Overview

overview

7

Static

static

3

8f224eafaf...ec.exe

windows7-x64

7

8f224eafaf...ec.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    12/10/2024, 07:18

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    8f224eafafbf0dea304cb787d4fe5ec34202d95a81b4e4f6ed17627c91094eec.exe

  • Size

    3.7MB

  • MD5

    3781c8a88560688cba6b0dd43e213e38

  • SHA1

    bda1cd28225e8e7421c8939a78dada1b2e6f73fd

  • SHA256

    8f224eafafbf0dea304cb787d4fe5ec34202d95a81b4e4f6ed17627c91094eec

  • SHA512

    957f2d8f496a32e1ea771b6628cd9f1833769fbd60c24b1992b6ba2bc54177d42d86bd7854d4aacafc5d3d2cb680ec956504eb077e9b190c43bddaf06c2efc61

  • SSDEEP

    98304:ZYOXwnS4rV4zwsAFzX/j9Tz5dmRUcfT/j9Tz5amRUcfe:+Idw/jF5rcr/jF52cm

Score
7/10
discoveryspywarestealer

Malware Config

Signatures

  • Drops startup file 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 30 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1216
      • C:\Users\Admin\AppData\Local\Temp\8f224eafafbf0dea304cb787d4fe5ec34202d95a81b4e4f6ed17627c91094eec.exe
        "C:\Users\Admin\AppData\Local\Temp\8f224eafafbf0dea304cb787d4fe5ec34202d95a81b4e4f6ed17627c91094eec.exe"
        2⤵
        • Drops startup file
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2084
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1988
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:1636
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2304
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:2956

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files\7-Zip\7zG.exe
            Filesize

            4.4MB

            MD5

            ad5e60d0b716e6bc9e7379405a063aab

            SHA1

            3cf2f63914017300828ae2cef92b5fa14b859290

            SHA256

            8d244a7516cf47ab1b09724f70beb475c7477f81c03923f6873cf8e90b4612c6

            SHA512

            2897aa946fbec3b7c3a7aa15d57dda01da79de5fe1f2f3cc702347f7745172d68f0e3646f233ec68fd9c5ca3dd4cb18deee4c3c78653c2cbd8622e25e5c517e1

            Download Submit

          • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
            Filesize

            4.2MB

            MD5

            b8ea5098d9a872a9b7040aaf96fe90c1

            SHA1

            52767f7d9f7e6802a71e2aa515470b25605d08f3

            SHA256

            729494e1c537e2c2356eb2187a9f0f4976cc5f29d6082e3bb94c9d1063548313

            SHA512

            6a60e195993c687921b498e1d9474c4be3510913257b414b63e824466feb9209bf076e377c008f852e256597448b034489a383a1080d7c04b0c331af0db1e34c

            Download Submit

          • F:\$RECYCLE.BIN\S-1-5-21-3290804112-2823094203-3137964600-1000\_desktop.ini
            Filesize

            10B

            MD5

            291aa08828faa68893c7f89a0dfc158b

            SHA1

            fcae3d190f0d8c14b44dc2be0b627b0680d2eab9

            SHA256

            f9e79f635e09441b5a073e6263a1d1de881c2105d7637650b5ec2d20f6a7c841

            SHA512

            9c80a5e3e37731eb0eba85b496e512dbfe08c77c207bcb41ad429d289e3d348e8e7b83ef00052c445581df37aa60729a4f0c2dd3ed0ed2e5d05a8758a23f1f38

            Download Submit

          • memory/1216-3-0x0000000002570000-0x0000000002571000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2084-0-0x0000000000400000-0x0000000000448000-memory.dmp

            Filesize

            288KB

            Download

          • memory/2084-7-0x0000000000400000-0x0000000000448000-memory.dmp

            Filesize

            288KB

            Download