Analysis

  • max time kernel
    149s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  • submitted
    17/10/2024, 13:03

General

  • Target

    9b450bcab11dce8849741a314124ffb0539234b6cb0a6227a6afe24e66c46e0c.exe

  • Size

    11.1MB

  • MD5

    efdd0d2a7197a76880f47be71601a763

  • SHA1

    0dbb48289bd48e8044255a3ce4f2d84d7c3a4144

  • SHA256

    9b450bcab11dce8849741a314124ffb0539234b6cb0a6227a6afe24e66c46e0c

  • SHA512

    f3ea215145cbae8fa3f0697c0f9ca4a234c0ba01aefae24e028e91e9059d823337545bd999db31d93d126b3714dc278e941ec93f2df38bbf71c0a220d14041ac

  • SSDEEP

    98304:+b+0ChEPIGiq3y3vx+w9TbfjJ+kdfpK46Tle36jknz9Y:E+kIGv3y/x+KTbfjJ+kdnAlejY

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 43 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1172
      • C:\Users\Admin\AppData\Local\Temp\9b450bcab11dce8849741a314124ffb0539234b6cb0a6227a6afe24e66c46e0c.exe
        "C:\Users\Admin\AppData\Local\Temp\9b450bcab11dce8849741a314124ffb0539234b6cb0a6227a6afe24e66c46e0c.exe"
        2⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2120
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2384
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:2712
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\$$a21D3.bat
          3⤵
          • Deletes itself
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2776
          • C:\Users\Admin\AppData\Local\Temp\9b450bcab11dce8849741a314124ffb0539234b6cb0a6227a6afe24e66c46e0c.exe
            "C:\Users\Admin\AppData\Local\Temp\9b450bcab11dce8849741a314124ffb0539234b6cb0a6227a6afe24e66c46e0c.exe"
            4⤵
            • Executes dropped EXE
            PID:2720
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Drops startup file
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2716
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2808
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2972
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2624
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:1980

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

      Filesize

      258KB

      MD5

      1cd9e0b57bb913499a9e8de9b89a0b28

      SHA1

      f183fcf29210272cb107b2eb57211673dbdb0b8b

      SHA256

      c1533f722683bfdbffeb631091fe3a3b22a906784eba1c050b0851aa31f18cb2

      SHA512

      01cbce82cc7ce08ac8893f42fb825db65ec9980a066273babb0d31884d0872f2b3ce9a42b33a0d8c920c9750cc2d9f0cef548ad9a4bb5467129104a3028ec96d

    • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

      Filesize

      478KB

      MD5

      44f2a0b82d8247e1cd5a12a40841f9a8

      SHA1

      f451bd8ba9098bb674624169aa40f0371ba67924

      SHA256

      056311169bf6ff9bf378a311dbd3c48697ccce39bedac8cb9ddb7da01384127d

      SHA512

      bd5f7bf6b83c70bd03416a4944f62fdafbcb7907c3321432c831e189e9d4f95a52faefa575de57209fa5c1523ebed5fde8831f6230fc6f23400bbd33e772c219

    • C:\Users\Admin\AppData\Local\Temp\$$a21D3.bat

      Filesize

      722B

      MD5

      ce7854a0d48ef6f7c60d665bbe6599d8

      SHA1

      f5ca5930957347f1ff513cad37e1e7ba1b299a28

      SHA256

      bb3fb9a920fdb3104409be04b3de59d94998627347709454b419588a9126cd48

      SHA512

      c9f97376f754bcafdee108287b44d4ec221b97d7f022918a3b63319d500d6b38479b0d4afe5f9d55fe7602b72d12a102f3827e1be16ff4881b4711e6e712f790

    • C:\Users\Admin\AppData\Local\Temp\9b450bcab11dce8849741a314124ffb0539234b6cb0a6227a6afe24e66c46e0c.exe.exe

      Filesize

      11.0MB

      MD5

      b45b7bd6eb92c5b65378d8d0a0964747

      SHA1

      5ca6f198ac83c90496110259b57ff4a5f47b64bb

      SHA256

      5f1d9218f9735a763ffecc47c7b6f0c342b7f1a5da835733e0b3b73903f864a0

      SHA512

      bde39c4b6d04caae8280bdd53e6036c53ed394a72f0d4d1273c149175570e8a87f87c8963869c96834fef7e82893da38c49ce4aaa1851e65c055dbbcac7c1708

    • C:\Windows\Logo1_.exe

      Filesize

      33KB

      MD5

      02549afc4a9c54398c00548d7f1efae0

      SHA1

      6196d67d06bbd83964eb7620a76c46d0924f3f77

      SHA256

      56c871b1bea41aeee168eb3a17599f4d5100248009e3c6a1af5db590ce58ec48

      SHA512

      b8c3894d5aa67b24cdcca4475cb5cab61a42d54de9c8ab1aa9c1f3e80f8a6634e60b78da7e765f5cecabeb53e0d6db8b29b13f5c60968993371728e2029464d7

    • F:\$RECYCLE.BIN\S-1-5-21-2703099537-420551529-3771253338-1000\_desktop.ini

      Filesize

      10B

      MD5

      d005ae1ecb6b06ec6c392c7dd1dfe7e1

      SHA1

      323a3af7f375573f33f35736435519df461ee8b0

      SHA256

      a342a9e9cd7e75b9740454b74f63ba6b3eac159bf04a04772271fcc0b4e9f6bd

      SHA512

      41628199761447acac22869b32d096f2b49a3159c6fdda216514f3e136fc7028e05c63edc4aab205ee065677b1c011c9cbf28239c819fadc5dde460ca03507e0

    • memory/1172-29-0x0000000002A60000-0x0000000002A61000-memory.dmp

      Filesize

      4KB

    • memory/2120-17-0x00000000003C0000-0x00000000003FD000-memory.dmp

      Filesize

      244KB

    • memory/2120-0-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/2120-32-0x00000000003C0000-0x00000000003FD000-memory.dmp

      Filesize

      244KB

    • memory/2120-18-0x00000000003C0000-0x00000000003FD000-memory.dmp

      Filesize

      244KB

    • memory/2120-19-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/2716-33-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/2716-2963-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/2716-20-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/2716-4146-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB