Analysis

  • max time kernel
    150s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    17/10/2024, 19:11

General

  • Target

    99d51f3bd716206866e203c8a5db2c62f9835f0a96b249f1afba3a55a2ab0707.exe

  • Size

    85KB

  • MD5

    44dd63b68944e8f52a35844976de9785

  • SHA1

    bdb670b5ffdb60fe5279d8bcd360f4bbe20a3f76

  • SHA256

    99d51f3bd716206866e203c8a5db2c62f9835f0a96b249f1afba3a55a2ab0707

  • SHA512

    0fce1c1bc1e81dcf4bcd05d62d9276a87f229459fede92c40e05ed6f9eff2fd842fe94ea5b2fe0c7060143155a5c28469ecca70861910281606e5c90a1d85610

  • SSDEEP

    768:h7D4apQFJFKZj1PVs9Ag1vzblhcCnFXNs0NfkprU/xvyyztoZU9QZU9A:h7Dacx1aeg1vjrI9U/xvyyuzb

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 43 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1200
      • C:\Users\Admin\AppData\Local\Temp\99d51f3bd716206866e203c8a5db2c62f9835f0a96b249f1afba3a55a2ab0707.exe
        "C:\Users\Admin\AppData\Local\Temp\99d51f3bd716206866e203c8a5db2c62f9835f0a96b249f1afba3a55a2ab0707.exe"
        2⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1660
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2968
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:3012
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\$$aFA56.bat
          3⤵
          • Deletes itself
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2668
          • C:\Users\Admin\AppData\Local\Temp\99d51f3bd716206866e203c8a5db2c62f9835f0a96b249f1afba3a55a2ab0707.exe
            "C:\Users\Admin\AppData\Local\Temp\99d51f3bd716206866e203c8a5db2c62f9835f0a96b249f1afba3a55a2ab0707.exe"
            4⤵
            • Executes dropped EXE
            PID:2616
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2700
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2572
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2600
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2412
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2456

    Network

          MITRE ATT&CK Enterprise v15

          Downloads

          • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

            Filesize

            258KB

            MD5

            5a24260b0a410d406695abc6fed19e57

            SHA1

            f2198577d78a72fa5285f9d6e8e0e67c9e920bc4

            SHA256

            ba7a7c3293a1e279f8d48e9b4ea14494f294c004cfa061340ac9a760267d270b

            SHA512

            712a76634535e8a5082094670a83d96b8c63154c16f83a0f8c38be31b392816d754df0adf677199d7ee53c0188ce74ef5624d6e7c2acb333512f14b5c19676a5

          • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

            Filesize

            478KB

            MD5

            44f2a0b82d8247e1cd5a12a40841f9a8

            SHA1

            f451bd8ba9098bb674624169aa40f0371ba67924

            SHA256

            056311169bf6ff9bf378a311dbd3c48697ccce39bedac8cb9ddb7da01384127d

            SHA512

            bd5f7bf6b83c70bd03416a4944f62fdafbcb7907c3321432c831e189e9d4f95a52faefa575de57209fa5c1523ebed5fde8831f6230fc6f23400bbd33e772c219

          • C:\Users\Admin\AppData\Local\Temp\$$aFA56.bat

            Filesize

            722B

            MD5

            4b4f973fa8b9edb3c8436bacc88a457f

            SHA1

            d07b8a8cf6593fc90f0f1ed68629ec6784e3568b

            SHA256

            6542db2f4a12107b36f8b5a34c2719f2e9e10d5462af384b69381b6638e7d7ca

            SHA512

            e7153fea3af9406134aebc640816d17f6f6ed188a374ec7326c28961c074a8e03e516aa5a91928b8d508084a8f50f05d2f251a952185c90692534025c7148020

          • C:\Users\Admin\AppData\Local\Temp\99d51f3bd716206866e203c8a5db2c62f9835f0a96b249f1afba3a55a2ab0707.exe.exe

            Filesize

            52KB

            MD5

            5c6080d433f02d8f173ec738af8b451f

            SHA1

            137bb1172b6faeeaafb7b09026182a4fc0e030ad

            SHA256

            bb4a4cd4f0808bfe62b4c3024d099a78dc322ee579756a35fcbe3f8160dbbc0f

            SHA512

            8b091d09b19df1f9ebcc97a39b4c9e2dab840ecd7448aea53c33d3809185b07be8b58c7c56e058596d591348529cb8b29508f6769b30568d149a64ec0ec22c0e

          • C:\Windows\Logo1_.exe

            Filesize

            33KB

            MD5

            52037539471722f8ddb8246ee58d7618

            SHA1

            b908fec715dd1fbef518f133d386299f2a956255

            SHA256

            1f7f3cdea3157d3144354472c63e845100f470723786c0a908867593b97c1be3

            SHA512

            485f2488932f46ff2379182a86bc732bdc957ae93c5139e582f4b33fe5d1f1c88ebd4af791a1c13025ade78ad3582570ca337564243be052dafbc98805b7d34a

          • F:\$RECYCLE.BIN\S-1-5-21-3063565911-2056067323-3330884624-1000\_desktop.ini

            Filesize

            10B

            MD5

            d005ae1ecb6b06ec6c392c7dd1dfe7e1

            SHA1

            323a3af7f375573f33f35736435519df461ee8b0

            SHA256

            a342a9e9cd7e75b9740454b74f63ba6b3eac159bf04a04772271fcc0b4e9f6bd

            SHA512

            41628199761447acac22869b32d096f2b49a3159c6fdda216514f3e136fc7028e05c63edc4aab205ee065677b1c011c9cbf28239c819fadc5dde460ca03507e0

          • memory/1200-29-0x0000000002E80000-0x0000000002E81000-memory.dmp

            Filesize

            4KB

          • memory/1660-16-0x0000000000230000-0x000000000026D000-memory.dmp

            Filesize

            244KB

          • memory/1660-0-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

          • memory/1660-17-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

          • memory/2700-33-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

          • memory/2700-2962-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

          • memory/2700-19-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

          • memory/2700-4143-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB