Analysis

  • max time kernel: 150s
  • max time network: 122s
  • platform: windows7_x64
  • resource: win7-20240903-en
  • resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted: 09/09/2024, 13:44

General

  • Target: bb95b991ae71c26c3f9936e0958ea9dd58dcdc1885169f458849f2073aa71eca.exe
  • Size: 321KB
  • MD5: 0f3db1295f56858c412e425c78aea7c8
  • SHA1: 09295d464ddd5a4f6816d0e751087a53c39821fd
  • SHA256: bb95b991ae71c26c3f9936e0958ea9dd58dcdc1885169f458849f2073aa71eca
  • SHA512: 45eff2ad7328cc1872944b73342ea75287ed1da4a18df0c34409733df1da0a6934089c981ec4afc3681e82d537e0ef27dc2d4f47bf91343b5e665f12e344deaf
  • SSDEEP: 768:KCJYRO5RroZJ76739sBWs69a7zKHOrEz+mKLtOWDw9a26YeXgZSBw/hAmPu1zU6c:KCwe+Zk78UKUW09aJfXgY1zUTyr5hVM

Malware Config

Signatures

  • Deletes itself (1 IoC)
  • Drops startup file (2 IoCs)
  • Executes dropped EXE (1 IoC)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

  • Enumerates connected drives (3 TTPs, 21 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory (64 IoCs)
  • Drops file in Windows directory (4 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 9 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses (43 IoCs)
  • Suspicious use of WriteProcessMemory (34 IoCs)

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1212
      • C:\Users\Admin\AppData\Local\Temp\bb95b991ae71c26c3f9936e0958ea9dd58dcdc1885169f458849f2073aa71eca.exe
        "C:\Users\Admin\AppData\Local\Temp\bb95b991ae71c26c3f9936e0958ea9dd58dcdc1885169f458849f2073aa71eca.exe"
        2⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2420
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1860
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:3044
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\$$aB693.bat
          3⤵
          • Deletes itself
          • System Location Discovery: System Language Discovery
          PID:2552
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Drops startup file
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2228
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2756
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2832
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2868
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2268

Network

Downloads

  • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
    Filesize: 477KB
    MD5: c32f3ae2a93a21a604cd493d86b40278
    SHA1: 4428387f1a1dd12ff5607459bcf4d89cd8ed80fe
    SHA256: b84bbbbc007c88ca79ea94b2cf92e7a3093c8de3a8ce4b70b6f4d0a9480595a8
    SHA512: 5e7bb3318deebf7663fc4b9c3b20ce75986e32cbb27c34ec94fccf5affde4f0dd9e5dd0bef38510d088ec00b885dccafff09706a75fd927f882540ead7cc7965

  • C:\Users\Admin\AppData\Local\Temp\$$aB693.bat
    Filesize: 722B
    MD5: 92b5ea2a627616250cd3a2076aae288a
    SHA1: 5fbff17d37be98839abfba3f40d2a2a974ef8bb0
    SHA256: a5f756b8926afe41d1b69d22efed520ae897bddf5d6c700fdd33290a3f9a051a
    SHA512: c2116cddf3d803895c9917eb56b6e5446ff51a358bf32f4faa00986963e908202986f48cd7f9db3fbec9bac50cbe2d549189cc2996d7a8807fdb58a40422d27e

  • C:\Users\Admin\AppData\Local\Temp\bb95b991ae71c26c3f9936e0958ea9dd58dcdc1885169f458849f2073aa71eca.exe.exe
    Filesize: 288KB
    MD5: 01bbe782a1da233c59881ed2d18f4f06
    SHA1: 723d4dfdab2b477633455d4775e32bd52f081c7b
    SHA256: 7ded5e3c9c066789a50305a048639afeab4dffcc9673ae7f1092e5af7c6a91b1
    SHA512: 492b202ab850c4f120c4ac7854bf7e7acc865505679d8973736ed3ea28f4b77b645c8a15d806805064ebc81ebd1b4bf07e1fd4023307673d3ce4b81d49c7d175

  • C:\Windows\Logo1_.exe
    Filesize: 33KB
    MD5: 1c1a54d9be781116b0eeb13e29df2877
    SHA1: 27bf3d81ae73403cff58875a67d86e9cd4b83aea
    SHA256: b05922fc1a2cf17f5d94a22c68dfff012367469cfc4c601eeba26e9622de0308
    SHA512: 7490c11f6e66164fe42a8bcc2488fb6d92d492b6eb7b1548d221fe61c9495cad8b740a613041c6bac91c4bc88d4c40155057c03315b5d4c7fe3241b37364703e

  • F:\$RECYCLE.BIN\S-1-5-21-3290804112-2823094203-3137964600-1000\_desktop.ini
    Filesize: 8B
    MD5: 5d65d1288c9ecedfd5f28d17a01a30bc
    SHA1: e5bb89b8ad5c73516abf7e3baeaf1855154381dc
    SHA256: 3501728ad227b52ce4d4f85ddd0e6d28dfa7acce977ae27f1e337be209825a5f
    SHA512: 6177ce001dd535382c3bae5e8c3cfda85d8d8b76b68bce10fa8e5e1e748fd1512a531ffc93fef1316f2c27d93b5b4a5b60a6391f0e131ccc5cc0a65c2755868e

  • memory/1212-27-0x0000000002DB0000-0x0000000002DB1000-memory.dmp
    Filesize: 4KB

  • memory/2228-4189-0x0000000000400000-0x000000000043F000-memory.dmp
    Filesize: 252KB

  • memory/2228-20-0x0000000000400000-0x000000000043F000-memory.dmp
    Filesize: 252KB

  • memory/2228-2761-0x0000000000400000-0x000000000043F000-memory.dmp
    Filesize: 252KB

  • memory/2228-31-0x0000000000400000-0x000000000043F000-memory.dmp
    Filesize: 252KB

  • memory/2420-18-0x0000000000400000-0x000000000043F000-memory.dmp
    Filesize: 252KB

  • memory/2420-12-0x00000000001C0000-0x00000000001FF000-memory.dmp
    Filesize: 252KB

  • memory/2420-17-0x00000000001C0000-0x00000000001FF000-memory.dmp
    Filesize: 252KB

  • memory/2420-0-0x0000000000400000-0x000000000043F000-memory.dmp
    Filesize: 252KB