Overview

overview

8

Static

static

3

484e005403...09.exe

windows7-x64

8

484e005403...09.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    150s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    21/11/2024, 06:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    484e005403ef562ce8676f4a6669ce9e5fbef9db52766c96c0228f53af237d09.exe

  • Size

    33KB

  • MD5

    5b653ac1a80f0bf1d5f481b3f26870ec

  • SHA1

    88da99a3a16369cdeeb3ce0b5e7278480e804fdc

  • SHA256

    484e005403ef562ce8676f4a6669ce9e5fbef9db52766c96c0228f53af237d09

  • SHA512

    38948a310b13ca4f0117b263973b0aef9fbe20dfee8d76d1bcba5be0149d6d9a31d7cff03b7e615c442ab3fd3e9410a3ab512f42377660782cb6a56947a71ac6

  • SSDEEP

    768:2gQm2kElOIEvzMXqtwp/lttaL7HP4EUi91acSWGoYoLVCm1:2g4kaYzMXqtGNttyeiZnZLYm1

Score
8/10
discoveryspywarestealer

Malware Config

Signatures

  • Drops file in Drivers directory 1 IoCs
  • Drops startup file 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 30 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1192
      • C:\Users\Admin\AppData\Local\Temp\484e005403ef562ce8676f4a6669ce9e5fbef9db52766c96c0228f53af237d09.exe
        "C:\Users\Admin\AppData\Local\Temp\484e005403ef562ce8676f4a6669ce9e5fbef9db52766c96c0228f53af237d09.exe"
        2⤵
        • Drops file in Drivers directory
        • Drops startup file
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2236
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2100
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:2204
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2496
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:2860

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
      Filesize

      258KB

      MD5

      02a15301854adbc4e8ad37f0d6ac5c03

      SHA1

      760a8ae9e36a40126b558a3b073b1103f4078c29

      SHA256

      2cf57f4d69c7691afee33568160e2247da689d85899306a80ac42016b0177efd

      SHA512

      e41eda8a876abdba6bdffb193a5026ec15f458f70f31680196f5254dc1c72c5fb5dc1dea3d215d9832e99dfadf135ad07e0713734c5f81d4347cdce8086a7a7d

      Download Submit

    • C:\Program Files\7-Zip\7zFM.exe
      Filesize

      964KB

      MD5

      8459c78088e3071aa1b2f7adee6f2c91

      SHA1

      5c618e50eb9fcec163344c88e560f1c630b512cb

      SHA256

      e2e7454cc8da28dd4141886c04d532caa252bf56bd96d9e37b554e8366c58603

      SHA512

      66de0c2d8976e4120f07ecc35bff1b35dc0c4743451c30cc69feb3e03e1e8a0e4de6bd662f3895b02a93ff9a453846eee2e9902405cbf73ea579e67accb9adad

      Download Submit

    • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
      Filesize

      478KB

      MD5

      1706fdf65cef436b46a82b4b41b2fe8c

      SHA1

      9abac806be214e186a0fcc890ec19d5b98a58e82

      SHA256

      e32e35c6077821d95c687f149d27a8046d5285397927b9b56f386a860eea02dc

      SHA512

      6a8e5a6092bc2dc6e8bcebaf6dd53c1afb763a8e8dd0419ea848c1c73511675ec61b8070a0211ef68971f8d819910367a4ac14b0dca56598b0ab18e722d70ef2

      Download Submit

    • F:\$RECYCLE.BIN\S-1-5-21-3063565911-2056067323-3330884624-1000\_desktop.ini
      Filesize

      10B

      MD5

      67a49ff5f9f7d1aa068672249a49c946

      SHA1

      79707896b9d33e7189bdaab8280f506d2ac162d1

      SHA256

      05637f6925cac0879a4a76fd521facc96cbaa18ff8f73675814f6218a3226a8f

      SHA512

      43919a1b4db0da1acde17d6f6cd0604e701e2c5d3339edd994f79fa54b09d7323caa9150f6c9b6db7c2aae04a6ade1bc1e9de4a8bd1913381c52f00c26b39a3f

      Download Submit

    • memory/1192-5-0x0000000002560000-0x0000000002561000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2236-0-0x0000000000400000-0x000000000043E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/2236-9-0x0000000000400000-0x000000000043E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/2236-1919-0x0000000000400000-0x000000000043E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/2236-4129-0x0000000000400000-0x000000000043E000-memory.dmp

      Filesize

      248KB

      Download