Analysis

  • max time kernel
    149s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    08/09/2024, 20:26

General

  • Target

    3e28bb53783a6906d7e925c30ac660b90c71d1b9a9e4b30be2f96cd7ad0b75e1.exe

  • Size

    964KB

  • MD5

    8f18e857d4f01df817d1947bdb13dab2

  • SHA1

    13aabb8f5d7548b655f2e5ce9fcd74e6befc6a81

  • SHA256

    3e28bb53783a6906d7e925c30ac660b90c71d1b9a9e4b30be2f96cd7ad0b75e1

  • SHA512

    5c0edb44b61723332bf15258595813b782e31d91af6d2656a978910ecc1734d5eaf5a89b6f52319e3c33cc796408a8f77310e3eae16cf8c1a4ef362eaae0b5ae

  • SSDEEP

    12288:b3WFjyRKcv8Nh7py6Rmi78gkPH3aPI9vyVg/0paQuj3IdD02fKBjtp/:b3MvBpDRmi78gkPXlyo0G/jr

Malware Config

Signatures

  • Drops file in Drivers directory 2 IoCs
  • Deletes itself 1 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and session tokens.

  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of the host.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 43 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1204
      • C:\Users\Admin\AppData\Local\Temp\3e28bb53783a6906d7e925c30ac660b90c71d1b9a9e4b30be2f96cd7ad0b75e1.exe
        "C:\Users\Admin\AppData\Local\Temp\3e28bb53783a6906d7e925c30ac660b90c71d1b9a9e4b30be2f96cd7ad0b75e1.exe"
        2⤵
        • Drops file in Drivers directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1452
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1856
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:1240
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\$$a9F2C.bat
          3⤵
          • Deletes itself
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2780
          • C:\Users\Admin\AppData\Local\Temp\3e28bb53783a6906d7e925c30ac660b90c71d1b9a9e4b30be2f96cd7ad0b75e1.exe
            "C:\Users\Admin\AppData\Local\Temp\3e28bb53783a6906d7e925c30ac660b90c71d1b9a9e4b30be2f96cd7ad0b75e1.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of AdjustPrivilegeToken
            PID:3016
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Drops file in Drivers directory
          • Drops startup file
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2248
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2816
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2744
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2796
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2784
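The process tree above is the part of this report most worth turning into detection logic: a binary run from the user's Temp directory stops a security product's service through net.exe/net1.exe (three times, two of them from the dropped C:\Windows\Logo1_.exe), runs a cmd.exe batch file from Temp that the report marks as deleting the original, and re-executes the original path as a child of that cmd.exe (the 930KB `<sample>.exe.exe` listed under Downloads is consistent with the batch swapping a dropped copy into place, though the report does not show the batch contents). The script below is an added example, not output from the sandbox and not code from the report's vendor: it runs four rules over process-creation events constructed by hand from the tree above (PID, parent PID, image, command line), with two hypothetical benign events (PIDs 4000 and 4001) as negative cases. The security-service keyword list and the list of executables that legitimately live directly in C:\Windows are assumptions; extend both from a known-clean host.

```python
"""Detection rules for the execution chain in the process tree above.

Added example. SAMPLE_EVENTS is constructed from the report's process tree
(PID, parent PID, image, command line); it is not sandbox output.
"""
import ntpath
import re

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\3e28bb53783a6906d7e925c30ac660b90c71d1b9a9e4b30be2f96cd7ad0b75e1.exe"
NET = r"C:\Windows\SysWOW64\net.exe"
NET1 = r"C:\Windows\SysWOW64\net1.exe"
STOP_KS = 'net stop "Kingsoft AntiVirus Service"'
STOP_KS1 = r'C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"'

# (pid, ppid, image, cmdline): constructed from the process tree above,
# plus two hypothetical benign events (PIDs 4000/4001) as negative cases.
SAMPLE_EVENTS = [
    (1204, 0, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    (1452, 1204, SAMPLE, f'"{SAMPLE}"'),
    (1856, 1452, NET, STOP_KS),
    (1240, 1856, NET1, STOP_KS1),
    (2780, 1452, r"C:\Windows\SysWOW64\cmd.exe", r"cmd /c C:\Users\Admin\AppData\Local\Temp\$$a9F2C.bat"),
    (3016, 2780, SAMPLE, f'"{SAMPLE}"'),
    (2248, 1452, r"C:\Windows\Logo1_.exe", r"C:\Windows\Logo1_.exe"),
    (2816, 2248, NET, STOP_KS),
    (2744, 2816, NET1, STOP_KS1),
    (2796, 2248, NET, STOP_KS),
    (2784, 2796, NET1, STOP_KS1),
    (4000, 1204, r"C:\Windows\System32\net.exe", r"net use Z: \\fileserver\share"),
    (4001, 1204, r"C:\Windows\System32\notepad.exe", "notepad.exe"),
]

# Executables that legitimately sit directly in C:\Windows on Windows 7.
# Partial baseline (assumption); extend it from a known-clean host.
WINDOWS_ROOT_BASELINE = {
    "explorer.exe", "regedit.exe", "notepad.exe", "hh.exe", "write.exe",
    "helppane.exe", "winhlp32.exe", "splwow64.exe", "bfsvc.exe",
    "fveupdate.exe", "twunk_16.exe", "twunk_32.exe",
}
# Keywords that mark a service as a security product (assumption).
SECURITY_SERVICE = re.compile(r"antivirus|anti-virus|kingsoft|defender|security|endpoint", re.I)
SERVICE_STOP = re.compile(r'\bstop\s+"?([^"]+?)"?\s*$', re.I)
TEMP_BAT = re.compile(r'\\AppData\\Local\\Temp\\[^\s"]+\.bat\b', re.I)
WINDOWS_ROOT_EXE = re.compile(r"^[A-Za-z]:\\Windows\\[^\\]+\.exe$", re.I)


def detect(events):
    """Return (pid, rule, detail) for every event that matches a rule."""
    by_pid = {pid: (ppid, image, cmdline) for pid, ppid, image, cmdline in events}
    hits = []
    for pid, ppid, image, cmdline in events:
        base = ntpath.basename(image).lower()

        # Rule 1: net/net1 stopping a service that looks like a security product
        # (ATT&CK T1562.001, Impair Defenses: Disable or Modify Tools).
        if base in ("net.exe", "net1.exe"):
            m = SERVICE_STOP.search(cmdline)
            if m and SECURITY_SERVICE.search(m.group(1)):
                hits.append((pid, "av_service_stop", m.group(1)))

        # Rule 2: cmd.exe running a batch file dropped in the user's Temp directory.
        if base == "cmd.exe":
            m = TEMP_BAT.search(cmdline)
            if m:
                hits.append((pid, "temp_batch_launcher", m.group(0)))

        # Rule 3: an executable directly under C:\Windows that is not in the baseline.
        if WINDOWS_ROOT_EXE.match(image) and base not in WINDOWS_ROOT_BASELINE:
            hits.append((pid, "windows_root_exe", image))

        # Rule 4: a binary re-executed by cmd.exe from the same path as its
        # grandparent, the batch-mediated relaunch seen with PID 3016 above.
        parent = by_pid.get(ppid)
        if parent and ntpath.basename(parent[1]).lower() == "cmd.exe":
            grand = by_pid.get(parent[0])
            if grand and grand[1].lower() == image.lower():
                hits.append((pid, "relaunch_via_cmd", f"grandparent pid {parent[0]}"))
    return hits


if __name__ == "__main__":
    for pid, rule, detail in detect(SAMPLE_EVENTS):
        print(f"{pid:5d}  {rule:20s}  {detail}")
```

Rule 1 fires on all six net.exe/net1.exe events, rule 2 on the cmd.exe process (PID 2780), rule 3 on Logo1_.exe (PID 2248) and rule 4 on the relaunched sample (PID 3016); Explorer and the two benign events produce nothing. Rule 4 is the one worth keeping even where the other three are noisy, since a process whose parent is cmd.exe and whose image equals its grandparent's image is rare in normal activity.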

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

      Filesize

      258KB

      MD5

      6fb2412477cabac72e28e557a90272bf

      SHA1

      97d195bec7379812acbddccf5e107006de2f293d

      SHA256

      dbc55816678d01752e6fdc3630c4de634948995572727cde9c295d5674638a39

      SHA512

      70581c45191ccaae3e529b58bbc1bdfc3e2f9e0096e9a6a4890e010c508d690930e7a2240ee4ee4e371a576625c00cddb903724273826d9a38b5a3231972b92e

    • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

      Filesize

      478KB

      MD5

      e3d7f6cbc53a96972587f05acd5c0ca0

      SHA1

      e12f124807a30188da6157d4423775373c668dd8

      SHA256

      75db003d5fe6855e432e4ccaf8720890f181c3dc9d800b253508aebabfde2da8

      SHA512

      ea783b525ebf1fa786d06051e64c72efa9665aaaa0e456c99c3fb80298066491da47d9056f7046d35d4bb3165ac2ca85eac9c9a9331923dbf56937831a9bc078

    • C:\Users\Admin\AppData\Local\Temp\$$a9F2C.bat

      Filesize

      722B

      MD5

      d8938c76de768d18531a6f31d61084bb

      SHA1

      8f4cc133e84317fb4cba26a712793ec9b74e8d93

      SHA256

      811f6ea9c0176aaf95836ecd40efc9d95d97076c24ca85234681d89ab906cf47

      SHA512

      bd86d79351cb2b32a6cc66ffab44d548cc098d97abea39e7bcf8e45551df26fcd1cdbc0106ecf968deec9daea9ab9d735a8e3dad33b603e513a4b561791f2507

    • C:\Users\Admin\AppData\Local\Temp\3e28bb53783a6906d7e925c30ac660b90c71d1b9a9e4b30be2f96cd7ad0b75e1.exe.exe

      Filesize

      930KB

      MD5

      30ac0b832d75598fb3ec37b6f2a8c86a

      SHA1

      6f47dbfd6ff36df7ba581a4cef024da527dc3046

      SHA256

      1ea0839c8dc95ad2c060af7d042c40c0daed58ce8e4524c0fba12fd73e4afb74

      SHA512

      505870601a4389b7ed2c8fecf85835adfd2944cbc10801f74bc4e08f5a0d6ecc9a52052fc37e216304cd1655129021862294a698ed36b3b43d428698f7263057

    • C:\Windows\Logo1_.exe

      Filesize

      33KB

      MD5

      abdd02f0a8e8a7f67c4d2d5f390afa09

      SHA1

      794385506aa739fc62b83035f0f08ed16fa43e47

      SHA256

      951e009adb8c5a2d34f5a9057b5a05ecc268b608c5c2fcfe2dee1ae4e1fbb5c1

      SHA512

      85087a798d497e24df7cbdc4090722528659c40285f1f02fd65ddecd9d0fa233625d0e56a3cebcc778ea74fa7919b969451831101cb247b926eb1f17204c3137

    • C:\Windows\system32\drivers\etc\hosts

      Filesize

      832B

      MD5

      7e3a0edd0c6cd8316f4b6c159d5167a1

      SHA1

      753428b4736ffb2c9e3eb50f89255b212768c55a

      SHA256

      1965854dfa54c72529c88c7d9f41fa31b4140cad04cf03d3f0f2e7601fcbdc6c

      SHA512

      9c68f7f72dfa109fcfba6472a1cced85bc6c2a5481232c6d1d039c88b2f65fb86070aeb26ac23e420c6255daca02ea6e698892f7670298d2c4f741b9e9415c7f

    • F:\$RECYCLE.BIN\S-1-5-21-3551809350-4263495960-1443967649-1000\_desktop.ini

      Filesize

      8B

      MD5

      646a1be8fae9210cfba53ee1aab14c96

      SHA1

      8677ff347131a9c8304f10b48012ebd8b075030c

      SHA256

      660d57a3dc71884e70a9cbd6ca26d02872f4706abeb098c6d35f6b217462edf5

      SHA512

      812b716a422628d486a4c78c66a85c641f13976537fbd452e14fab9a6c440b442632df04de8437c485c9c8164e3b3499201d3dbe681b36fe6bec749df1ab75e4

    • memory/1204-31-0x0000000002DD0000-0x0000000002DD1000-memory.dmp

      Filesize

      4KB

    • memory/1452-17-0x0000000000440000-0x000000000047E000-memory.dmp

      Filesize

      248KB

    • memory/1452-0-0x0000000000400000-0x000000000043E000-memory.dmp

      Filesize

      248KB

    • memory/1452-20-0x0000000000400000-0x000000000043E000-memory.dmp

      Filesize

      248KB

    • memory/1452-13-0x0000000000440000-0x000000000047E000-memory.dmp

      Filesize

      248KB

    • memory/2248-34-0x0000000000400000-0x000000000043E000-memory.dmp

      Filesize

      248KB

    • memory/2248-2963-0x0000000000400000-0x000000000043E000-memory.dmp

      Filesize

      248KB

    • memory/2248-4116-0x0000000000400000-0x000000000043E000-memory.dmp

      Filesize

      248KB
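The Downloads list above gives the file-system artifacts a responder would sweep for on a suspect host: the dropped C:\Windows\Logo1_.exe, the `$$a9F2C.bat` launcher in Temp, the 930KB `<sample>.exe.exe` copy, a rewritten hosts file, an 8-byte `_desktop.ini` placed in the recycle bin of a second drive (the "Enumerates connected drives" signature), and two executables written under Program Files and ProgramData. The script below is an added example, not part of the report and not the sandbox vendor's code. It sweeps a directory tree three ways: exact SHA256 match against the hashes copied from the report, path patterns derived from the dropped-file names above, and a hosts-file parser that reports any mapping other than localhost. The `demo()` function builds a throwaway tree with tempfile, using constructed file contents (the real contents of the dropped files are not on this page), and adds the hash of one constructed file to the table so the hash rule can be exercised offline. The path patterns and the localhost allow-list are this example's own assumptions.

```python
"""Host-side sweep for the file artifacts listed under Downloads above.

Added example. REPORT_HASHES is copied from the report; the path patterns,
the hosts-file heuristic and the demo tree are this example's own.
"""
import hashlib
import os
import re
import tempfile

# SHA256 -> description, taken from the Downloads list in the report.
REPORT_HASHES = {
    "951e009adb8c5a2d34f5a9057b5a05ecc268b608c5c2fcfe2dee1ae4e1fbb5c1": r"C:\Windows\Logo1_.exe (33KB)",
    "811f6ea9c0176aaf95836ecd40efc9d95d97076c24ca85234681d89ab906cf47": r"Temp\$$a9F2C.bat (722B)",
    "1ea0839c8dc95ad2c060af7d042c40c0daed58ce8e4524c0fba12fd73e4afb74": r"Temp\<sample>.exe.exe (930KB)",
    "1965854dfa54c72529c88c7d9f41fa31b4140cad04cf03d3f0f2e7601fcbdc6c": r"drivers\etc\hosts as rewritten (832B)",
    "660d57a3dc71884e70a9cbd6ca26d02872f4706abeb098c6d35f6b217462edf5": r"$RECYCLE.BIN\<SID>\_desktop.ini (8B)",
    "dbc55816678d01752e6fdc3630c4de634948995572727cde9c295d5674638a39": r"Google\Update\1.3.36.151\GoogleUpdateCore.exe (258KB)",
    "75db003d5fe6855e432e4ccaf8720890f181c3dc9d800b253508aebabfde2da8": r"Package Cache\{...}\vcredist_x64.exe (478KB)",
}

# Path patterns derived from the dropped-file names above (assumption: the
# $$<hex>.bat name is generalised from the single instance in the report).
PATH_RULES = [
    ("Logo1_.exe in Windows root", re.compile(r"(^|\\)Windows\\Logo1_\.exe$", re.I)),
    ("_desktop.ini in recycle bin", re.compile(r"\$RECYCLE\.BIN\\S-1-5-21-[\d-]+\\_desktop\.ini$", re.I)),
    ("$$<hex>.bat in Temp", re.compile(r"\\Temp\\\$\$[0-9A-F]+\.bat$", re.I)),
]
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def hosts_entries(path):
    """Return 'ip name' strings for every hosts mapping that is not localhost."""
    out = []
    with open(path, "r", encoding="utf-8", errors="replace") as f:
        for line in f:
            line = line.split("#", 1)[0].strip()   # drop comments and blanks
            parts = line.split()
            for name in parts[1:]:
                if name.lower() not in LOCAL_NAMES:
                    out.append(f"{parts[0]} {name}")
    return out


def scan(root, hashes=REPORT_HASHES, max_hash_bytes=2 << 20):
    """Walk root and return (relative_path, kind, detail) findings."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace("/", "\\")   # Windows-style for the patterns
            for label, pat in PATH_RULES:
                if pat.search(rel):
                    findings.append((rel, "path_ioc", label))
            if rel.lower().endswith("drivers\\etc\\hosts"):
                for entry in hosts_entries(full):
                    findings.append((rel, "hosts_entry", entry))
            if os.path.getsize(full) <= max_hash_bytes:   # all report files are under 1MB
                digest = sha256_file(full)
                if digest in hashes:
                    findings.append((rel, "hash_ioc", hashes[digest]))
    return findings


def demo():
    """Build a constructed tree mirroring the report's paths and scan it."""
    with tempfile.TemporaryDirectory() as base:
        files = {
            r"Windows\Logo1_.exe": b"MZ" + b"\0" * 30,                       # placeholder bytes
            r"Windows\notepad.exe": b"MZ" + b"\0" * 30,                      # benign control
            r"Windows\System32\drivers\etc\hosts":
                b"# constructed\n127.0.0.1 localhost\n::1 localhost\n127.0.0.1 update.example-av.invalid\n",
            r"F\$RECYCLE.BIN\S-1-5-21-3551809350-4263495960-1443967649-1000\_desktop.ini": b"\0" * 8,
            r"Users\Admin\AppData\Local\Temp\$$a9F2C.bat": b"@echo off\r\n",  # placeholder
            r"Program Files\Vendor\dropped.bin": b"constructed payload",
        }
        for rel, data in files.items():
            full = os.path.join(base, *rel.split("\\"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)
        table = dict(REPORT_HASHES)
        table[hashlib.sha256(b"constructed payload").hexdigest()] = "demo payload (constructed)"
        return scan(base, table)


if __name__ == "__main__":
    for rel, kind, detail in demo():
        print(f"{kind:12s} {rel:70s} {detail}")
```

On a live host, point `scan()` at the root of each fixed drive rather than at C:\ alone; the report shows the `_desktop.ini` artifact on F:, which a C:-only sweep would miss. Treat `hosts_entry` findings as triage leads, not verdicts: administrators add legitimate hosts mappings, so compare against the organisation's baseline before acting.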