Analysis

  • max time kernel
    120s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    11/09/2024, 23:06

General

  • Target
    350e05b915c077934c88acb64e94b610N.exe
  • Size
    563KB
  • MD5
    350e05b915c077934c88acb64e94b610
  • SHA1
    1a2e33ee89ef631f5eed1dba1710ef0c1a0af769
  • SHA256
    0a74b3992e4d72c20ec26b096f1e2b4c85838006b7d3d95f02e1a12c3f81dea0
  • SHA512
    33055d4f7ccb15bed2830255164773c09c835a21e05a8bacf4593a1d23d1b90a8f8c4eeda6b14c0e88df5dd93d8fbc490ade1399c74875b67ca247e4f73e20e4
  • SSDEEP
    12288:H3NKc9iJafmm2VYK+UNo0RweQfoAxHv9sN4A4H9J618UtQ43iUa:H3NCVm2VZQwy9E1Vf3M

Malware Config

Signatures

  • Drops file in Drivers directory 2 IoCs
  • Deletes itself 1 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 43 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1204
      • C:\Users\Admin\AppData\Local\Temp\350e05b915c077934c88acb64e94b610N.exe
        "C:\Users\Admin\AppData\Local\Temp\350e05b915c077934c88acb64e94b610N.exe"
        2⤵
        • Drops file in Drivers directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:3052
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1276
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:2764
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\$$aEC14.bat
          3⤵
          • Deletes itself
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2672
          • C:\Users\Admin\AppData\Local\Temp\350e05b915c077934c88acb64e94b610N.exe
            "C:\Users\Admin\AppData\Local\Temp\350e05b915c077934c88acb64e94b610N.exe"
            4⤵
            • Executes dropped EXE
            PID:2564
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Drops file in Drivers directory
          • Drops startup file
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2680
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2568
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2540
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:496
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2248

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
    Filesize: 258KB
    MD5: 5ff29fc8bcaeafb441142434a5507134
    SHA1: 71de36de89171ae2dfd86f4a5b7e1cd36875cb03
    SHA256: c86b67589d53c65a4ba7eca281293fcdf59caa70deafacb9e9a6b7be1d045a89
    SHA512: 3cc0ee042ac2eae2e73e0b657a309216c675f49e9d249136132c95aebea02b7d5491cc694f45699f9191c663e1735f56802e9c66d9728923c99299a3bac12da0

  • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
    Filesize: 478KB
    MD5: 0165e17c5e9a80f5533940114281c930
    SHA1: 5e5bd89c8cb9e5ec512e5759c5b1e080ce27c9a6
    SHA256: f8ea49a11b2001dda551b78c743cfc62461d8270aab8ed822a5dfb68c3a269a5
    SHA512: 56f43711fd84c5052e1d15fe47fd7755b0aa944197e08c6a84762c2db6dc2ea1fbe2b14451772f213f82a34e18d4a79b7c3efd5be211b86ecd7c9603fd4c772b

  • C:\Users\Admin\AppData\Local\Temp\$$aEC14.bat
    Filesize: 536B
    MD5: b33ae10328d0b917334113117e6519fb
    SHA1: 12f0f359618c0e47596c3908a719dc856092bff9
    SHA256: 8eafa5ed353edf4991d7ad41f473657bff7bb99ba4d720a1e8c1e02d7a6fcab7
    SHA512: 286f198200e41678d931445f66cba67eb10547d7711db03f3f381ecb60fd676977ed3139245db86c3b62ded76cc0da74a72ba727872157fe72e07e46a04cf401

  • C:\Users\Admin\AppData\Local\Temp\350e05b915c077934c88acb64e94b610N.exe.exe
    Filesize: 529KB
    MD5: cca0c5482b8a6a275d9d49433f435dfa
    SHA1: a72ae8621386e13c34055f612ae7612b8a18a39e
    SHA256: 6ea08bbcedf7cb51cfbe4896ef8c589a4568b1d5240265b1dcfda83dc8b55365
    SHA512: b88f5cdb4bc08429ca40d24cef490128d341e10615d1d93d084b3247c2b28573d177d878c1385d3941e16a8bcc8a9f6b7870c152f4a43d02e69c05defcc9196e

  • C:\Windows\Logo1_.exe
    Filesize: 33KB
    MD5: e6880038348411f45cdee5b33ef8ec80
    SHA1: cd5349439457d0e6fe75c4896841159b4300b7ad
    SHA256: 0f8cf2f66d0bb8c5ecfa5ed667b9b6b10a802800ae22be23a8e15c2e5f3fd4c8
    SHA512: aacdb24fd8fd358e48e381fb805bd2bf14143f4e6bf6d7a27b42e82aba9543597d06035c357f119106563cc88c1177401909c110540ce23fa65e6f66a9a301df

  • C:\Windows\system32\drivers\etc\hosts
    Filesize: 832B
    MD5: 7e3a0edd0c6cd8316f4b6c159d5167a1
    SHA1: 753428b4736ffb2c9e3eb50f89255b212768c55a
    SHA256: 1965854dfa54c72529c88c7d9f41fa31b4140cad04cf03d3f0f2e7601fcbdc6c
    SHA512: 9c68f7f72dfa109fcfba6472a1cced85bc6c2a5481232c6d1d039c88b2f65fb86070aeb26ac23e420c6255daca02ea6e698892f7670298d2c4f741b9e9415c7f

  • F:\$RECYCLE.BIN\S-1-5-21-1846800975-3917212583-2893086201-1000\_desktop.ini
    Filesize: 9B
    MD5: f74f4ac317419affe59fa4d389dd7e7c
    SHA1: 010f494382d5a64298702fe3732c9b96f438c653
    SHA256: 74fafb0f14fb17a8a4963d5f46fc50b3517e7aa13414ac5f42edfdf212a9bb01
    SHA512: f82fea1632b97d2b6771f43a6941c84d7fbb86f4c4f69e9b4335aa0e166e2670f09d451da61b13cb16994b9294e99b1cfa27f2447579645b3886b7bd014cc00f

  • memory/1204-32-0x0000000002D50000-0x0000000002D51000-memory.dmp
    Filesize: 4KB

  • memory/2680-36-0x0000000000400000-0x000000000043E000-memory.dmp
    Filesize: 248KB

  • memory/2680-21-0x0000000000400000-0x000000000043E000-memory.dmp
    Filesize: 248KB

  • memory/2680-2965-0x0000000000400000-0x000000000043E000-memory.dmp
    Filesize: 248KB

  • memory/2680-4154-0x0000000000400000-0x000000000043E000-memory.dmp
    Filesize: 248KB

  • memory/3052-19-0x0000000000400000-0x000000000043E000-memory.dmp
    Filesize: 248KB

  • memory/3052-18-0x0000000000290000-0x00000000002CE000-memory.dmp
    Filesize: 248KB

  • memory/3052-17-0x0000000000290000-0x00000000002CE000-memory.dmp
    Filesize: 248KB

  • memory/3052-0-0x0000000000400000-0x000000000043E000-memory.dmp
    Filesize: 248KB