Overview

overview

7

Static

static

3

f0d152e00a...d2.exe

windows7-x64

7

f0d152e00a...d2.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    21-09-2024 14:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f0d152e00ae4f291158dc6d631ec04b1f4e74190ad5daea08d6ccb3e7b44c0d2.exe

  • Size

    86KB

  • MD5

    f228ffb8bc2415cfbe6cd994a9ba5236

  • SHA1

    a294b01ca0857e264e8a7dcd72325d96085e35ca

  • SHA256

    f0d152e00ae4f291158dc6d631ec04b1f4e74190ad5daea08d6ccb3e7b44c0d2

  • SHA512

    0317f03a2f39c6e72db742de4cc2f5be01c5646594c3476379d678cb6f5a564d6f9d4cad2897caed3c2ac91246789deb149bf04570e6cd0f834c290fe2494c85

  • SSDEEP

    1536:Kfe+Zk78UKUWQRbUi+QLcnC/ZMaRiIu/r:Kfe+aWnCRMaRiTT

Score
7/10
discoveryspywarestealer

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 43 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1240
      • C:\Users\Admin\AppData\Local\Temp\f0d152e00ae4f291158dc6d631ec04b1f4e74190ad5daea08d6ccb3e7b44c0d2.exe
        "C:\Users\Admin\AppData\Local\Temp\f0d152e00ae4f291158dc6d631ec04b1f4e74190ad5daea08d6ccb3e7b44c0d2.exe"
        2⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1076
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1172
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:2408
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\$$a93D7.bat
          3⤵
          • Deletes itself
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3044
          • C:\Users\Admin\AppData\Local\Temp\f0d152e00ae4f291158dc6d631ec04b1f4e74190ad5daea08d6ccb3e7b44c0d2.exe
            "C:\Users\Admin\AppData\Local\Temp\f0d152e00ae4f291158dc6d631ec04b1f4e74190ad5daea08d6ccb3e7b44c0d2.exe"
            4⤵
            • Executes dropped EXE
            PID:2808
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Drops startup file
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2332
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2888
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2716
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2724
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2636

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
      Filesize

      258KB

      MD5

      132624a6a5e38afcf976b4657690a558

      SHA1

      4fa999ba139bc0af894821b83b7c0ba49ba7e4ce

      SHA256

      f82b3ec29220048b3ad8e3c8f0b2dc7b303c77cc21014fa402bc030960df3ee0

      SHA512

      ab30add9589ac59abefa82d881f2cd019f7e5703ccae5f000313cd45ce96c1ec8554adf0825ccf54aabafa0b0ccd840527f24b8ac0a833bc4a859f26ad45aa2c

      Download Submit

    • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
      Filesize

      477KB

      MD5

      c32f3ae2a93a21a604cd493d86b40278

      SHA1

      4428387f1a1dd12ff5607459bcf4d89cd8ed80fe

      SHA256

      b84bbbbc007c88ca79ea94b2cf92e7a3093c8de3a8ce4b70b6f4d0a9480595a8

      SHA512

      5e7bb3318deebf7663fc4b9c3b20ce75986e32cbb27c34ec94fccf5affde4f0dd9e5dd0bef38510d088ec00b885dccafff09706a75fd927f882540ead7cc7965

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\$$a93D7.bat
      Filesize

      722B

      MD5

      23d8f1bb7bb51a6ce69d175e527c2c09

      SHA1

      5ea38f5c8bd45f0954168135f764d94a55016203

      SHA256

      27899a3f7dd19a107b28c4c9e35eaad972871b8dab0e7f155c5d6a7e6bc2ba2e

      SHA512

      0f188c0168cce0aa2c53310d21890c7b5cb7ad86a44a93af02de62d1d9614510ee99a0446417c4fddf7fa8cfa0c05ae34fd30056b3b66eab2f4942eb9c71d682

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\f0d152e00ae4f291158dc6d631ec04b1f4e74190ad5daea08d6ccb3e7b44c0d2.exe.exe
      Filesize

      53KB

      MD5

      87912631f20ab91421228cd219922519

      SHA1

      71a90e384de55c6f5257466e53f6c0add270a01d

      SHA256

      fcfdb5e2601430a674f599e054f65471e42cb18f8484aa8d8eb38f0c6f4e9c6d

      SHA512

      0843a6a6a1e7e6d394db8d939e5e11ddfbed917e262dcb41fddee490d7e1657d45edd93fa2e734a6d8419b2f935ef53c0185d626a83ef1e7d53db8e261f8fc8a

      Download Submit

    • C:\Windows\Logo1_.exe
      Filesize

      33KB

      MD5

      ac4d54500ddcf012f66bc5ba7530beb1

      SHA1

      375bfcd1b95696f4b1c5f93dd5621e5c16fcda98

      SHA256

      733b97920694040cf31888669d75229717b34c0e0fe892d10bb5421f0879fc09

      SHA512

      076bddcb1a579a43ec3714f9396a2b3836bcb86d469c9df56b9bbc94aaf1330069c97c75081e5414faf2160b8904f357fa823c40273e64c8278059c760fa974a

      Download Submit

    • F:\$RECYCLE.BIN\S-1-5-21-3290804112-2823094203-3137964600-1000\_desktop.ini
      Filesize

      9B

      MD5

      5412111268dd2c1fb1cf8697bfab9b6c

      SHA1

      16d0b289e83c74cb50a004edd7c5750ac706f321

      SHA256

      f3aa35be7048ddbf11fc581e5f9476745d75bcf097e121ba2915614e360a0cdc

      SHA512

      13fc5bf11faaf5471fde8a1bafdcc6d27521bad796e5e532c94d9c8232dd70088e70b6d5ac60c4c15d13e59926ac38e9a9e01b4dd4694a77d70bdd1ae7005ccf

      Download Submit

    • memory/1076-18-0x0000000000400000-0x000000000043F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1076-0-0x0000000000400000-0x000000000043F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1076-19-0x00000000001C0000-0x00000000001FF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1240-28-0x0000000002520000-0x0000000002521000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2332-32-0x0000000000400000-0x000000000043F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2332-2806-0x0000000000400000-0x000000000043F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2332-17-0x0000000000400000-0x000000000043F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2332-4191-0x0000000000400000-0x000000000043F000-memory.dmp

      Filesize

      252KB

      Download