Analysis

  • max time kernel
    119s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
  • submitted
    28-09-2024 01:03

General

  • Target

    75ba5da4836e5b018790f563c0c292367f579feb37c07742480285bfd45fc6c4N.exe

  • Size

    131KB

  • MD5

    d7721bcd76bca30cfdb61e716fd71910

  • SHA1

    2265f8141db33b9f88676cd10975aac8c54af9cc

  • SHA256

    75ba5da4836e5b018790f563c0c292367f579feb37c07742480285bfd45fc6c4

  • SHA512

    198af8aaa958ca3041fb20d25d984891cd03fd7a83d2ddd23234688441bf0517bcb2ab868c97230b89a742137533965ba19d88d2fca46165d6690bfc84413dcd

  • SSDEEP

    1536:2+psrz8GvnGRR8Bftg+9t/p4QAILJuCOPdvX/ZWOtnGWxlP:2H8alvgmJAIlwPxX/ZWOFrb

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 43 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1192
      • C:\Users\Admin\AppData\Local\Temp\75ba5da4836e5b018790f563c0c292367f579feb37c07742480285bfd45fc6c4N.exe
        "C:\Users\Admin\AppData\Local\Temp\75ba5da4836e5b018790f563c0c292367f579feb37c07742480285bfd45fc6c4N.exe"
        2⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2336
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1888
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:2312
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\$$a98A7.bat
          3⤵
          • Deletes itself
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3056
          • C:\Users\Admin\AppData\Local\Temp\75ba5da4836e5b018790f563c0c292367f579feb37c07742480285bfd45fc6c4N.exe
            "C:\Users\Admin\AppData\Local\Temp\75ba5da4836e5b018790f563c0c292367f579feb37c07742480285bfd45fc6c4N.exe"
            4⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:2776
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Drops startup file
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2812
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2772
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2924
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:3068
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2820

    Network

    MITRE ATT&CK Enterprise v15


    Downloads

    • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

      Filesize

      258KB

      MD5

      7a78a60870f997c92f07e10084437cc0

      SHA1

      57adced696153502fb16b58f94c7f49c358b10ff

      SHA256

      856124686f939bbadc5642319cea52c913e32f68b35566c67e72f3edd0af9b17

      SHA512

      c9cf0dcd7606ac86e44a5f7ecd74f3986a3f35f1d727a838ab372b1a757699c8baded5bf5975f60d1c8411a7d157aa83acb8fa37ccd67b9db3dacedbac37d6e6

    • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

      Filesize

      478KB

      MD5

      8ef1a94c2988444c9d5d6c36a63765d3

      SHA1

      d566ce1693e16fd605afcf2c5ea87af57af56197

      SHA256

      ab3dfdf37c3eaae2dbeb15b4e6be3659187e8e3613450664160702c787cf1623

      SHA512

      991fc8c061d831e96f6e061ec85f6d5c2aa7e7380a949bd04193ef6b0f8d495a462bf6b9bcafbd2893eefa0195bf4a191a923c36f4845e6f44a86be1e1ded45e

    • C:\Users\Admin\AppData\Local\Temp\$$a98A7.bat

      Filesize

      728B

      MD5

      e391e5bb128bc03c19b9daa3ab701b6d

      SHA1

      e5cb000cbe3b1fc09648ff61227652f59540eae2

      SHA256

      ecfec97a2ec0be466388d70265a11adeb19f2d73b366764f20cf05403dd0cda0

      SHA512

      121d5333225f5cf46581b661703994e489a710a8b6b07aa4b14304313b4a505311979bbb2e9d87895e82b70e5601f51736fbf3fd0c8bfacc5179c88691828b2f

    • C:\Users\Admin\AppData\Local\Temp\75ba5da4836e5b018790f563c0c292367f579feb37c07742480285bfd45fc6c4N.exe.exe

      Filesize

      97KB

      MD5

      713a30695b671b6e3b19b7d09f9d8409

      SHA1

      83916537c86d7dc1043c752f195f04fa42813afe

      SHA256

      6b42e2e9822b99f5f13a6d1f639fa64cc93001266ceb7a7d342da1bce84d5c08

      SHA512

      a450c691e0c8d16519b418b366a260360a57e8511c6975f2e3029c41f30a68d83448126c3d57c9fb36b3a44e839d4bbcaa73e0adfe305a71e04def2fd990cbf7

    • C:\Windows\Logo1_.exe

      Filesize

      33KB

      MD5

      9fd9ba751e949c130d66fe9a3ea6248d

      SHA1

      c39ed606f3afb966b21147079c8c7407732cd29a

      SHA256

      1b6840fc07e4e63f663e72e82e7d6dfbcead0894ad5103a500b1689cc9d4eac6

      SHA512

      f2fca4862e5abd737f4b8d2b43246b15f4e0029159e90a100baa44a54468734bdbaf3b348dea18ed8c4d953183a4b9fd42c5918b71263d6ae8bea6f7305b17f0

    • F:\$RECYCLE.BIN\S-1-5-21-3063565911-2056067323-3330884624-1000\_desktop.ini

      Filesize

      9B

      MD5

      77ac50871f710809bbf0957e178463e4

      SHA1

      68a9ba0d760af28367efc9773999b978de998a12

      SHA256

      36309483344452798a5953f04265f59efcf323ec5d55ea7f0916449b12d579c1

      SHA512

      3adbde7746af2187e13878b8381313d555ff78f697650a608d38acde761e3bf3827515ea70fb6ea45520d806621565e93c3c8c8e4d2760c463747d1b0a3c8aeb

    • memory/1192-29-0x0000000002AB0000-0x0000000002AB1000-memory.dmp

      Filesize

      4KB

    • memory/2336-0-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB

    • memory/2336-32-0x0000000000270000-0x00000000002B0000-memory.dmp

      Filesize

      256KB

    • memory/2336-17-0x0000000000270000-0x00000000002B0000-memory.dmp

      Filesize

      256KB

    • memory/2336-18-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB

    • memory/2776-25-0x0000000000230000-0x0000000000231000-memory.dmp

      Filesize

      4KB

    • memory/2776-35-0x0000000000230000-0x0000000000231000-memory.dmp

      Filesize

      4KB

    • memory/2812-33-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB

    • memory/2812-2964-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB

    • memory/2812-19-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB

    • memory/2812-4156-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB