Analysis

  • max time kernel
    150s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20231023-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231023-en, locale:en-us, os:windows7-x64, system
  • submitted
    13-11-2023 16:38

General

  • Target

    5afc9b5085d7b84173b3dc3cc965d1eada75b9ba4249baa7487a68b0bb1bf623.exe

  • Size

    404KB

  • MD5

    4302111a17bf69deabfb58f128c71adb

  • SHA1

    c9bf282ed4a976bc9dbbd9da845dd997b800a821

  • SHA256

    5afc9b5085d7b84173b3dc3cc965d1eada75b9ba4249baa7487a68b0bb1bf623

  • SHA512

    d463a0677a6bb7f47d771805ccd2cf9b41d03ea3e67cb52d14c35db56f69135a5b8e93b2d2624675c1b9a2cd6d3dea2a1709b9c31dbc9d029f5d4eec3df09e16

  • SSDEEP

    6144:VTVfjmNKYJDqxN39AkK829a9ZFFxEA+67DTcaBbm3opTGwGrzSSmO5TCchGHLUs4:Vp7+pANd9ZFgA+6Ya4L6ddgR

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1216
      • C:\Users\Admin\AppData\Local\Temp\5afc9b5085d7b84173b3dc3cc965d1eada75b9ba4249baa7487a68b0bb1bf623.exe
        "C:\Users\Admin\AppData\Local\Temp\5afc9b5085d7b84173b3dc3cc965d1eada75b9ba4249baa7487a68b0bb1bf623.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:2244
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\$$a514B.bat
          3⤵
          • Deletes itself
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:3056
          • C:\Users\Admin\AppData\Local\Temp\5afc9b5085d7b84173b3dc3cc965d1eada75b9ba4249baa7487a68b0bb1bf623.exe
            "C:\Users\Admin\AppData\Local\Temp\5afc9b5085d7b84173b3dc3cc965d1eada75b9ba4249baa7487a68b0bb1bf623.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:2816
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:1344
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2644
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
                PID:2832

Network

MITRE ATT&CK Enterprise v15

Downloads

      • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

        Filesize

        251KB

        MD5

        3d155daa199ad799f9ccc932630abcca

        SHA1

        a4bd194a97e046ddf5ccaef03debce2c79b8fbea

        SHA256

        49a785cbb804a40b71f337a7b5b820d784b03a49bbe6d859463f7cdb9fd60cc5

        SHA512

        c50fdff168ce358f32fe9e4e58e09fe74590498fea4849a9c92020a10bb7729778f63e2a37d0aaadaca4a7e9d87d36ac7ddd35dc1fbcd5c1b3b193c77c6865a2

      • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

        Filesize

        471KB

        MD5

        4cfdb20b04aa239d6f9e83084d5d0a77

        SHA1

        f22863e04cc1fd4435f785993ede165bd8245ac6

        SHA256

        30ed17ca6ae530e8bf002bcef6048f94dba4b3b10252308147031f5c86ace1b9

        SHA512

        35b4c2f68a7caa45f2bb14b168947e06831f358e191478a6659b49f30ca6f538dc910fe6067448d5d8af4cb8558825d70f94d4bd67709aee414b2be37d49be86

      • C:\Users\Admin\AppData\Local\Temp\$$a514B.bat

        Filesize

        722B

        MD5

        d25298ec3b6403e91643dbb0362880d4

        SHA1

        9a41566f1a6cac5fa0eb9656b9bc5f84b4af996b

        SHA256

        d910915a9862dc43bf1ea33452dc5ff756fe56ceefa601f91f16c118c790c1fc

        SHA512

        65f2acf756affe39985ead5cc5911ff1918aaf809ebb48628b061a8a052008d69669d4429a940047d51ed1d756fb5710e6c437acfe38d39299d7553205e8e069

      • C:\Users\Admin\AppData\Local\Temp\5afc9b5085d7b84173b3dc3cc965d1eada75b9ba4249baa7487a68b0bb1bf623.exe

        Filesize

        378KB

        MD5

        00f8f1a85705f7533255d6caf892cc02

        SHA1

        89de1eeac3e28d27844d29c1bcfb536379ab5632

        SHA256

        428115181572671d1f6b8e3d21f27705be0789a1c8d8cb01f97a2ac47cff8d93

        SHA512

        208ff4eb218fe823c5a7b32980c313d7ff661b7966f0313963081f75c5afc0f2b1f0cedfdbc7dde6e812c3e918e21fa2f3a8f566cd58848c71ef5fad87d380d8

