Overview

overview

8

Static

static

3

951e009adb...c1.exe

windows7-x64

8

951e009adb...c1.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    150s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    08-09-2024 20:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    951e009adb8c5a2d34f5a9057b5a05ecc268b608c5c2fcfe2dee1ae4e1fbb5c1.exe

  • Size

    33KB

  • MD5

    abdd02f0a8e8a7f67c4d2d5f390afa09

  • SHA1

    794385506aa739fc62b83035f0f08ed16fa43e47

  • SHA256

    951e009adb8c5a2d34f5a9057b5a05ecc268b608c5c2fcfe2dee1ae4e1fbb5c1

  • SHA512

    85087a798d497e24df7cbdc4090722528659c40285f1f02fd65ddecd9d0fa233625d0e56a3cebcc778ea74fa7919b969451831101cb247b926eb1f17204c3137

  • SSDEEP

    768:JnElOIEvzMXqtwp/lDTJg/MFksCRsd2u9C9MFWoVaZel:JnaYzMXqtGN/CstC9qVF

Score
8/10
discoveryspywarestealer

Malware Config

Signatures

  • Drops file in Drivers directory 1 IoCs
  • Drops startup file 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 30 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1196
      • C:\Users\Admin\AppData\Local\Temp\951e009adb8c5a2d34f5a9057b5a05ecc268b608c5c2fcfe2dee1ae4e1fbb5c1.exe
        "C:\Users\Admin\AppData\Local\Temp\951e009adb8c5a2d34f5a9057b5a05ecc268b608c5c2fcfe2dee1ae4e1fbb5c1.exe"
        2⤵
        • Drops file in Drivers directory
        • Drops startup file
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2788
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2812
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:2680
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2672
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:2732

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
      Filesize

      258KB

      MD5

      6fb2412477cabac72e28e557a90272bf

      SHA1

      97d195bec7379812acbddccf5e107006de2f293d

      SHA256

      dbc55816678d01752e6fdc3630c4de634948995572727cde9c295d5674638a39

      SHA512

      70581c45191ccaae3e529b58bbc1bdfc3e2f9e0096e9a6a4890e010c508d690930e7a2240ee4ee4e371a576625c00cddb903724273826d9a38b5a3231972b92e

      Download Submit

    • C:\Program Files\7-Zip\7zG.exe
      Filesize

      717KB

      MD5

      3c5e6c1f6dc53d4860267c3bec385736

      SHA1

      2931c960467f0b7a69543a799235aa6d757f8e21

      SHA256

      ddd7f2d19b23895aa1e097d1e9628c47190f4a655d841a18e58605b6d4539c6c

      SHA512

      20eb985e782393513a66e6990f609399edbde22e1f652fc425692bbf996f99c569d8fc386a9dd87f90582734fd819aad1bb6224aef572f1c2e987260f27feb71

      Download Submit

    • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
      Filesize

      478KB

      MD5

      e3d7f6cbc53a96972587f05acd5c0ca0

      SHA1

      e12f124807a30188da6157d4423775373c668dd8

      SHA256

      75db003d5fe6855e432e4ccaf8720890f181c3dc9d800b253508aebabfde2da8

      SHA512

      ea783b525ebf1fa786d06051e64c72efa9665aaaa0e456c99c3fb80298066491da47d9056f7046d35d4bb3165ac2ca85eac9c9a9331923dbf56937831a9bc078

      Download Submit

    • F:\$RECYCLE.BIN\S-1-5-21-1846800975-3917212583-2893086201-1000\_desktop.ini
      Filesize

      8B

      MD5

      646a1be8fae9210cfba53ee1aab14c96

      SHA1

      8677ff347131a9c8304f10b48012ebd8b075030c

      SHA256

      660d57a3dc71884e70a9cbd6ca26d02872f4706abeb098c6d35f6b217462edf5

      SHA512

      812b716a422628d486a4c78c66a85c641f13976537fbd452e14fab9a6c440b442632df04de8437c485c9c8164e3b3499201d3dbe681b36fe6bec749df1ab75e4

      Download Submit

    • memory/1196-5-0x0000000002AB0000-0x0000000002AB1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2788-0-0x0000000000400000-0x000000000043E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/2788-9-0x0000000000400000-0x000000000043E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/2788-2938-0x0000000000400000-0x000000000043E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/2788-4126-0x0000000000400000-0x000000000043E000-memory.dmp

      Filesize

      248KB

      Download