Analysis

  • max time kernel
    120s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    09/09/2024, 09:40

General

  • Target

    8b5e68042edbd8cbbcfcedeade8d6c10N.exe

  • Size

    90KB

  • MD5

    8b5e68042edbd8cbbcfcedeade8d6c10

  • SHA1

    fb3edea22c09a375566d669659a331a8fb5b150d

  • SHA256

    02f031a51085f2466a8bd8466ec11a8dceb57fd8d38626070d1dff6066c9a7aa

  • SHA512

    5cc6c2d1be6b95428fe80a9dab4a862a0f0e84f13ddea3f6f5dd3e3589b051bd12f82d8e889eac972a3d0eb01854c894e4d817c562b80c8701a6f1d6fffb2f4f

  • SSDEEP

    768:KPL1RO5RroZJ76739sBWs69a7zKHOrEz+mKLtOWD/QwmKxyA5dmtdLAuDeGJiqr8:Kfe+Zk78UKUWLQwFxV7qjh3rmKPNIwW

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 43 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1184
      • C:\Users\Admin\AppData\Local\Temp\8b5e68042edbd8cbbcfcedeade8d6c10N.exe
        "C:\Users\Admin\AppData\Local\Temp\8b5e68042edbd8cbbcfcedeade8d6c10N.exe"
        2⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1976
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2156
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:2176
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\$$aD8E1.bat
          3⤵
          • Deletes itself
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2864
          • C:\Users\Admin\AppData\Local\Temp\8b5e68042edbd8cbbcfcedeade8d6c10N.exe
            "C:\Users\Admin\AppData\Local\Temp\8b5e68042edbd8cbbcfcedeade8d6c10N.exe"
            4⤵
            • Executes dropped EXE
            PID:2688
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Drops startup file
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2480
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2832
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2656
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2884
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2696

Network

MITRE ATT&CK Enterprise v15


Downloads

          • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

            Filesize

            258KB

            MD5

            c57ef276644263a6a4c6cf871b8e003d

            SHA1

            a2f5ef600da07f5b5588c2ed8ba337741d313095

            SHA256

            a8da87145e0f0463eeabe281c67b347d6ef6bebe3e5e00197a5b6ee59e1eed52

            SHA512

            980da7eb3f8aca92aec8d780dbf07dd2629bf4aa84e4a14a0a4fb387dd512136ed2258b2a1ab3ee6eea3406c5bf1fa0287dc8c0a255445fa2dbb06e7a5da4119

          • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

            Filesize

            477KB

            MD5

            c32f3ae2a93a21a604cd493d86b40278

            SHA1

            4428387f1a1dd12ff5607459bcf4d89cd8ed80fe

            SHA256

            b84bbbbc007c88ca79ea94b2cf92e7a3093c8de3a8ce4b70b6f4d0a9480595a8

            SHA512

            5e7bb3318deebf7663fc4b9c3b20ce75986e32cbb27c34ec94fccf5affde4f0dd9e5dd0bef38510d088ec00b885dccafff09706a75fd927f882540ead7cc7965

          • C:\Users\Admin\AppData\Local\Temp\$$aD8E1.bat

            Filesize

            536B

            MD5

            0a35f46553b7ed555aea6af784794ad9

            SHA1

            050b0a6f23b221936dbf5f711e960eb41eb4dd23

            SHA256

            7cd0752e85dc1b39d859610819d1f6de3e80662c67480a1f499e99e6c002432c

            SHA512

            fe77dab7bfa98cf1cf2a8b7b6a625398d01d4b4af426f86a3bfe81bba0294311411aa83dc1341b6a1d5e9d7f09336c5bd1b8b6f29ec55b7d560bea153d3a1d55

          • C:\Users\Admin\AppData\Local\Temp\8b5e68042edbd8cbbcfcedeade8d6c10N.exe.exe

            Filesize

            57KB

            MD5

            fa71e60855b37c3c26d9ebbb52a0c3de

            SHA1

            e608fea1cd4d5a34d7a86ca4e64d1db67f539f29

            SHA256

            5122bb9ce0e46f847cf1920c4e2fcead16b3101f6f03d3225e92a5f80a2f1c1c

            SHA512

            1b8cc9b37c24c9a5661e26cfb162fd1cb6419a4beb472bf100f4fbb61dfe9c353e8d3502af3d9a55d44a5f07dc0bf49412d5ca0d0d20fe466e3156ad1a88886b

          • C:\Windows\Logo1_.exe

            Filesize

            33KB

            MD5

            67447cc82c32ec0b329d4b6617249dbf

            SHA1

            0deb2e64815a22711d6de43a4be84e5898d44645

            SHA256

            ed16b5f174494d3e4139f6441a81ce67754a08e8cc2ae5688241d5bff95893fb

            SHA512

            175254a41a9fb8c4c113a046880c83ca2370c2f541b27d7a3fb8765a491bf612b37b615ba5c922e8b72f0c3a828edda6dd5afe03030f2b97da35fbd6671c1b76

          • F:\$RECYCLE.BIN\S-1-5-21-3551809350-4263495960-1443967649-1000\_desktop.ini

            Filesize

            8B

            MD5

            5d65d1288c9ecedfd5f28d17a01a30bc

            SHA1

            e5bb89b8ad5c73516abf7e3baeaf1855154381dc

            SHA256

            3501728ad227b52ce4d4f85ddd0e6d28dfa7acce977ae27f1e337be209825a5f

            SHA512

            6177ce001dd535382c3bae5e8c3cfda85d8d8b76b68bce10fa8e5e1e748fd1512a531ffc93fef1316f2c27d93b5b4a5b60a6391f0e131ccc5cc0a65c2755868e

          • memory/1184-28-0x0000000002D90000-0x0000000002D91000-memory.dmp

            Filesize

            4KB

          • memory/1976-15-0x0000000000230000-0x000000000026F000-memory.dmp

            Filesize

            252KB

          • memory/1976-0-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

          • memory/1976-17-0x0000000000230000-0x000000000026F000-memory.dmp

            Filesize

            252KB

          • memory/1976-18-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

          • memory/2480-32-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

          • memory/2480-3001-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

          • memory/2480-4151-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB