Analysis

  • max time kernel
    150s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    21/09/2024, 14:24

General

  • Target

    78d5a57484343058abc69e295c0684d956cf30ea810a04fb94f17713d520abc9.exe

  • Size

    37KB

  • MD5

    39c3bcc55d1bac5f940acd36b7df6fdb

  • SHA1

    7f06069d53003415add83286cd55c662636e0fd0

  • SHA256

    78d5a57484343058abc69e295c0684d956cf30ea810a04fb94f17713d520abc9

  • SHA512

    60599e7196180be678088e35c051aed7ddfb1a16e4c794740c2e176d745c249227c26fb272fdd5643795a33235df995167c56456473fa42b3a1f71f2c5f2d114

  • SSDEEP

    768:KBRO5RroZJ76739sBWs69a7zKHOrEz+mKLtOWDKn3:Kfe+Zk78UKUW+

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and autofill form data.

  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 43 IoCs
  • Suspicious use of WriteProcessMemory 34 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1200
      • C:\Users\Admin\AppData\Local\Temp\78d5a57484343058abc69e295c0684d956cf30ea810a04fb94f17713d520abc9.exe
        "C:\Users\Admin\AppData\Local\Temp\78d5a57484343058abc69e295c0684d956cf30ea810a04fb94f17713d520abc9.exe"
        2⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2600
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2464
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:1548
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\$$aB423.bat
          3⤵
          • Deletes itself
          • System Location Discovery: System Language Discovery
          PID:1564
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Drops startup file
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2476
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2608
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2720
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2640
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2784
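The process tree above shows three behaviours worth turning into detection logic: `net stop "Kingsoft AntiVirus Service"` issued from a sample running in the user's Temp directory, `cmd /c <Temp>\$$aB423.bat` used to delete the dropper (the "Deletes itself" signature), and `C:\Windows\Logo1_.exe` executed straight from the Windows root after being dropped there. The script below is an added example, not part of the sandbox report or of any vendor tooling: it reconstructs the tree from constructed Sysmon-style process-creation records (PIDs, images and command lines copied from the Processes section, plus a constructed benign control of an administrator stopping services from a System32 shell) and applies the three rules with lineage gating so that the same `net stop` from a trusted shell is not flagged. The record schema, the regexes and the `KNOWN_ROOT_BINARIES` allowlist are assumptions.

```python
"""Reconstruct a process tree from Sysmon-style process-creation records and
flag the three behaviours the report attributes to this sample. Added example,
not part of the sandbox report; the record schema and rules are assumptions."""
import ntpath
import re

# Constructed records (pid, ppid, image, command_line) modelled on Sysmon Event ID 1.
# PIDs, images and command lines are taken from the report's Processes section;
# the last three records are a constructed benign control (an admin stopping
# services from a System32 shell) that the rules must not flag.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\78d5a57484343058abc69e295c0684d956cf30ea810a04fb94f17713d520abc9.exe")
STOP_AV = 'net stop "Kingsoft AntiVirus Service"'
NET1_STOP_AV = r'C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"'
EVENTS = [
    (1200, 0,    r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    (2600, 1200, SAMPLE, f'"{SAMPLE}"'),
    (2464, 2600, r"C:\Windows\SysWOW64\net.exe", STOP_AV),
    (1548, 2464, r"C:\Windows\SysWOW64\net1.exe", NET1_STOP_AV),
    (1564, 2600, r"C:\Windows\SysWOW64\cmd.exe",
                 r"cmd /c C:\Users\Admin\AppData\Local\Temp\$$aB423.bat"),
    (2476, 2600, r"C:\Windows\Logo1_.exe", r"C:\Windows\Logo1_.exe"),
    (2608, 2476, r"C:\Windows\SysWOW64\net.exe", STOP_AV),
    (2720, 2608, r"C:\Windows\SysWOW64\net1.exe", NET1_STOP_AV),
    (2640, 2476, r"C:\Windows\SysWOW64\net.exe", STOP_AV),
    (2784, 2640, r"C:\Windows\SysWOW64\net1.exe", NET1_STOP_AV),
    (3000, 1200, r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    (3001, 3000, r"C:\Windows\System32\net.exe", 'net stop "Print Spooler"'),
    (3002, 3000, r"C:\Windows\System32\net.exe", STOP_AV),
]

USER_TEMP = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.I)
WINDOWS_ROOT = re.compile(r"^[A-Z]:\\Windows\\[^\\]+$", re.I)   # file directly under \Windows
TEMP_BAT = re.compile(r"/c\s+(\S+\\\$\$[^\s\\]+\.bat)\b", re.I)  # cmd /c <dir>\$$xxxx.bat
AV_STOP = re.compile(r'\bstop\s+"?[^"]*?(antivirus|anti-virus|defender|security)', re.I)
# Binaries legitimately installed directly under \Windows (assumption: build this
# allowlist from a golden image rather than from this short list).
KNOWN_ROOT_BINARIES = {"explorer.exe", "notepad.exe", "regedit.exe", "hh.exe", "write.exe"}


def is_untrusted_image(image):
    """An image is untrusted if it runs from a user Temp dir or from a file dropped
    directly under the Windows root (where Logo1_.exe was written)."""
    base = ntpath.basename(image).lower()
    return bool(USER_TEMP.match(image)) or (
        bool(WINDOWS_ROOT.match(image)) and base not in KNOWN_ROOT_BINARIES)


def lineage(pid, by_pid):
    """Yield (pid, image, cmd) for pid and each ancestor present in by_pid."""
    seen = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        ppid, image, cmd = by_pid[pid]
        yield pid, image, cmd
        pid = ppid


def analyze(events):
    """Return a sorted list of (rule, pid) findings."""
    by_pid = {pid: (ppid, image, cmd) for pid, ppid, image, cmd in events}
    findings = []
    for pid, (ppid, image, cmd) in by_pid.items():
        base = ntpath.basename(image).lower()
        parent_image = by_pid[ppid][1] if ppid in by_pid else ""
        parent_base = ntpath.basename(parent_image).lower()
        tainted = any(is_untrusted_image(img) for _, img, _ in lineage(pid, by_pid))

        # Rule 1: net/net1 stopping a security product, only when some ancestor is
        # untrusted. net.exe re-executes as net1.exe (visible in the tree above), so
        # a net1.exe child of net.exe is skipped to avoid double-counting.
        if base in ("net.exe", "net1.exe") and AV_STOP.search(cmd) and tainted \
                and not (base == "net1.exe" and parent_base == "net.exe"):
            findings.append(("av_service_stop", pid))

        # Rule 2: cmd /c <Temp>\$$xxxx.bat launched by an executable in the same
        # Temp dir: the batch file exists to delete the dropper after it exits.
        m = TEMP_BAT.search(cmd) if base == "cmd.exe" else None
        if m and USER_TEMP.match(m.group(1)) and USER_TEMP.match(parent_image):
            findings.append(("temp_bat_self_delete", pid))

        # Rule 3: a non-allowlisted executable running directly from \Windows whose
        # parent lives in a user Temp dir (dropped and executed payload).
        if WINDOWS_ROOT.match(image) and base not in KNOWN_ROOT_BINARIES \
                and USER_TEMP.match(parent_image):
            findings.append(("dropped_exe_in_windows_root", pid))
    return sorted(findings)


if __name__ == "__main__":
    for rule, pid in analyze(EVENTS):
        print(f"{rule:28s} pid={pid}")
```

Run against the constructed records, the rules flag the three `net.exe` instances (2464, 2608, 2640), the self-deletion `cmd.exe` (1564) and `Logo1_.exe` (2476), while the administrator's `net stop` of the same service from a System32 shell under Explorer produces nothing because no ancestor is untrusted. Lineage gating is what keeps rule 1 usable in production: `net stop` of a security service is noisy on its own, but combined with a Temp-dir or Windows-root ancestor it is a strong signal.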

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

      Filesize

      258KB

      MD5

      132624a6a5e38afcf976b4657690a558

      SHA1

      4fa999ba139bc0af894821b83b7c0ba49ba7e4ce

      SHA256

      f82b3ec29220048b3ad8e3c8f0b2dc7b303c77cc21014fa402bc030960df3ee0

      SHA512

      ab30add9589ac59abefa82d881f2cd019f7e5703ccae5f000313cd45ce96c1ec8554adf0825ccf54aabafa0b0ccd840527f24b8ac0a833bc4a859f26ad45aa2c

    • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

      Filesize

      477KB

      MD5

      c32f3ae2a93a21a604cd493d86b40278

      SHA1

      4428387f1a1dd12ff5607459bcf4d89cd8ed80fe

      SHA256

      b84bbbbc007c88ca79ea94b2cf92e7a3093c8de3a8ce4b70b6f4d0a9480595a8

      SHA512

      5e7bb3318deebf7663fc4b9c3b20ce75986e32cbb27c34ec94fccf5affde4f0dd9e5dd0bef38510d088ec00b885dccafff09706a75fd927f882540ead7cc7965

    • C:\Users\Admin\AppData\Local\Temp\$$aB423.bat

      Filesize

      722B

      MD5

      2819d109a199399ae3b4332bef8853fc

      SHA1

      85b83e66e8f025a6f3939df826eeb7d8e7d5807f

      SHA256

      7a96e4611a07e56a7450582b96f100d62ab78aacb31198ed0d0b1b679ea6bcca

      SHA512

      3e1fb2e63b660b170e2acb97d8f2f4a7e81038fc131e68e2ad7cc529c05a8e811889af56e48e36f499d8d1da061885ba2bba7c5db1933db0cd406151bb26d129

    • C:\Users\Admin\AppData\Local\Temp\78d5a57484343058abc69e295c0684d956cf30ea810a04fb94f17713d520abc9.exe.exe

      Filesize

      4KB

      MD5

      99b96f7f497e9e216da4b7c9979810e5

      SHA1

      2c424f82747581db2b35673eb22ba321d573944b

      SHA256

      7c3300179b3d9ab57042a5f026a69fac3b0e2e783e94853ff109a29d2d3f541b

      SHA512

      90a0b888f474fa5505f39ca7575635a7ea839e4e23cf9d573c99d7b3b226036fb0b82e17900012aed9fe1c8b4985488e22df0421ad66dbff9d4fcf4be0455212

    • C:\Windows\Logo1_.exe

      Filesize

      33KB

      MD5

      ac4d54500ddcf012f66bc5ba7530beb1

      SHA1

      375bfcd1b95696f4b1c5f93dd5621e5c16fcda98

      SHA256

      733b97920694040cf31888669d75229717b34c0e0fe892d10bb5421f0879fc09

      SHA512

      076bddcb1a579a43ec3714f9396a2b3836bcb86d469c9df56b9bbc94aaf1330069c97c75081e5414faf2160b8904f357fa823c40273e64c8278059c760fa974a

    • F:\$RECYCLE.BIN\S-1-5-21-2872745919-2748461613-2989606286-1000\_desktop.ini

      Filesize

      9B

      MD5

      5412111268dd2c1fb1cf8697bfab9b6c

      SHA1

      16d0b289e83c74cb50a004edd7c5750ac706f321

      SHA256

      f3aa35be7048ddbf11fc581e5f9476745d75bcf097e121ba2915614e360a0cdc

      SHA512

      13fc5bf11faaf5471fde8a1bafdcc6d27521bad796e5e532c94d9c8232dd70088e70b6d5ac60c4c15d13e59926ac38e9a9e01b4dd4694a77d70bdd1ae7005ccf

    • memory/1200-26-0x0000000002A40000-0x0000000002A41000-memory.dmp

      Filesize

      4KB

    • memory/2476-30-0x0000000000400000-0x000000000043F000-memory.dmp

      Filesize

      252KB

    • memory/2476-2999-0x0000000000400000-0x000000000043F000-memory.dmp

      Filesize

      252KB

    • memory/2476-4189-0x0000000000400000-0x000000000043F000-memory.dmp

      Filesize

      252KB

    • memory/2600-12-0x0000000000270000-0x00000000002AF000-memory.dmp

      Filesize

      252KB

    • memory/2600-0-0x0000000000400000-0x000000000043F000-memory.dmp

      Filesize

      252KB

    • memory/2600-17-0x0000000000270000-0x00000000002AF000-memory.dmp

      Filesize

      252KB

    • memory/2600-19-0x0000000000400000-0x000000000043F000-memory.dmp

      Filesize

      252KB