Overview

overview

7

Static

static

3

55531bf7f5...fb.exe

windows7-x64

7

55531bf7f5...fb.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240910-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240910-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14-09-2024 19:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    55531bf7f59392f9b32b1c6647b17bd36a75f9536cb5cd8067cbee6d2f6564fb.exe

  • Size

    48KB

  • MD5

    0afccdcba7062a0eac1442ab279b6684

  • SHA1

    8df03692954e89f0614affae9fe6a636be62f6b8

  • SHA256

    55531bf7f59392f9b32b1c6647b17bd36a75f9536cb5cd8067cbee6d2f6564fb

  • SHA512

    9d3a8fd3dcca0343e41a6b7a75063f574e10ece47866cf8d286054c968ee1ca22856227fd5757ecf3a81a0933bdb01364b13327858252dda96cfe9aa1e2e087d

  • SSDEEP

    768:2s6Hp+Vxr1x5cE9Fl5pz8w1rU9hFInlI1LqYJUukGdKETL4Ibq:2Rpsrz8GvnG1hXRTlq

Score
7/10
discoveryspywarestealer

Malware Config

Signatures

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3568
      • C:\Users\Admin\AppData\Local\Temp\55531bf7f59392f9b32b1c6647b17bd36a75f9536cb5cd8067cbee6d2f6564fb.exe
        "C:\Users\Admin\AppData\Local\Temp\55531bf7f59392f9b32b1c6647b17bd36a75f9536cb5cd8067cbee6d2f6564fb.exe"
        2⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:4368
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1540
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:4620
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB75.bat
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3632
          • C:\Users\Admin\AppData\Local\Temp\55531bf7f59392f9b32b1c6647b17bd36a75f9536cb5cd8067cbee6d2f6564fb.exe
            "C:\Users\Admin\AppData\Local\Temp\55531bf7f59392f9b32b1c6647b17bd36a75f9536cb5cd8067cbee6d2f6564fb.exe"
            4⤵
            • Executes dropped EXE
            PID:1688
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Drops startup file
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:3988
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:1832
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:1124
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:1256
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:3324

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files\7-Zip\7z.exe
      Filesize

      577KB

      MD5

      b2d42d2acc3ae6aeae98d929b3fceffd

      SHA1

      9a56b274f4e073f8e9f5869fad424ed8953d841c

      SHA256

      6813174f48fd25892a5fa28d0dd808df9ff007f751539d5f6f99e30cda0d96b5

      SHA512

      57feee21c0493c7fda61517d7bb734596e0de791bbdf09fe85ccc43e532f1fe65a4a4514ce9de20a1394e9f238444e14568ffbcc8fcc434f88b5a7d956c39ea8

      Download Submit

    • C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
      Filesize

      644KB

      MD5

      9044b8cb7dee805474f46fdff328cebb

      SHA1

      1cabc4c6c2c86cbb78765bc9dbc34fb343a473d2

      SHA256

      62fedddac5d2bc0012582f6d5c8a62f1cfeb146338ded33892f3e2e9a3080618

      SHA512

      4c3baf797abb9745bd194cb39da4f7541273d5ceb694929e562b3823118a8851a9b5dde4379d3936ca8fc233339560f7716518a62b421a2fcfe228d1037d9753

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\$$aB75.bat
      Filesize

      721B

      MD5

      bddfac4e58b97558412f95b1de13bd5a

      SHA1

      5a341f55815657428a8d395ea0eb80a0bb8acd03

      SHA256

      3c2a21a91d58a914f1a0a51a780636f5fff193e285d29c1085245dbb546fd8d0

      SHA512

      7c207de9c60b20d8508e7e52501c615e36774339e0621d0fc8c578dab6be79666506d464b95c65b69c13bc8856ba609487eff9e89e9086a0e8b28ae3577cf1c1

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\55531bf7f59392f9b32b1c6647b17bd36a75f9536cb5cd8067cbee6d2f6564fb.exe.exe
      Filesize

      14KB

      MD5

      dc6311fbfd49f41fbf35860a30e68355

      SHA1

      b08b15be412e843acaf7ad5e6df0ef1e8bdb465c

      SHA256

      ffdf81680522029c2eb578a9f442fd9692900a5c782c711e35203fb2d25620ba

      SHA512

      5e2938f5a8396154928a7d093db3843d73497cea4f49c0f1b77e3aac6e29d1db7f0ad4518587c336f0dfccb67ff33aac8e12afa70503504c5d8d46d12a86e453

      Download Submit

    • C:\Windows\Logo1_.exe
      Filesize

      33KB

      MD5

      356cac02b916fa68cdb143461cd998e9

      SHA1

      888516965d3843e0a10864d6cc0480cc912cf0a8

      SHA256

      c0e06a40330d72717d8c82fa7844df30dd8c6d99447e2e2372dc22a95120a92f

      SHA512

      6daeea1394153fb814655ef67b6220182f8eb0fb995f189f455771412e484c6522a6965c13b6ff748060778b25397ecb8a627b2fea4dffcf526ade0aaec53965

      Download Submit

    • F:\$RECYCLE.BIN\S-1-5-21-2629364133-3182087385-364449604-1000\_desktop.ini
      Filesize

      9B

      MD5

      e2a14c19421b289cbd51a76363b166bd

      SHA1

      5d0621d68da5a444f49c090b0725c7044d47fdb7

      SHA256

      844af243be560dc4e478aa7ea28f4959f9df45f204006bade7ae52398d651835

      SHA512

      8c49bec05605c4d2b8f07f00a7a39e70f5bd4f7c84ba221c615447f947053bf3bb0496c38e2bf8b15235c493cc5a0b41f34285fed1adb4c13572f25b67e178e5

      Download Submit

    • memory/3988-8-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB

      Download

    • memory/3988-18-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB

      Download

    • memory/3988-3074-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB

      Download

    • memory/3988-8811-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB

      Download

    • memory/4368-0-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB

      Download

    • memory/4368-11-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB

      Download