Overview

overview

7

Static

static

3

bcaa52cac7...c1.exe

windows7-x64

7

bcaa52cac7...c1.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    14-01-2024 22:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bcaa52cac703a42fe13fb1a8e8640a5f9a1fd397fe1febb4413a832bc90f47c1.exe

  • Size

    88KB

  • MD5

    0f9a03adad8502ac57209b486eaf746f

  • SHA1

    59793e041534b72744869dff56d4523e01ec6412

  • SHA256

    bcaa52cac703a42fe13fb1a8e8640a5f9a1fd397fe1febb4413a832bc90f47c1

  • SHA512

    6cf1e41934bd51e266e80c0c84d6bc7dc3f20741122fc7d9137fadcac337d5cccc142b69517b4b731e3a187c31ca0d35306fd4ddc29b88540d135454d6b46ba1

  • SSDEEP

    1536:pKck3SHuJV9NralnvtMgFPpIjjvUG+PdUFuAoUOshm/qoK:pKckkuJVLsv3SHv1ydAOss/U

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1196
      • C:\Users\Admin\AppData\Local\Temp\bcaa52cac703a42fe13fb1a8e8640a5f9a1fd397fe1febb4413a832bc90f47c1.exe
        "C:\Users\Admin\AppData\Local\Temp\bcaa52cac703a42fe13fb1a8e8640a5f9a1fd397fe1febb4413a832bc90f47c1.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:2216
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\$$a46E0.bat
          3⤵
          • Deletes itself
          • Suspicious use of WriteProcessMemory
          PID:2956
          • C:\Windows\SysWOW64\InstallShield\setup.exe
            "C:\Users\Admin\AppData\Local\Temp\bcaa52cac703a42fe13fb1a8e8640a5f9a1fd397fe1febb4413a832bc90f47c1.exe" -isw64"C:\Users\Admin\AppData\Local\Temp\bcaa52cac703a42fe13fb1a8e8640a5f9a1fd397fe1febb4413a832bc90f47c1.exe"
            4⤵
              PID:2972
          • C:\Windows\Logo1_.exe
            C:\Windows\Logo1_.exe
            3⤵
            • Executes dropped EXE
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:2408
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:2764
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:2688

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
          Filesize

          254KB

          MD5

          22d003d3f5edc56ca7ec1e07f50145db

          SHA1

          0a831d187f1e656e29900a871039f9682f1e3f10

          SHA256

          db47539501bb96d6ee9207e3021c989985864c5426b907cf330de7aca5058c70

          SHA512

          d0919f9a98731cc619ac07836f5e4dd6d8793665909fdb1d9de526be6ed7bd787bbfb52034a8596304cee07ced99635e7e966a88b79b3244c0fc169025558367

          Download Submit

        • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
          Filesize

          474KB

          MD5

          25408b7ff8c885c99c0429788fcc1320

          SHA1

          e5a91f3984dd3569a32a8b82c95a5430e828eb75

          SHA256

          ce5b5c337e6b25e7ea60ab1a528dcf8c70e952761b99c47a5051a17aabd9462c

          SHA512

          680cfc4bbcf7859075dd43a4a4e3a41084cd3e4783ad3fb35f1d9ee1971a3324ef132f65bd8afd9e245eb2ffcd27e02b035f1f96a0a97a06c37b620849d68c15

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\$$a46E0.bat
          Filesize

          722B

          MD5

          6b80a64878a4dd78218a75609838111f

          SHA1

          df5f4fa5cd3bb7cda6bcafbf04065e0e1cedaae3

          SHA256

          ba7afda29efc6c29396fe2e36d02e8fc2b8d4de727aef9d0d53ce4e95c2b6ece

          SHA512

          4bd942dc7b57508381d8c37dfd0993d2b5cfca7107bf935d3191792b93aa09c0e116391b93b9fe3f05a3ffccb445297b1cd22e07b0c41fae428c37eafb447bfe

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\bcaa52cac703a42fe13fb1a8e8640a5f9a1fd397fe1febb4413a832bc90f47c1.exe.exe
          Filesize

          59KB

          MD5

          3e6786059721b2cd79665d5fbbed6a7c

          SHA1

          2260b5b2c565f5a8c03d5d418384538a315200ca

          SHA256

          dab500bb3283cecf0079891fe5082c9e4442e19b88e7cbec95f4d873a6bef968

          SHA512

          cd5e1bf4b51443df34e2e43b7e650ab42b852ea551fa6e3738efa7fe7a947610ef12ac729d60ab4b3bc38f13c82d5340513ef9cdd326d7eb57d0a2224cc2927a

          Download Submit

        • C:\Windows\Logo1_.exe
          Filesize

          29KB

          MD5

          d8bdfe1646d2659fdb23730409bf38ae

          SHA1

          887fb9da472efab54f9af265cd7da777b3430db6

          SHA256

          9e4d074cb14179eecfb995d1fb507779698cc72ed445596ee23b9daf6966512a

          SHA512

          feb8ed7223513c3c0ae9593a6d396944f69d51ede7f7dcef7eb8e401a1a5cdd5fe5f3dd54716c6810e5458f737ecb90ad9a4493add1bd196354e1bb284b12939

          Download Submit

        • F:\$RECYCLE.BIN\S-1-5-21-3308111660-3636268597-2291490419-1000\_desktop.ini
          Filesize

          9B

          MD5

          0b7b9562015af2b7e19efc062b59ee14

          SHA1

          bca831ddb43ecb24747e57434d4b443497801c21

          SHA256

          7ef40a98b77a81085c0a426908276cbaead1573daf25f79344d7b4502d953774

          SHA512

          bd3c5f0408ac0ad1b82734cc0c4aca5fa6c96c901307f2e85dc4ce6d1db5a91ac6f7e4794e84286813fd94c648665a94f3496e5d22f6b0f624af4b795871f5a3

          Download Submit

        • memory/1196-27-0x00000000021F0000-0x00000000021F1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2216-17-0x00000000020B0000-0x00000000020E6000-memory.dmp

          Filesize

          216KB

          Download

        • memory/2216-15-0x0000000000400000-0x0000000000436000-memory.dmp

          Filesize

          216KB

          Download

        • memory/2216-0-0x0000000000400000-0x0000000000436000-memory.dmp

          Filesize

          216KB

          Download

        • memory/2408-29-0x0000000000400000-0x0000000000436000-memory.dmp

          Filesize

          216KB

          Download

        • memory/2408-42-0x0000000000400000-0x0000000000436000-memory.dmp

          Filesize

          216KB

          Download

        • memory/2408-88-0x0000000000400000-0x0000000000436000-memory.dmp

          Filesize

          216KB

          Download

        • memory/2408-94-0x0000000000400000-0x0000000000436000-memory.dmp

          Filesize

          216KB

          Download

        • memory/2408-199-0x0000000000400000-0x0000000000436000-memory.dmp

          Filesize

          216KB

          Download

        • memory/2408-1847-0x0000000000400000-0x0000000000436000-memory.dmp

          Filesize

          216KB

          Download

        • memory/2408-36-0x0000000000400000-0x0000000000436000-memory.dmp

          Filesize

          216KB

          Download

        • memory/2408-3307-0x0000000000400000-0x0000000000436000-memory.dmp

          Filesize

          216KB

          Download

        • memory/2408-21-0x0000000000400000-0x0000000000436000-memory.dmp

          Filesize

          216KB

          Download