Analysis

  • max time kernel
    149s
  • max time network
    101s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    12/10/2024, 13:23

General

  • Target
    a841fc014c00eec9c2d2f58d561a53549f95e7319346e9925c1f58ea23c6be85.exe
  • Size
    47KB
  • MD5
    c1e2cd8de32de2d44441bbe1988f0af3
  • SHA1
    daff69b74f2814bb4db2ca791992cddb11c4dd76
  • SHA256
    a841fc014c00eec9c2d2f58d561a53549f95e7319346e9925c1f58ea23c6be85
  • SHA512
    04effc1bd4467fafb6167253d6f9f9fab3a6cda1e0aa3f2c3c173b3745c9d33438edbb2e559bca13fb8169faa75d7f6bce91cf4cf893d967421830389d6a7535
  • SSDEEP
    768:IvO5RroZJ767395uINnEfDKBbUCp1OTZ+/VJWQ3655Kv1X/qY1MSd:Ive+Zk77RNzLiTOJHqaNrFd

Malware Config

Signatures

  • Drops startup file (2 IoCs)
  • Executes dropped EXE (2 IoCs)
  • Reads user/profile data of web browsers (3 TTPs)
    Infostealers often target stored browser data, which can include saved credentials and other sensitive information.
  • Enumerates connected drives (3 TTPs, 21 IoCs)
    Attempts to read the root path of hard drives other than the default C: drive.
  • Drops file in Program Files directory (64 IoCs)
  • Drops file in Windows directory (4 IoCs)
  • System Location Discovery: System Language Discovery (1 TTPs, 10 IoCs)
    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of WriteProcessMemory (29 IoCs)

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3444
      • C:\Users\Admin\AppData\Local\Temp\a841fc014c00eec9c2d2f58d561a53549f95e7319346e9925c1f58ea23c6be85.exe
        "C:\Users\Admin\AppData\Local\Temp\a841fc014c00eec9c2d2f58d561a53549f95e7319346e9925c1f58ea23c6be85.exe"
        2⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2560
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4504
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:2544
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a974E.bat
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4284
          • C:\Users\Admin\AppData\Local\Temp\a841fc014c00eec9c2d2f58d561a53549f95e7319346e9925c1f58ea23c6be85.exe
            "C:\Users\Admin\AppData\Local\Temp\a841fc014c00eec9c2d2f58d561a53549f95e7319346e9925c1f58ea23c6be85.exe"
            4⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:4968
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Drops startup file
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2868
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:5020
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:3344
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:4896
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:3656

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe
    Filesize: 250KB
    MD5: 6d352348fdfd69c04b66abc3216c61b7
    SHA1: 2ccfc99572573ea8b3e941d2d0ba21150c5f7230
    SHA256: 830d0c74334a2d6a589bbd4761e210d71e8dd376acd96a4030baae51a2c24fe2
    SHA512: 06cd378b1517dbd0009abf87b517fdab0e2f0c5f47b661081ecabca4bcc6feb29837bdbdd678ae9fff08f28821fc280c82d5848e0572996b6bf116a0bc1bf231
  • C:\Program Files\7-Zip\7z.exe
    Filesize: 577KB
    MD5: 3a172058fe34b8071a886f7201dd1c45
    SHA1: 22454cce666f13da497a1e66358ff3d1c0a96336
    SHA256: 15db6b8b789fee46fb8274b90216d225d0a294e5ecacb095ddc812efd22f399f
    SHA512: ef3d6e0b4fe42ec1607ca37380ac850392e1ed6e72c52ecb3214597ba9f03b823112e16a1664d85c02216ecc33940bf53eec8c0b96bdf3337349e8006b2c35f1
  • C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
    Filesize: 643KB
    MD5: e0725f04ef2eb236cf23dbdc14d512a5
    SHA1: ef9875c8bd15d6c9cdcb0a4025470fae9e0d00b2
    SHA256: ca3e9560c3c22fbb4efc142647d6918fe315dda96b5e00c9f0431f55ca97bcaa
    SHA512: 2dacc3b71e320017826ef563affec0c895cdda9cd293b6814df20aefa5d936e6fbed1d387f9224e533f473243ecb6ea5865d0919f56459c6c3e014e07d241a4e
  • C:\Users\Admin\AppData\Local\Temp\$$a974E.bat
    Filesize: 722B
    MD5: b7eddd37c5ebaa8282893dd68bdfcbef
    SHA1: 6c32c51a7b25785dd54185ed1b27bb6842d48cb7
    SHA256: d668298bd9fd76ea4873b2b5352f3d5c085b26a4cd36fb0275601916ab162692
    SHA512: 7a18148aa653da2951d2560fd040ebb98afb5928f2beddda6b5355eef26057d53d410f5e92e2ed798cda7152303cabf6beb14364ae5dd1fed689a7a97909367b
  • C:\Users\Admin\AppData\Local\Temp\a841fc014c00eec9c2d2f58d561a53549f95e7319346e9925c1f58ea23c6be85.exe.exe
    Filesize: 14KB
    MD5: ad782ffac62e14e2269bf1379bccbaae
    SHA1: 9539773b550e902a35764574a2be2d05bc0d8afc
    SHA256: 1c8a77db924ebeb952052334dc95add388700c02b073b07973cd8fe0a0a360b8
    SHA512: a1e9d6316ffc55f4751090961733e98c93b2a391666ff50b50e9dea39783746e501d14127e7ee9343926976d7e3cd224f13736530354d8466ea995dab35c8dc2
  • C:\Windows\Logo1_.exe
    Filesize: 33KB
    MD5: 07fea4ec486b99416c9b588285c81d06
    SHA1: 842a874a212fc1b58ead782251f286babc151ada
    SHA256: d1ad05b9d8babf31e05639334f120109d33242866009209ecf68397b71f9e4a7
    SHA512: 64ce4e97be8b1afea9def07b2970470e23b812fa81884fd2d3f2f1ee29699bbff4e9025804e49d2404299c2a690942f50620d5c03f84c0afa538069af73ca355
  • F:\$RECYCLE.BIN\S-1-5-21-4050598569-1597076380-177084960-1000\_desktop.ini
    Filesize: 10B
    MD5: 291aa08828faa68893c7f89a0dfc158b
    SHA1: fcae3d190f0d8c14b44dc2be0b627b0680d2eab9
    SHA256: f9e79f635e09441b5a073e6263a1d1de881c2105d7637650b5ec2d20f6a7c841
    SHA512: 9c80a5e3e37731eb0eba85b496e512dbfe08c77c207bcb41ad429d289e3d348e8e7b83ef00052c445581df37aa60729a4f0c2dd3ed0ed2e5d05a8758a23f1f38
  • memory/2560-9-0x0000000000400000-0x000000000043F000-memory.dmp
    Filesize: 252KB
  • memory/2560-0-0x0000000000400000-0x000000000043F000-memory.dmp
    Filesize: 252KB
  • memory/2868-17-0x0000000000400000-0x000000000043F000-memory.dmp
    Filesize: 252KB
  • memory/2868-3217-0x0000000000400000-0x000000000043F000-memory.dmp
    Filesize: 252KB
  • memory/2868-8-0x0000000000400000-0x000000000043F000-memory.dmp
    Filesize: 252KB
  • memory/2868-8903-0x0000000000400000-0x000000000043F000-memory.dmp
    Filesize: 252KB