Analysis

  • max time kernel
    150s
  • max time network
    136s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    21/09/2024, 14:21

General

  • Target

    58faaee4e16ba3ff9936d8758dab2e512230353face6febdcf129ab963e039a4.exe

  • Size

    321KB

  • MD5

    c9c9cad523a202bcdb77e3660fc39b41

  • SHA1

    31e407b3a16965a5e3a541044db7607fb902a3b4

  • SHA256

    58faaee4e16ba3ff9936d8758dab2e512230353face6febdcf129ab963e039a4

  • SHA512

    7eb53cfed4b262d414111d08953415c56b24674adba17f149905713a09753d5ef6b1c884fbed0e0d0695d486d9ef47182c18168708c193a819367061ad6b5e2c

  • SSDEEP

    1536:xHe+Zk77RNYjLBcae2/sJ9aJfXgY1zUTyr5hVM:xHe+aX38yae+XgTTSje

Malware Config

Signatures

  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3464
      • C:\Users\Admin\AppData\Local\Temp\58faaee4e16ba3ff9936d8758dab2e512230353face6febdcf129ab963e039a4.exe
        "C:\Users\Admin\AppData\Local\Temp\58faaee4e16ba3ff9936d8758dab2e512230353face6febdcf129ab963e039a4.exe"
        2⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:3316
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1252
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:1344
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aC93B.bat
          3⤵
          • System Location Discovery: System Language Discovery
          PID:2736
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Drops startup file
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:1208
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:4564
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2472
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:796
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:3284

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe

      Filesize

      250KB

      MD5

      e02a26d5c40ba99e0dd41bf5283f0a89

      SHA1

      974aed12b49db8fd18494a80d2de9a73dd98e594

      SHA256

      2f8f7e0cb11eac3e0ed40c10d931d225e43e8a7b47d2043c1126709b809f1f05

      SHA512

      68566c219e68a07608a7ce9d2cd1124ecc82fe5272087637c61393e51c9afb60d939f84c0c2b03bab6ac239fcdbcfb93fa1b0ff80c2e6531cfbf55452b3bb49f

    • C:\Program Files\7-Zip\7z.exe

      Filesize

      577KB

      MD5

      3a84e2e2d803729ca1b5d7dae236609b

      SHA1

      b9024563b4c92548ae0375e8bdffb303a72403c8

      SHA256

      24d15e4819b257074e2d5afa799b1bbc12489d0bce68328ce16870068466b65c

      SHA512

      b062be5d60825a0f6c92f4862b06e46e7c232fe2f8fdf80324cc9183d21da63922968626bd12d553f78214af8f717be9824655944637c7156a90e7e4e13a8581

    • C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe

      Filesize

      643KB

      MD5

      c0057db68dfd75cccab3b14a084dd427

      SHA1

      75f6f857332903754df4c73bb1a22201a0f5fa94

      SHA256

      a248fabffb80434c968c6878a53560b86c15015b2a567ecc26d7405786b665ab

      SHA512

      369739ca80ba57d97a3c3a15fc1b5b30d1b111a8450510c8dd32e7768a68426e10bcece74754b3826a437cd05b6eb70ad882a092aafb85f72b9072779d485854

    • C:\Users\Admin\AppData\Local\Temp\$$aC93B.bat

      Filesize

      722B

      MD5

      474fc932f9a58971b8434a36886b2fc3

      SHA1

      75f3f72e87a641f152c779a7d1076df540efdaf4

      SHA256

      7af1c0cff390953ec9be67aa55cce510e99145733198bbe0b991e43ee86e86f7

      SHA512

      911ca45fc86108319aea9e98ccfd07d10be78a616a1a883943779c0f976e443cb885c8bd9b99a8ba313f3335d54bef32c00a19cdc255b0ed835e89e3597a7842

    • C:\Users\Admin\AppData\Local\Temp\58faaee4e16ba3ff9936d8758dab2e512230353face6febdcf129ab963e039a4.exe.exe

      Filesize

      288KB

      MD5

      01bbe782a1da233c59881ed2d18f4f06

      SHA1

      723d4dfdab2b477633455d4775e32bd52f081c7b

      SHA256

      7ded5e3c9c066789a50305a048639afeab4dffcc9673ae7f1092e5af7c6a91b1

      SHA512

      492b202ab850c4f120c4ac7854bf7e7acc865505679d8973736ed3ea28f4b77b645c8a15d806805064ebc81ebd1b4bf07e1fd4023307673d3ce4b81d49c7d175

    • C:\Windows\Logo1_.exe

      Filesize

      33KB

      MD5

      fac489180a927456fde29aa70b6c863c

      SHA1

      b7638615678d7137f7c9a8ab01952fd6266730d0

      SHA256

      e888702980111bdea63056293f56946432701aac652c474a5f8614a137e021d7

      SHA512

      cbe953def68f48b32003143d8980b0443c46373395d31ceab62192cb0d2a97d45428e950f54f03b507b9e39b12770c9701e2b5de6e1fda1ce763a9aede7e6682

    • F:\$RECYCLE.BIN\S-1-5-21-2412658365-3084825385-3340777666-1000\_desktop.ini

      Filesize

      9B

      MD5

      5412111268dd2c1fb1cf8697bfab9b6c

      SHA1

      16d0b289e83c74cb50a004edd7c5750ac706f321

      SHA256

      f3aa35be7048ddbf11fc581e5f9476745d75bcf097e121ba2915614e360a0cdc

      SHA512

      13fc5bf11faaf5471fde8a1bafdcc6d27521bad796e5e532c94d9c8232dd70088e70b6d5ac60c4c15d13e59926ac38e9a9e01b4dd4694a77d70bdd1ae7005ccf

    • memory/1208-16-0x0000000000400000-0x000000000043F000-memory.dmp

      Filesize

      252KB

    • memory/1208-3392-0x0000000000400000-0x000000000043F000-memory.dmp

      Filesize

      252KB

    • memory/1208-8-0x0000000000400000-0x000000000043F000-memory.dmp

      Filesize

      252KB

    • memory/1208-8644-0x0000000000400000-0x000000000043F000-memory.dmp

      Filesize

      252KB

    • memory/3316-0-0x0000000000400000-0x000000000043F000-memory.dmp

      Filesize

      252KB

    • memory/3316-9-0x0000000000400000-0x000000000043F000-memory.dmp

      Filesize

      252KB