Analysis

  • max time kernel
    119s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    10/09/2024, 00:01

General

  • Target

    866d4082cb55a980eb9853baca970bf0N.exe

  • Size

    66KB

  • MD5

    866d4082cb55a980eb9853baca970bf0

  • SHA1

    d48af090631c9717714bc952194ecb7d6fec9d9b

  • SHA256

    1f6edb6ba58ee9b822dcea40f56b4e9a07989fcb80641c112ef22d40b18b7907

  • SHA512

    f041a40bb4623a4ced1194acecee041162c9bc16d01e7a6b916641c8a21523d5a667d40ff40c6eac91d33a0903fb257a7123a9228334f656212cf5bca5798d7e

  • SSDEEP

    1536:JMraYzMXqtGN/CstC9qVFAb4yzwC132n6wkj7:JMraY46tGNFC0VFAb4yzjwkH

Malware Config

Signatures

  • Drops file in Drivers directory 2 IoCs
  • Deletes itself 1 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials, etc.

  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 43 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1240
      • C:\Users\Admin\AppData\Local\Temp\866d4082cb55a980eb9853baca970bf0N.exe
        "C:\Users\Admin\AppData\Local\Temp\866d4082cb55a980eb9853baca970bf0N.exe"
        2⤵
        • Drops file in Drivers directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2672
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1524
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:1932
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\$$aA8DD.bat
          3⤵
          • Deletes itself
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2496
          • C:\Users\Admin\AppData\Local\Temp\866d4082cb55a980eb9853baca970bf0N.exe
            "C:\Users\Admin\AppData\Local\Temp\866d4082cb55a980eb9853baca970bf0N.exe"
            4⤵
            • Executes dropped EXE
            PID:2728
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Drops file in Drivers directory
          • Drops startup file
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2532
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:3000
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:1636
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:3028
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2924

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
    Filesize
    258KB
    MD5
    4cb61cdbe83e32f686ec1d5d9c8c81e8
    SHA1
    6c9a639ff8614f535dfbe594a0553c5e20f2ab36
    SHA256
    f08253c31ff0c37a31859b433f48e079de3e2aedd383897c1059438de5e9dfdf
    SHA512
    22cd0ff6e09b547c3f9026b07d943c52e75937679c4bbec080c0fc285a802f61317332a1d0186c68bfdb259965cabda9f7952bb00013e94011b0606d34ccf39c

  • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
    Filesize
    478KB
    MD5
    e3d7f6cbc53a96972587f05acd5c0ca0
    SHA1
    e12f124807a30188da6157d4423775373c668dd8
    SHA256
    75db003d5fe6855e432e4ccaf8720890f181c3dc9d800b253508aebabfde2da8
    SHA512
    ea783b525ebf1fa786d06051e64c72efa9665aaaa0e456c99c3fb80298066491da47d9056f7046d35d4bb3165ac2ca85eac9c9a9331923dbf56937831a9bc078

  • C:\Users\Admin\AppData\Local\Temp\$$aA8DD.bat
    Filesize
    536B
    MD5
    187ca85feb14fef9063fafe8c143f942
    SHA1
    e8f49af43cdce05375e7234737db5b3603efe471
    SHA256
    25fdc524feea7eddbb039e02f558a97d1461f106b398b2d00e64eb7409b8393a
    SHA512
    6fa41183247750a24cfb867a6e27113012c890470a977eea51122a25617996d063ae70789d4845380388cb1d07d7db3f54b00024075b2813cdae0d149a4839a8

  • C:\Users\Admin\AppData\Local\Temp\866d4082cb55a980eb9853baca970bf0N.exe.exe
    Filesize
    33KB
    MD5
    e27df2dd35f9e988ae5eb765cdf26dcf
    SHA1
    c21252dbf9e06e2d4492c3bbd6c29c41b5eb8440
    SHA256
    cdd28c680dd5ccaa7cc5accc72825a3705747717735e0a6a3f446bfdcb27b044
    SHA512
    8ea4e39586c42f983e07ab887e04147ab43757aa605997ad8487c64adbef51740ecc62b7030bbebf3bd962c65c1e66ee24d6d7e780b3e7ce0344f2bf2194ed50

  • C:\Windows\Logo1_.exe
    Filesize
    33KB
    MD5
    a5817ced46296620f62b49e66c0e0b7e
    SHA1
    56446bbb1855257d094cb44e4e216b64bcd25fe0
    SHA256
    39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525
    SHA512
    8b7ebb7fbb377450ddddcf447afe8cd0d67f422f101c8f6f8f81746e027084ce1c8a7e01da7311ba4ceb6d4e1dacf9220dd471970833cd32bfa241691d03b5b2

  • C:\Windows\system32\drivers\etc\hosts
    Filesize
    832B
    MD5
    7e3a0edd0c6cd8316f4b6c159d5167a1
    SHA1
    753428b4736ffb2c9e3eb50f89255b212768c55a
    SHA256
    1965854dfa54c72529c88c7d9f41fa31b4140cad04cf03d3f0f2e7601fcbdc6c
    SHA512
    9c68f7f72dfa109fcfba6472a1cced85bc6c2a5481232c6d1d039c88b2f65fb86070aeb26ac23e420c6255daca02ea6e698892f7670298d2c4f741b9e9415c7f

  • F:\$RECYCLE.BIN\S-1-5-21-4177215427-74451935-3209572229-1000\_desktop.ini
    Filesize
    9B
    MD5
    6958c617a77595dbc06ba761133b066e
    SHA1
    aa86897fa79edfb2905f43528d63d0baaa0b40f2
    SHA256
    d1070387888af7568a73c3ce347758ce54586ae7ad77f1e34358bef9598a4758
    SHA512
    da2fbe30ee3b252faac068ce82c34b1cc0516e164d457726742c09e4f8c01c36c6fb20e48b8db83bc86672255152784142aebc0efeaec33a28c721c8ecdd27d2

  • memory/1240-30-0x0000000002500000-0x0000000002501000-memory.dmp
    Filesize
    4KB

  • memory/2532-34-0x0000000000400000-0x000000000043E000-memory.dmp
    Filesize
    248KB

  • memory/2532-2964-0x0000000000400000-0x000000000043E000-memory.dmp
    Filesize
    248KB

  • memory/2532-4153-0x0000000000400000-0x000000000043E000-memory.dmp
    Filesize
    248KB

  • memory/2672-0-0x0000000000400000-0x000000000043E000-memory.dmp
    Filesize
    248KB

  • memory/2672-19-0x0000000000270000-0x00000000002AE000-memory.dmp
    Filesize
    248KB

  • memory/2672-20-0x0000000000400000-0x000000000043E000-memory.dmp
    Filesize
    248KB

  • memory/2672-13-0x0000000000270000-0x00000000002AE000-memory.dmp
    Filesize
    248KB