Overview

overview

8

Static

static

26dbbc77f1...50.exe

windows7-x64

8

26dbbc77f1...50.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    172s
  • max time network
    47s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    20-10-2022 22:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    26dbbc77f17cb09e51bbd5b5783457aa1615c15a3a3610a5a01bef8cc2af9850.exe

  • Size

    120KB

  • MD5

    5a2544acd855a22edf79e6764abceea0

  • SHA1

    4eef795e46737c9438dec461414d4895a41fce77

  • SHA256

    26dbbc77f17cb09e51bbd5b5783457aa1615c15a3a3610a5a01bef8cc2af9850

  • SHA512

    42d7ab20b4fdae8be27bd951458f0af2886f50342aedb62f6dbefae32d301f98ae59e77a5b870ef4ec8e0f5fa3c098e57d91ff7286ff0238e3b9684d316a9732

  • SSDEEP

    1536:3fgLdQAQfcfymNWE3L2JugxhQR2TV8RRp0M22CR:3ftffjmNWiL82iV8RRp0MC

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates connected drives 3 TTPs 22 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1216
      • C:\Users\Admin\AppData\Local\Temp\26dbbc77f17cb09e51bbd5b5783457aa1615c15a3a3610a5a01bef8cc2af9850.exe
        "C:\Users\Admin\AppData\Local\Temp\26dbbc77f17cb09e51bbd5b5783457aa1615c15a3a3610a5a01bef8cc2af9850.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:1880
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\$$a6AC5.bat
          3⤵
          • Deletes itself
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:1020
          • C:\Users\Admin\AppData\Local\Temp\26dbbc77f17cb09e51bbd5b5783457aa1615c15a3a3610a5a01bef8cc2af9850.exe
            "C:\Users\Admin\AppData\Local\Temp\26dbbc77f17cb09e51bbd5b5783457aa1615c15a3a3610a5a01bef8cc2af9850.exe"
            4⤵
            • Executes dropped EXE
            PID:1656
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2020
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:1976
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
                PID:1840

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\$$a6AC5.bat
        Filesize

        722B

        MD5

        990eff652ec261b3b4070a148fa74b13

        SHA1

        9256120d5589630ebfe5617baaf64aca3ac0e2dc

        SHA256

        ae67d6546c3831b5b8ea364a38dea9704d4d883cf99d48c3471be48a8dc76328

        SHA512

        9617626e398f5dec1fa2b8e7ccecc5e853d01aa38cda911f955c01d933225ec271c4e863f852ff2c52a7afd1f36560d4ad68ee17d2e177af5fc4f5db0edc88e4

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\26dbbc77f17cb09e51bbd5b5783457aa1615c15a3a3610a5a01bef8cc2af9850.exe
        Filesize

        93KB

        MD5

        df4a6f0c5e694d6ec28dd0dd41a3bd51

        SHA1

        773718bc6ab7a0b2419563a1bc4932281593277f

        SHA256

        a793b09eea4c6a830f3269fe6efc6efb1f1b939b791a01dedb727c94d59378b1

        SHA512

        b5695ee6333cff90bbb7967741179a979ed53bf433dbad780908a827f2824a7473a72632f6dd3b8ae706c7015dbe62373bfb7af58710deed93d944c470b4e9be

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\26dbbc77f17cb09e51bbd5b5783457aa1615c15a3a3610a5a01bef8cc2af9850.exe.exe
        Filesize

        93KB

        MD5

        df4a6f0c5e694d6ec28dd0dd41a3bd51

        SHA1

        773718bc6ab7a0b2419563a1bc4932281593277f

        SHA256

        a793b09eea4c6a830f3269fe6efc6efb1f1b939b791a01dedb727c94d59378b1

        SHA512

        b5695ee6333cff90bbb7967741179a979ed53bf433dbad780908a827f2824a7473a72632f6dd3b8ae706c7015dbe62373bfb7af58710deed93d944c470b4e9be

        Download Submit

      • C:\Windows\Logo1_.exe
        Filesize

        26KB

        MD5

        7b24f127dde4a0274a463d4581605702

        SHA1

        01fba4bb403a7477474d8485230837c14f87c8cc

        SHA256

        8ab4a210f5eb79f6ea976a238eeb8879b4e647dd9b8e47c701d73603957be1ce

        SHA512

        646372a9ec7fe495ad07de375880c779c57be400e1f0dce520329d805508a20d096bffd3a0d25dbe2636e1195f5150cb70e86a101175894835b9a170fd155a8d

        Download Submit

      • C:\Windows\Logo1_.exe
        Filesize

        26KB

        MD5

        7b24f127dde4a0274a463d4581605702

        SHA1

        01fba4bb403a7477474d8485230837c14f87c8cc

        SHA256

        8ab4a210f5eb79f6ea976a238eeb8879b4e647dd9b8e47c701d73603957be1ce

        SHA512

        646372a9ec7fe495ad07de375880c779c57be400e1f0dce520329d805508a20d096bffd3a0d25dbe2636e1195f5150cb70e86a101175894835b9a170fd155a8d

        Download Submit

      • C:\Windows\rundl132.exe
        Filesize

        26KB

        MD5

        7b24f127dde4a0274a463d4581605702

        SHA1

        01fba4bb403a7477474d8485230837c14f87c8cc

        SHA256

        8ab4a210f5eb79f6ea976a238eeb8879b4e647dd9b8e47c701d73603957be1ce

        SHA512

        646372a9ec7fe495ad07de375880c779c57be400e1f0dce520329d805508a20d096bffd3a0d25dbe2636e1195f5150cb70e86a101175894835b9a170fd155a8d

        Download Submit

      • \Users\Admin\AppData\Local\Temp\26dbbc77f17cb09e51bbd5b5783457aa1615c15a3a3610a5a01bef8cc2af9850.exe
        Filesize

        93KB

        MD5

        df4a6f0c5e694d6ec28dd0dd41a3bd51

        SHA1

        773718bc6ab7a0b2419563a1bc4932281593277f

        SHA256

        a793b09eea4c6a830f3269fe6efc6efb1f1b939b791a01dedb727c94d59378b1

        SHA512

        b5695ee6333cff90bbb7967741179a979ed53bf433dbad780908a827f2824a7473a72632f6dd3b8ae706c7015dbe62373bfb7af58710deed93d944c470b4e9be

        Download Submit

      • memory/1020-54-0x0000000000000000-mapping.dmp

        Download

      • memory/1656-63-0x0000000000000000-mapping.dmp

        Download

      • memory/1840-66-0x0000000000000000-mapping.dmp

        Download

      • memory/1880-57-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/1976-65-0x0000000000000000-mapping.dmp

        Download

      • memory/2020-55-0x0000000000000000-mapping.dmp

        Download

      • memory/2020-67-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2020-68-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download