Analysis

  • max time kernel
    150s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    10/10/2024, 07:25

General

  • Target

    b22096651025516bb7a51e1865f089c994f104a9c3d000acaaaff1f691aa8508.exe

  • Size

    667KB

  • MD5

    288ef612d3573417f1f03e3d3cf06359

  • SHA1

    ad8a5ea286a28afdb3fa1d8194c637d2fb6c2cdb

  • SHA256

    b22096651025516bb7a51e1865f089c994f104a9c3d000acaaaff1f691aa8508

  • SHA512

    5e094e325923b2a85ad8425c8c9b24f4b1135e3152109360c1c44a1f271ed39cfc7332f9e8f962ead6a2dcbc5d3eeffc26a30f17213fc94951b7077cfbe4bd06

  • SSDEEP

    6144:+46tGdye419C9LRU0ySj14WH+JPb7uL8zRMnJjNhAp7SO8zRMnJjNhAp7S8FRcd+:+3NbyPFlTz

Malware Config

Signatures

  • Drops file in Drivers directory 2 IoCs
  • Deletes itself 1 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials.

  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 43 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1216
      • C:\Users\Admin\AppData\Local\Temp\b22096651025516bb7a51e1865f089c994f104a9c3d000acaaaff1f691aa8508.exe
        "C:\Users\Admin\AppData\Local\Temp\b22096651025516bb7a51e1865f089c994f104a9c3d000acaaaff1f691aa8508.exe"
        2⤵
        • Drops file in Drivers directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2072
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2192
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:2028
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\$$aE1B8.bat
          3⤵
          • Deletes itself
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:916
          • C:\Users\Admin\AppData\Local\Temp\b22096651025516bb7a51e1865f089c994f104a9c3d000acaaaff1f691aa8508.exe
            "C:\Users\Admin\AppData\Local\Temp\b22096651025516bb7a51e1865f089c994f104a9c3d000acaaaff1f691aa8508.exe"
            4⤵
            • Executes dropped EXE
            PID:2836
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Drops file in Drivers directory
          • Drops startup file
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2652
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2776
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2692
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2596
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2600
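
The tree above carries three patterns worth turning into detection logic: net.exe stopping a security product's service, cmd.exe running a .bat from the same Temp directory as its parent (the step tagged "Deletes itself"), and an executable dropped into the Windows root and launched by the Temp-resident dropper. The following is an added example and not part of the sandbox report; the EVENTS list is constructed by hand to mirror the tree (PIDs, images and command lines copied from it, parent of Explorer set to 0 as a placeholder), and the rule names and the AV_WORDS keyword list are my own choices rather than anything the sandbox emits.

```python
"""Flag the process-tree patterns from the report over Sysmon-style process
creation events.  Added example; the EVENTS list is constructed by hand to
mirror the tree above and is not sandbox output."""
import ntpath
import re

TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
# An .exe directly under <drive>:\Windows\, i.e. not in System32/SysWOW64.
WINROOT_RE = re.compile(r"^[A-Z]:\\Windows\\[^\\]+\.exe$", re.I)
NET_STOP_RE = re.compile(r'\bnet1?(?:\.exe)?\s+stop\s+"?([^"]+?)"?\s*$', re.I)
# Generic words found in security product service names (assumed list, not from the report).
AV_WORDS = ("antivirus", "anti-virus", "security", "defender", "protect", "endpoint")

DROPPER = (r"C:\Users\Admin\AppData\Local\Temp"
           r"\b22096651025516bb7a51e1865f089c994f104a9c3d000acaaaff1f691aa8508.exe")

# Constructed events mirroring the report's process tree (pid, parent pid, image, command line).
EVENTS = [
    {"pid": 1216, "ppid": 0,    "image": r"C:\Windows\Explorer.EXE", "cmd": r"C:\Windows\Explorer.EXE"},
    {"pid": 2072, "ppid": 1216, "image": DROPPER, "cmd": f'"{DROPPER}"'},
    {"pid": 2192, "ppid": 2072, "image": r"C:\Windows\SysWOW64\net.exe",
     "cmd": 'net stop "Kingsoft AntiVirus Service"'},
    {"pid": 2028, "ppid": 2192, "image": r"C:\Windows\SysWOW64\net1.exe",
     "cmd": r'C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"'},
    {"pid": 916,  "ppid": 2072, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmd": r"cmd /c C:\Users\Admin\AppData\Local\Temp\$$aE1B8.bat"},
    {"pid": 2836, "ppid": 916,  "image": DROPPER, "cmd": f'"{DROPPER}"'},
    {"pid": 2652, "ppid": 2072, "image": r"C:\Windows\Logo1_.exe", "cmd": r"C:\Windows\Logo1_.exe"},
    {"pid": 2776, "ppid": 2652, "image": r"C:\Windows\SysWOW64\net.exe",
     "cmd": 'net stop "Kingsoft AntiVirus Service"'},
    {"pid": 2692, "ppid": 2776, "image": r"C:\Windows\SysWOW64\net1.exe",
     "cmd": r'C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"'},
    {"pid": 2596, "ppid": 2652, "image": r"C:\Windows\SysWOW64\net.exe",
     "cmd": 'net stop "Kingsoft AntiVirus Service"'},
    {"pid": 2600, "ppid": 2596, "image": r"C:\Windows\SysWOW64\net1.exe",
     "cmd": r'C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"'},
]


def basename(path):
    return ntpath.basename(path.strip('"')).lower()


def detect(events):
    """Return (rule, pid, detail) findings for the three patterns, in event order."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        name = basename(e["image"])
        parent = by_pid.get(e["ppid"])

        # Rule 1: net/net1 stop <service> where the service name looks like a security product.
        if name in ("net.exe", "net1.exe"):
            m = NET_STOP_RE.search(e["cmd"])
            if m and any(w in m.group(1).lower() for w in AV_WORDS):
                # net.exe always hands the work to net1.exe; report that chain once, at net.exe.
                handed_off = name == "net1.exe" and parent and basename(parent["image"]) == "net.exe"
                if not handed_off:
                    findings.append(("av_service_stop", e["pid"], m.group(1)))

        # Rule 2: cmd /c <Temp>\*.bat spawned by an executable living in the same Temp directory.
        if name == "cmd.exe" and parent:
            m = re.search(r"/c\s+(\S+\.bat)\b", e["cmd"], re.I)
            if m and TEMP_RE.search(m.group(1)) and TEMP_RE.search(parent["image"]):
                findings.append(("temp_batch_from_temp_exe", e["pid"], m.group(1)))

        # Rule 3: an .exe directly in the Windows root started by a Temp-resident process.
        if WINROOT_RE.match(e["image"].strip('"')) and parent and TEMP_RE.search(parent["image"]):
            findings.append(("windows_root_exe_from_temp", e["pid"], e["image"]))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in detect(EVENTS):
        print(f"{rule:28} pid={pid:<5} {detail}")
```

Run over the constructed events this yields five findings: the three net.exe service stops (PIDs 2192, 2776, 2596), the batch launch from Temp (PID 916) and Logo1_.exe started from the dropper (PID 2652). Rule 1 deliberately collapses each net.exe/net1.exe pair into one alert; if you expect direct net1.exe invocation in your environment, drop the handed_off check and de-duplicate downstream instead.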

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

      Filesize

      258KB

      MD5

      0fdcc6bd740af4d6329e377f62bd8e1e

      SHA1

      bf868580605a849d7fba31d4fb831eb7ee96050f

      SHA256

      915c6c4850fac144b883649447edb4d824864a0441dd3f93ce2da66831411936

      SHA512

      65facc07eb53d8aadcc7ee7dc546ccded542a233a7155bf19806efb83e09dd1ce96fc149311ef4939157f012ae4b9b12d254f9979afabb3195a88a46c5efc17f

    • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

      Filesize

      478KB

      MD5

      221886d1b103525fc407c8fed3ab083e

      SHA1

      965d60f0b645def3fdc5dc1d0178b6bfee45d941

      SHA256

      12b9b8617c5633e47953da144c80388512ee9a5fcb4fe7d0c143a3bc08e90458

      SHA512

      f5f7aea322a28570dfa57b5344002759e043b1f0e2806d95ee2492f6fe6a8a3cd5a9f8817cd4714cfa9f90fb219613654f03ed5b7e4ccf7b0761d9f945485348

    • C:\Users\Admin\AppData\Local\Temp\$$aE1B8.bat

      Filesize

      722B

      MD5

      70dcd44844e33069e770f37ad2f4764d

      SHA1

      bd68dac544000ed3e47e51a374cc25cdc9de33c7

      SHA256

      54a22df9c242eb08ae4a29745c8ba05723f46e00e35b80ab34b18d0a68a71ec7

      SHA512

      8fe1aafcf5ad1a1570355f1387382f958e45d1b3fdb44e564b30e19c875fef976cd4a70505e919281a4865c6b79a26f2c9157f49fcf741cc118cd7541d891fb7

    • C:\Users\Admin\AppData\Local\Temp\b22096651025516bb7a51e1865f089c994f104a9c3d000acaaaff1f691aa8508.exe.exe

      Filesize

      633KB

      MD5

      2e0d056ad62b6ef87a091003714fd512

      SHA1

      73150bddb5671c36413d9fbc94a668f132a2edc5

      SHA256

      cb83f04591cc1d602e650dd5c12f4470cf21b04328477bd6a52081f37c04bd7c

      SHA512

      b8e920f8b7547aec6f5771e3e6119b01157e5e36a92c67142b0d73ffe0d501d933581e1fc752e5bba9ce819e3897be9c146bebfc0018e91318b0c99d188a2580

    • C:\Windows\Logo1_.exe

      Filesize

      33KB

      MD5

      70f51571d196ca89788744cb11628b5a

      SHA1

      148e4c93f8abbbfda3fa091300aa6bba04eb780a

      SHA256

      96ee6d4ec602223ca5b9cb926c7cf00eab1aa6effb3596dc4aa99788aa0166b6

      SHA512

      155bd38f218d32102c871015daed1fe0f00ab74870c4173f2b237e6761eb05acf46b988ae6e56d5df82fa122d7035c35737c48f26c30e47ebfd5f8967cb76cac

    • C:\Windows\system32\drivers\etc\hosts

      Filesize

      832B

      MD5

      7e3a0edd0c6cd8316f4b6c159d5167a1

      SHA1

      753428b4736ffb2c9e3eb50f89255b212768c55a

      SHA256

      1965854dfa54c72529c88c7d9f41fa31b4140cad04cf03d3f0f2e7601fcbdc6c

      SHA512

      9c68f7f72dfa109fcfba6472a1cced85bc6c2a5481232c6d1d039c88b2f65fb86070aeb26ac23e420c6255daca02ea6e698892f7670298d2c4f741b9e9415c7f

    • F:\$RECYCLE.BIN\S-1-5-21-3290804112-2823094203-3137964600-1000\_desktop.ini

      Filesize

      10B

      MD5

      1603436fb34d76c51d66ab1816519131

      SHA1

      3d5dc4ccfe3cc992c253dccfccf66ea727f66bf6

      SHA256

      9072a674ab684ff3ef851bf4f0fdc4118d2bcbe765282f38f3f6de4360057d60

      SHA512

      30d89b59822313e4b281b8f63b959f36262b2b948cf38e6389e9a1a7517c7c239349a41de9e35c8cd27d6b852ab5349206c2fb85b631dc59fab5421d997dbd46

    • memory/1216-30-0x0000000002570000-0x0000000002571000-memory.dmp

      Filesize

      4KB

    • memory/2072-0-0x0000000000400000-0x000000000043E000-memory.dmp

      Filesize

      248KB

    • memory/2072-18-0x0000000000400000-0x000000000043E000-memory.dmp

      Filesize

      248KB

    • memory/2072-17-0x0000000000230000-0x000000000026E000-memory.dmp

      Filesize

      248KB

    • memory/2652-20-0x0000000000400000-0x000000000043E000-memory.dmp

      Filesize

      248KB

    • memory/2652-2963-0x0000000000400000-0x000000000043E000-memory.dmp

      Filesize

      248KB

    • memory/2652-34-0x0000000000400000-0x000000000043E000-memory.dmp

      Filesize

      248KB

    • memory/2652-4153-0x0000000000400000-0x000000000043E000-memory.dmp

      Filesize

      248KB
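
The file list above includes C:\Windows\system32\drivers\etc\hosts, the only file under the drivers directory the report shows written, but the page does not show what was added to it. Rewriting hosts is a common way to cut a security product off from its update or licensing servers, so the useful check on a collected copy is a diff against a known-good baseline. The following is an added example, not part of the report: both the abbreviated stock header and the "after" text are constructed, and the domains in it are reserved placeholders (RFC 2606 .test/.example names, RFC 5737 addresses), not indicators from this sample.

```python
"""Diff a collected hosts file against a known-good baseline and report entries
that point non-local names at loopback/unspecified addresses.  Added example;
both texts below are constructed and the domains are placeholders."""
import ipaddress

# Abbreviated stock Windows hosts file: comments only, localhost lines commented out.
BASELINE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# 127.0.0.1       localhost
# ::1             localhost
"""

# Constructed "after infection" file: the stock header plus appended lines.
# Names are placeholders, not IoCs from this sample.
TAMPERED_HOSTS = BASELINE_HOSTS + """\
127.0.0.1 localhost
127.0.0.1 update.example-av.test
0.0.0.0   liveupdate.example-security.test
192.0.2.10 intranet.example
"""

SINKHOLE_IPS = {"127.0.0.1", "0.0.0.0", "::1"}
LOCAL_NAMES = {"localhost", "localhost.localdomain"}


def parse_hosts(text):
    """Return (ip, hostname) pairs, one per name, ignoring comments and blank or malformed lines."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = str(ipaddress.ip_address(fields[0]))   # normalises e.g. ::0001 -> ::1
        except ValueError:
            continue                             # first field is not an address: skip, don't guess
        for name in fields[1:]:
            pairs.append((ip, name.lower()))
    return pairs


def hosts_tamper_report(current, baseline):
    """Entries present in `current` but not in `baseline`, plus the subset that
    sinkholes a non-local name to a loopback/unspecified address."""
    known = set(parse_hosts(baseline))
    added = [p for p in parse_hosts(current) if p not in known]
    sinkholed = [p for p in added if p[0] in SINKHOLE_IPS and p[1] not in LOCAL_NAMES]
    return {"added": added, "sinkholed": sinkholed}


if __name__ == "__main__":
    report = hosts_tamper_report(TAMPERED_HOSTS, BASELINE_HOSTS)
    for ip, name in report["sinkholed"]:
        print(f"sinkholed: {name} -> {ip}")
```

On the constructed input the uncommented localhost line shows up as added but is not reported as sinkholed, while the two vendor-looking names mapped to 127.0.0.1 and 0.0.0.0 are. Compare the hashes of the collected file with the ones listed above before diffing, so you know you are looking at the same artifact the sandbox recorded.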