Analysis

  • max time kernel
    119s
  • max time network
    93s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    28-09-2024 01:03

General

  • Target

    75ba5da4836e5b018790f563c0c292367f579feb37c07742480285bfd45fc6c4N.exe

  • Size

    131KB

  • MD5

    d7721bcd76bca30cfdb61e716fd71910

  • SHA1

    2265f8141db33b9f88676cd10975aac8c54af9cc

  • SHA256

    75ba5da4836e5b018790f563c0c292367f579feb37c07742480285bfd45fc6c4

  • SHA512

    198af8aaa958ca3041fb20d25d984891cd03fd7a83d2ddd23234688441bf0517bcb2ab868c97230b89a742137533965ba19d88d2fca46165d6690bfc84413dcd

  • SSDEEP

    1536:2+psrz8GvnGRR8Bftg+9t/p4QAILJuCOPdvX/ZWOtnGWxlP:2H8alvgmJAIlwPxX/ZWOFrb

Malware Config

Signatures

  • Drops startup file (2 IoCs)
  • Executes dropped EXE (2 IoCs)
  • Reads user/profile data of web browsers (3 TTPs)

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates connected drives (3 TTPs, 21 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory (64 IoCs)
  • Drops file in Windows directory (4 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 10 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of SetWindowsHookEx (2 IoCs)
  • Suspicious use of WriteProcessMemory (29 IoCs)

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3524
      • C:\Users\Admin\AppData\Local\Temp\75ba5da4836e5b018790f563c0c292367f579feb37c07742480285bfd45fc6c4N.exe
        "C:\Users\Admin\AppData\Local\Temp\75ba5da4836e5b018790f563c0c292367f579feb37c07742480285bfd45fc6c4N.exe"
        2⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:388
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1896
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:1048
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a833A.bat
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4716
          • C:\Users\Admin\AppData\Local\Temp\75ba5da4836e5b018790f563c0c292367f579feb37c07742480285bfd45fc6c4N.exe
            "C:\Users\Admin\AppData\Local\Temp\75ba5da4836e5b018790f563c0c292367f579feb37c07742480285bfd45fc6c4N.exe"
            4⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:3432
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Drops startup file
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2576
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:836
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:3132
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:428
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:4248

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe

      Filesize

      251KB

      MD5

      60268b7b1db590bd8be291cd1cbecd45

      SHA1

      2b734b43bc488992dddcfdc6d8c218a3573e1e8e

      SHA256

      f9161f95dd8e9275df931e118b856b98b0cb9364a879a8e3da1e05e2af9b3589

      SHA512

      ac4188bbeef37afc9aadbc3a87920dd6548b88dd7544eba6f3b6e81c867a9c390a9e8de2814ef5e4d30652faebb807eec01bc44acccf48fc63cc2b79762b4f07

    • C:\Program Files\7-Zip\7z.exe

      Filesize

      577KB

      MD5

      25ca0916c72125a8313ba64b101fd969

      SHA1

      9395d8a9e44400208b8479b23521b69478e5441e

      SHA256

      24ca419f3ef5d9b126e5c8a8dd04493de280adbda0a9f14e8a694d7ee6b6222b

      SHA512

      de5482d5dd6fd7a00452ffbb5eb1b4c29d9f18d150092f8e610b51a70f9b9a71ab1576bfac267a6c5ae1656055f6ddf2e7c436b366f75800edeb5e08bba7c26c

    • C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe

      Filesize

      644KB

      MD5

      9044b8cb7dee805474f46fdff328cebb

      SHA1

      1cabc4c6c2c86cbb78765bc9dbc34fb343a473d2

      SHA256

      62fedddac5d2bc0012582f6d5c8a62f1cfeb146338ded33892f3e2e9a3080618

      SHA512

      4c3baf797abb9745bd194cb39da4f7541273d5ceb694929e562b3823118a8851a9b5dde4379d3936ca8fc233339560f7716518a62b421a2fcfe228d1037d9753

    • C:\Users\Admin\AppData\Local\Temp\$$a833A.bat

      Filesize

      728B

      MD5

      2eb76a5b98fb0b39ccb572ce9057799d

      SHA1

      03ed7596038c759baeb356232e2a94a87c16a405

      SHA256

      6b4c984ed1ede9096ed1826a7b485e4ae4c9a3cc8295543e8e0893f25b3cebc4

      SHA512

      2830ffa4f94927c8d622018f817ee033ee91062ca8761e01ffe701e76a71f5dc39abb7fc9eb9a70df41eb4833a0726a3b6d8dc99fad4e19ab40fa4e138f14750

    • C:\Users\Admin\AppData\Local\Temp\75ba5da4836e5b018790f563c0c292367f579feb37c07742480285bfd45fc6c4N.exe.exe

      Filesize

      97KB

      MD5

      713a30695b671b6e3b19b7d09f9d8409

      SHA1

      83916537c86d7dc1043c752f195f04fa42813afe

      SHA256

      6b42e2e9822b99f5f13a6d1f639fa64cc93001266ceb7a7d342da1bce84d5c08

      SHA512

      a450c691e0c8d16519b418b366a260360a57e8511c6975f2e3029c41f30a68d83448126c3d57c9fb36b3a44e839d4bbcaa73e0adfe305a71e04def2fd990cbf7

    • C:\Windows\Logo1_.exe

      Filesize

      33KB

      MD5

      9fd9ba751e949c130d66fe9a3ea6248d

      SHA1

      c39ed606f3afb966b21147079c8c7407732cd29a

      SHA256

      1b6840fc07e4e63f663e72e82e7d6dfbcead0894ad5103a500b1689cc9d4eac6

      SHA512

      f2fca4862e5abd737f4b8d2b43246b15f4e0029159e90a100baa44a54468734bdbaf3b348dea18ed8c4d953183a4b9fd42c5918b71263d6ae8bea6f7305b17f0

    • F:\$RECYCLE.BIN\S-1-5-21-786284298-625481688-3210388970-1000\_desktop.ini

      Filesize

      9B

      MD5

      77ac50871f710809bbf0957e178463e4

      SHA1

      68a9ba0d760af28367efc9773999b978de998a12

      SHA256

      36309483344452798a5953f04265f59efcf323ec5d55ea7f0916449b12d579c1

      SHA512

      3adbde7746af2187e13878b8381313d555ff78f697650a608d38acde761e3bf3827515ea70fb6ea45520d806621565e93c3c8c8e4d2760c463747d1b0a3c8aeb

    • memory/388-10-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB

    • memory/388-0-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB

    • memory/2576-19-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB

    • memory/2576-3142-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB

    • memory/2576-8-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB

    • memory/2576-8784-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB

    • memory/3432-21-0x00000000005E0000-0x00000000005E1000-memory.dmp

      Filesize

      4KB

    • memory/3432-15-0x00000000005E0000-0x00000000005E1000-memory.dmp

      Filesize

      4KB