Overview

overview

7

Static

static

3

7c9c544f83...47.exe

windows7-x64

7

7c9c544f83...47.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    151s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags

    arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
  • submitted
    12/10/2023, 05:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7c9c544f83b86a8f7f72e9f234721a823ddda4486019f74525334ca1e2efdc47.exe

  • Size

    1.1MB

  • MD5

    68655c05d1d55cba107ff7ce407e568b

  • SHA1

    d09c30bed3eb9c3a0afc60861b4272754b2cc7f2

  • SHA256

    7c9c544f83b86a8f7f72e9f234721a823ddda4486019f74525334ca1e2efdc47

  • SHA512

    e0d7ad2fa69da6901476dd960cb0acde1aa5abcfc08247c0193ef394233b7abe6a41b903d0d170c466cedad6f204f805002c9ffa71533ecb50f3512627c2d0fc

  • SSDEEP

    24576:G7dSrfAEWNZXzNvb3yMIR5JztI6/6FS7YtYb/1SrBX+YREGSW:G7dPyYS7YtYb/1SrhE7

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 58 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1236
      • C:\Users\Admin\AppData\Local\Temp\7c9c544f83b86a8f7f72e9f234721a823ddda4486019f74525334ca1e2efdc47.exe
        "C:\Users\Admin\AppData\Local\Temp\7c9c544f83b86a8f7f72e9f234721a823ddda4486019f74525334ca1e2efdc47.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:1264
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\$$a41C1.bat
          3⤵
          • Deletes itself
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:2028
          • C:\Users\Admin\AppData\Local\Temp\7c9c544f83b86a8f7f72e9f234721a823ddda4486019f74525334ca1e2efdc47.exe
            "C:\Users\Admin\AppData\Local\Temp\7c9c544f83b86a8f7f72e9f234721a823ddda4486019f74525334ca1e2efdc47.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            PID:2784
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:1924
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2732
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
                PID:2528

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
        Filesize

        251KB

        MD5

        b4b26eac2600e5ef5aa2997f96575ad9

        SHA1

        1d9aa3fb567666010d8352af24869a1ce27e3748

        SHA256

        cf7c69ec5be011e664ddc2f3570ad21c1161fdd7485d266127d8eb50a65eb2ef

        SHA512

        1c52a53d631741a40d4963d7a3df89867c575ee24ae2f81d3c6b322557090fdbd4568db1364cd8fe10a4bc8991c68902ab08e836355e0cf66634cd6afc0a3b88

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\$$a41C1.bat
        Filesize

        722B

        MD5

        ab66807078200cae651a8d8835a2c86c

        SHA1

        dccf5bbf358e2b1502bb9d875747e5f632178730

        SHA256

        5b495a765d492bd8c6f36796537df46a2a4f95f6a6bb890094de484e1eb57e56

        SHA512

        78a85aeeb80186e355ce69d0478a96712328981c860216d5b15c25260735dbc1a3e35da0509378250273b0a1953ab0f7e144d5d5eb19a11ab5fa4cd94eb9e13f

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\$$a41C1.bat
        Filesize

        722B

        MD5

        ab66807078200cae651a8d8835a2c86c

        SHA1

        dccf5bbf358e2b1502bb9d875747e5f632178730

        SHA256

        5b495a765d492bd8c6f36796537df46a2a4f95f6a6bb890094de484e1eb57e56

        SHA512

        78a85aeeb80186e355ce69d0478a96712328981c860216d5b15c25260735dbc1a3e35da0509378250273b0a1953ab0f7e144d5d5eb19a11ab5fa4cd94eb9e13f

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\7c9c544f83b86a8f7f72e9f234721a823ddda4486019f74525334ca1e2efdc47.exe
        Filesize

        1.1MB

        MD5

        66180e804aea0b21b5ff903a43b44b82

        SHA1

        6607b7b84e2621443769de03a841ca0801463561

        SHA256

        7b83f3577d18282997eabc5a8b8062232bf32114681bdd28f5f511db8082e281

        SHA512

        d5021a7ef3611515d2a17476b5e797e9b14d1597ac7bae723e7d6d52889e0cc116d8faa43110e05b2c95e529b2111c24598fff51b33d8ac2f158df3c67b34f9d

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\7c9c544f83b86a8f7f72e9f234721a823ddda4486019f74525334ca1e2efdc47.exe.exe
        Filesize

        1.1MB

        MD5

        66180e804aea0b21b5ff903a43b44b82

        SHA1

        6607b7b84e2621443769de03a841ca0801463561

        SHA256

        7b83f3577d18282997eabc5a8b8062232bf32114681bdd28f5f511db8082e281

        SHA512

        d5021a7ef3611515d2a17476b5e797e9b14d1597ac7bae723e7d6d52889e0cc116d8faa43110e05b2c95e529b2111c24598fff51b33d8ac2f158df3c67b34f9d

