Analysis

  • max time kernel
    150s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    21/11/2024, 06:39

General

  • Target

    484e005403ef562ce8676f4a6669ce9e5fbef9db52766c96c0228f53af237d09.exe

  • Size

    33KB

  • MD5

    5b653ac1a80f0bf1d5f481b3f26870ec

  • SHA1

    88da99a3a16369cdeeb3ce0b5e7278480e804fdc

  • SHA256

    484e005403ef562ce8676f4a6669ce9e5fbef9db52766c96c0228f53af237d09

  • SHA512

    38948a310b13ca4f0117b263973b0aef9fbe20dfee8d76d1bcba5be0149d6d9a31d7cff03b7e615c442ab3fd3e9410a3ab512f42377660782cb6a56947a71ac6

  • SSDEEP

    768:2gQm2kElOIEvzMXqtwp/lttaL7HP4EUi91acSWGoYoLVCm1:2g4kaYzMXqtGNttyeiZnZLYm1

Malware Config

Signatures

  • Drops file in Drivers directory 1 IoCs
  • Drops startup file 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 60 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3436
      • C:\Users\Admin\AppData\Local\Temp\484e005403ef562ce8676f4a6669ce9e5fbef9db52766c96c0228f53af237d09.exe
        "C:\Users\Admin\AppData\Local\Temp\484e005403ef562ce8676f4a6669ce9e5fbef9db52766c96c0228f53af237d09.exe"
        2⤵
        • Drops file in Drivers directory
        • Drops startup file
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:452
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:5060
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:3628
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2300
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:1460

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe

      Filesize

      251KB

      MD5

      dbfb2c1fa2f8a1b766bf84bf8bf2b1eb

      SHA1

      59844666fe5caac477328ed0a7f19dedcbc7949e

      SHA256

      2d27c03ba6eef6e353ae0f9b8d004b76e6c80368b9af3a98ce98da7e2eb75cc8

      SHA512

      617b48be373f2276c9f84e133b9e0dde498ae27644e503d06ff353b03e2a7cd0395dde8083c6ee474fdcdce38c5bfd417069267e68e9a77ca4e43d87d9d1f21f

    • C:\Program Files\dotnet\dotnet.exe

      Filesize

      177KB

      MD5

      87149c9c7623b05df47e405a061df836

      SHA1

      f8b1fdc2912c157706f55e5f7b4d8878a5b650b5

      SHA256

      51ef220c737919e280a8816633ffafe4984d2276ca0c8a1b9a8a121e53d92922

      SHA512

      e3ffe9fded5e69010f003175dba217d9f094252484e9aeffb0430b643bf9e04b7e9ea76f1545294e20944cb5f3bec36c1a084b7adfe5c5a47ee14428e932eb68

    • C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe

      Filesize

      644KB

      MD5

      d3f7a4609bee92e23ccb350fb23b9a7b

      SHA1

      c543400938d8f8843c31089afea9a3e73bb5919a

      SHA256

      7f1318a0912a33c7f571912a1f41e060167e64684fe1e4b45d2fc7a6add89d04

      SHA512

      c5e16ba4a754d48b64b8b5eac36271e9449c682d2a44f14e7fb6aa7ecde3e30836573097fc79de6679d1f0e73ba80f9cfa8bbcf584698412bd1175e8823f74d4

    • F:\$RECYCLE.BIN\S-1-5-21-3350944739-639801879-157714471-1000\_desktop.ini

      Filesize

      10B

      MD5

      67a49ff5f9f7d1aa068672249a49c946

      SHA1

      79707896b9d33e7189bdaab8280f506d2ac162d1

      SHA256

      05637f6925cac0879a4a76fd521facc96cbaa18ff8f73675814f6218a3226a8f

      SHA512

      43919a1b4db0da1acde17d6f6cd0604e701e2c5d3339edd994f79fa54b09d7323caa9150f6c9b6db7c2aae04a6ade1bc1e9de4a8bd1913381c52f00c26b39a3f

    • memory/452-0-0x0000000000400000-0x000000000043E000-memory.dmp

      Filesize

      248KB

    • memory/452-5-0x0000000000400000-0x000000000043E000-memory.dmp

      Filesize

      248KB

    • memory/452-2319-0x0000000000400000-0x000000000043E000-memory.dmp

      Filesize

      248KB

    • memory/452-8081-0x0000000000400000-0x000000000043E000-memory.dmp

      Filesize

      248KB

    • memory/452-8705-0x0000000000400000-0x000000000043E000-memory.dmp

      Filesize

      248KB