Analysis

  • max time kernel
    150s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    05/10/2024, 22:55

General

  • Target
    4f365ad51a22c19542a1f41c80da061b5b38b3d9b1d44c3182f18adbb82017a4.exe
  • Size
    666KB
  • MD5
    559cab5a1192442f55e1781108fa5c37
  • SHA1
    d731456f790d1224dc5e51612d144d0951714ee9
  • SHA256
    4f365ad51a22c19542a1f41c80da061b5b38b3d9b1d44c3182f18adbb82017a4
  • SHA512
    35631f524f4d7b1c612484f979caa9c28b1029333360d32320eb0d028cd35cd62c6abbcd5367d69ccd2734b71b71ab628c7651c3d712a7dd6aacb39bd12a78e2
  • SSDEEP
    6144:9+aX36IC9LRU0ySj14WH+JPb7uL8zRMnJjNhAp7SO8zRMnJjNhAp7S8FRcdEKFVg:9+aQPFlTz

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 43 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1236
      • C:\Users\Admin\AppData\Local\Temp\4f365ad51a22c19542a1f41c80da061b5b38b3d9b1d44c3182f18adbb82017a4.exe
        "C:\Users\Admin\AppData\Local\Temp\4f365ad51a22c19542a1f41c80da061b5b38b3d9b1d44c3182f18adbb82017a4.exe"
        2⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2656
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2924
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:2800
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\$$a5B2B.bat
          3⤵
          • Deletes itself
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2776
          • C:\Users\Admin\AppData\Local\Temp\4f365ad51a22c19542a1f41c80da061b5b38b3d9b1d44c3182f18adbb82017a4.exe
            "C:\Users\Admin\AppData\Local\Temp\4f365ad51a22c19542a1f41c80da061b5b38b3d9b1d44c3182f18adbb82017a4.exe"
            4⤵
            • Executes dropped EXE
            PID:2592
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Drops startup file
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2552
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2820
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2544
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:1516
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:1844

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
      Filesize: 478KB
      MD5: 3dc7d30c27a581e9d524214c0142ea4c
      SHA1: b610c2fcba0a638926caf130cecca2f495a6b758
      SHA256: 1172b41a581efa3c42f4f276d12c3ba0f6bf12d44a10ef908730405ac34d8017
      SHA512: 33e40a51281741cb9ca398d18e3ccdde022149f99414cf0e41767ef99275a5171b78e33e7f716ff615c93f62ab2dfb02fb839010dcc103c2639e731a4a550bc3

    • C:\Users\Admin\AppData\Local\Temp\$$a5B2B.bat
      Filesize: 722B
      MD5: f8eaf8b163e1c41cafbd202c7d500f6b
      SHA1: 0bca627107ce5c3660a53a67a5f97723d977dcdd
      SHA256: d4b8d518a5e05da27eed246453ff3c26c47377f073c6cd522de95a5208437a57
      SHA512: 0f1b8f15115c4a0fc89197373d06ec709afb756d2316fc878ea2b589c803ce03bead416184401e86ebb7c27612b0d3628742f90d50f6142c50ad0a2441c344da

    • C:\Users\Admin\AppData\Local\Temp\4f365ad51a22c19542a1f41c80da061b5b38b3d9b1d44c3182f18adbb82017a4.exe.exe
      Filesize: 633KB
      MD5: 2e0d056ad62b6ef87a091003714fd512
      SHA1: 73150bddb5671c36413d9fbc94a668f132a2edc5
      SHA256: cb83f04591cc1d602e650dd5c12f4470cf21b04328477bd6a52081f37c04bd7c
      SHA512: b8e920f8b7547aec6f5771e3e6119b01157e5e36a92c67142b0d73ffe0d501d933581e1fc752e5bba9ce819e3897be9c146bebfc0018e91318b0c99d188a2580

    • C:\Windows\Logo1_.exe
      Filesize: 33KB
      MD5: a2755236f492703b1085347ba4d3e29f
      SHA1: d0a1c52f785f1a6ed70033b9a907640b77333409
      SHA256: c388f834183f45915331318a81106b4bcb3383be08ebce9aa766191f91b15f01
      SHA512: 03c33ec7f65c401b4fb98a77d3e6909057e5665ab304723ba1450950c409710e81a0d0065b7d1f815f70488ba1461139e411457bd6cd7415c7ebced20cd32425

    • F:\$RECYCLE.BIN\S-1-5-21-1846800975-3917212583-2893086201-1000\_desktop.ini
      Filesize: 9B
      MD5: 0065cefd7e2e73322fc2b3eccc06be61
      SHA1: fe37ea5ea5fff8019af1550a1f48b685c586850b
      SHA256: 7719e33d2deb48297f917eda88efb3ff75cd90107afdb025073133980fc963a2
      SHA512: a92e665443eccd9f549741a8c2e17a317ce50818f14b2d8b471bdb1815718c4859607796e3bd26d7b2c5e052144098c77066dcfc91d2e72f1b7ef5db21d3486b

    • memory/1236-27-0x0000000003E90000-0x0000000003E91000-memory.dmp
      Filesize: 4KB

    • memory/2552-18-0x0000000000400000-0x000000000043F000-memory.dmp
      Filesize: 252KB

    • memory/2552-31-0x0000000000400000-0x000000000043F000-memory.dmp
      Filesize: 252KB

    • memory/2552-3000-0x0000000000400000-0x000000000043F000-memory.dmp
      Filesize: 252KB

    • memory/2552-4191-0x0000000000400000-0x000000000043F000-memory.dmp
      Filesize: 252KB

    • memory/2656-30-0x0000000000230000-0x000000000026F000-memory.dmp
      Filesize: 252KB

    • memory/2656-0-0x0000000000400000-0x000000000043F000-memory.dmp
      Filesize: 252KB

    • memory/2656-16-0x0000000000400000-0x000000000043F000-memory.dmp
      Filesize: 252KB