Overview

overview

8

Static

static

15f087a2ee...7a.exe

windows7-x64

8

15f087a2ee...7a.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    150s
  • max time network
    47s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    28/10/2022, 18:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    15f087a2eed128bc76f0bd8236b5f09d693d2b8a3726c7fa81af9083ecf2407a.exe

  • Size

    195KB

  • MD5

    0c92e7efee45b67046dc912394006977

  • SHA1

    54dbc7393baf4b32be69d1f1727cb4569d0b505e

  • SHA256

    15f087a2eed128bc76f0bd8236b5f09d693d2b8a3726c7fa81af9083ecf2407a

  • SHA512

    95f94d61d411a9820a982040f0ce6fd86961dd99e82efca25c12b53aadbf9cb69d8f3fceb88a8296a63822564a8e9ddd16facac0c1edf955120e8e81ad76d2d2

  • SSDEEP

    3072:PLtaY46tGNttyJQ7KRcUchpxfjTzYE9a6bDSHe2doqV0/F5gjYVo7D2dS11lbzfr:L46tGdyOVLk96bDMe2mqVzNudSNbzam9

Score
8/10

Malware Config

Signatures

  • Drops file in Drivers directory 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates connected drives 3 TTPs 22 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 43 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1288
      • C:\Users\Admin\AppData\Local\Temp\15f087a2eed128bc76f0bd8236b5f09d693d2b8a3726c7fa81af9083ecf2407a.exe
        "C:\Users\Admin\AppData\Local\Temp\15f087a2eed128bc76f0bd8236b5f09d693d2b8a3726c7fa81af9083ecf2407a.exe"
        2⤵
        • Drops file in Drivers directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1556
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1756
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:1516
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c C:\Users\Admin\AppData\Local\Temp\$$a409A.bat
            3⤵
            • Deletes itself
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:1740
            • C:\Users\Admin\AppData\Local\Temp\15f087a2eed128bc76f0bd8236b5f09d693d2b8a3726c7fa81af9083ecf2407a.exe
              "C:\Users\Admin\AppData\Local\Temp\15f087a2eed128bc76f0bd8236b5f09d693d2b8a3726c7fa81af9083ecf2407a.exe"
              4⤵
              • Executes dropped EXE
              PID:1204
          • C:\Windows\Logo1_.exe
            C:\Windows\Logo1_.exe
            3⤵
            • Drops file in Drivers directory
            • Executes dropped EXE
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:1744
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:1692
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:336
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:976
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:1064

          Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\$$a409A.bat
            Filesize

            722B

            MD5

            de4a32c574edb70b68a532de9ba548c7

            SHA1

            ea1833eced547633c7207698a66a0f4952021845

            SHA256

            7f2bae5dc79b8a031de882667cb151eb4ca603f59b1a5bcf175ca56ef766e3e6

            SHA512

            7df0362d53875371c8251c48baa31974a0004683563816a26ca38df8b07c2a45a18936dc8e5769e0007aeccde7b2e72fc421f1fdeb6b9d7d8978d30994aabfed

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\15f087a2eed128bc76f0bd8236b5f09d693d2b8a3726c7fa81af9083ecf2407a.exe
            Filesize

            162KB

            MD5

            0809e50d14e2bdbe829f259d56dfa26f

            SHA1

            6eef6d869b0083fa7cb334bf06e011437c13661f

            SHA256

            fcf76a0d6b6c22953fa1562843a64191c1152d1014b2698979d9ac7d1d7e9aeb

            SHA512

            8c9079f4680fcdf182e43b05364e0054a6a268303b533b54012f5043e7fb92816d39e37b77dd5aaa950a0a4ab9734cf0a932fcce41c2b9b082e284855159e96b

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\15f087a2eed128bc76f0bd8236b5f09d693d2b8a3726c7fa81af9083ecf2407a.exe.exe
            Filesize

