Analysis

  • max time kernel
    149s
  • max time network
    138s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system
  • submitted
    21/09/2024, 14:36

General

  • Target

    d37035e45a26283ef6a130c3f6fedd4eee3afde22dab3b441950cd1e8ec305b3.exe

  • Size

    306KB

  • MD5

    815f4dd630dc087db94ebe56dff7ed40

  • SHA1

    7a21c31affd50241cb19de3c807cc6c63bbd34af

  • SHA256

    d37035e45a26283ef6a130c3f6fedd4eee3afde22dab3b441950cd1e8ec305b3

  • SHA512

    78b4e5110944f8a9e31d041b269a65e4e492fba4e44c3c8e40e211094ed4f36a0aa11fd570ceb165f1ddb10328212a3643795c57f10355b2d8878060700e54ea

  • SSDEEP

    6144:c+aX383ObiZKDAX0jH0o2zq9DmQ3LOotL4gr:c+a8ebiZKm4H8zq9Fjtdr

Malware Config

Signatures

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other secrets the browser keeps on disk.

  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3340
      • C:\Users\Admin\AppData\Local\Temp\d37035e45a26283ef6a130c3f6fedd4eee3afde22dab3b441950cd1e8ec305b3.exe
        "C:\Users\Admin\AppData\Local\Temp\d37035e45a26283ef6a130c3f6fedd4eee3afde22dab3b441950cd1e8ec305b3.exe"
        2⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2032
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4396
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:2312
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a783D.bat
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4988
          • C:\Users\Admin\AppData\Local\Temp\d37035e45a26283ef6a130c3f6fedd4eee3afde22dab3b441950cd1e8ec305b3.exe
            "C:\Users\Admin\AppData\Local\Temp\d37035e45a26283ef6a130c3f6fedd4eee3afde22dab3b441950cd1e8ec305b3.exe"
            4⤵
            • Executes dropped EXE
            PID:2956
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Drops startup file
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2644
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:3616
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:3404
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2348
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:3248
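The process tree above shows three behaviours worth turning into a detection: `net.exe`/`net1.exe` stopping an anti-virus service, `cmd.exe /c` running a batch file from the user's Temp directory, and an executable dropped directly under `C:\Windows\` (`Logo1_.exe`) being launched by a parent that lives in Temp. The following is an added example, not code from the sandbox or from the report; it runs those three rules over process-creation events constructed inline to mirror the reported tree (image paths, command lines and PIDs are taken from the report; the benign `net stop Spooler` event is constructed). The `image`/`cmdline`/`parent_image` field names follow Sysmon Event ID 1 naming but are an assumption about your log source, and the anti-virus keyword list is an assumption that generalizes beyond the Kingsoft service named in this report.

```python
"""Detection rules for the process-tree pattern in the sandbox report above.

Added example, not part of the report or of any sandbox tool. Events are
constructed inline; field names mirror Sysmon Event ID 1 (assumption).
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str          # full path of the new process
    cmdline: str        # command line as logged
    parent_image: str   # full path of the parent process ("" if unknown)


SAMPLE_NAME = "d37035e45a26283ef6a130c3f6fedd4eee3afde22dab3b441950cd1e8ec305b3.exe"
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp" + "\\" + SAMPLE_NAME
NET = r"C:\Windows\SysWOW64\net.exe"
NET1 = r"C:\Windows\SysWOW64\net1.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
LOGO1 = r"C:\Windows\Logo1_.exe"
STOP_AV = 'net stop "Kingsoft AntiVirus Service"'
STOP_AV1 = r'C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"'

# Constructed events mirroring the report's tree, plus one benign net stop.
EVENTS = [
    ProcEvent(3340, 0, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE", ""),
    ProcEvent(2032, 3340, SAMPLE, f'"{SAMPLE}"', r"C:\Windows\Explorer.EXE"),
    ProcEvent(4396, 2032, NET, STOP_AV, SAMPLE),
    ProcEvent(2312, 4396, NET1, STOP_AV1, NET),
    ProcEvent(4988, 2032, CMD, r"C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a783D.bat", SAMPLE),
    ProcEvent(2956, 4988, SAMPLE, f'"{SAMPLE}"', CMD),
    ProcEvent(2644, 2032, LOGO1, LOGO1, SAMPLE),
    ProcEvent(3616, 2644, NET, STOP_AV, LOGO1),
    ProcEvent(3404, 3616, NET1, STOP_AV1, NET),
    ProcEvent(2348, 2644, NET, STOP_AV, LOGO1),
    ProcEvent(3248, 2348, NET1, STOP_AV1, NET),
    # Constructed benign event: an admin stopping the print spooler.
    ProcEvent(5000, 3340, r"C:\Windows\System32\net.exe", "net stop Spooler", r"C:\Windows\Explorer.EXE"),
]

# Assumption: keywords that identify a security-product service name.
AV_SERVICE_RE = re.compile(r"\b(anti-?virus|anti-?malware|defender|security)\b", re.I)
# Batch file executed out of the user's Temp directory (the report shows $$a783D.bat).
TEMP_BAT_RE = re.compile(r'\\AppData\\Local\\Temp\\[^\\\s"]+\.bat\b', re.I)
# Executable sitting directly in the Windows root, not in a subdirectory.
WINDOWS_ROOT_EXE_RE = re.compile(r"^[A-Za-z]:\\Windows\\[^\\]+\.exe$", re.I)
USER_TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
NET_STOP_RE = re.compile(r'\bnet1?(?:\.exe)?"?\s+stop\s+("[^"]+"|\S+)', re.I)


def stopped_service(cmdline):
    """Return the service name if cmdline is `net[1] stop <name>`, else None."""
    m = NET_STOP_RE.search(cmdline)
    return m.group(1).strip('"') if m else None


def detect(events):
    """Run the three rules and return (rule, pid, detail) tuples.

    net.exe and its net1.exe child both fire the service-stop rule; that is
    deliberate, since either one may be the only event a collector kept.
    """
    hits = []
    for e in events:
        svc = stopped_service(e.cmdline)
        if svc and AV_SERVICE_RE.search(svc):
            hits.append(("av_service_stop", e.pid, svc))
        if e.image.lower().endswith("\\cmd.exe"):
            m = TEMP_BAT_RE.search(e.cmdline)
            if m:
                hits.append(("temp_batch_via_cmd", e.pid, m.group(0)))
        if WINDOWS_ROOT_EXE_RE.match(e.image) and USER_TEMP_RE.search(e.parent_image):
            hits.append(("windows_root_exe_from_temp_parent", e.pid, e.image))
    return hits


def lineage(events, pid):
    """Image basenames from pid up to the root, so a hit can be traced to the sample.

    Real logs reuse PIDs; key on a process GUID instead when the source has one.
    """
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid].image.rsplit("\\", 1)[-1])
        pid = by_pid[pid].ppid
    return chain


if __name__ == "__main__":
    for rule, pid, detail in detect(EVENTS):
        print(f"{rule:36} pid={pid:<5} {detail}  <- {' <- '.join(lineage(EVENTS, pid))}")
```

Running it prints eight hits and none for the constructed `net stop Spooler` event; the lineage column shows that every hit chains back to the Temp sample via Explorer, which is the context an analyst needs before acting on a single `net stop`.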

    Network

    MITRE ATT&CK Enterprise v15


    Downloads

    • C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe

      Filesize

      250KB

      MD5

      e02a26d5c40ba99e0dd41bf5283f0a89

      SHA1

      974aed12b49db8fd18494a80d2de9a73dd98e594

      SHA256

      2f8f7e0cb11eac3e0ed40c10d931d225e43e8a7b47d2043c1126709b809f1f05

      SHA512

      68566c219e68a07608a7ce9d2cd1124ecc82fe5272087637c61393e51c9afb60d939f84c0c2b03bab6ac239fcdbcfb93fa1b0ff80c2e6531cfbf55452b3bb49f

    • C:\Program Files\StopClose.exe

      Filesize

      368KB

      MD5

      d446195c7bc37fbdd3e329c0b737d50f

      SHA1

      ea437300d74845ec3aef4822ae0790584d0af5c6

      SHA256

      e7310b51bb7032dc3515b8402a382691cd3a22d4baa602310a08083dd6c01b0d

      SHA512

      b1483479a441bc49c6a3f03fab0a232439866ea1f2139ebdd3711e6b3e1eaa9bea8c1bac3618dd874b7cf695cb1f148612fe2998d8728a431b012c64b870eab5

    • C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe

      Filesize

      643KB

      MD5

      c0057db68dfd75cccab3b14a084dd427

      SHA1

      75f6f857332903754df4c73bb1a22201a0f5fa94

      SHA256

      a248fabffb80434c968c6878a53560b86c15015b2a567ecc26d7405786b665ab

      SHA512

      369739ca80ba57d97a3c3a15fc1b5b30d1b111a8450510c8dd32e7768a68426e10bcece74754b3826a437cd05b6eb70ad882a092aafb85f72b9072779d485854

    • C:\Users\Admin\AppData\Local\Temp\$$a783D.bat

      Filesize

      722B

      MD5

      40600809440c83509096b197546b52b6

      SHA1

      dfa69a3cb6eca996086bf2571db08170e48d3f3b

      SHA256

      f8a07a1710b6458eda22e450f7ffffcec2333475db3938c0ce0811a67c517063

      SHA512

      9167f9d20551a7ca3371ef03577c14b8fbf75572621c589f9e9a8787ccd047f9304e5b143a6d0038f0ddcb58a713acab69476f2895e0d395575f5689be8390ee

    • C:\Users\Admin\AppData\Local\Temp\d37035e45a26283ef6a130c3f6fedd4eee3afde22dab3b441950cd1e8ec305b3.exe.exe

      Filesize

      273KB

      MD5

      55e392d1bd55a1292b6ce766225416e5

      SHA1

      06d8134a3002e6974407fb5da0a59ab43415a52a

      SHA256

      db42cb95904cfc6891df2aa736506fb34a26cf9a26e88ab0ef262e0459344a3e

      SHA512

      0c55062cf8debbdf1a7a4f41527e43cd124fb7777e9b930de9cc900abf9c27a1956a536200e23dddc9a4068ac5bc9a8052299a4f2cf010cffd205a32d99581a2

    • C:\Windows\Logo1_.exe

      Filesize

      33KB

      MD5

      fac489180a927456fde29aa70b6c863c

      SHA1

      b7638615678d7137f7c9a8ab01952fd6266730d0

      SHA256

      e888702980111bdea63056293f56946432701aac652c474a5f8614a137e021d7

      SHA512

      cbe953def68f48b32003143d8980b0443c46373395d31ceab62192cb0d2a97d45428e950f54f03b507b9e39b12770c9701e2b5de6e1fda1ce763a9aede7e6682

    • F:\$RECYCLE.BIN\S-1-5-21-355097885-2402257403-2971294179-1000\_desktop.ini

      Filesize

      9B

      MD5

      5412111268dd2c1fb1cf8697bfab9b6c

      SHA1

      16d0b289e83c74cb50a004edd7c5750ac706f321

      SHA256

      f3aa35be7048ddbf11fc581e5f9476745d75bcf097e121ba2915614e360a0cdc

      SHA512

      13fc5bf11faaf5471fde8a1bafdcc6d27521bad796e5e532c94d9c8232dd70088e70b6d5ac60c4c15d13e59926ac38e9a9e01b4dd4694a77d70bdd1ae7005ccf

    • memory/2032-11-0x0000000000400000-0x000000000043F000-memory.dmp

      Filesize

      252KB

    • memory/2032-0-0x0000000000400000-0x000000000043F000-memory.dmp

      Filesize

      252KB

    • memory/2644-18-0x0000000000400000-0x000000000043F000-memory.dmp

      Filesize

      252KB

    • memory/2644-3403-0x0000000000400000-0x000000000043F000-memory.dmp

      Filesize

      252KB

    • memory/2644-9-0x0000000000400000-0x000000000043F000-memory.dmp

      Filesize

      252KB

    • memory/2644-8756-0x0000000000400000-0x000000000043F000-memory.dmp

      Filesize

      252KB