Analysis

  • max time kernel
    150s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    18/10/2024, 00:11

General

  • Target

    33822ece4d41174b20a5eba78d70e604df81e4ae1a4a36dd0a1815fc01903f0d.exe

  • Size

    1.1MB

  • MD5

    8b40c08bbfaafde0f0789f8b9c94764e

  • SHA1

    6759ff01641b96e44ac0b306f5c8e27383fafd2d

  • SHA256

    33822ece4d41174b20a5eba78d70e604df81e4ae1a4a36dd0a1815fc01903f0d

  • SHA512

    e07bbcdab5cd558caaec0f77184458d5356e9702243497013658d85b3ecd5193f0e71fa654ba62015d5764a154756a173603d21343215702ef53e5a67e160fd0

  • SSDEEP

    24576:Z1cXT9T+w6zY8v5a2FZ7WDpk2Kvfd5nP6Wp8zrMBThYBjv:4Z6zY8/7WDaDvfd5iQ8zoBThojv

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 43 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1200
      • C:\Users\Admin\AppData\Local\Temp\33822ece4d41174b20a5eba78d70e604df81e4ae1a4a36dd0a1815fc01903f0d.exe
        "C:\Users\Admin\AppData\Local\Temp\33822ece4d41174b20a5eba78d70e604df81e4ae1a4a36dd0a1815fc01903f0d.exe"
        2⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:3048
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2232
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:2732
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\$$aF0F4.bat
          3⤵
          • Deletes itself
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2908
          • C:\Users\Admin\AppData\Local\Temp\33822ece4d41174b20a5eba78d70e604df81e4ae1a4a36dd0a1815fc01903f0d.exe
            "C:\Users\Admin\AppData\Local\Temp\33822ece4d41174b20a5eba78d70e604df81e4ae1a4a36dd0a1815fc01903f0d.exe"
            4⤵
            • Executes dropped EXE
            PID:2720
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Drops startup file
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2836
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2864
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2604
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2580
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2976

Network

MITRE ATT&CK Enterprise v15


Downloads

    • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

      Filesize

      478KB

      MD5

      44f2a0b82d8247e1cd5a12a40841f9a8

      SHA1

      f451bd8ba9098bb674624169aa40f0371ba67924

      SHA256

      056311169bf6ff9bf378a311dbd3c48697ccce39bedac8cb9ddb7da01384127d

      SHA512

      bd5f7bf6b83c70bd03416a4944f62fdafbcb7907c3321432c831e189e9d4f95a52faefa575de57209fa5c1523ebed5fde8831f6230fc6f23400bbd33e772c219

    • C:\Users\Admin\AppData\Local\Temp\$$aF0F4.bat

      Filesize

      722B

      MD5

      297d663ceb262575b408a1a6b9af7aa7

      SHA1

      f7f6071c26386192288aa2b33b8ff88030597e5d

      SHA256

      55bef792a7c23e70196367d3ed61e8577f4590bc91609c3115379ff63f510dca

      SHA512

      7513792a6375cfb3ee2e16ece4e6dd7b50441ad61b93323c8ed896bd43024db951ca034f3ea6062003c8dac00f08e23d5f850014fc3f37157328fe6cd25a525c

    • C:\Users\Admin\AppData\Local\Temp\33822ece4d41174b20a5eba78d70e604df81e4ae1a4a36dd0a1815fc01903f0d.exe.exe

      Filesize

      1.1MB

      MD5

      f012ebe3b9f0c4d18b43076b68295667

      SHA1

      27ce582d305bf5ec574fd7edf39e1300783e9323

      SHA256

      bdff5163ff3787a7a8b6bb3f688e877c5fa10db2ad535bb9765c91e976fbcafe

      SHA512

      06ce3eceb42ca555511f55e85fe79441a4a8c70ad32c36a045560cb8449e44f08bcd9e938e9a11a0360c7363ba2fff4dd92b1a300e21e214a6d273009d8c2463

    • C:\Windows\Logo1_.exe

      Filesize

      33KB

      MD5

      828e2b4217fa5d1af64ed5e53cc9c32f

      SHA1

      c4c9897302233cb01f5297a474273b9fc3dfe8b0

      SHA256

      dab472637885b769458d9bca73a6d7d43708337a651658029b6be881c0770123

      SHA512

      577324c9ff48421ce990fe851c0c0ae772cff4456c8a2afcbb9cdc4ab33921a6135f3a18599c8302277ca419a6897859544765ac6496519c3a998190b00c78e2

    • F:\$RECYCLE.BIN\S-1-5-21-3063565911-2056067323-3330884624-1000\_desktop.ini

      Filesize

      10B

      MD5

      2c51e5c30f050245287a14eb60e30d30

      SHA1

      b59cbcb7f2c8f7f05c0fa80fd351595af1996f0e

      SHA256

      9310f08a28e46a620f4a99b4e12bf599760f5229b2ef0eb6c8e0be72b4197b88

      SHA512

      fb572888fe5c33c9d5f2ee5d138172a57b57e8b3e8b8eca76dea964e99f72692fe4fea9da946d4e5a4871f3c004571a9ea11ef77e3ef100d45f4a806ce2eb5c5

    • memory/1200-32-0x0000000002B00000-0x0000000002B01000-memory.dmp

      Filesize

      4KB

    • memory/2836-35-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/2836-2964-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/2836-20-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/2836-4166-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/3048-16-0x0000000000230000-0x000000000026D000-memory.dmp

      Filesize

      244KB

    • memory/3048-17-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/3048-0-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/3048-18-0x0000000000230000-0x000000000026D000-memory.dmp

      Filesize

      244KB