Overview

overview

7

Static

static

3

e631dc2840...bc.exe

windows7-x64

7

e631dc2840...bc.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    18s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    19-09-2024 06:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e631dc2840c529d8dd7c5e188f87e0a70ae7f3bda7a61767f78c14ac2c2807bc.exe

  • Size

    176KB

  • MD5

    7c6dfa10c7d8d55255b969b7f6582da0

  • SHA1

    116fcea646b242fa467095a20ba6950bed9c57cf

  • SHA256

    e631dc2840c529d8dd7c5e188f87e0a70ae7f3bda7a61767f78c14ac2c2807bc

  • SHA512

    4318b51d6b63b4ba70c4194d0e2ff30d78baf522a9076a2b60a78e91206b7bfe5205aeb1995079b1c23c9978d67f057dc3d4154b60ec38e38b94b4a7143475b0

  • SSDEEP

    3072:K4we+a1DfByOpGjAvb3eLG2FmDDSrDVTFooWZet3:Jl+appyOpGcj3UFmDDSrDVTSBQ3

Score
7/10
discoveryspywarestealer

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 43 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1404
      • C:\Users\Admin\AppData\Local\Temp\e631dc2840c529d8dd7c5e188f87e0a70ae7f3bda7a61767f78c14ac2c2807bc.exe
        "C:\Users\Admin\AppData\Local\Temp\e631dc2840c529d8dd7c5e188f87e0a70ae7f3bda7a61767f78c14ac2c2807bc.exe"
        2⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2528
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1968
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:2260
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\$$a4569.bat
          3⤵
          • Deletes itself
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2736
          • C:\Users\Admin\AppData\Local\Temp\e631dc2840c529d8dd7c5e188f87e0a70ae7f3bda7a61767f78c14ac2c2807bc.exe
            "C:\Users\Admin\AppData\Local\Temp\e631dc2840c529d8dd7c5e188f87e0a70ae7f3bda7a61767f78c14ac2c2807bc.exe"
            4⤵
            • Executes dropped EXE
            PID:2288
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Drops startup file
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2760
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2768
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2772
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2748
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2724

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
      Filesize

      258KB

      MD5

      2d5dc0e2365add6101339ca3601e4844

      SHA1

      27e0ae2b53f348cde2138b61ec8893ccb5e18842

      SHA256

      06d01bbe9ea2aa34904f77fc3582ce1c0624a44d09f3d71a2ef2a718065aa4c2

      SHA512

      5e54034137c3dc52282c69dcf1255c82d2ea8fab9fdca59b86f6fcd9d04cff08ee74c51cf844594fb27e7cbcb28450c0992bd9ee533b313b5bcaef63c9fbdc84

      Download Submit

    • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
      Filesize

      477KB

      MD5

      c32f3ae2a93a21a604cd493d86b40278

      SHA1

      4428387f1a1dd12ff5607459bcf4d89cd8ed80fe

      SHA256

      b84bbbbc007c88ca79ea94b2cf92e7a3093c8de3a8ce4b70b6f4d0a9480595a8

      SHA512

      5e7bb3318deebf7663fc4b9c3b20ce75986e32cbb27c34ec94fccf5affde4f0dd9e5dd0bef38510d088ec00b885dccafff09706a75fd927f882540ead7cc7965

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\$$a4569.bat
      Filesize

      722B

      MD5

      74fdbbfa2832db5a76817fb56398708d

      SHA1

      71561217e4629d1d4abeff76a601d90826cb2f44

      SHA256

      f12723b5fd4862bc99fd21510c8ddd32d0efc8657f8d36b068559b26ea04b46e

      SHA512

      4f958358c46f20bedf3a0f5ac64fbf719eea62865402f15b92e9d21b43697c1dada23ecaf8720b7d8f835f0c10c2e2b4210209a5aa5e71084ece0518a3bba8b0

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\e631dc2840c529d8dd7c5e188f87e0a70ae7f3bda7a61767f78c14ac2c2807bc.exe.exe
      Filesize

      143KB

      MD5

      33b4c87f18b4c49114d7a8980241657a

      SHA1

      254c67b915e45ad8584434a4af5e06ca730baa3b

      SHA256

      587296f3ff624295079471e529104385e5c30ddc46462096d343c76515e1d662

      SHA512

      42b48b4dcd76a8b2200cfafddc064c053a9d1a4b91b81dee9153322c0b2269e4d75f340c1bf7e7750351fb656445efaf1e1fe0f7e543497b247dd3f83f0c86f9

      Download Submit

    • C:\Windows\Logo1_.exe
      Filesize

      33KB

      MD5

      0fa99b8acf13f45b95bacb99fad6efef

      SHA1

      d6271ca22be5d6bbfba2ef4229dca71182d43892

      SHA256

      c41ba3c322874847191377fd1671808aff7f2aac06b0ad1a8d1e81679e498b01

      SHA512

      efdbb5b56a621d6bffe454cf860483a21a64d59ece212cbc42f45f6a2259f5afd99621b88253b8808af5429b7e67d69136dc5fa63b304389e3e2ac090495cc31

      Download Submit

    • F:\$RECYCLE.BIN\S-1-5-21-1506706701-1246725540-2219210854-1000\_desktop.ini
      Filesize

      9B

      MD5

      82fa69b12ac2df558c85e86426eb13eb

      SHA1

      ad90b8756e3bebe04450f6950419c761844d7b7e

      SHA256

      f7622a3740b818722e46a36b5aeb1c0ba6bec25bec811e3dcfe0b5ba1d728775

      SHA512

      3c4da39d3b0d68ade3ff8ded69bf1e78a1ef88f7ed70c85572ae06e6be78155ffc2f557f577208e579191be2d8be2a1fa833b9ca74a35bb69cf9c32c23f4d99f

      Download Submit

    • memory/1404-28-0x00000000029E0000-0x00000000029E1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2528-17-0x0000000000230000-0x000000000026F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2528-0-0x0000000000400000-0x000000000043F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2528-19-0x0000000000400000-0x000000000043F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2528-15-0x0000000000230000-0x000000000026F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2760-32-0x0000000000400000-0x000000000043F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2760-3002-0x0000000000400000-0x000000000043F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2760-4195-0x0000000000400000-0x000000000043F000-memory.dmp

      Filesize

      252KB

      Download