Overview

overview

7

Static

static

3

30a8a49f1c...ea.exe

windows7-x64

7

30a8a49f1c...ea.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    94s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03/06/2024, 18:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    30a8a49f1c6a71670221c4294a85857bd6666a735bdf6474c4a548aee2a280ea.exe

  • Size

    599KB

  • MD5

    95a7e334ac00987eeefd9d166320f878

  • SHA1

    ebf079583ca0559dbf9ec8b7c237009f9bceb99d

  • SHA256

    30a8a49f1c6a71670221c4294a85857bd6666a735bdf6474c4a548aee2a280ea

  • SHA512

    d41a5b945d839a01ce0d9e6f0ce2af3a3dcf92577df7c1cfea24e144c3dbe834282113851b51a208f7d707701a45d60be92c368e01472e4d1f0a6d1a40b95ba8

  • SSDEEP

    12288:PqPcfN423weiwbjCRP33GYdGffjLFdtODEff/tKRL:PqPcFLweOkfrL/tOD2E9

Score
7/10
spywarestealer

Malware Config

Signatures

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3464
      • C:\Users\Admin\AppData\Local\Temp\30a8a49f1c6a71670221c4294a85857bd6666a735bdf6474c4a548aee2a280ea.exe
        "C:\Users\Admin\AppData\Local\Temp\30a8a49f1c6a71670221c4294a85857bd6666a735bdf6474c4a548aee2a280ea.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1792
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1204
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:1000
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4B32.bat
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:4064
            • C:\Users\Admin\AppData\Local\Temp\30a8a49f1c6a71670221c4294a85857bd6666a735bdf6474c4a548aee2a280ea.exe
              "C:\Users\Admin\AppData\Local\Temp\30a8a49f1c6a71670221c4294a85857bd6666a735bdf6474c4a548aee2a280ea.exe"
              4⤵
              • Executes dropped EXE
              PID:1596
          • C:\Windows\Logo1_.exe
            C:\Windows\Logo1_.exe
            3⤵
            • Drops startup file
            • Executes dropped EXE
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:4516
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:4832
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:2028
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:1240
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:2368

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
            Filesize

            258KB

            MD5

            2acb72abe029ea0f8b63f8cb07936758

            SHA1

            4011365098ce38d0be92ae0a06077f8fdaa66bd2

            SHA256

            ca16328c99916601a5446d2dddbfb299a823b42e75271a8853032068d43554da

            SHA512

            3c9c919614d28e6dcb8f1de366953bf083aa29a5a32d784dc52e4a7bdcf11e52edb160c0ee3214f311a4dd9581d68555419eb11a00b5762eeaec4df24a64604d

            Download Submit

          • C:\Program Files\ExportConnect.exe
            Filesize

            380KB

            MD5

            bd2bd69ab92c4dc38ed41eff7ef04c73

            SHA1

            8592ea3198d235f6df95452ec8cb3a0f341a584a

            SHA256

            322968e8058e2ab8b438fccf6a49228d70c8e7155a7afbee88b8733db46ab56e

            SHA512

            863fd8c50d37fed4a95fdc98e1a560e44a38dcfd3edaeb89e080875fad8aac52d443cd2f3db7b04b8a50c0df221d50df1dc3e88d91f6b2912e91a0364a5cbc9e

            Download Submit

          • C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
            Filesize

            644KB

            MD5

            11e0853d537d2721ecc655c1fc527e91

            SHA1

            c8e23d103e93073ba7c93374878ae9a9f926c944

            SHA256

            f168cda7cfa0f4f1d8dc26f615772410afe41b43fbc3da3cfe2c249b1eadca30

            SHA512

            3e5af85789e480d355053e9ded02108ae53136aec795d5d37faf1d5426275f7f3729e5583b0a95b3434d5b4452c7382405c0f8bc94e8a65275335c62268e0ee2

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\$$a4B32.bat
            Filesize

            722B

            MD5

            ffe8715fa17aedb695a391239bb1674a

            SHA1

            423a510870ec97aa6d3ab30b549d910598906153

            SHA256

            f7fb542a17569870c835e30cf72090d2237bec29875064d2e993c85b1774f1bc

            SHA512

            b45cec9dcbbab182d4a3105506b75f062c3e48f6e00ffd9ed0f901d93d47f37a12dd60a4447db34687cfb51d7dc6fa42474272f34a0a7e5539d4beb18b116c35

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\30a8a49f1c6a71670221c4294a85857bd6666a735bdf6474c4a548aee2a280ea.exe.exe
            Filesize

            565KB

            MD5

            6677b6017e5d470cf99ef60d1802bccc

            SHA1

            2db730b0e0fecc40daa7bb71ea849db42aed066a

            SHA256

            4b18f6bbf232545f3ebe0ebb92ab5a3a7aaf6f3d49b754b29712cce013418576

            SHA512

            950c68bf646ef2ad7e3b9c363948fe9b732faea6e30108ff934a7a2c6a6373d9121ede15c5ca5c87292bdf8bf1d04ee4c27b73cca9f21a7d6320fc0b2ed5e0d4

            Download Submit

          • C:\Windows\Logo1_.exe
            Filesize

            33KB

            MD5

            12a0e17b9cf29b4fab8500f5e3e87a7b

            SHA1

            08107884477fa3e9ec065334cfa64c424f47d919

            SHA256

            0cbf2b30b759babbdd5dfc9f7a62b88557b9fcd43caefa1d9cf1d69cfc38bb92

            SHA512

            6564d542284cb4b805d89008dd9f4096eebd87c1e99e43ab24f8d808405ee96df889753d8522cc61695e9f730f31133912e35590536237c685c3046be5669449

            Download Submit

          • F:\$RECYCLE.BIN\S-1-5-21-711569230-3659488422-571408806-1000\_desktop.ini
            Filesize

            8B

            MD5

            a6f28952c332969f9e6d9f7d1a449737

            SHA1

            31c0826adb63cc03162fb9e88781f4b50da8f11b

            SHA256

            d9d875805581110dafdfb2ceb34c5e60f50fe720963f9813c287e4845248d208

            SHA512

            8187572ee8fbb9a42af34a3444be3a4309c5a798e7b1f27fce5b28b7168b72d015b1c10e611ccd3a9361af2aaeab831d2734017f77adff341c3fdb876c296eac

            Download Submit

          • memory/1792-9-0x0000000000400000-0x0000000000440000-memory.dmp

            Filesize

            256KB

            Download

          • memory/1792-0-0x0000000000400000-0x0000000000440000-memory.dmp

            Filesize

            256KB

            Download

          • memory/4516-11-0x0000000000400000-0x0000000000440000-memory.dmp

            Filesize

            256KB

            Download

          • memory/4516-5224-0x0000000000400000-0x0000000000440000-memory.dmp

            Filesize

            256KB

            Download

          • memory/4516-18-0x0000000000400000-0x0000000000440000-memory.dmp

            Filesize

            256KB

            Download

          • memory/4516-8708-0x0000000000400000-0x0000000000440000-memory.dmp

            Filesize

            256KB

            Download