Overview

overview

7

Static

static

3

359ccbf0e4...a9.exe

windows7-x64

7

359ccbf0e4...a9.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    12/10/2024, 09:10

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    359ccbf0e462985fec7ac0c22317e0317a2cb2e975d0adf36a5f0615800945a9.exe

  • Size

    56KB

  • MD5

    81fb704470d89a2c7818dc28bf730476

  • SHA1

    e255822c9f49d0068f0f95461a8b5e263f9df314

  • SHA256

    359ccbf0e462985fec7ac0c22317e0317a2cb2e975d0adf36a5f0615800945a9

  • SHA512

    36693f54179295a480cf01bd66cec0e0fab7f363b741e605ac9f6b5d1c81b79af4e126023935fd1ff871b0517e7942ca5aa3521d125dcd09b6007acb7923798a

  • SSDEEP

    768:SZetyBpQFJFKZj1PVs9Ag1vzbaBrOF32zzFF+OtTDMmgqgt6jpYU5ltbDrYiI0oq:Skcx1aeg1viBxvCOt3+6jWWvr78Pxc

Score
7/10
discoveryspywarestealer

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 43 IoCs
  • Suspicious use of WriteProcessMemory 41 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1196
      • C:\Users\Admin\AppData\Local\Temp\359ccbf0e462985fec7ac0c22317e0317a2cb2e975d0adf36a5f0615800945a9.exe
        "C:\Users\Admin\AppData\Local\Temp\359ccbf0e462985fec7ac0c22317e0317a2cb2e975d0adf36a5f0615800945a9.exe"
        2⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2348
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2508
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:2460
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\$$aB5F7.bat
          3⤵
          • Deletes itself
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2428
          • C:\Users\Admin\AppData\Local\Temp\359ccbf0e462985fec7ac0c22317e0317a2cb2e975d0adf36a5f0615800945a9.exe
            "C:\Users\Admin\AppData\Local\Temp\359ccbf0e462985fec7ac0c22317e0317a2cb2e975d0adf36a5f0615800945a9.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:3000
            • C:\Windows\system32\WerFault.exe
              C:\Windows\system32\WerFault.exe -u -p 3000 -s 124
              5⤵
              • Loads dropped DLL
              PID:2088
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Drops startup file
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2976
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2724
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2660
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2988
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2848

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
            Filesize

            258KB

            MD5

            43bfa1739684e70b8ac37598d771613f

            SHA1

            4c63ad886c0a77233453551fd3c5efb25272a938

            SHA256

            2fef6627a534bf410e4499b62424420f604c62aa3e888ddfdc7d8c275931f43e

            SHA512

            0abeb5aa554beea306557d428c26a557df176214639907fae1c6aad5dc8df29b2a19e717c7064a167fa144c8a8b7c3b05824c82d72eb235e2520b9f9b4794e86

            Download Submit

          • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
            Filesize

            478KB

            MD5

            c845912f3a8d7c041a8c2f00c826ff3f

            SHA1

            3c63cf9ad0d5a52f1e0fdb72fb06a6a425cb178b

            SHA256

            a74283fa88ea195ef69d1581486241feeddb28a30503cc4831bc0efac8ecc6ee

            SHA512

            4a98d7f117eb96e0ad2289161bf11868364dafa01d4301cdfb33cc1d3ac053e4d373f71b9711efe164965a0d99fd95cf4db553e6dcbb0249a89306e5149e41dc

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\$$aB5F7.bat
            Filesize

            722B

            MD5

            f8b65323384484e2d8680da766eccbb2

            SHA1

            035d9a1ccb5ed383a6a07b0b108b6aa4180cfbd8

            SHA256

            12857f450f87a18dc92339baac1fc4c41ab3d3099bf713c4e68fb07d2803d10b

            SHA512

            9fe93c02d64528f636428bf530a2ab83b6756aabc24980fd17dd06e4114649bf4aa8c560e011d690aa086ba84cc64a797d0aeaee67560d030cadf1ce42e1d980

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\359ccbf0e462985fec7ac0c22317e0317a2cb2e975d0adf36a5f0615800945a9.exe.exe
            Filesize

            23KB

            MD5

            3f9dbfee668294872ef01b90740b01d0

            SHA1

            99a4702b65485cd14736b1c2cdfb81b455dda01c

            SHA256

            40b32fea1fcadcb2db369475e2bba58b0b83f5c3bb647e2e63877726c35a9f86

            SHA512

            0113cec160d97ea0cce70860cc5b79b502d16191ee237a3abb84309499be193aa0127dbcb41fc05a90fa61484b061ec4332ad29a918db598e32fe832b74bd1e3

            Download Submit

          • C:\Windows\Logo1_.exe
            Filesize

            33KB

            MD5

            55dc49ad6b8e967d55220ab3cd4cb7f4

            SHA1

            57adfd047536920c0ade72a5b3114b8e22a155f6

            SHA256

            36301fd0df79c01e64a480e4c17f58797d72ee7f948195946ffac2c5d1a65422

            SHA512

            dce127ff9b7c7dfe6ca53ba9d9fceea82531b22614c5bdd2ca0c35bc6cc827396a723f1cfd15a2450965f7598b961b41dd4270d1cb5af9b814f076931512a359

            Download Submit

          • F:\$RECYCLE.BIN\S-1-5-21-4177215427-74451935-3209572229-1000\_desktop.ini
            Filesize

            10B

            MD5

            291aa08828faa68893c7f89a0dfc158b

            SHA1

            fcae3d190f0d8c14b44dc2be0b627b0680d2eab9

            SHA256

            f9e79f635e09441b5a073e6263a1d1de881c2105d7637650b5ec2d20f6a7c841

            SHA512

            9c80a5e3e37731eb0eba85b496e512dbfe08c77c207bcb41ad429d289e3d348e8e7b83ef00052c445581df37aa60729a4f0c2dd3ed0ed2e5d05a8758a23f1f38

            Download Submit

          • memory/1196-33-0x0000000002D50000-0x0000000002D51000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2348-12-0x0000000000230000-0x000000000026D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/2348-0-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/2348-17-0x0000000000230000-0x000000000026D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/2348-19-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/2976-37-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/2976-20-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/2976-2967-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/2976-4158-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download