Overview

overview

7

Static

static

3

a72da3ad63...b0.exe

windows7-x64

7

a72da3ad63...b0.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    19s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    14/09/2024, 23:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a72da3ad6300238b603a51b956742fafeb4a5f60fbfdde896942057313421eb0.exe

  • Size

    370KB

  • MD5

    0bc809fe7742d3d6fcf2a83c90294916

  • SHA1

    0427ffc83d06d0b29dc51489ae7f6d992fc5bda4

  • SHA256

    a72da3ad6300238b603a51b956742fafeb4a5f60fbfdde896942057313421eb0

  • SHA512

    7d2e1366e029f54479a657c6ddac56aa49a183a2f10c8143f78287247081fd220d6529e67919ad246a2a0b42a8aafb24efc959fd149b44f5d6986b7940c5bb6d

  • SSDEEP

    6144:UJt4DREcMZ5vVCiiKrao9afJu3YYtWGaVoRiS6hxH5AgPaxA:UJ+FuvVCiisao9Ii3aViKHye

Score
7/10
discoveryspywarestealer

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 5 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 43 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1264
      • C:\Users\Admin\AppData\Local\Temp\a72da3ad6300238b603a51b956742fafeb4a5f60fbfdde896942057313421eb0.exe
        "C:\Users\Admin\AppData\Local\Temp\a72da3ad6300238b603a51b956742fafeb4a5f60fbfdde896942057313421eb0.exe"
        2⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1348
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3004
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:2288
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\$$aD24D.bat
          3⤵
          • Deletes itself
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2820
          • C:\Users\Admin\AppData\Local\Temp\a72da3ad6300238b603a51b956742fafeb4a5f60fbfdde896942057313421eb0.exe
            "C:\Users\Admin\AppData\Local\Temp\a72da3ad6300238b603a51b956742fafeb4a5f60fbfdde896942057313421eb0.exe"
            4⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:3044
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Drops startup file
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2924
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2296
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2696
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2748
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2188

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
      Filesize

      258KB

      MD5

      fbe9b5a5a8033c561985a37543a2d5ca

      SHA1

      92b7387769c72321d0e9a3a6597f6dea76bda0fa

      SHA256

      49bc43b57e66727fa33af7fcbd8b30469dee4864f38b6e23ba60e410cacae29e

      SHA512

      5c170b8b7a79e20e93f437856f09327a8b689f5c0a31e788ff9ffb4079ed362daaa0ee5ce17c308ff1f6cc02c3c01b0ba5d4d1452449c484982b4d8c325f06fc

      Download Submit

    • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
      Filesize

      478KB

      MD5

      8ef1a94c2988444c9d5d6c36a63765d3

      SHA1

      d566ce1693e16fd605afcf2c5ea87af57af56197

      SHA256

      ab3dfdf37c3eaae2dbeb15b4e6be3659187e8e3613450664160702c787cf1623

      SHA512

      991fc8c061d831e96f6e061ec85f6d5c2aa7e7380a949bd04193ef6b0f8d495a462bf6b9bcafbd2893eefa0195bf4a191a923c36f4845e6f44a86be1e1ded45e

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\$$aD24D.bat
      Filesize

      722B

      MD5

      ac6c040a2877d826589d14e359734b18

      SHA1

      8e676c4d662f083a25970726317fe26221b57d20

      SHA256

      12c1a519655b766a3600b9c03690656383ad0f0b4d33f3035a44d35f64fed159

      SHA512

      59082d248cf5b466927207c608bb8b7d47c276d9554aafc1834027a2ad6975a19703e898a9bdb3ede67657aebf1bd7a3b9a80f250cdd480c9f246201e845d874

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\a72da3ad6300238b603a51b956742fafeb4a5f60fbfdde896942057313421eb0.exe.exe
      Filesize

      337KB

      MD5

      383dcbf7e816408a7bcc0a2c41634356

      SHA1

      8179e5d4f88995a92110e4341be44335fa6636f6

      SHA256

      1a4bd956c34459258c85ca9c81dc547d2ef3e276c1f5d07f93902b4a8c74586e

      SHA512

      8b0b5015fc9100d58d73c1b331318f4568cf16529205b127c4ff473df95a8f0a52d5271cc4b66640630ed633449eccdf025166781b67834cc04d8ce23d79554a

      Download Submit

    • C:\Windows\Logo1_.exe
      Filesize

      33KB

      MD5

      360fcd6465d0bf904a09678d72377826

      SHA1

      d430143c26f65dcccda4712aaa79bac8cf1f1002

      SHA256

      c5c7d44610a7680afdeed1cbe968685a585670017d6eeb3a9f7df922f8ab987b

      SHA512

      3d442dc1ed3214adf1eb739b244dc5ea3bd90fe181f12a7b723e807cadb7b4512fdd82a05316116711a6be532e9bd114e71880df59138d314b350f7bf581865a

      Download Submit

    • F:\$RECYCLE.BIN\S-1-5-21-457978338-2990298471-2379561640-1000\_desktop.ini
      Filesize

      9B

      MD5

      e2a14c19421b289cbd51a76363b166bd

      SHA1

      5d0621d68da5a444f49c090b0725c7044d47fdb7

      SHA256

      844af243be560dc4e478aa7ea28f4959f9df45f204006bade7ae52398d651835

      SHA512

      8c49bec05605c4d2b8f07f00a7a39e70f5bd4f7c84ba221c615447f947053bf3bb0496c38e2bf8b15235c493cc5a0b41f34285fed1adb4c13572f25b67e178e5

      Download Submit

    • memory/1264-30-0x0000000002AB0000-0x0000000002AB1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1348-17-0x0000000000230000-0x0000000000270000-memory.dmp

      Filesize

      256KB

      Download

    • memory/1348-0-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB

      Download

    • memory/1348-18-0x0000000000230000-0x0000000000270000-memory.dmp

      Filesize

      256KB

      Download

    • memory/1348-19-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB

      Download

    • memory/2924-33-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB

      Download

    • memory/2924-1654-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB

      Download

    • memory/2924-20-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB

      Download

    • memory/2924-3884-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB

      Download

    • memory/2924-9287-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB

      Download