Analysis

  • max time kernel
    150s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    23/07/2024, 23:01

General

  • Target

    61229e60d53b002028998ca548c6dc0bbafa6378bca9267d288f4e49996373eb.exe

  • Size

    397KB

  • MD5

    14c95808377738c9138f46540ad96ea1

  • SHA1

    8b4fc33e37406bf4e79bf62138ee522893b18850

  • SHA256

    61229e60d53b002028998ca548c6dc0bbafa6378bca9267d288f4e49996373eb

  • SHA512

    22f76f061ecaa56f54db4a19fad25a9b57802a231e730af548e5c9aa27306c5aa3e97906d14fe2492429ab1d490bddfcf13e4c9ae462d7f77aad9ba4cab52de2

  • SSDEEP

    6144:i1nDXYQ/BWJjmpgtBZQZKQj8p3jyb7HREd4SZ1tzLbF:i1DXYJmSTZwYp32bY4qtDF

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other profile contents.

  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 43 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1224
      • C:\Users\Admin\AppData\Local\Temp\61229e60d53b002028998ca548c6dc0bbafa6378bca9267d288f4e49996373eb.exe
        "C:\Users\Admin\AppData\Local\Temp\61229e60d53b002028998ca548c6dc0bbafa6378bca9267d288f4e49996373eb.exe"
        2⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2512
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2948
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:3020
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\$$aDB23.bat
          3⤵
          • Deletes itself
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2112
          • C:\Users\Admin\AppData\Local\Temp\61229e60d53b002028998ca548c6dc0bbafa6378bca9267d288f4e49996373eb.exe
            "C:\Users\Admin\AppData\Local\Temp\61229e60d53b002028998ca548c6dc0bbafa6378bca9267d288f4e49996373eb.exe"
            4⤵
            • Executes dropped EXE
            PID:2792
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Drops startup file
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2084
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2264
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2780
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2276
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2856
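
The process tree above shows three behaviours worth turning into detection logic: `net stop` issued against an anti-virus service (defence evasion, repeated by the dropped `Logo1_.exe`), `cmd /c` running a `$$a….bat` from `%TEMP%` that is spawned by an executable living in `%TEMP%` (the self-delete step), and an executable launched straight from `C:\Windows\` rather than a system directory. The following is an added example, not part of the sandbox report or the sample: the process-creation events are constructed to mirror the tree, and the security-product keyword list and the `C:\Windows` root baseline are assumptions to be tuned for a real estate.

```python
"""Process-tree detection for the behaviours in the sandbox report above.

Added example: the events are constructed from the report's process tree and
are not sandbox output. AV_SERVICE_HINTS and WINROOT_BASELINE are assumed lists.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str     # full path of the executed image
    cmdline: str   # command line as logged (e.g. Sysmon EID 1 / Security 4688)


SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\61229e60d53b002028998ca548c6dc0bbafa6378bca9267d288f4e49996373eb.exe")

# Constructed process-creation events mirroring the tree in the report.
EVENTS = [
    ProcEvent(1224, 0,    r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    ProcEvent(2512, 1224, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(2948, 2512, r"C:\Windows\SysWOW64\net.exe",
              'net stop "Kingsoft AntiVirus Service"'),
    ProcEvent(3020, 2948, r"C:\Windows\SysWOW64\net1.exe",
              r'C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"'),
    ProcEvent(2112, 2512, r"C:\Windows\SysWOW64\cmd.exe",
              r"cmd /c C:\Users\Admin\AppData\Local\Temp\$$aDB23.bat"),
    ProcEvent(2792, 2112, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(2084, 2512, r"C:\Windows\Logo1_.exe", r"C:\Windows\Logo1_.exe"),
    ProcEvent(2264, 2084, r"C:\Windows\SysWOW64\net.exe",
              'net stop "Kingsoft AntiVirus Service"'),
]

# Assumed keyword list: substrings that mark a service as a security product.
AV_SERVICE_HINTS = ("antivirus", "anti-virus", "kingsoft", "defender", "security")
# Assumed partial baseline of executables that legitimately live directly in C:\Windows.
WINROOT_BASELINE = {"explorer.exe", "regedit.exe", "notepad.exe", "hh.exe",
                    "write.exe", "splwow64.exe", "bfsvc.exe", "winhlp32.exe",
                    "helppane.exe", "fveupdate.exe"}

# "net stop <svc>" / "net1 stop <svc>", with or without a path and quotes.
NET_STOP = re.compile(r'\bnet1?(?:\.exe)?\s+stop\s+"?(.+?)"?\s*$', re.IGNORECASE)
# A $$a<hex>.bat under the user's %TEMP%, captured as a full path.
TEMP_BAT = re.compile(r'([A-Z]:\\[^\s"]*\\AppData\\Local\\Temp\\\$\$a[0-9A-F]+\.bat)',
                      re.IGNORECASE)
# An image directly under <drive>:\Windows\ (no sub-directory).
WINROOT_EXE = re.compile(r'^[A-Z]:\\Windows\\[^\\]+\.exe$', re.IGNORECASE)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule, pid, detail) tuples for events matching the three behaviours."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        name = basename(e.image)

        # 1. Defence evasion: net/net1 stopping a security-product service.
        if name in ("net.exe", "net1.exe"):
            m = NET_STOP.search(e.cmdline)
            if m and any(h in m.group(1).lower() for h in AV_SERVICE_HINTS):
                findings.append(("av_service_stop", e.pid, m.group(1)))

        # 2. Self-deletion: cmd.exe running a $$a*.bat from %TEMP%, spawned by
        #    an executable that itself lives in %TEMP%.
        if name == "cmd.exe":
            m = TEMP_BAT.search(e.cmdline)
            parent = by_pid.get(e.ppid)
            if m and parent and "\\appdata\\local\\temp\\" in parent.image.lower():
                findings.append(("self_delete_batch", e.pid, m.group(1)))

        # 3. Staging: an executable run straight from C:\Windows\ that is not
        #    in the baseline (Logo1_.exe in the report).
        if WINROOT_EXE.match(e.image) and name not in WINROOT_BASELINE:
            findings.append(("unexpected_windows_root_exe", e.pid, e.image))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in detect(EVENTS):
        print(f"{rule:28} pid={pid:<5} {detail}")
```

Note that `net.exe` delegates to `net1.exe`, so every service stop produces two matching events (one per process), as in the report where each `net stop` is followed by a `net1 stop` child; deduplicate on the parent/child pair if the alert volume matters.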

    Network

          MITRE ATT&CK Enterprise v15

          Downloads

          • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

            Filesize

            258KB

            MD5

            a2f2252f83d6cec96ba74f04625cda0b

            SHA1

            13e0a28135596b99862f5453f691c97659aa2061

            SHA256

            561ae9afa3c74a25303928fffc0d8951c0e807a26c2616145d06fade3b99ec2f

            SHA512

            01ad85cfae3aef0610c03cb1062f3c07ad71fd93a3ad18b65db7191c97736bc5090fe4b42864bbb74593409f7c6310de56a65a3696a1adaaabf504a5579f7598

          • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

            Filesize

            478KB

            MD5

            79d96b6a2771e7783309bf05ebe7b5c1

            SHA1

            b19da11278224b17598d5b6de189892a83196708

            SHA256

            eb38a47ec49f3f376f53aff58def8c3a0e095bad67e2887d3f58bb4a3c71a19e

            SHA512

            72e30060fd922fc37662d762bc647bf85938986d810057926fe86a1622e1b05fc841bab9ee06ee7855071ed27da3d8fe20d41f03ae68c4c76cc720a7e56d4d68

          • C:\Users\Admin\AppData\Local\Temp\$$aDB23.bat

            Filesize

            722B

            MD5

            67d944cc1adb75ed1b0f8822d9cb2f8a

            SHA1

            c924b6ba0b3b10e4004656f9cb7a7ba26e8d68b3

            SHA256

            8bbb2c6c2c57c24ee2782adadc7ede8cc8fa196409ba3d9a6b1e81113ae0b4ec

            SHA512

            ef18e64437751e72a817dc788e1ad229d0c85e4e27dc1e61aef44ecdfa203719dffee54c313de5d3eba3eb23a05b791d8d3d27f64946c11f25b62f6685c255c3

          • C:\Users\Admin\AppData\Local\Temp\61229e60d53b002028998ca548c6dc0bbafa6378bca9267d288f4e49996373eb.exe.exe

            Filesize

            364KB

            MD5

            213eeb5e8f54231f68e5b26a0fc81bd1

            SHA1

            1bc31a42536eacbb57d1cd92ec4b5524a82264d2

            SHA256

            b309045509efc205eb35d6037d64640093fde6c54ec5934e329b447417005a50

            SHA512

            ce35c5f453126c98329df141f821c55692f9252549c76921c231d8170df356cda1689e636758519c0b6898f11b5c836cdb4967d296b99f915e4d1980470a083b

          • C:\Windows\Logo1_.exe

            Filesize

            33KB

            MD5

            acc875481830dccdda351ec15db601bb

            SHA1

            f03af1ee9a3368c71b0d46586d700ce1d39fe9bb

            SHA256

            ac544e154655a153a03c5f3dd52645c30d12c3ba6886c8b037663694748491ab

            SHA512

            e2564a8a9e7a8ddb78bc7541d0648c2b42185e7c06b63145a07f50871435f97cd6c691180e4ad900646a4a4a936981b6685934f6d289d6f013bca1ff975f1336

          • F:\$RECYCLE.BIN\S-1-5-21-3294248377-1418901787-4083263181-1000\_desktop.ini

            Filesize

            9B

            MD5

            ece8e24737d1957fb4e94d8890ee8d02

            SHA1

            6c79bfb99f560a2102a903116f5a0c195f7885e4

            SHA256

            d920366b3c62a677cf0cf1f267a7c2f3dd693f2ff60ee023091bf9c39c5e30b8

            SHA512

            ccf58b4da1ad1379a546f307bca8dc4452a61a3cb443814f4d9566b8d8d35cc9d794ada4d1a13296ed5bc0248ba5ef538e5dc5e22861c2ead3f479beeb5c2d37

          • memory/1224-27-0x0000000002DF0000-0x0000000002DF1000-memory.dmp

            Filesize

            4KB

          • memory/2084-30-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

          • memory/2084-18-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

          • memory/2084-3301-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

          • memory/2084-4149-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

          • memory/2512-0-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

          • memory/2512-17-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB