Overview

overview

7

Static

static

3

2dbb8d0990...24.exe

windows7-x64

7

2dbb8d0990...24.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    169s
  • max time network
    175s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14/10/2023, 01:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2dbb8d0990103bf4776bc627e8b41de2630053cc67533ed38d5d05b3da195524.exe

  • Size

    99KB

  • MD5

    ceea6638b83ca939a0df100d39de574b

  • SHA1

    0c2d176a1b2b8e051d9998173835c523a7a2efa0

  • SHA256

    2dbb8d0990103bf4776bc627e8b41de2630053cc67533ed38d5d05b3da195524

  • SHA512

    b3c8e659ed51a04d8035ee38e548faea672db93d2e8ec8bf3206610783e2389a7680408d3a30bfe0b16bc8cc89776e3792956992691bc8531038938ec01647d5

  • SSDEEP

    1536:xfgLdQAQfwt7FZJ92BsQCKBAR2pmU/BGhkp3szGPpbTDblnYVJV1PBs:xftffepVPn4ARXU/HZ9/D8Ds

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3144
      • C:\Users\Admin\AppData\Local\Temp\2dbb8d0990103bf4776bc627e8b41de2630053cc67533ed38d5d05b3da195524.exe
        "C:\Users\Admin\AppData\Local\Temp\2dbb8d0990103bf4776bc627e8b41de2630053cc67533ed38d5d05b3da195524.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:1132
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4949.bat
          3⤵
          • Checks computer location settings
          • Suspicious use of SetWindowsHookEx
          PID:4392
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2836
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:4752
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
                PID:1952

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files\7-Zip\7z.exe
        Filesize

        484KB

        MD5

        07c5e9a9f606b5ae33bdb24d21af81bf

        SHA1

        58be120b62a58788956df840d4462515829cf0e4

        SHA256

        60ebb105f4147a89b4abc067a1e66dd97757738f945db1a90bf9799d56a45b94

        SHA512

        c18d2519cfc5bcaee1483e4a77b6bbe9241310580bdeefee14870aef3973f113ab487ec58ee7d081661eb21e6c3a98f2044aa4b24cf0ee56a3f22e7321ece6ad

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\$$a4949.bat
        Filesize

        722B

        MD5

        ae756d9c40431413386fef08b623faa9

        SHA1

        e4dcd2c74e530a555310a3355a650a0afac314e3

        SHA256

        a68731e76a700b7ad30fa3100e696e83dc64013063bc2afbe6285cc26f74db32

        SHA512

        b7b69e35d3af26a8fc672d0e4d843dd056c999938a87a31b376ca60fd2a9cdbbf41771568462f3a4d30d5876d796525ca4f042331a74c2d68992d2b8875a6d83

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\2dbb8d0990103bf4776bc627e8b41de2630053cc67533ed38d5d05b3da195524.exe.exe
        Filesize

        73KB

        MD5

        a2f63aa3630f40b95ea45dca951a6785

        SHA1

        80f8cf7e7134682e661b1bbc08979d14bce13793

        SHA256

        ecb8c2817df29a2c6d5057dae4a4ffb4a7bf4ae3e33aeca4be9f635c06f0380f

        SHA512

        5e35ad38e9852b489a77a6d5ad028c5645b6c6987a6fee2a660186c34afa6ffd6db1dd255fec3ea5a92dc462c02832c9ed10bfa1772f9fed9aa774774c6662d8

        Download Submit

      • C:\Windows\Logo1_.exe
        Filesize

        26KB

        MD5

        8758044db9fce67ea2ad542f86e69e57

        SHA1

        60cc4d25ea4e17f676e8ac8be10b9dfe2f7ed67d

        SHA256

        0c91b552dc6db19b6711e32cb8c9c604b60dc9d674be06cccb6adf08b4dbd82d

        SHA512

        411737be53feaef0829190b6610c729b925949bcc0b4a65063ab393acb1a92c577093e6377a373704ce54d27a593f2faddc23c80c660638f7c304a93f1972c93

        Download Submit

      • C:\Windows\Logo1_.exe
        Filesize

        26KB

        MD5

        8758044db9fce67ea2ad542f86e69e57

        SHA1

        60cc4d25ea4e17f676e8ac8be10b9dfe2f7ed67d

        SHA256

        0c91b552dc6db19b6711e32cb8c9c604b60dc9d674be06cccb6adf08b4dbd82d

        SHA512

        411737be53feaef0829190b6610c729b925949bcc0b4a65063ab393acb1a92c577093e6377a373704ce54d27a593f2faddc23c80c660638f7c304a93f1972c93

        Download Submit

      • C:\Windows\rundl132.exe
        Filesize

        26KB

        MD5

        8758044db9fce67ea2ad542f86e69e57

        SHA1

        60cc4d25ea4e17f676e8ac8be10b9dfe2f7ed67d

        SHA256

        0c91b552dc6db19b6711e32cb8c9c604b60dc9d674be06cccb6adf08b4dbd82d

        SHA512

        411737be53feaef0829190b6610c729b925949bcc0b4a65063ab393acb1a92c577093e6377a373704ce54d27a593f2faddc23c80c660638f7c304a93f1972c93

        Download Submit

      • F:\$RECYCLE.BIN\S-1-5-21-1574508946-349927670-1185736483-1000\_desktop.ini
        Filesize

        10B

        MD5

        b00c1a89b15effd3d1fb2de4fdc7bee5

        SHA1

        0c3a4f06bcd397d1d3a63ab2ca05e64cc7ae554d

        SHA256

        0767fccea7e57d6427b0a9b440f28687f4b835409c5dcdeb337a479009222cd9

        SHA512

        b50a3c1df331ecd7dbbd88c202c7b7b8fe6ece8df96249d88f40138952fb3c523f6f133a2d12daa2fd892643b53e4c19b39bcb16ef810f789c996e00bad03bc0

        Download Submit

      • memory/1132-13-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/1132-0-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/1132-1-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2836-9-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2836-27-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2836-33-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2836-38-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2836-42-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2836-19-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2836-180-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2836-489-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2836-1118-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download