Overview

overview

7

Static

static

3

60430f798a...22.exe

windows7-x64

7

60430f798a...22.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11/04/2024, 04:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    60430f798a772ee2f5be4a476042089a2a817762d4a35bc4781da0a37e011922.exe

  • Size

    47KB

  • MD5

    ba01e4a6a9d01aa7ebf08fab9d2f5301

  • SHA1

    f73a27e727694e615dc3433d02e0ed59c2b93b30

  • SHA256

    60430f798a772ee2f5be4a476042089a2a817762d4a35bc4781da0a37e011922

  • SHA512

    975eb1cab1b3ae81cfce7c1079dde4ea6764a5ac2ee1f2d195be9b241b10050d8c54831ca20097952d7de59dc63a1bacce8cfceed3af758def2d5fb121a065cc

  • SSDEEP

    768:jLIO5RroZJ76739sBWsTO5XlD9z2/CV4TwJL612myTWQ3655Kv1X/qY1MSd:jLIe+Zk78Tg1I6GkJTHqaNrFd

Score
7/10
spywarestealer

Malware Config

Signatures

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3528
      • C:\Users\Admin\AppData\Local\Temp\60430f798a772ee2f5be4a476042089a2a817762d4a35bc4781da0a37e011922.exe
        "C:\Users\Admin\AppData\Local\Temp\60430f798a772ee2f5be4a476042089a2a817762d4a35bc4781da0a37e011922.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:3220
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:3340
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:228
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a638C.bat
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:3080
            • C:\Users\Admin\AppData\Local\Temp\60430f798a772ee2f5be4a476042089a2a817762d4a35bc4781da0a37e011922.exe
              "C:\Users\Admin\AppData\Local\Temp\60430f798a772ee2f5be4a476042089a2a817762d4a35bc4781da0a37e011922.exe"
              4⤵
              • Executes dropped EXE
              PID:4072
          • C:\Windows\Logo1_.exe
            C:\Windows\Logo1_.exe
            3⤵
            • Drops startup file
            • Executes dropped EXE
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:2520
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:2672
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:2212
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:4372
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:4468

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
            Filesize

            258KB

            MD5

            48d72ab3932b2b61d43b8d3a06a536ca

            SHA1

            b88d45b1af53155ae3acec478ec4b13a93e5bad9

            SHA256

            56c90f312722e76372b1ab2f29272f78784454740b065553a018e40c88dcf8c8

            SHA512

            8b54d45a2e059f791b2de4d8be28737ca629df8c017f10e0a6d49eefa5db628a295a44a0e0c7378e47bd5343d715e126c2eeecd82c56254c103c4f862c967ac7

            Download Submit

          • C:\Program Files\7-Zip\7z.exe
            Filesize

            577KB

            MD5

            e0465910f6142767a92a219d0b3a3456

            SHA1

            2921db9515de01b506aedfde7ddbe3569ed0472c

            SHA256

            f48420c86d897fb0728bfec30a0be715bf7ed54fc99586ef09889bc1f573546a

            SHA512

            01cc9e5105255e03f4f9d0b60b9bdfdba5e5a73209c81ca3b9ff70187429e53a250408cb0e288812248424a61832d5ebe0a606b707ec1a4c27fa4046856bbb8b

            Download Submit

          • C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe
            Filesize

            488KB

            MD5

            218e0a19c473096822a108ce2b4dd6c2

            SHA1

            29db925c4835114bc5fb32f516c5088e575197e3

            SHA256

            25a0da6f5a0f831fc85a21a8c2fb57aa27a34781109eef255ba2327cbe04ad04

            SHA512

            d436e9595f47b227662464cbdeba3f23643b37b025dc3236b4d79b0ee89f1ace89c75331fd37a1d2a0c1238d61746a2e934964ef1c26cfa39bd468f5d770f47c

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\$$a638C.bat
            Filesize

            722B

            MD5

            dc54bea10d5116ad3ee4cc4553379a39

            SHA1

            1fee799d1b94536b26799f9845ab0028a0bc69a3

            SHA256

            c83a4b4f8e7defb8cce4a5c90978c8593de170063c42a0467128a297e5eae7a8

            SHA512

            39c931eccbd5b7aca7c0c690031e8939866e5d4c4f8da566224156eb0032ba11c3c3c994d7928da0009e6af83bf1c017d410f1fcf14da3240cd50c6bd0663052

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\60430f798a772ee2f5be4a476042089a2a817762d4a35bc4781da0a37e011922.exe.exe
            Filesize

            14KB

            MD5

            ad782ffac62e14e2269bf1379bccbaae

            SHA1

            9539773b550e902a35764574a2be2d05bc0d8afc

            SHA256

            1c8a77db924ebeb952052334dc95add388700c02b073b07973cd8fe0a0a360b8

            SHA512

            a1e9d6316ffc55f4751090961733e98c93b2a391666ff50b50e9dea39783746e501d14127e7ee9343926976d7e3cd224f13736530354d8466ea995dab35c8dc2

            Download Submit

          • C:\Windows\Logo1_.exe
            Filesize

            33KB

            MD5

            08c6e8d320ed6fdb4588d707ee621a87

            SHA1

            f80eda42424fba3dd3f992b3436378569c4f9936

            SHA256

            2b4fca22f30e84c635cc06b6ee6565ab1fe07e8ec19177ed7e1e647420300e4d

            SHA512

            1b8b6bc596cbaf40873c504496dc9f5f473a57d774f64f2c28918d5af103c4de68d08b2461f7f344aab81bb7c8fa9a8203d8318bbfb0d743569817fb331c42c1

            Download Submit

          • F:\$RECYCLE.BIN\S-1-5-21-3045580317-3728985860-206385570-1000\_desktop.ini
            Filesize

            9B

            MD5

            e9140be561cdfc8a3194092df425ef59

            SHA1

            6d81b3e28510390029a890f61f9691959fb56747

            SHA256

            f648ac4cc10d581ad584fa6a0b3747b89e39e5f81c92ba8604f0a29e9a0ad61c

            SHA512

            44e440c6fb31492afda420b21b6b20f185a65db4c9ed297b1c49323c4a1b38859f4b602ffc55a6a5f3c26f8066e5c406dd3b810c137a99a49ae16a83d33448e5

            Download Submit

          • memory/2520-32-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/2520-17-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/2520-1489-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/2520-2467-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/2520-2472-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/2520-2477-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/2520-2806-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/2520-10-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/2520-5593-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/2520-8658-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/3220-0-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/3220-8-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download