Overview

overview

7

Static

static

3

733b979206...09.exe

windows7-x64

7

733b979206...09.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    113s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09/09/2024, 12:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    733b97920694040cf31888669d75229717b34c0e0fe892d10bb5421f0879fc09.exe

  • Size

    33KB

  • MD5

    ac4d54500ddcf012f66bc5ba7530beb1

  • SHA1

    375bfcd1b95696f4b1c5f93dd5621e5c16fcda98

  • SHA256

    733b97920694040cf31888669d75229717b34c0e0fe892d10bb5421f0879fc09

  • SHA512

    076bddcb1a579a43ec3714f9396a2b3836bcb86d469c9df56b9bbc94aaf1330069c97c75081e5414faf2160b8904f357fa823c40273e64c8278059c760fa974a

  • SSDEEP

    768:KBRO5RroZJ76739sBWs69a7zKHOrEz+mKLtOWD:Kfe+Zk78UKUW

Score
7/10
discoveryspywarestealer

Malware Config

Signatures

  • Drops startup file 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 60 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3568
      • C:\Users\Admin\AppData\Local\Temp\733b97920694040cf31888669d75229717b34c0e0fe892d10bb5421f0879fc09.exe
        "C:\Users\Admin\AppData\Local\Temp\733b97920694040cf31888669d75229717b34c0e0fe892d10bb5421f0879fc09.exe"
        2⤵
        • Drops startup file
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:4228
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3888
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:4308
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1580
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:3844

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe
      Filesize

      250KB

      MD5

      6bb9d7b6949c25cc2312bcd71b8e4f91

      SHA1

      96d199177506b8cc560fbc5bddca9473e9444bbb

      SHA256

      c9b0a0f3da1d9d659f8f1e9fd23403be58b04a4e96c1ee5bab96b7fd84aee5d6

      SHA512

      9eab4cff5138c8d1409e97cb80dd88a190c6984591a15a3c6bef094ecab16856deeee19daba78b34b3b1a27ebf70a487196f3c6d92e4e9645c036b8f4d42e92d

      Download Submit

    • C:\Program Files\dotnet\dotnet.exe
      Filesize

      176KB

      MD5

      73d3829bda7873aad89b3e12ffc97f9a

      SHA1

      064bf3c8014ab716ec387ff53e377a4947442604

      SHA256

      c229f2008c8101c7f6490694af2c8eb538c6c2abea578d74d4a94d18243f6111

      SHA512

      155b6fefbd4c8caa59f551f266954941e21b9badf4f493d122ff96a7d937cfcb2cfeb8194890c95487f85ceeffd4bf31c1b313e409afee027ff5bca4b083ee13

      Download Submit

    • C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
      Filesize

      643KB

      MD5

      29bab5fa7dbfd951e1c8290a8f4c2ba7

      SHA1

      7b86728d64cef9686bd45f2ff6fdc818c11a1bbb

      SHA256

      dda333d8aed86ba750f669280e458ad2fb8d8ad5700a5fe0df584a1c818c481b

      SHA512

      5bb37bffffe297653f91e0601f17b507659bcfe78567e6e1d10506d3c3bea737e7d6374224ecc01f421cff8f74b299eba8fe3152742b2b1c228966a630de1339

      Download Submit

    • F:\$RECYCLE.BIN\S-1-5-21-1194130065-3471212556-1656947724-1000\_desktop.ini
      Filesize

      8B

      MD5

      5d65d1288c9ecedfd5f28d17a01a30bc

      SHA1

      e5bb89b8ad5c73516abf7e3baeaf1855154381dc

      SHA256

      3501728ad227b52ce4d4f85ddd0e6d28dfa7acce977ae27f1e337be209825a5f

      SHA512

      6177ce001dd535382c3bae5e8c3cfda85d8d8b76b68bce10fa8e5e1e748fd1512a531ffc93fef1316f2c27d93b5b4a5b60a6391f0e131ccc5cc0a65c2755868e

      Download Submit

    • memory/4228-0-0x0000000000400000-0x000000000043F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4228-3-0x0000000000400000-0x000000000043F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4228-2705-0x0000000000400000-0x000000000043F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4228-8829-0x0000000000400000-0x000000000043F000-memory.dmp

      Filesize

      252KB

      Download