Overview

overview

7

Static

static

3

f693a7e8a9...a7.exe

windows7-x64

7

f693a7e8a9...a7.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    19-09-2024 06:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f693a7e8a92bb7b24eb811b7dba24b2f8c02814a6f81f3ec4f278fc9089b33a7.exe

  • Size

    723KB

  • MD5

    ef1d319518a6e8d27e0d8ed1ee0cd0f8

  • SHA1

    e430328e360b542da7e9929090312bd99426a5fd

  • SHA256

    f693a7e8a92bb7b24eb811b7dba24b2f8c02814a6f81f3ec4f278fc9089b33a7

  • SHA512

    08ea7d62b9e1a34dc3a126272307cdc3bfd89d2110ebacc519ab7521c31481a6f5a45a423dc3f2e6c3dd4c6c4f91d868b8ac3e1a01dd5d994bd8093edc219a1f

  • SSDEEP

    12288:V+azbvPfC6Aj+TN5uixZN+8rKhUdTC/wE1ZD0Ca5ZIXV:VBzb/LOS2opPIXV

Score
7/10
discoveryspywarestealer

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 43 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    PID:1216
    • C:\Users\Admin\AppData\Local\Temp\f693a7e8a92bb7b24eb811b7dba24b2f8c02814a6f81f3ec4f278fc9089b33a7.exe
      "C:\Users\Admin\AppData\Local\Temp\f693a7e8a92bb7b24eb811b7dba24b2f8c02814a6f81f3ec4f278fc9089b33a7.exe"
      2⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1928
      • C:\Windows\SysWOW64\net.exe
        net stop "Kingsoft AntiVirus Service"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3024
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2316
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aA2F3.bat
        3⤵
        • Deletes itself
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1720
        • C:\Users\Admin\AppData\Local\Temp\f693a7e8a92bb7b24eb811b7dba24b2f8c02814a6f81f3ec4f278fc9089b33a7.exe
          "C:\Users\Admin\AppData\Local\Temp\f693a7e8a92bb7b24eb811b7dba24b2f8c02814a6f81f3ec4f278fc9089b33a7.exe"
          4⤵
          • Executes dropped EXE
          PID:2864
      • C:\Windows\Logo1_.exe
        C:\Windows\Logo1_.exe
        3⤵
        • Drops startup file
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2948
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2192
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2800
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2712
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2916

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
    Filesize

    484KB

    MD5

    a803cec17e97a23f06f00bad17aa1236

    SHA1

    7a5c9795e740bbf318d745de0eb80adb7d74538d

    SHA256

    2846d29686b5eef885188d8c5dc0ff71e19a25d497490f99f99e837959a7b7ff

    SHA512

    ca0b62858ee4af691cd9dfa6c9325d4dbe1e2dd232c8f30e24156dc9560211666724e41e305467475760b80bdbed429887e2032191147c60504fb04e512ca620

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\$$aA2F3.bat
    Filesize

    722B

    MD5

    3e645f6673323ca10ed5570461d14c72

    SHA1

    8edec5987a890843e2a5c31c1a70353dbf3b223f

    SHA256

    f326469367fb038f6bd4bed9f3bec00dfb5b57f932ef8f1287de73855245b2ac

    SHA512

    f9314751e016a252106c74f8fa5f61cc921771eb71e1ac0dc6654546d81d67e0ee54e454c16e700b831c4255ccf743fa90984a24e5eaa4994e03647e882ea9a6

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\f693a7e8a92bb7b24eb811b7dba24b2f8c02814a6f81f3ec4f278fc9089b33a7.exe.exe
    Filesize

    684KB

    MD5

    50f289df0c19484e970849aac4e6f977

    SHA1

    3dc77c8830836ab844975eb002149b66da2e10be

    SHA256

    b9b179b305c5268ad428b6ae59de10b4fe99cf0199bbc89b7017181905e97305

    SHA512

    877d852ea1062b90e2fd2f3c4dc7d05d9697e9a9b2929c830a770b62741f6a11e06de73275eb871113f11143faf1cb40d99f7c247862ffb778d26833ed5d7e38

    Download Submit

  • C:\Windows\Logo1_.exe
    Filesize

    39KB

    MD5

    abb9a80df3006b0d301bdc994ed2c37f

    SHA1

    30946837d9bf8c65151ef22dd27416249087de89

    SHA256

    00b8befe4eb2c186c359ff3d0ac5257c740d950037741e847eac917789e2a6e2

    SHA512

    dc8aea8d76ed69814651d734492e4d1c0f1d9236d4098fa7dae2bf76070338e96e4e1e316bdc77be06109b203b2b1f340fb820660ab82e04b3d7375504d577f1

    Download Submit

  • F:\$RECYCLE.BIN\S-1-5-21-4177215427-74451935-3209572229-1000\_desktop.ini
    Filesize

    9B

    MD5

    82fa69b12ac2df558c85e86426eb13eb

    SHA1

    ad90b8756e3bebe04450f6950419c761844d7b7e

    SHA256

    f7622a3740b818722e46a36b5aeb1c0ba6bec25bec811e3dcfe0b5ba1d728775

    SHA512

    3c4da39d3b0d68ade3ff8ded69bf1e78a1ef88f7ed70c85572ae06e6be78155ffc2f557f577208e579191be2d8be2a1fa833b9ca74a35bb69cf9c32c23f4d99f

    Download Submit

  • memory/1216-32-0x0000000002E40000-0x0000000002E41000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1928-15-0x00000000003B0000-0x00000000003ED000-memory.dmp

    Filesize

    244KB

    Download

  • memory/1928-0-0x0000000000400000-0x000000000043D000-memory.dmp

    Filesize

    244KB

    Download

  • memory/1928-16-0x00000000003B0000-0x00000000003ED000-memory.dmp

    Filesize

    244KB

    Download

  • memory/1928-20-0x0000000000400000-0x000000000043D000-memory.dmp

    Filesize

    244KB

    Download

  • memory/2948-35-0x0000000000400000-0x000000000043D000-memory.dmp

    Filesize

    244KB

    Download

  • memory/2948-18-0x0000000000400000-0x000000000043D000-memory.dmp

    Filesize

    244KB

    Download

  • memory/2948-3004-0x0000000000400000-0x000000000043D000-memory.dmp

    Filesize

    244KB

    Download

  • memory/2948-4198-0x0000000000400000-0x000000000043D000-memory.dmp

    Filesize

    244KB

    Download