Overview

overview

8

Static

static

3

530634a98e...97.exe

windows7-x64

8

530634a98e...97.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    149s
  • max time network
    105s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05/05/2024, 15:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    530634a98e572358b7c7bf63094e4aaae8bca255e418853c2bb2dcef522d6997.exe

  • Size

    56KB

  • MD5

    99d1201628cf81ef174b5148243c8866

  • SHA1

    87ba221ede4c83fd8bdcc2ac768fa57aae0a9fec

  • SHA256

    530634a98e572358b7c7bf63094e4aaae8bca255e418853c2bb2dcef522d6997

  • SHA512

    fa908d064b482e1de80cfd907303f7a524af83d8d081e1c5a28aec37a168922086303a4e0540b8abd16a249774a5fc436df5d7856200891f0e8b29ac7b0a25ce

  • SSDEEP

    1536:PqsaYzMXqtGNttyUn01Q78a4RJdeK+UfZ/XWrI:PqsaY46tGNttyJQ7KRJj+OZ/XW8

Score
8/10
spywarestealer

Malware Config

Signatures

  • Drops file in Drivers directory 2 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3484
      • C:\Users\Admin\AppData\Local\Temp\530634a98e572358b7c7bf63094e4aaae8bca255e418853c2bb2dcef522d6997.exe
        "C:\Users\Admin\AppData\Local\Temp\530634a98e572358b7c7bf63094e4aaae8bca255e418853c2bb2dcef522d6997.exe"
        2⤵
        • Drops file in Drivers directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:3324
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:4440
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:3720
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a3A69.bat
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:4516
            • C:\Users\Admin\AppData\Local\Temp\530634a98e572358b7c7bf63094e4aaae8bca255e418853c2bb2dcef522d6997.exe
              "C:\Users\Admin\AppData\Local\Temp\530634a98e572358b7c7bf63094e4aaae8bca255e418853c2bb2dcef522d6997.exe"
              4⤵
              • Executes dropped EXE
              PID:844
          • C:\Windows\Logo1_.exe
            C:\Windows\Logo1_.exe
            3⤵
            • Drops file in Drivers directory
            • Drops startup file
            • Executes dropped EXE
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:980
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:4280
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:5016
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:2452
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:4180

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe
            Filesize

            251KB

            MD5

            27df0d40429e33df59e61fced7de1435

            SHA1

            e9b8fcd2042eda40526474ee7b207adf5bf903a8

            SHA256

            9e252c3d026541314681db1a8038865cda886902eb57a149b5613dc252ddcac7

            SHA512

            7965301ca8af9e640822a96c77c8a909c56119d319522e0a6cda00d7c4e6c5375b67fe6f6715924b998d74d080b6242343e43fb39642c1f285462a764312832d

            Download Submit

          • C:\Program Files\UnblockPush.exe
            Filesize

            844KB

            MD5

            d614858d2576536ebff785214d4d83fe

            SHA1

            94bd2ca636c3fa1d0f38ea348b40b4cf64626f6b

            SHA256

            46d8550c9c9af22a9ac824834e79cfa2b935726146c663b1aa61e18c6f930bb5

            SHA512

            29b87a896a0d4fee0f998ebdf9f96b9afa582a8f127f7c9bfa36810c5bc166c586370cfcd867bb7c7e8da83695175694881d65fe729cf951dd5a4b92976d55b0

            Download Submit

          • C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
            Filesize

            643KB

            MD5

            635e9422a0a86f5c7ac989802b0ac448

            SHA1

            3ea9cc1462b063639526a8d278b571f38b846d1d

            SHA256

            a97d8545a6204abf1a179f2098ca8780e92f4448c7a03e62f6c32e8e5e5cb17f

            SHA512

            857c6d683fe1f7a6757420c84efc4f7f48f58e586e601c969ce27e4ded8cad6ca774ef367a1a1e075081c4e2d41f8cdda558fddf5622e062975cfeff5a929133

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\$$a3A69.bat
            Filesize

            722B

            MD5

            c81c89585ed4a54384a07d304e0bdb7e

            SHA1

            82953c6f86220d431081c110b0228b2ea1dabfca

            SHA256

            b09df34e6e2b90651e3f0f0a972abde027a9e962b2bd12207d417402f11fb74f

            SHA512

            d88a9938be7037b8996813f89b720c8de9368850e8f7dee33bfcf7afd3046f4632e04537a8572ef1b60aa3d71df699aab5d0fe9edf425804d34aa5487c1b8264

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\530634a98e572358b7c7bf63094e4aaae8bca255e418853c2bb2dcef522d6997.exe.exe
            Filesize

            22KB

            MD5

            b2f7631fe9ac1f6eb4f276bd7259626c

            SHA1

            ca1147287b78e3a15d30654a47b37c9aba2b4767

            SHA256

            23a59a0acd84d07313d6ea78fcf7f629ecdc93ae0c32574c73ef1a467f2831b5

            SHA512

            aa7e3e9ea219d64c1f9dbca0095968087574dea92e466139c2c8a19d03c1341b53191077504fc07366ceb6bd46323b8f95c454b7a0103e27c939622b0e0a0f6e

            Download Submit

          • C:\Windows\Logo1_.exe
            Filesize

            33KB

            MD5

            548b59c56dea702c153092f3c9befd52

            SHA1

            77d37ef5a746ee53d8b7c3ae82c4d2eca3e05d08

            SHA256

            e67be4ca1372399b73443f6f60c634806266796a0c84a22a55fa0080eca30b3f

            SHA512

            0ada1c693a1a40ff9d5407b633a4571268830bfd7edfa7bea370c96675a73269c4861c1c19a7ed478b42e95a91bceb386ce90bd7601cee4ca1076976d00e2e7c

            Download Submit

          • C:\Windows\system32\drivers\etc\hosts
            Filesize

            842B

            MD5

            6f4adf207ef402d9ef40c6aa52ffd245

            SHA1

            4b05b495619c643f02e278dede8f5b1392555a57

            SHA256

            d9704dab05e988be3e5e7b7c020bb9814906d11bb9c31ad80d4ed1316f6bc94e

            SHA512

            a6306bd200a26ea78192ae5b00cc49cfab3fba025fe7233709a4e62db0f9ed60030dce22b34afe57aad86a098c9a8c44e080cedc43227cb87ef4690baec35b47

            Download Submit

          • F:\$RECYCLE.BIN\S-1-5-21-2818691465-3043947619-2475182763-1000\_desktop.ini
            Filesize

            8B

            MD5

            1b16d2dbd4281ce4e4e5729c608dcb0b

            SHA1

            851e624080ba5598edb808d4b30fe2d74999ce18

            SHA256

            c9e46fb51d0588ca1e48ca66731e11992770b9b74a982f9bdbb6ce5b5b75d549

            SHA512

            cd1c4cf7c7871cb48ce735226b25f689b340037e6c992441e566161de7fca7410762d1a0c2670ee4b6546f7ee854d3219e0e2315c3e0387d9bbe3f08076b5a59

            Download Submit

          • memory/980-20-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/980-4696-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/980-13-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/980-8733-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/3324-0-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/3324-12-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download