Overview

overview

7

Static

static

3

427f9615cf...01.exe

windows7-x64

7

427f9615cf...01.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    100s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    05/01/2024, 02:08

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    427f9615cf393b372949ae9b027a3e01.exe

  • Size

    330KB

  • MD5

    427f9615cf393b372949ae9b027a3e01

  • SHA1

    048293ce62da9d65a6df04ca57bdf0e0b90de2f6

  • SHA256

    8fd593fd43f03a3e1b2490663e0a642707b363666a653cd10fb14a3d1f2b67a7

  • SHA512

    804a90f01c9e4133684db3512202cbe7323bffe6686a7b2d5b0934d6a42ae15b12bf70bc7e4b3a8eed611e31a7da7c7c7e79573467d033db1943f916bf6fa61c

  • SSDEEP

    3072:CftffhJCu/IQqifsI2+wrIk95SICKPsyEjvTtQXkVqKgvqgyAN9tQRiBE+y/Z:SVfhgu/1x2F0iSIGN7pmvX9/Q9Z

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1180
      • C:\Users\Admin\AppData\Local\Temp\427f9615cf393b372949ae9b027a3e01.exe
        "C:\Users\Admin\AppData\Local\Temp\427f9615cf393b372949ae9b027a3e01.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:1656
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\$$a12F4.bat
          3⤵
          • Deletes itself
          PID:3032
          • C:\Users\Admin\AppData\Local\Temp\427f9615cf393b372949ae9b027a3e01.exe
            "C:\Users\Admin\AppData\Local\Temp\427f9615cf393b372949ae9b027a3e01.exe"
            4⤵
            • Executes dropped EXE
            PID:2688
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2616
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2732
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
                PID:2660

      Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\$$a12F4.bat
              Filesize

              530B

              MD5

              0cfc0c47926ff6c1dbcd0b199e02367d

              SHA1

              94ccf49abe8afed69317e477c8a6f305fac08cb8

              SHA256

              b0406c147d57299ed26f0121cabaad53421df791bb62b37eea05b5694d86a090

              SHA512

              f2bd0e8ef5c450d4b83667c7ec545f6aab84e03febd172696232a829c619cfa54086f67f3b7e0e6893dd1b0b5a1898895dda1480e8480d07733e15afd879b820

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\427f9615cf393b372949ae9b027a3e01.exe.exe
              Filesize

              304KB

              MD5

              32856c61ab3c0711dbf54890dcd0755a

              SHA1

              d242f8115fec145dfdff0a0729f34991027bd7a3

              SHA256

              de6e79f384444aebb61c5d38044ea430c2911162d1a3770267a63ac2cd9c03ab

              SHA512

              00fd2b0e4965b7a85ca772a34fae8fdeca14dfc5bc347412ebe6d15017ebc07f22cd78d9f6f9f61c49ba26ba62a21bae6721488872be97a6ffd64616320f83a8

              Download Submit

            • C:\Windows\rundl132.exe
              Filesize

              26KB

              MD5

              4deec1ee4c508e658e9ac56bd4e367d8

              SHA1

              8449fb96da6490e6abe8e6aa9cd38051f2c39625

              SHA256

              e4af0831fd974f9cbdbeca824ddeaf6d14472d0078aeb60fc3ed31c6189a763b

              SHA512

              7fab6020e1151beec9f8bc77c520c1ae60ec76815a24fbd5551b78a696611e5f9639f34671e84885fee17a227263b4904c47deedd0734c6c5b38fddfcd908b40

              Download Submit

            • F:\$RECYCLE.BIN\S-1-5-21-3601492379-692465709-652514833-1000\_desktop.ini
              Filesize

              8B

              MD5

              209b72362215bdaaf45b2d2388ee962c

              SHA1

              872a46c03b4ff1322f5dd750c7ac0a07e5113ca0

              SHA256

              56dc9a9a2aef97a2582545195a5ae52880339dff396cf5a749551379418aed62

              SHA512

              45e9bfd535948c288f7342c28cc31fa63331dddc3b2f38afeb6cc1547f1301c46c97f9925905ee4d0ca46bb2d5f40181b913cfeaf9763ae6a38debdd24db7cc9

              Download Submit

            • memory/1180-29-0x0000000003CB0000-0x0000000003CB1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/1656-16-0x0000000000400000-0x0000000000434000-memory.dmp

              Filesize

              208KB

              Download

            • memory/1656-0-0x0000000000400000-0x0000000000434000-memory.dmp

              Filesize

              208KB

              Download

            • memory/1656-15-0x0000000000220000-0x0000000000254000-memory.dmp

              Filesize

              208KB

              Download

            • memory/2616-44-0x0000000000400000-0x0000000000434000-memory.dmp

              Filesize

              208KB

              Download

            • memory/2616-31-0x0000000000400000-0x0000000000434000-memory.dmp

              Filesize

              208KB

              Download

            • memory/2616-21-0x0000000000400000-0x0000000000434000-memory.dmp

              Filesize

              208KB

              Download

            • memory/2616-38-0x0000000000400000-0x0000000000434000-memory.dmp

              Filesize

              208KB

              Download

            • memory/2616-90-0x0000000000400000-0x0000000000434000-memory.dmp

              Filesize

              208KB

              Download

            • memory/2616-96-0x0000000000400000-0x0000000000434000-memory.dmp

              Filesize

              208KB

              Download

            • memory/2616-1114-0x0000000000400000-0x0000000000434000-memory.dmp

              Filesize

              208KB

              Download

            • memory/2616-1849-0x0000000000400000-0x0000000000434000-memory.dmp

              Filesize

              208KB

              Download

            • memory/2616-3124-0x0000000000400000-0x0000000000434000-memory.dmp

              Filesize

              208KB

              Download

            • memory/2616-3309-0x0000000000400000-0x0000000000434000-memory.dmp

              Filesize

              208KB

              Download

            • memory/2688-27-0x0000000000010000-0x000000000002C100-memory.dmp

              Filesize

              112KB

              Download