Overview

overview

7

Static

static

3

a5dfbb7f18...86.exe

windows7-x64

7

a5dfbb7f18...86.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    28-02-2024 20:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a5dfbb7f1866d2b15adee689cc4bdfcaccdb5f71611903cbf9936a969a528a86.exe

  • Size

    933KB

  • MD5

    b8f29f83d698c7c053f61e25ead1ce8d

  • SHA1

    7b27c1132ecb426d42058e7e41e6d336c994c2ff

  • SHA256

    a5dfbb7f1866d2b15adee689cc4bdfcaccdb5f71611903cbf9936a969a528a86

  • SHA512

    f49150e31ed34f4d1322bd8676574538ec9292b9e2b75484119bf723a73968410e9cc8fea2f92d9ffffef088997bb519c2cfc070145b7168c60a2e86094b77fa

  • SSDEEP

    24576:2JN9GENWyYHf2T9TWZxyy2bzuRlqxWYdMD:2X9ZWyEIJWmy2vuRlCeD

Score
7/10
evasiontrojan

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 3 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1208
      • C:\Users\Admin\AppData\Local\Temp\a5dfbb7f1866d2b15adee689cc4bdfcaccdb5f71611903cbf9936a969a528a86.exe
        "C:\Users\Admin\AppData\Local\Temp\a5dfbb7f1866d2b15adee689cc4bdfcaccdb5f71611903cbf9936a969a528a86.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:2208
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\$$a2923.bat
          3⤵
          • Deletes itself
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:2648
          • C:\Users\Admin\AppData\Local\Temp\a5dfbb7f1866d2b15adee689cc4bdfcaccdb5f71611903cbf9936a969a528a86.exe
            "C:\Users\Admin\AppData\Local\Temp\a5dfbb7f1866d2b15adee689cc4bdfcaccdb5f71611903cbf9936a969a528a86.exe"
            4⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:2468
            • C:\Users\Admin\AppData\Local\Temp\wps\~f762ba2\Au_.exe
              "C:\Users\Admin\AppData\Local\Temp\wps\~f762ba2\Au_.exe" /from="cmd.exe"
              5⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Checks whether UAC is enabled
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious behavior: GetForegroundWindowSpam
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:2548
              • C:\Users\Admin\AppData\Local\Temp\wps\~f762ba2\Au_.exe
                "C:\Users\Admin\AppData\Local\Temp\wps\~f762ba2\Au_.exe" -downpower /from=cmd.exe -msgwndname=uninstallsend_message_F762C6D
                6⤵
                • Executes dropped EXE
                PID:2508
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:3052
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2564
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
                PID:2740

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
        Filesize

        251KB

        MD5

        00e4327e4b6292cf798d7667fcf8eefe

        SHA1

        6bd7f7ed03db7fe5cfff4692b5289b7eea868158

        SHA256

        8917644b69dc6f215faa72435d9b96b61c07c41805cb5d76061cc2452de83996

        SHA512

        3de0625da4e68d1dee3c93162909824dac255d96734264c6a9b9119cd8398a146d5f738926a160327c919706a2cff33f3a58f00143b0367f84ffedb53ba41a0e

        Download Submit

      • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
        Filesize

        471KB

        MD5

        cd063a49bae945a38047d1627588ee01

        SHA1

        1608915d38130f68d3398c174f206dc073814e7b

        SHA256

        ae8ed667c2ef87a5a30302264032701269ee5821aa6b33343ceb404257709f38

        SHA512

        c789f3def7d88f776b609be95f98a0876f7b1126586603e77ade5554f8538acd22608484ef9978ee6e2e9214393e4c8d3c48ac22ff7ecae9a8dba9fa7cd7a39b

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\$$a2923.bat
        Filesize

        722B

        MD5

        83f4e1aaab5a7eebd8bbc1900299a930

        SHA1

        23aee17b23a49a2808aee4563f396fa7dd52f16d

        SHA256

        c8f4a0a42d323fce032b66d63bf49e671274071452004ca2d24d44551efa41ea

        SHA512

        cf95680bbed814e49adc93def991be78b93f570b174955ae0624bc9926edc210dd8e342f002da1e4958cfd7bdb6849ce384a3f3a5f9ea933079605dd84029933

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\a5dfbb7f1866d2b15adee689cc4bdfcaccdb5f71611903cbf9936a969a528a86.exe.exe
        Filesize

        906KB

        MD5

        d7b8ea84af8f998b7f344889d2e112d9

        SHA1

        99b7c68d38ccc7a8c6cee171679100d316bbfcc0

        SHA256

        d2df31a05e5c1e1b9869270157eac5f475998d17defb961072d9e1dca5cdd70c

        SHA512

        bf479b26f7752159508090643e38ba99a9f506b59485e961f00befa4dced1cf59b4a00dddf89448caddb30e044258f68ee0253f1cc56b406de99ccd7c25f53b9

        Download Submit

      • C:\Users\Admin\AppData\Local\tempuninstall.ini
        Filesize

        161B

        MD5

        0820124c60e4f985ccf7798177b8ab12

        SHA1

        bf9c3dca7e71d60381146e1f71aea41f93e165df

        SHA256

        daf958fe8a43090d39d07c9d31a0c5c5223cc340e54a1205046524af2703353f

        SHA512

        22caeeb292197fc94d80f49c5251cc6db2ced8569905a5a5b03dc30ed8c158fbb4aecd340daf896e9c043255d658a9b0b1aef6f56ef3150275c4a7dbb740fb28

        Download Submit

      • C:\Windows\rundl132.exe
        Filesize

        26KB

        MD5

        3030179dc0c4ffbe720135ca0fd6a872

        SHA1

        dffac6c5ec0d5dc259018febe37645089a808d34

        SHA256

        f041faf839a587f7ca878c16c03e4ff64d6158e30548196c53cfbc2ad076515b

        SHA512

        b2017915ff651a5e23a2946cbfa50931725df05a2f6953d7f876cb58619c4be933464c905c0c4c83e1981973181f95d085b2e4ab77c271dab577d71829c4a1e8

        Download Submit

      • F:\$RECYCLE.BIN\S-1-5-21-1298544033-3225604241-2703760938-1000\_desktop.ini
        Filesize

        9B

        MD5

        20579de1c6702ea14f25df921a00274b

        SHA1

        fc7299007b5fb0580c7a3ef6ae0efd8aaf80a35f

        SHA256

        3eb24c26a19e67d7f499ccb30f78fc29bee126bafd13f41470223c1b8f2e1e4e

        SHA512

        e9a21ede4321b86e5d215d41321741f8db22b9eb92c1325026182c688311d5134041102a194d670abcbd182d2c91d5180ac9b7c9daaf9e41109a3b3d8e3c3d81

        Download Submit

      • memory/1208-83-0x00000000025D0000-0x00000000025D1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2208-0-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2208-15-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2208-16-0x00000000002B0000-0x00000000002E4000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2508-51-0x0000000000220000-0x0000000000221000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2548-95-0x00000000005F0000-0x00000000005F1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2548-75-0x00000000005F0000-0x00000000005F1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3052-87-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/3052-101-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/3052-147-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/3052-153-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/3052-1905-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/3052-94-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/3052-3366-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/3052-21-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download