cca7c2892bc440f2d9a7de9935395a17726df780e56feb861d3219a8586993bd7b95f610609c589ebc694469eb1213d5e39986a90b83a48f5475ed3da547a

    • F:\$RECYCLE.BIN\S-1-5-21-523280732-2327480845-3730041215-1000\_desktop.ini

      Filesize

      8B

      MD5

      24cfb7e9169e3ecbcdf34395dff5aed0

      SHA1

      64061d8b0afd788fb3d2990e90e61f14010896dd

      SHA256

      e11477f26e6139dabba6ad5dab927732c6a3785db78f82194ad7ae20323c6578

      SHA512

      a315d4ab14f15f8df115e35134f0a1eff8018b0c35c5a0283928f2d3f3014215d683973b9aeba1bc74c49437cc929ea4e2fb847b4305da6d5abca235c750e299

    • memory/3516-2800-0x0000000000400000-0x000000000043F000-memory.dmp

      Filesize

      252KB

    • memory/3516-18-0x0000000000400000-0x000000000043F000-memory.dmp

      Filesize

      252KB

    • memory/3516-8-0x0000000000400000-0x000000000043F000-memory.dmp

      Filesize

      252KB

    • memory/3516-8880-0x0000000000400000-0x000000000043F000-memory.dmp

      Filesize

      252KB

    • memory/4692-0-0x0000000000400000-0x000000000043F000-memory.dmp

      Filesize

      252KB

    • memory/4692-10-0x0000000000400000-0x000000000043F000-memory.dmp

      Filesize

      252KB