        Download Submit

      • C:\Windows\Logo1_.exe
        Filesize

        26KB

        MD5

        f6b4755a189e3a523baa8f80e66ab269

        SHA1

        f16a2c976c3064621b571c992022ff58dc04b5f0

        SHA256

        2fcf5a3706fdac291356bd302b6c5b5485a497d0d8613a6cc1b69269d0b52f89

        SHA512

        8da22db3a054b9ade173c9bd6178d1a8338b44449260b3e30795c9f3694b7e76bf608531a10fe9650e782a856b32d61509d20cd9de3e2b4fef2720e4362e2e03

        Download Submit

      • C:\Windows\Logo1_.exe
        Filesize

        26KB

        MD5

        f6b4755a189e3a523baa8f80e66ab269

        SHA1

        f16a2c976c3064621b571c992022ff58dc04b5f0

        SHA256

        2fcf5a3706fdac291356bd302b6c5b5485a497d0d8613a6cc1b69269d0b52f89

        SHA512

        8da22db3a054b9ade173c9bd6178d1a8338b44449260b3e30795c9f3694b7e76bf608531a10fe9650e782a856b32d61509d20cd9de3e2b4fef2720e4362e2e03

        Download Submit

      • C:\Windows\Logo1_.exe
        Filesize

        26KB

        MD5

        f6b4755a189e3a523baa8f80e66ab269

        SHA1

        f16a2c976c3064621b571c992022ff58dc04b5f0

        SHA256

        2fcf5a3706fdac291356bd302b6c5b5485a497d0d8613a6cc1b69269d0b52f89

        SHA512

        8da22db3a054b9ade173c9bd6178d1a8338b44449260b3e30795c9f3694b7e76bf608531a10fe9650e782a856b32d61509d20cd9de3e2b4fef2720e4362e2e03

        Download Submit

      • C:\Windows\rundl132.exe
        Filesize

        26KB

        MD5

        f6b4755a189e3a523baa8f80e66ab269

        SHA1

        f16a2c976c3064621b571c992022ff58dc04b5f0

        SHA256

        2fcf5a3706fdac291356bd302b6c5b5485a497d0d8613a6cc1b69269d0b52f89

        SHA512

        8da22db3a054b9ade173c9bd6178d1a8338b44449260b3e30795c9f3694b7e76bf608531a10fe9650e782a856b32d61509d20cd9de3e2b4fef2720e4362e2e03

        Download Submit

      • F:\$RECYCLE.BIN\S-1-5-21-3849525425-30183055-657688904-1000\_desktop.ini
        Filesize

        10B

        MD5

        a592e6708558f3dc0ad1608608da69c5

        SHA1

        69a1224ba3b2f2ab2f2ce8b8287809f3282d20d0

        SHA256

        24c83924da516d8acac4cdc96680306f1e34a8a54696bf5bf24106eeb562195a

        SHA512

        38724fff525de3d5b413bb962c2f81369068403f761f69d00f25cd03b5d8cb83603cd6d23c87faf458f157acf585ca4db031fe6640704a4158cb5ead56ce79f1

        Download Submit

      • \Users\Admin\AppData\Local\Temp\7c9c544f83b86a8f7f72e9f234721a823ddda4486019f74525334ca1e2efdc47.exe
        Filesize

        1.1MB

        MD5

        66180e804aea0b21b5ff903a43b44b82

        SHA1

        6607b7b84e2621443769de03a841ca0801463561

        SHA256

        7b83f3577d18282997eabc5a8b8062232bf32114681bdd28f5f511db8082e281

        SHA512

        d5021a7ef3611515d2a17476b5e797e9b14d1597ac7bae723e7d6d52889e0cc116d8faa43110e05b2c95e529b2111c24598fff51b33d8ac2f158df3c67b34f9d

        Download Submit

      • \Users\Admin\AppData\Local\Temp\7c9c544f83b86a8f7f72e9f234721a823ddda4486019f74525334ca1e2efdc47.exe
        Filesize

        1.1MB

        MD5

        66180e804aea0b21b5ff903a43b44b82

        SHA1

        6607b7b84e2621443769de03a841ca0801463561

        SHA256

        7b83f3577d18282997eabc5a8b8062232bf32114681bdd28f5f511db8082e281

        SHA512

        d5021a7ef3611515d2a17476b5e797e9b14d1597ac7bae723e7d6d52889e0cc116d8faa43110e05b2c95e529b2111c24598fff51b33d8ac2f158df3c67b34f9d

        Download Submit

      • memory/1236-32-0x0000000002AD0000-0x0000000002AD1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1264-16-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/1264-12-0x0000000000230000-0x0000000000264000-memory.dmp

        Filesize

        208KB

        Download

      • memory/1264-0-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/1924-46-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/1924-38-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/1924-34-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/1924-54-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/1924-102-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/1924-110-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/1924-335-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/1924-1866-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/1924-21-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/1924-3328-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2784-36-0x0000000000400000-0x0000000000524000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/2784-37-0x0000000000230000-0x0000000000231000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2784-29-0x0000000000230000-0x0000000000231000-memory.dmp

        Filesize

        4KB

        Download