            162KB

            MD5

            0809e50d14e2bdbe829f259d56dfa26f

            SHA1

            6eef6d869b0083fa7cb334bf06e011437c13661f

            SHA256

            fcf76a0d6b6c22953fa1562843a64191c1152d1014b2698979d9ac7d1d7e9aeb

            SHA512

            8c9079f4680fcdf182e43b05364e0054a6a268303b533b54012f5043e7fb92816d39e37b77dd5aaa950a0a4ab9734cf0a932fcce41c2b9b082e284855159e96b

            Download Submit

          • C:\Windows\Logo1_.exe
            Filesize

            33KB

            MD5

            081aacc5b29093026775747c06914918

            SHA1

            bda01de6880d0bc3dff0b581fdcd5f2dae94750b

            SHA256

            1151d576a0bebee84e7d907fdc1854cd80c225b14987718a0e0b8f8969130713

            SHA512

            a01a23edf17719c084257909dddb156f5863f1efe4b01c6d28135a4145922258b2f66eb05670a2878383efcc12024d71a3dc1965daae8fb4346342251f96eb86

            Download Submit

          • C:\Windows\Logo1_.exe
            Filesize

            33KB

            MD5

            081aacc5b29093026775747c06914918

            SHA1

            bda01de6880d0bc3dff0b581fdcd5f2dae94750b

            SHA256

            1151d576a0bebee84e7d907fdc1854cd80c225b14987718a0e0b8f8969130713

            SHA512

            a01a23edf17719c084257909dddb156f5863f1efe4b01c6d28135a4145922258b2f66eb05670a2878383efcc12024d71a3dc1965daae8fb4346342251f96eb86

            Download Submit

          • C:\Windows\rundl132.exe
            Filesize

            33KB

            MD5

            081aacc5b29093026775747c06914918

            SHA1

            bda01de6880d0bc3dff0b581fdcd5f2dae94750b

            SHA256

            1151d576a0bebee84e7d907fdc1854cd80c225b14987718a0e0b8f8969130713

            SHA512

            a01a23edf17719c084257909dddb156f5863f1efe4b01c6d28135a4145922258b2f66eb05670a2878383efcc12024d71a3dc1965daae8fb4346342251f96eb86

            Download Submit

          • \Users\Admin\AppData\Local\Temp\15f087a2eed128bc76f0bd8236b5f09d693d2b8a3726c7fa81af9083ecf2407a.exe
            Filesize

            162KB

            MD5

            0809e50d14e2bdbe829f259d56dfa26f

            SHA1

            6eef6d869b0083fa7cb334bf06e011437c13661f

            SHA256

            fcf76a0d6b6c22953fa1562843a64191c1152d1014b2698979d9ac7d1d7e9aeb

            SHA512

            8c9079f4680fcdf182e43b05364e0054a6a268303b533b54012f5043e7fb92816d39e37b77dd5aaa950a0a4ab9734cf0a932fcce41c2b9b082e284855159e96b

            Download Submit

          • \Users\Admin\AppData\Local\Temp\15f087a2eed128bc76f0bd8236b5f09d693d2b8a3726c7fa81af9083ecf2407a.exe
            Filesize

            162KB

            MD5

            0809e50d14e2bdbe829f259d56dfa26f

            SHA1

            6eef6d869b0083fa7cb334bf06e011437c13661f

            SHA256

            fcf76a0d6b6c22953fa1562843a64191c1152d1014b2698979d9ac7d1d7e9aeb

            SHA512

            8c9079f4680fcdf182e43b05364e0054a6a268303b533b54012f5043e7fb92816d39e37b77dd5aaa950a0a4ab9734cf0a932fcce41c2b9b082e284855159e96b

            Download Submit

          • memory/1204-72-0x0000000075CF1000-0x0000000075CF3000-memory.dmp

            Filesize

            8KB

            Download

          • memory/1556-61-0x00000000001C0000-0x00000000001FE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/1556-60-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/1556-55-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/1744-65-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/1744-76-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download