Overview

overview

7

Static

static

3

12e7210413...ba.exe

windows7-x64

7

12e7210413...ba.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    126s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22/01/2024, 20:42 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    12e7210413bdc8bb948539e36445da8d9607a803eb29d9512d2eb035583ff0ba.exe

  • Size

    1.2MB

  • MD5

    197d0bf6264e56daf68f482df98ca74a

  • SHA1

    15c4e1204bae02e804d32e24f8946ffb1c8c6ed0

  • SHA256

    12e7210413bdc8bb948539e36445da8d9607a803eb29d9512d2eb035583ff0ba

  • SHA512

    6d96a2ed523ad2c131074037cf5b83e9edf0444e4873785dffb8963cdba02c75b620f8405386431bebcbc1baa3ed44e29b68906714956b5001842eab13e1d0cb

  • SSDEEP

    24576:e7tTp75vGetOrmT6VxjdP7mKf/el53YNEbqlrhV5L:e7QetOrmT6jpP7mK9EbKVL

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3336
      • C:\Users\Admin\AppData\Local\Temp\12e7210413bdc8bb948539e36445da8d9607a803eb29d9512d2eb035583ff0ba.exe
        "C:\Users\Admin\AppData\Local\Temp\12e7210413bdc8bb948539e36445da8d9607a803eb29d9512d2eb035583ff0ba.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:4716
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4594.bat
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2856
          • C:\Users\Admin\AppData\Local\Temp\12e7210413bdc8bb948539e36445da8d9607a803eb29d9512d2eb035583ff0ba.exe
            "C:\Users\Admin\AppData\Local\Temp\12e7210413bdc8bb948539e36445da8d9607a803eb29d9512d2eb035583ff0ba.exe"
            4⤵
            • Executes dropped EXE
            PID:2212
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:5020
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2968
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
                PID:344

      Network

      • flag-us
        DNS
        97.17.167.52.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        97.17.167.52.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        176.178.17.96.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        176.178.17.96.in-addr.arpa
        IN PTR
        Response
        176.178.17.96.in-addr.arpa
        IN PTR
        a96-17-178-176deploystaticakamaitechnologiescom
      • flag-us
        DNS
        75.159.190.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        75.159.190.20.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        75.159.190.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        75.159.190.20.in-addr.arpa
        IN PTR
      • flag-us
        DNS
        95.221.229.192.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        95.221.229.192.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        209.205.72.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        209.205.72.20.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        228.249.119.40.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        228.249.119.40.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        183.59.114.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        183.59.114.20.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        18.31.95.13.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        18.31.95.13.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        23.160.77.104.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        23.160.77.104.in-addr.arpa
        IN PTR
        Response
        23.160.77.104.in-addr.arpa
        IN PTR
        a104-77-160-23deploystaticakamaitechnologiescom
      • flag-us
        DNS
        0.204.248.87.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        0.204.248.87.in-addr.arpa
        IN PTR
        Response
        0.204.248.87.in-addr.arpa
        IN PTR
        https-87-248-204-0lhrllnwnet
      • flag-us
        DNS
        48.229.111.52.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        48.229.111.52.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        192.178.17.96.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        192.178.17.96.in-addr.arpa
        IN PTR
        Response
        192.178.17.96.in-addr.arpa
        IN PTR
        a96-17-178-192deploystaticakamaitechnologiescom
      No results found
      • 8.8.8.8:53
        97.17.167.52.in-addr.arpa
        dns
        71 B
         145 B
         1
        1

        DNS Request

        97.17.167.52.in-addr.arpa

      • 8.8.8.8:53
        176.178.17.96.in-addr.arpa
        dns
        72 B
         137 B
         1
        1

        DNS Request

        176.178.17.96.in-addr.arpa

      • 8.8.8.8:53
        75.159.190.20.in-addr.arpa
        dns
        144 B
         158 B
         2
        1

        DNS Request

        75.159.190.20.in-addr.arpa

        DNS Request

        75.159.190.20.in-addr.arpa

      • 8.8.8.8:53
        95.221.229.192.in-addr.arpa
        dns
        73 B
         144 B
         1
        1

        DNS Request

        95.221.229.192.in-addr.arpa

      • 8.8.8.8:53
        209.205.72.20.in-addr.arpa
        dns
        72 B
         158 B
         1
        1

        DNS Request

        209.205.72.20.in-addr.arpa

      • 8.8.8.8:53
        228.249.119.40.in-addr.arpa
        dns
        73 B
         159 B
         1
        1

        DNS Request

        228.249.119.40.in-addr.arpa

      • 8.8.8.8:53
        183.59.114.20.in-addr.arpa
        dns
        72 B
         158 B
         1
        1

        DNS Request

        183.59.114.20.in-addr.arpa

      • 8.8.8.8:53
        18.31.95.13.in-addr.arpa
        dns
        70 B
         144 B
         1
        1

        DNS Request

        18.31.95.13.in-addr.arpa

      • 8.8.8.8:53
        23.160.77.104.in-addr.arpa
        dns
        72 B
         137 B
         1
        1

