Overview

overview

7

Static

static

3

13b50062c5...67.exe

windows7-x64

7

13b50062c5...67.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    23-02-2024 18:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    13b50062c59c817eeb93fc9fe50b43595b537a40aa18f3d12f2f5ba389218b67.exe

  • Size

    1.5MB

  • MD5

    d66053fc3341ec49521bb008a56e13b3

  • SHA1

    5ca1c63da94631735373223ae40c4fa4cbb9505f

  • SHA256

    13b50062c59c817eeb93fc9fe50b43595b537a40aa18f3d12f2f5ba389218b67

  • SHA512

    7ff67562c7fc81617a99c30a42ff538984ac769906b317585ad13fa0d2f3cce2629c75b05f0b654bda9e5b1e1d621f6e6492a280ff8c19593658e8373187b7ac

  • SSDEEP

    24576:oj7Qyl1u7cftBwMIrQeuuGUcrXT9GFWpiZ8eFDhrWBvO0yjm0Eeek:67ojMrXTgFW0CeFDhrwvoek

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 8 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Program crash 1 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1364
      • C:\Users\Admin\AppData\Local\Temp\13b50062c59c817eeb93fc9fe50b43595b537a40aa18f3d12f2f5ba389218b67.exe
        "C:\Users\Admin\AppData\Local\Temp\13b50062c59c817eeb93fc9fe50b43595b537a40aa18f3d12f2f5ba389218b67.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:2248
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\$$a7E06.bat
          3⤵
          • Deletes itself
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:1940
          • C:\Users\Admin\AppData\Local\Temp\13b50062c59c817eeb93fc9fe50b43595b537a40aa18f3d12f2f5ba389218b67.exe
            "C:\Users\Admin\AppData\Local\Temp\13b50062c59c817eeb93fc9fe50b43595b537a40aa18f3d12f2f5ba389218b67.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:2620
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 2620 -s 248
              5⤵
              • Loads dropped DLL
              • Program crash
              PID:2604
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2940
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2576
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
                PID:2500

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
        Filesize

        251KB

        MD5

        aeb069adcbfda1491d76c00c205f8b3c

        SHA1

        e57c21f18dbcd4c6fa2f044dd2cbd5c2ad2dbe36

        SHA256

        e1abd7c73068925ef6f6906db37c5a1648c1ab0992f06c47f0fe5ad51756afcc

        SHA512

        ba8c1f500d0ee704ba55b13fbaf50d70bac18de4def90ac3c5fd90adc298b8d314eb69a11ac5b4efa78d2ece2b524d8ee0a6566c9b3713356fb2610a17d3ef25

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\$$a7E06.bat
        Filesize

        722B

        MD5

        c77be3bd5ae9a3b2bd6be0adea258267

        SHA1

        1ce2b7a45a674f23c1e6426fe1ed2e7a51699306

        SHA256

        fffe19ba1dfb64107a2d22cb1690e124ae6ea320b10e14b0cc9bd76754ee7c93

        SHA512

        d6713664782e1a88de755abc8a80b2f153b87cf6969c1eac09f8bf3ebacf4214ec645a74e0b3c22000103589e628e2824cf04a8b2dabc6160e865cf29e623328

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\13b50062c59c817eeb93fc9fe50b43595b537a40aa18f3d12f2f5ba389218b67.exe
        Filesize

        1.4MB

        MD5

        8d9df6cd18efc65cd45e078c466b4174

        SHA1

        9fd75e1be8184b8369afe0e0b50d55a858a0230f

        SHA256

        65f6b83c5a389c43f02ff356f7c2eaa4bd48b8cbd1da7aca19002966f26f18c2

        SHA512

        0e1e8082c2455cd70aa494981671d99906e712761a14a4085e24817e34dd147b6fb0e087d0f6bb82b3eb005da5bcd5fcfece6c43d79bfdf7854e9a1b6b3781f3

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\13b50062c59c817eeb93fc9fe50b43595b537a40aa18f3d12f2f5ba389218b67.exe.exe
        Filesize

        1.5MB

        MD5

        5a92913765d0363713a5ab9b93a99161

        SHA1

        6dd616093e601c59afd3750a3a6c6cd136fa570a

        SHA256

        5d677e6d02b9fd815f2d536b65da46e809eb9209e534c9accd0333726eb5db71

        SHA512

        72a4d7823fdf60387cba2f244844c4868d53574492c1312ccdb28865d16456c6c8968a56452690edba3763a1da1ca4bcb2a1513f3b1c94487063a4219b80e41f

        Download Submit

      • C:\Windows\rundl132.exe
        Filesize

        26KB

        MD5

        87ff48e9d7eb3205fc1ac497dac87d3c

        SHA1

        7a0ecfa28b8d30ade1775aae68586a4a94a08377

        SHA256

        06af54c48a12dce50cfdad33d0ec7b710329c9d690644be5d2184b9b1c903ad9

        SHA512

        ff1a42da2c0fb4d7c4dddab6952fd373c784758aecee9e635f28af265f7a3500818f94ceedd90c365bda9a0f131c097a38f969eddc605b7499d5d31f6741173f

        Download Submit

      • F:\$RECYCLE.BIN\S-1-5-21-330940541-141609230-1670313778-1000\_desktop.ini
        Filesize

        9B

        MD5

        d69146fa3f15be895e219a620fdd153b

        SHA1

        fa21485227046ccf2d7638b4236f749862dd4b64

        SHA256

        406651396485eef0c407fc8241aeaa805a311294cdf7abb18ca20e8540694652

        SHA512

        b0509216c0bd6ad432374c98f3fc2f2919d9353e4bccf510b20e0cbbf8a0fdf77ccdeff786df0305f83f22865794cc675537e51de5a1478fc8431999566701c0

        Download Submit

      • \Users\Admin\AppData\Local\Temp\13b50062c59c817eeb93fc9fe50b43595b537a40aa18f3d12f2f5ba389218b67.exe
        Filesize

        1.0MB

        MD5

        171810d060de574ffc9fde429c899139

        SHA1

        7040deff0b0cd234505265e0626bf27ed56d6fca

        SHA256

        efd7e24e7d5c4aec7e6cd5fd63569b4c6df79ad7a3215c5b91f02eed6ee4d5f3

        SHA512

        1c2093bd5bdabdf564ecba0ad78815be60638fb0192588f2345112b418f15a05bb3c15712414e5fdf7efa030c07e4cbd7e359589db80cc91d610917631e908c0

        Download Submit

      • memory/1364-36-0x0000000002600000-0x0000000002601000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2248-46-0x00000000002A0000-0x00000000002D4000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2248-16-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2248-15-0x00000000002A0000-0x00000000002D4000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2248-0-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2940-38-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2940-45-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2940-52-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2940-98-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2940-105-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2940-293-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2940-1857-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2940-21-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2940-3317-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download