Overview

overview

7

Static

static

3

18add224d4...16.exe

windows7-x64

7

18add224d4...16.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-10-2024 21:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    18add224d40d3c19f4656c8865d0d70cd8fcbdd09f5363853ed843544a255516.exe

  • Size

    11.1MB

  • MD5

    370f2453f520c4e6d76ae5366e3cb22d

  • SHA1

    65e7cfe6c0b39bdff3dff4bffc15331496a64025

  • SHA256

    18add224d40d3c19f4656c8865d0d70cd8fcbdd09f5363853ed843544a255516

  • SHA512

    10f05f0f1ce550f2d8f05eb630e87a6edfee5ef12f5926f1ff9feff7e4e4ea773b5ea6f30e38d293cdc4e70d017b6105dbfd40edf52405dd9ce46ef31759a00e

  • SSDEEP

    98304:Rb+0ChEPIGiq3y3vx+w9TbfjJ+kdfpK46Tle36jknz9Y:h+kIGv3y/x+KTbfjJ+kdnAlejY

Score
7/10
discoveryspywarestealer

Malware Config

Signatures

  • Drops startup file 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3500
      • C:\Users\Admin\AppData\Local\Temp\18add224d40d3c19f4656c8865d0d70cd8fcbdd09f5363853ed843544a255516.exe
        "C:\Users\Admin\AppData\Local\Temp\18add224d40d3c19f4656c8865d0d70cd8fcbdd09f5363853ed843544a255516.exe"
        2⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:4792
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3128
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:2760
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a9CBD.bat
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4464
          • C:\Users\Admin\AppData\Local\Temp\18add224d40d3c19f4656c8865d0d70cd8fcbdd09f5363853ed843544a255516.exe
            "C:\Users\Admin\AppData\Local\Temp\18add224d40d3c19f4656c8865d0d70cd8fcbdd09f5363853ed843544a255516.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of WriteProcessMemory
            PID:184
            • C:\Users\Admin\AppData\Local\Temp\18add224d40d3c19f4656c8865d0d70cd8fcbdd09f5363853ed843544a255516.exe
              "C:\Users\Admin\AppData\Local\Temp\18add224d40d3c19f4656c8865d0d70cd8fcbdd09f5363853ed843544a255516.exe" --type=collab-renderer --proc=184
              5⤵
              • Executes dropped EXE
              PID:880
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Drops startup file
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:3936
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:4228
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:4060
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:1092
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2044

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files\7-Zip\7z.exe
      Filesize

      577KB

      MD5

      35d697f22154517431bff4aef9cbeba9

      SHA1

      4c58ffced9006c2dca9df53859eef7281b6fcbf1

      SHA256

      a1a7363d2c4656166395fb0f1cf02dee63b1124731fa33ed2d3858dfa5a46c8b

      SHA512

      eff00154b810f4ae59f099c419c0828e1dd992a31fc677c11ceb4702cc250b025226c76e8ca217acb4e3637d18884edeaee5004c9f73701160f17e5a187d1dcc

      Download Submit

    • C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
      Filesize

      643KB

      MD5

      c08994604c02bf7431e4c46295a779d5

      SHA1

      7f526582e292083589253bbc8b2cd093b2229ff2

      SHA256

      218bfecab8804a634b05ebcedc30eab7aa8fa8ed5775495ba9545517c311f00e

      SHA512

      13d9b746d0fe6922ecff9b5bf0ac896a63da11610341d4a7701e2a8d8fc5c0511d7bd9f4f54d3756b770998601b4f7b39b7e5c36d824dd42470fb0b499065c34

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\$$a9CBD.bat
      Filesize

      722B

      MD5

      d71599e29101b3e39b782c8e23f5a09b

      SHA1

      eb265e7e8f5ad51199f52c9bac9214c37d8945c9

      SHA256

      faada73cc1084cd7401778b2480acc32b637e014fb8d04f457b183a79d53879f

      SHA512

      68ae386d160ab3962f07b2d33c57e7ad79b6304daa7de3fdf9b4098fd2e4cdc1128829036f04e1e2cf845b8447d4049b9b38145b3c90f9b15dbae7ae8a367cc8

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\18add224d40d3c19f4656c8865d0d70cd8fcbdd09f5363853ed843544a255516.exe.exe
      Filesize

      11.0MB

      MD5

      b45b7bd6eb92c5b65378d8d0a0964747

      SHA1

      5ca6f198ac83c90496110259b57ff4a5f47b64bb

      SHA256

      5f1d9218f9735a763ffecc47c7b6f0c342b7f1a5da835733e0b3b73903f864a0

      SHA512

      bde39c4b6d04caae8280bdd53e6036c53ed394a72f0d4d1273c149175570e8a87f87c8963869c96834fef7e82893da38c49ce4aaa1851e65c055dbbcac7c1708

      Download Submit

    • C:\Windows\Logo1_.exe
      Filesize

      33KB

      MD5

      d0d93baf58f7cc1c190714eb1e01de67

      SHA1

      6f08ef9e2427e845eb7d94187d8beea81db3f623

      SHA256

      1e582660108e00a93b4b3d29eeca01300f61d8bae6ea84a28f03acb45e9ec557

      SHA512

      ef68509aa8032ff1e2cc25ddc34c0fbe69b3bd18c35c915362cbe10a699dfae9e279b586346bfade0b88960c99726dcf984fddaf7b0e91d2861472fb237d22ba

      Download Submit

    • F:\$RECYCLE.BIN\S-1-5-21-1194130065-3471212556-1656947724-1000\_desktop.ini
      Filesize

      9B

      MD5

      e92b0dcf7d27eb997606ca871d866c93

      SHA1

      69b76ef532ec922985b95329dbc5133f8d9fa994

      SHA256

      d0caa78610c77bb9fda1e6430ae7d9859d955dd9b19d26d12e409c8a39e24053

      SHA512

      8ea4006e99155f3821e05771cd80a7b2172078f77f2d1fe5daac4089809d94bad706d11a1af95ee3ea8d66959e65fe415dee8199ea7e1bf17d0b9f578cdb25ee

      Download Submit

    • memory/3936-8-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

      Download

    • memory/3936-18-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

      Download

    • memory/3936-3270-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

      Download

    • memory/3936-8735-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

      Download

    • memory/4792-0-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

      Download

    • memory/4792-9-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

      Download