        DNS Request

        23.160.77.104.in-addr.arpa

      • 8.8.8.8:53
        0.204.248.87.in-addr.arpa
        dns
        71 B
         116 B
         1
        1

        DNS Request

        0.204.248.87.in-addr.arpa

      • 8.8.8.8:53
        48.229.111.52.in-addr.arpa
        dns
        72 B
         158 B
         1
        1

        DNS Request

        48.229.111.52.in-addr.arpa

      • 8.8.8.8:53
        192.178.17.96.in-addr.arpa
        dns
        72 B
         137 B
         1
        1

        DNS Request

        192.178.17.96.in-addr.arpa

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
        Filesize

        251KB

        MD5

        c75db7d2a5de1b427890b95716df0c29

        SHA1

        766c65540536ca717cc13fba183b93c9b62764b8

        SHA256

        22e2ebff999ae3c16599f5c2b6d617ea152b47139aa9b67d6e4ffe3497a2b92f

        SHA512

        81f28c7226197d87fb49b72fdc899d39bdd0f5fdcc1803cd3976d1dfb8909d888d3814c29bf5b30f446940f3076c5227b1f22365ba7a1a8b5b194d4b3c7a3835

        Download Submit

      • C:\Program Files\7-Zip\7z.exe
        Filesize

        570KB

        MD5

        dad574dc885c341fcbc5d4c45c9c0c77

        SHA1

        fcd18e3f3310a87353506f7f09b774f3e5c39683

        SHA256

        8cb6c49965007baec775208b94e5c291131391f8d2872b19c99db5b06999b38e

        SHA512

        31422b994f71763ea2a7e5ecba391b9bacf1f6ccc1e75f0179f319ade400010ec63f16c7fc48c0a13622b2ce74123e1853c06873fa5f993463e854b2edb104bb

        Download Submit

      • C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe
        Filesize

        481KB

        MD5

        0c5536c6a3aefefb2d4cc1cfbb729119

        SHA1

        660b05e7c4543df8ec6d4e80d6c8f3c9d667bf8c

        SHA256

        297984cb1c691abf3614c0c64ed3ed1b8cbf2e2f2efae02e5392e110a717394c

        SHA512

        9f833ca254c2e29c8fa9fe95ebeb6d62a686b99dd6597761ffb2797a0b50daa531a483f6047b8bbb059c2f15abe19aa030e67d2c1198624633146d76aebc7da8

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\$$a4594.bat
        Filesize

        722B

        MD5

        3ed037f7d4e9dc7c4ea807506f5f8638

        SHA1

        403393db289267bef36781eac8bf2d1c4e681e43

        SHA256

        11846ad6851a229b42d9d08d5e1c935703607e8841b5a6ad48f3c2d5728bfdfc

        SHA512

        1d3294983a231033927ca512c8307a22cdb929323b5345cd181548bea5ad14aab484e432fef8b81cbf7e2e44f09fe26e0895ae35d13e1da69ac69c36e22f5272

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\12e7210413bdc8bb948539e36445da8d9607a803eb29d9512d2eb035583ff0ba.exe.exe
        Filesize

        1.2MB

        MD5

        da2926199d937e5e6dca8f15c189b9d3

        SHA1

        bee107a4524b3a54768c7a01da8d9cd441b6d7d1

        SHA256

        b3e408a3ab8f27a979dc6216f0177137edbf0b12aa0c9f0963a7d31cc30f4024

        SHA512

        bf089cd73a1a1f90ec4c865f782f35b2c421449567ceae68b8c4a52e844cd1f0c413902aa87e9c305d79ac09b03ff23c6481919a585d72218e8247e130756768

        Download Submit

      • C:\Windows\Logo1_.exe
        Filesize

        26KB

        MD5

        96561b006c0d21a4337e53c5d05029fd

        SHA1

        ec489e1d92b52c53662f28cd591d068d60b24b16

        SHA256

        a7af91485e93d2467d0dc2a1aafb6cda75418abdcae3b06302b78b943443b70c

        SHA512

        81d1a972660b01d771cba47f3ed7567acb94c448ce2a190783340a4bdf0808e8ccf53a1bbe46998596d90ff264b385d51203cfd71f22cd501cde040490725a2e

        Download Submit

      • F:\$RECYCLE.BIN\S-1-5-21-1168293393-3419776239-306423207-1000\_desktop.ini
        Filesize

        9B

        MD5

        627f23e6a85295eecfbaa9418a5501ac

        SHA1

        3aedd6b4b0d60e753e17c129fc49c6157fd013da

        SHA256

        f0b797dea0e5e1581d6d50754ef8f1f1a98209baa13b45563f349db53e3074ff

        SHA512

        54bb1e93614c2c878e83bfa7ddd9c646242251a7de1225c4d4672c0703720b901f6336233824c1df544d6ffda1d2dcccd1217035cfd55416ef3399b362abf950

        Download Submit

      • memory/4716-0-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/4716-8-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/5020-37-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/5020-32-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/5020-41-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/5020-10-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/5020-1002-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/5020-1165-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/5020-2071-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/5020-26-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/5020-4716-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/5020-19-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      We care about your privacy.

      This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.