Analysis

  • max time kernel
    149s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    25/09/2024, 17:48

General

  • Target

    455f8769c22885e1f550191301912529d96a1bc5eb94597c839f27a7e0b832b8.exe

  • Size

    322KB

  • MD5

    5ebce2c2fe17184e4629752b50d2169c

  • SHA1

    6d85072a5c1e38467343d7aeb50d7743183e3c5b

  • SHA256

    455f8769c22885e1f550191301912529d96a1bc5eb94597c839f27a7e0b832b8

  • SHA512

    2b7fc24854d46537f9bee0bb2c75331f823b67afdf70c0f1b0ccced78aa4b850b04ba5d39b20125b6de4a5958ef026d0f89d7c86fef507175a730feb9bcde82f

  • SSDEEP

    1536:JEaYzMXqtGN/CstC9qVFB9aJfXgY1zUTyr5hVM:JEaY46tGNFC0VFB+XgTTSje

Malware Config

Signatures

  • Drops file in Drivers directory 2 IoCs
  • Deletes itself 1 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials, etc.

  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 43 IoCs
  • Suspicious use of WriteProcessMemory 34 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1252
      • C:\Users\Admin\AppData\Local\Temp\455f8769c22885e1f550191301912529d96a1bc5eb94597c839f27a7e0b832b8.exe
        "C:\Users\Admin\AppData\Local\Temp\455f8769c22885e1f550191301912529d96a1bc5eb94597c839f27a7e0b832b8.exe"
        2⤵
        • Drops file in Drivers directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2664
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2240
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:2848
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\$$a474D.bat
          3⤵
          • Deletes itself
          • System Location Discovery: System Language Discovery
          PID:2784
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Drops file in Drivers directory
          • Drops startup file
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2228
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2672
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2736
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2568
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2612

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

      Filesize

      258KB

      MD5

      5e7a367c344024963b61ee3bbdb92e9d

      SHA1

      af64550db27d9905bf6451fc94c37d5205ec23ba

      SHA256

      0ab7c4fd1c417e3eec1ad697ee9024ce81e6a36d408139d1dbf29002085f9445

      SHA512

      4abcfc3afe54176e493f162b8e6d194ae1a74d05569939d9c7f49bb717a6f39c71355dc2d884454ad0a9102797c0e86e99a86500fc707aee89fc8d9c172b4daf

    • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

      Filesize

      478KB

      MD5

      e3d7f6cbc53a96972587f05acd5c0ca0

      SHA1

      e12f124807a30188da6157d4423775373c668dd8

      SHA256

      75db003d5fe6855e432e4ccaf8720890f181c3dc9d800b253508aebabfde2da8

      SHA512

      ea783b525ebf1fa786d06051e64c72efa9665aaaa0e456c99c3fb80298066491da47d9056f7046d35d4bb3165ac2ca85eac9c9a9331923dbf56937831a9bc078

    • C:\Users\Admin\AppData\Local\Temp\$$a474D.bat

      Filesize

      722B

      MD5

      a0375d815e76248188799f57d6ffd062

      SHA1

      cd047f0554b8c488fc06b31ac7d04c953d82bc32

      SHA256

      be11f8c0a7842de931040c253089e8b30bacde0dcc7dca2d4918508de4f5b9e1

      SHA512

      671330ca4b9897f77ecdf7fc3cd7dc17d11bf49e2f8eecea140b791c9d05576b0e02fdfc31a420b88ad9156fef7e227888884f20de586a46776cc803ced9d3cf

    • C:\Users\Admin\AppData\Local\Temp\455f8769c22885e1f550191301912529d96a1bc5eb94597c839f27a7e0b832b8.exe.exe

      Filesize

      288KB

      MD5

      01bbe782a1da233c59881ed2d18f4f06

      SHA1

      723d4dfdab2b477633455d4775e32bd52f081c7b

      SHA256

      7ded5e3c9c066789a50305a048639afeab4dffcc9673ae7f1092e5af7c6a91b1

      SHA512

      492b202ab850c4f120c4ac7854bf7e7acc865505679d8973736ed3ea28f4b77b645c8a15d806805064ebc81ebd1b4bf07e1fd4023307673d3ce4b81d49c7d175

    • C:\Windows\Logo1_.exe

      Filesize

      33KB

      MD5

      59da86273cbde98e3fb6274e3181834b

      SHA1

      24b2e7d415d7f4e40ec6420f0e88cb401165b64a

      SHA256

      853e0659e3f3c5fd81de6edcebb97b388b0006f7c78b514cd2aa93aa1d97f724

      SHA512

      3534114ac7de80b2f6c5794109a7f89386b86df095799844353530384f113e63bffa6a85f445f5c1a825d45740631b95c80a0612d8a2a1964469207df6615f41

    • C:\Windows\system32\drivers\etc\hosts

      Filesize

      832B

      MD5

      7e3a0edd0c6cd8316f4b6c159d5167a1

      SHA1

      753428b4736ffb2c9e3eb50f89255b212768c55a

      SHA256

      1965854dfa54c72529c88c7d9f41fa31b4140cad04cf03d3f0f2e7601fcbdc6c

      SHA512

      9c68f7f72dfa109fcfba6472a1cced85bc6c2a5481232c6d1d039c88b2f65fb86070aeb26ac23e420c6255daca02ea6e698892f7670298d2c4f741b9e9415c7f

    • F:\$RECYCLE.BIN\S-1-5-21-457978338-2990298471-2379561640-1000\_desktop.ini

      Filesize

      9B

      MD5

      e02899454c67c7d6d1af854fdcb53b67

      SHA1

      26fb213f7c299c2a4d8c4afd234ee0b751d7a30e

      SHA256

      0e67e90646d3ba7b46f935b205c9f89e8bff2dca7aeda3cd5dfb93868b262315

      SHA512

      e1519bebf62ab4cb28e630a201312812e04f815ec0663f7b68b478da97c0bf7c7c2238a8632540d3d1f37acbe83919fb198b39ebeb222c19faa2130ab65ffffa

    • memory/1252-27-0x0000000002230000-0x0000000002231000-memory.dmp

      Filesize

      4KB

    • memory/2228-31-0x0000000000400000-0x000000000043E000-memory.dmp

      Filesize

      248KB

    • memory/2228-1510-0x0000000000400000-0x000000000043E000-memory.dmp

      Filesize

      248KB

    • memory/2228-4161-0x0000000000400000-0x000000000043E000-memory.dmp

      Filesize

      248KB

    • memory/2228-9286-0x0000000000400000-0x000000000043E000-memory.dmp

      Filesize

      248KB

    • memory/2664-13-0x00000000001C0000-0x00000000001FE000-memory.dmp

      Filesize

      248KB

    • memory/2664-0-0x0000000000400000-0x000000000043E000-memory.dmp

      Filesize

      248KB

    • memory/2664-19-0x0000000000400000-0x000000000043E000-memory.dmp

      Filesize

      248KB