Analysis

  • max time kernel
    150s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    25-12-2023 19:16

General

  • Target

    cff73c205f17ac986289d0f9b84d2d9545d05c26c6480edc6e59e9d4126f9619.exe

  • Size

    3.3MB

  • MD5

    52c24fc732ae5d03dd73aea086e72ad1

  • SHA1

    4bc9ae3dfd63f593d3a18fb116e3b33975ae4447

  • SHA256

    cff73c205f17ac986289d0f9b84d2d9545d05c26c6480edc6e59e9d4126f9619

  • SHA512

    7ce869f91bbd096067f4316f58a5ec3971d2e76e90212b645fc97c0da7d41fc5f97f6cb1819ac80643b0dbad1d1b6e62fea68a462347ee8eff1be2af213e3519

  • SSDEEP

    49152:nD1wyVu6kLS4U/DiaJ0de0r2AJisyYy20QkTu5dPkLoJjEWJ:5wv6kw/eJNHy2z+LoJjEWJ

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1212
      • C:\Users\Admin\AppData\Local\Temp\cff73c205f17ac986289d0f9b84d2d9545d05c26c6480edc6e59e9d4126f9619.exe
        "C:\Users\Admin\AppData\Local\Temp\cff73c205f17ac986289d0f9b84d2d9545d05c26c6480edc6e59e9d4126f9619.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:2468
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\$$a5ABD.bat
          3⤵
          • Deletes itself
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:2360
          • C:\Users\Admin\AppData\Local\Temp\cff73c205f17ac986289d0f9b84d2d9545d05c26c6480edc6e59e9d4126f9619.exe
            "C:\Users\Admin\AppData\Local\Temp\cff73c205f17ac986289d0f9b84d2d9545d05c26c6480edc6e59e9d4126f9619.exe"
            4⤵
            • Executes dropped EXE
            PID:3004
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2824
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2308
    • C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      1⤵
        PID:2704

Network

MITRE ATT&CK Enterprise v15

Downloads

      • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

        Filesize

        254KB

        MD5

        21bf7ddf289399c445b4d9218330a791

        SHA1

        34a1c135f4466d6a9e7fb8c5c7064686393df9b0

        SHA256

        dbc084ecd299645cbd9763ef936a492ecd2165e1359fddbcacd804f25aa13874

        SHA512

        3d97fba0c3bf09651e9149234e760b557ad221d4258663db7849d09b479029677afcefae1aef5b6ce33f2838bc668b664bb99d07517bf520da972e8ac4ec6df3

      • C:\Users\Admin\AppData\Local\Temp\$$a5ABD.bat

        Filesize

        722B

        MD5

        e1ba1272d17b9985ee9423f9a54ed39b

        SHA1

        221825f08a8e3248dd6955921f86ea747da76818

        SHA256

        de587b3a0aea3486c4e9df17d9401e531175cd2c47e9197de64aa5d2bc264243

        SHA512

        abe30fdd62334a231cdb66c4d2806c51a00232d2cba8fac3af06e4858dcee3efcdc6afe0d681827142bbd98e1f15d0bad8fee01adc5b60d8c153310dc3a94e2c

      • C:\Users\Admin\AppData\Local\Temp\cff73c205f17ac986289d0f9b84d2d9545d05c26c6480edc6e59e9d4126f9619.exe

        Filesize

        257KB

        MD5

        7451d05eea016a0f4d0945f57a1a3304

        SHA1

        317c45f558777fc1bb6e3977af47c36cc70b02c1

        SHA256

        f7b2eea91fa2ae888b74e89cd8193a906f9f2cab9f8719980976635ff752095f

        SHA512

        68eba56e72183a9e5c9bf15cf0bbd0dc2b1a801620b0e2d240b3ba0fe864c1d0dcf6a008375e0da3b7371923d8b5965d3340865d733e05c5939ec463aafa87e4

      • C:\Users\Admin\AppData\Local\Temp\cff73c205f17ac986289d0f9b84d2d9545d05c26c6480edc6e59e9d4126f9619.exe.exe

        Filesize

        1024KB

        MD5

        693243c45bf3aff63cfdbde9c61d0736

        SHA1

        f05be7171535ab3ab478670b57130667427ddbf8

        SHA256

        854850fc130b54c43107aafd7639a8a212fa94db68fcd015ec7b56a03e3c6024

        SHA512

        1ce6f64faead55386a60568f3b02f780793cb7001f940a97f38ebe3d60cc141bf7ac650e7f2d20ed258df58de9ee16e45980f0c7bd1e3b82f7320390ceda5fac

      • C:\Windows\rundl132.exe

        Filesize

        29KB

        MD5

        3f8f6ddcfd8d2e131ec9ff9ff2090ca1

        SHA1

        bc69b2fbbab6fc66b5e8bd2ca7a358bc7000b44f

        SHA256

        d33385041bbdbcbf890a8f56eb6877b4ecc87d319b10944074e97df9620bd8f2

        SHA512

        3652c4658d4a200d23ce970ee61b7831f4f91a121fd3ca6a5254e1a4dfe9866ceb17ad039bc1f30289b38c270ab6bef0d096329126acb285ad4d6f0c6bdcb97c

      • F:\$RECYCLE.BIN\S-1-5-21-1268429524-3929314613-1992311491-1000\_desktop.ini

        Filesize

        10B

        MD5

        0c6beb6d4da16bbf902e01a42ff163f5

        SHA1

        aeeec783750199c10f8dd6e8aa828a44233e760b

        SHA256

        2c5a0b332a8c9449c746ee8dd0d751b77f5ff89c525609cd48a7959a9cf2e793

        SHA512

        3f4ec9bc64092ea98aee91777e052f410194ce728890df45cbeccb60c321c5547e52eaae747c8b64c4f8a9c22a04c0f20146bb7cc5826552ae23e3be8ccb7c3a

      • \Users\Admin\AppData\Local\Temp\cff73c205f17ac986289d0f9b84d2d9545d05c26c6480edc6e59e9d4126f9619.exe

        Filesize

        576KB

        MD5

        f499c332ee83352289ac4308317ab95d

        SHA1

        d6cce866a9fdc71f310876824828bcfe26a44f08

        SHA256

        be1f0b258d2efd581e06497764f483ce6c9cba66b8d42ffb24b21246488b22c4

        SHA512

        bfd20781678a4cdccf3679205fabb480042449dd23befd65aa36ae905a0c9c2e0d3195f22593b15b46543a39378ac8240fff76ea508e6d9badb1ab5126e1d69e

      • memory/1212-29-0x00000000029D0000-0x00000000029D1000-memory.dmp

        Filesize

        4KB

      • memory/2468-16-0x0000000000220000-0x0000000000256000-memory.dmp

        Filesize

        216KB

      • memory/2468-15-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

      • memory/2468-0-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

      • memory/2824-31-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

      • memory/2824-38-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

      • memory/2824-44-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

      • memory/2824-48-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

      • memory/2824-91-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

      • memory/2824-97-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

      • memory/2824-1287-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

      • memory/2824-1850-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

      • memory/2824-1851-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

      • memory/2824-21-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

      • memory/2824-3310-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB