Analysis

  • max time kernel
    150s
  • max time network
    96s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    08-09-2024 20:26

General

  • Target

    3e28bb53783a6906d7e925c30ac660b90c71d1b9a9e4b30be2f96cd7ad0b75e1.exe

  • Size

    964KB

  • MD5

    8f18e857d4f01df817d1947bdb13dab2

  • SHA1

    13aabb8f5d7548b655f2e5ce9fcd74e6befc6a81

  • SHA256

    3e28bb53783a6906d7e925c30ac660b90c71d1b9a9e4b30be2f96cd7ad0b75e1

  • SHA512

    5c0edb44b61723332bf15258595813b782e31d91af6d2656a978910ecc1734d5eaf5a89b6f52319e3c33cc796408a8f77310e3eae16cf8c1a4ef362eaae0b5ae

  • SSDEEP

    12288:b3WFjyRKcv8Nh7py6Rmi78gkPH3aPI9vyVg/0paQuj3IdD02fKBjtp/:b3MvBpDRmi78gkPXlyo0G/jr

Malware Config

Signatures

  • Drops file in Drivers directory 2 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies, and similar secrets.

  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3400
      • C:\Users\Admin\AppData\Local\Temp\3e28bb53783a6906d7e925c30ac660b90c71d1b9a9e4b30be2f96cd7ad0b75e1.exe
        "C:\Users\Admin\AppData\Local\Temp\3e28bb53783a6906d7e925c30ac660b90c71d1b9a9e4b30be2f96cd7ad0b75e1.exe"
        2⤵
        • Drops file in Drivers directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1364
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1636
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:464
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aA613.bat
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3572
          • C:\Users\Admin\AppData\Local\Temp\3e28bb53783a6906d7e925c30ac660b90c71d1b9a9e4b30be2f96cd7ad0b75e1.exe
            "C:\Users\Admin\AppData\Local\Temp\3e28bb53783a6906d7e925c30ac660b90c71d1b9a9e4b30be2f96cd7ad0b75e1.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:3936
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Drops file in Drivers directory
          • Drops startup file
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:4436
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2444
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:3396
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2340
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:1104

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe

      Filesize

      251KB

      MD5

      b068d503b2cd3062f2a26a2e27323fda

      SHA1

      de3a3d56f226be127d20b3621071320fc6229833

      SHA256

      a42da88395245f6ec28c8c4e7dfa43de5a066bf85330b1acfdd9c12c232352b1

      SHA512

      601b3716fe51fb12b50ca6a2668b8a3fd847fa1e70e69962a28e2271fd2c09e3e27e67fd4d4a284500fe9e48b4439dacae26087671cead321385452b5d07a302

    • C:\Program Files\7-Zip\7z.exe

      Filesize

      577KB

      MD5

      7f30a4ea4259d5daca6ae711700efd55

      SHA1

      adb836123dc90ea07485dbe49b053f11de67d887

      SHA256

      20461a8ad8699166a9009c2248de1b7552de8141c3580efa221a4dd601b6f31d

      SHA512

      0cb4bab7ccae61656087d4f84e24ab974c28998081b4c3dd2c211a0c8e8fd3d8ea824b537121c0ef5eec11145dacc7f63b1e9fa45c278a7d8e17e295b8cdc349

    • C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe

      Filesize

      644KB

      MD5

      b683d08031e54ea6942378775fcacdf7

      SHA1

      a2e7e8911ab44ce6e768058d02e2d68a8b093c7d

      SHA256

      7d2c375e7c1e52dfb0254cab9fb3816c5a1ba987b44910dcbbc5f0b3b8294070

      SHA512

      68d53577071249f8e4a5a70713c9b82a295bde488e00cb5c5287ed7c78a5195829eb65c83ddee6f64f6da085d3c0b0723249464044f20088b76aa631dff72599

    • C:\Users\Admin\AppData\Local\Temp\$$aA613.bat

      Filesize

      722B

      MD5

      2e8ce7b41fcc5276ce200e840a8f7663

      SHA1

      00cbc7d009bf511e12f61edfef3dcf6c911c06ca

      SHA256

      48bcd7953b058588001d4d86fa137665a8b2e99756d0c255bdce6cf68ba5dd27

      SHA512

      31b832f69e96a20630f13221dada90aac991c4b1acb8db8e6b44a8aae4a7598c38996cd331f8abe1addad2447f5a39ee4e1069f8154fc5dca21cdd1f84c9fa4f

    • C:\Users\Admin\AppData\Local\Temp\3e28bb53783a6906d7e925c30ac660b90c71d1b9a9e4b30be2f96cd7ad0b75e1.exe.exe

      Filesize

      930KB

      MD5

      30ac0b832d75598fb3ec37b6f2a8c86a

      SHA1

      6f47dbfd6ff36df7ba581a4cef024da527dc3046

      SHA256

      1ea0839c8dc95ad2c060af7d042c40c0daed58ce8e4524c0fba12fd73e4afb74

      SHA512

      505870601a4389b7ed2c8fecf85835adfd2944cbc10801f74bc4e08f5a0d6ecc9a52052fc37e216304cd1655129021862294a698ed36b3b43d428698f7263057

    • C:\Windows\Logo1_.exe

      Filesize

      33KB

      MD5

      abdd02f0a8e8a7f67c4d2d5f390afa09

      SHA1

      794385506aa739fc62b83035f0f08ed16fa43e47

      SHA256

      951e009adb8c5a2d34f5a9057b5a05ecc268b608c5c2fcfe2dee1ae4e1fbb5c1

      SHA512

      85087a798d497e24df7cbdc4090722528659c40285f1f02fd65ddecd9d0fa233625d0e56a3cebcc778ea74fa7919b969451831101cb247b926eb1f17204c3137

    • C:\Windows\system32\drivers\etc\hosts

      Filesize

      842B

      MD5

      6f4adf207ef402d9ef40c6aa52ffd245

      SHA1

      4b05b495619c643f02e278dede8f5b1392555a57

      SHA256

      d9704dab05e988be3e5e7b7c020bb9814906d11bb9c31ad80d4ed1316f6bc94e

      SHA512

      a6306bd200a26ea78192ae5b00cc49cfab3fba025fe7233709a4e62db0f9ed60030dce22b34afe57aad86a098c9a8c44e080cedc43227cb87ef4690baec35b47

    • F:\$RECYCLE.BIN\S-1-5-21-523280732-2327480845-3730041215-1000\_desktop.ini

      Filesize

      8B

      MD5

      646a1be8fae9210cfba53ee1aab14c96

      SHA1

      8677ff347131a9c8304f10b48012ebd8b075030c

      SHA256

      660d57a3dc71884e70a9cbd6ca26d02872f4706abeb098c6d35f6b217462edf5

      SHA512

      812b716a422628d486a4c78c66a85c641f13976537fbd452e14fab9a6c440b442632df04de8437c485c9c8164e3b3499201d3dbe681b36fe6bec749df1ab75e4

    • memory/1364-0-0x0000000000400000-0x000000000043E000-memory.dmp

      Filesize

      248KB

    • memory/1364-9-0x0000000000400000-0x000000000043E000-memory.dmp

      Filesize

      248KB

    • memory/4436-20-0x0000000000400000-0x000000000043E000-memory.dmp

      Filesize

      248KB

    • memory/4436-2794-0x0000000000400000-0x000000000043E000-memory.dmp

      Filesize

      248KB

    • memory/4436-11-0x0000000000400000-0x000000000043E000-memory.dmp

      Filesize

      248KB

    • memory/4436-8696-0x0000000000400000-0x000000000043E000-memory.dmp

      Filesize

      248KB