Overview

overview

7

Static

static

3

84f849fd42...e0.exe

windows7-x64

7

84f849fd42...e0.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    124s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240910-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240910-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14/09/2024, 22:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    84f849fd424cf421a3a23c37bab1f4af27d78ee6439c392f05f9bc8430477ee0.exe

  • Size

    186KB

  • MD5

    be4302b59375d53a7785b9a57e20aa96

  • SHA1

    4b1969e92a87c6895363610deb55ed25490d2ceb

  • SHA256

    84f849fd424cf421a3a23c37bab1f4af27d78ee6439c392f05f9bc8430477ee0

  • SHA512

    1060a5acb1e41369c361b4d4809f9304467511b9a11c3d457d72dd3bf661e08458f3128033817ceefd0b94ae2ab13cc7dbfa524728bbc17d0304d6dac20b9471

  • SSDEEP

    3072:2i8aNARYLJXJoYtpA/H3RpDecC+EZX70RjLTu46R0Eb:gSgYLjvqXRpDecw7Kj3u46db

Score
7/10
discoveryspywarestealer

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3480
      • C:\Users\Admin\AppData\Local\Temp\84f849fd424cf421a3a23c37bab1f4af27d78ee6439c392f05f9bc8430477ee0.exe
        "C:\Users\Admin\AppData\Local\Temp\84f849fd424cf421a3a23c37bab1f4af27d78ee6439c392f05f9bc8430477ee0.exe"
        2⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1044
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1288
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:3960
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB4B9.bat
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4364
          • C:\Users\Admin\AppData\Local\Temp\84f849fd424cf421a3a23c37bab1f4af27d78ee6439c392f05f9bc8430477ee0.exe
            "C:\Users\Admin\AppData\Local\Temp\84f849fd424cf421a3a23c37bab1f4af27d78ee6439c392f05f9bc8430477ee0.exe"
            4⤵
            • Executes dropped EXE
            PID:4620
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:4804
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:860
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:3500
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:3704
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:3340

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files\7-Zip\7z.exe
      Filesize

      577KB

      MD5

      b2d42d2acc3ae6aeae98d929b3fceffd

      SHA1

      9a56b274f4e073f8e9f5869fad424ed8953d841c

      SHA256

      6813174f48fd25892a5fa28d0dd808df9ff007f751539d5f6f99e30cda0d96b5

      SHA512

      57feee21c0493c7fda61517d7bb734596e0de791bbdf09fe85ccc43e532f1fe65a4a4514ce9de20a1394e9f238444e14568ffbcc8fcc434f88b5a7d956c39ea8

      Download Submit

    • C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
      Filesize

      644KB

      MD5

      9044b8cb7dee805474f46fdff328cebb

      SHA1

      1cabc4c6c2c86cbb78765bc9dbc34fb343a473d2

      SHA256

      62fedddac5d2bc0012582f6d5c8a62f1cfeb146338ded33892f3e2e9a3080618

      SHA512

      4c3baf797abb9745bd194cb39da4f7541273d5ceb694929e562b3823118a8851a9b5dde4379d3936ca8fc233339560f7716518a62b421a2fcfe228d1037d9753

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\$$aB4B9.bat
      Filesize

      722B

      MD5

      1721e4be96e8c6ac821cd0bb1865c1ca

      SHA1

      8f97c3e8f2f747dbd7589acd9bdbb3686ce0a4ab

      SHA256

      93c6b9824073784ccb444fbe24d1f5e42a07692c2359219f1488976af765bb2d

      SHA512

      b53c5c777f4259a677068b39545835276e9fcee0ff763ec6dea14d74db0ebc98033e5a94dbfa1c4c5ef814674c19a418738e7d745967e4c37e12f29d5b18c86f

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\84f849fd424cf421a3a23c37bab1f4af27d78ee6439c392f05f9bc8430477ee0.exe.exe
      Filesize

      152KB

      MD5

      3440c72d695db245adb2728b6a5d9b1d

      SHA1

      1e510973687c9a0b58464aaf43048a183d825e26

      SHA256

      37462e31a348d32c9421557f38a601a632c0bdf24d8157481ba82b45f8fef64f

      SHA512

      5be93dca3a1f9b8e286146d43f848ef6b8bc5ef99ca5cf50839a62dd5083d915dc94ca5a30658838e2365a45a5dd522e641ee71f811202148c9db860113018e6

      Download Submit

    • C:\Windows\Logo1_.exe
      Filesize

      33KB

      MD5

      356cac02b916fa68cdb143461cd998e9

      SHA1

      888516965d3843e0a10864d6cc0480cc912cf0a8

      SHA256

      c0e06a40330d72717d8c82fa7844df30dd8c6d99447e2e2372dc22a95120a92f

      SHA512

      6daeea1394153fb814655ef67b6220182f8eb0fb995f189f455771412e484c6522a6965c13b6ff748060778b25397ecb8a627b2fea4dffcf526ade0aaec53965

      Download Submit

    • F:\$RECYCLE.BIN\S-1-5-21-2629364133-3182087385-364449604-1000\_desktop.ini
      Filesize

      9B

      MD5

      e2a14c19421b289cbd51a76363b166bd

      SHA1

      5d0621d68da5a444f49c090b0725c7044d47fdb7

      SHA256

      844af243be560dc4e478aa7ea28f4959f9df45f204006bade7ae52398d651835

      SHA512

      8c49bec05605c4d2b8f07f00a7a39e70f5bd4f7c84ba221c615447f947053bf3bb0496c38e2bf8b15235c493cc5a0b41f34285fed1adb4c13572f25b67e178e5

      Download Submit

    • memory/1044-0-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB

      Download

    • memory/1044-11-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB

      Download

    • memory/4804-8-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB

      Download

    • memory/4804-18-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB

      Download

    • memory/4804-2826-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB

      Download

    • memory/4804-8724-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB

      Download