      • C:\Users\Admin\AppData\Local\Temp\5afc9b5085d7b84173b3dc3cc965d1eada75b9ba4249baa7487a68b0bb1bf623.exe.exe

        Filesize

        378KB

        MD5

        00f8f1a85705f7533255d6caf892cc02

        SHA1

        89de1eeac3e28d27844d29c1bcfb536379ab5632

        SHA256

        428115181572671d1f6b8e3d21f27705be0789a1c8d8cb01f97a2ac47cff8d93

        SHA512

        208ff4eb218fe823c5a7b32980c313d7ff661b7966f0313963081f75c5afc0f2b1f0cedfdbc7dde6e812c3e918e21fa2f3a8f566cd58848c71ef5fad87d380d8

      • C:\Windows\Logo1_.exe

        Filesize

        26KB

        MD5

        ffa33fa7aa580111297ca0f65115012a

        SHA1

        d8f8cc29d4acae6d0ac00afd6aa5fcd69677084a

        SHA256

        07e4b58de5ec7cccbba41baa084ea701296791de10b172ba569732c4ef0ed2ad

        SHA512

        e92f77f8bef0aa6ad7f04eb60caab9c16c56b027303eb296056facc4d97b80b783a2cd549bf4e902891814f6de8a11a23644c3cfe7a2fa95305bf32043c46413

      • C:\Windows\rundl132.exe

        Filesize

        26KB

        MD5

        ffa33fa7aa580111297ca0f65115012a

        SHA1

        d8f8cc29d4acae6d0ac00afd6aa5fcd69677084a

        SHA256

        07e4b58de5ec7cccbba41baa084ea701296791de10b172ba569732c4ef0ed2ad

        SHA512

        e92f77f8bef0aa6ad7f04eb60caab9c16c56b027303eb296056facc4d97b80b783a2cd549bf4e902891814f6de8a11a23644c3cfe7a2fa95305bf32043c46413

      • F:\$RECYCLE.BIN\S-1-5-21-3425689832-2386927309-2650718742-1000\_desktop.ini

        Filesize

        10B

        MD5

        7af371ae7aad351d505f1b26382de243

        SHA1

        0a19bf0a1ccfb902a03b3da68bdd289190e62f5f

        SHA256

        4fcc643d52dbc25dd57a011e27cbb0503711cf1a2ad1610a4f9e7b9f17c5bc1b

        SHA512

        1127b9c88de9e2d58f7a512dd52c31bb9d96b0543f13e4cfff59ca2b73e60307538dd9bcd1c480e6d260fe45b44208a5554a5a60e8c2e3da8385b2cdd0e77d3e

      • \Users\Admin\AppData\Local\Temp\5afc9b5085d7b84173b3dc3cc965d1eada75b9ba4249baa7487a68b0bb1bf623.exe

        Filesize

        378KB

        MD5

        00f8f1a85705f7533255d6caf892cc02

        SHA1

        89de1eeac3e28d27844d29c1bcfb536379ab5632

        SHA256

        428115181572671d1f6b8e3d21f27705be0789a1c8d8cb01f97a2ac47cff8d93

        SHA512

        208ff4eb218fe823c5a7b32980c313d7ff661b7966f0313963081f75c5afc0f2b1f0cedfdbc7dde6e812c3e918e21fa2f3a8f566cd58848c71ef5fad87d380d8

      • memory/1216-30-0x0000000002C90000-0x0000000002C91000-memory.dmp

        Filesize

        4KB

      • memory/1344-46-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

      • memory/1344-19-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

      • memory/1344-33-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

      • memory/1344-40-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

      • memory/1344-92-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

      • memory/1344-98-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

      • memory/1344-252-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

      • memory/1344-1851-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

      • memory/1344-3311-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

      • memory/2244-18-0x0000000000220000-0x0000000000254000-memory.dmp

        Filesize

        208KB

      • memory/2244-0-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

      • memory/2244-17-0x0000000000220000-0x0000000000254000-memory.dmp

        Filesize

        208KB

      • memory/2244-15-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB