Overview

overview

7

Static

static

3

781a6cb6db...d1.exe

windows7-x64

7

781a6cb6db...d1.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    142s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    31-10-2024 08:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    781a6cb6dbd2063fef29f230ab38b49e0a934a377ae4d41ac8ca65c830cf95d1.exe

  • Size

    33KB

  • MD5

    faf17362f397288804d2aa5a189d0292

  • SHA1

    100796d42d6f36966ca44e3a25d7492badf6ddb2

  • SHA256

    781a6cb6dbd2063fef29f230ab38b49e0a934a377ae4d41ac8ca65c830cf95d1

  • SHA512

    10cf37699195c0e132eaf9d9789266a50b5ddbfa181bf035695b313146bbfae637193b5176de727ce8d0957b7714f41fe7bf6ec3ffd9a454f61ee993134c90e8

  • SSDEEP

    768:I/QRO5RroZJ767395uINnEfDKBbUCp1OTZ+/V:I/ue+Zk77RNzLiTO

Score
7/10
discoveryspywarestealer

Malware Config

Signatures

  • Drops startup file 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 60 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3368
      • C:\Users\Admin\AppData\Local\Temp\781a6cb6dbd2063fef29f230ab38b49e0a934a377ae4d41ac8ca65c830cf95d1.exe
        "C:\Users\Admin\AppData\Local\Temp\781a6cb6dbd2063fef29f230ab38b49e0a934a377ae4d41ac8ca65c830cf95d1.exe"
        2⤵
        • Drops startup file
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:3348
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1932
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:4752
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4872
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:3288

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe
      Filesize

      250KB

      MD5

      b23b92f5de676e08c3141919828c6fcc

      SHA1

      33d86ae4215cf00001b40cb7be48cb60a383bf72

      SHA256

      298dd136453304f6b16f8eb0b8dd2680e9a65555119a2676784c16e895770a19

      SHA512

      054100bc7256843864bcc7790475611746732c713419551ba34fda7ee84f981e2bae5544e7ccf781e945d4e282b6e0b336a53be6e4f16575c2b01efe634a2fbe

      Download Submit

    • C:\Program Files\dotnet\dotnet.exe
      Filesize

      176KB

      MD5

      372fc2a36164fac094bf9fdc79f781ea

      SHA1

      918e77e0612023c23b5053b8a587e83c8b474bc3

      SHA256

      639fe340686660918384500d0deba1dac29901c7376c31f9c7ea21a38d175a12

      SHA512

      85ae5cfe629abdb8567b6e5084d9fdbac9bfffaa841dc122045493d185759145c950591eb34233083e0b1b117de6cb33404b45624ff919c34be628466d9816cb

      Download Submit

    • C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
      Filesize

      643KB

      MD5

      e0725f04ef2eb236cf23dbdc14d512a5

      SHA1

      ef9875c8bd15d6c9cdcb0a4025470fae9e0d00b2

      SHA256

      ca3e9560c3c22fbb4efc142647d6918fe315dda96b5e00c9f0431f55ca97bcaa

      SHA512

      2dacc3b71e320017826ef563affec0c895cdda9cd293b6814df20aefa5d936e6fbed1d387f9224e533f473243ecb6ea5865d0919f56459c6c3e014e07d241a4e

      Download Submit

    • F:\$RECYCLE.BIN\S-1-5-21-1045960512-3948844814-3059691613-1000\_desktop.ini
      Filesize

      10B

      MD5

      688d58fa5756a393f9472937ef284c25

      SHA1

      18ee07a5ee8de4fbd046763cd4a55ef2e6c3f808

      SHA256

      e21f27bdf2d90c77d75658b5217d5af4519a6c1bfc326a109eb4a085a2b83302

      SHA512

      c84930eb323c71ffc1edac543a2f60e366de40b39a88b18dba09c1272fae0b12262f4fae496bc9546598507fc37729d829f93b101bbec4739a05be33e0010a3f

      Download Submit

    • memory/3348-0-0x0000000000400000-0x000000000043F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3348-4-0x0000000000400000-0x000000000043F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3348-1567-0x0000000000400000-0x000000000043F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3348-5662-0x0000000000400000-0x000000000043F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3348-8924-0x0000000000400000-0x000000000043F000-memory.dmp

      Filesize

      252KB

      Download