Overview

overview

7

Static

static

3

76a2757ec3...c7.exe

windows7-x64

7

76a2757ec3...c7.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    11/03/2024, 18:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    76a2757ec36abb133a6018797885ddfa5c28c3dd8551f1821e3c4b0f1e67e6c7.exe

  • Size

    542KB

  • MD5

    02b17ad28e07b9196d099e37c9939f77

  • SHA1

    14a5622bc30a2e14d4b2cf2a99df90bf66177b64

  • SHA256

    76a2757ec36abb133a6018797885ddfa5c28c3dd8551f1821e3c4b0f1e67e6c7

  • SHA512

    d2200a00d5328095eed81242b2e1c8e2434e7d300890d7d5850ec12955f8ce20c0e795728353253332ce274f52a887e849944c548275698d64c2cfa1e2788e26

  • SSDEEP

    6144:59TuJ/HvEm10k9mqI9PZJroJIxXY720DRaOOcnR2m9Xlqkuxl:fa50k9mnRT0JIxQ4Obkxl

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1136
      • C:\Users\Admin\AppData\Local\Temp\76a2757ec36abb133a6018797885ddfa5c28c3dd8551f1821e3c4b0f1e67e6c7.exe
        "C:\Users\Admin\AppData\Local\Temp\76a2757ec36abb133a6018797885ddfa5c28c3dd8551f1821e3c4b0f1e67e6c7.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:2388
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\$$a1803.bat
          3⤵
          • Deletes itself
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:2348
          • C:\Users\Admin\AppData\Local\Temp\76a2757ec36abb133a6018797885ddfa5c28c3dd8551f1821e3c4b0f1e67e6c7.exe
            "C:\Users\Admin\AppData\Local\Temp\76a2757ec36abb133a6018797885ddfa5c28c3dd8551f1821e3c4b0f1e67e6c7.exe"
            4⤵
            • Executes dropped EXE
            PID:2612
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2560
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2752
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
                PID:2584

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
        Filesize

        254KB

        MD5

        568f17750238ab463c745953a303648a

        SHA1

        25e9de37d6edb52c584c442e4f93a0448b4b37d4

        SHA256

        5351b82387339c78b116a077f2ba633da2a6fef86a165d92bfe28c2c3770ac81

        SHA512

        9034bc060e8155e07009d2142830f03b29c50525232fa1719038eae4fc742d460c5dad7b7fdd6957264c338072fbe71193a23d994510dc809ae240023b9f1ed3

        Download Submit

      • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
        Filesize

        474KB

        MD5

        82d95ff3c368229d3ecd547bfc2e95e4

        SHA1

        05c2c8065f243260792924168f85c614057119e8

        SHA256

        5fd8262ebaf159fa1ba5a2b80dad6f98477d1f549a651fc1a327f0dd207f2fdb

        SHA512

        27815b93d6070f7026c23ceac6210a78e694616d6a6a2012369b271e2d2ec986438f80dd3a29db4c4419b08084cb5a5914af216177669b86d8e2ae7184691699

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\$$a1803.bat
        Filesize

        722B

        MD5

        d850a2e801e2d9db26efc02e91a2c32f

        SHA1

        a237495ced80a2c37f16c9c94d0e5149bdd7ffeb

        SHA256

        489230f56b9cd41e82a7acd41ff7fbe8d9f22e2751480cc080e1b1897bb389e3

        SHA512

        91622294f4031e4b86a2f0e53f9b33afd69d79b627105c30b665287d67377a6dba11345f80804daf217f1c6713eda6c0b6b1d6ae0dbac5e054c1a20e676d900b

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\76a2757ec36abb133a6018797885ddfa5c28c3dd8551f1821e3c4b0f1e67e6c7.exe.exe
        Filesize

        513KB

        MD5

        d5d7bb2df540e82f2692509ea89dd0c3

        SHA1

        0a000893482fdefc9adf9011df6a63368653f599

        SHA256

        d8597c0794ff1bd674698d44d755207227d24a1ea1325215364e9976ee594889

        SHA512

        dc80a747160d0948bad9ff0ba3b5bcc1dc05bc8a2d41f3bef46b3d4610fc105f7d7d62a79e99fed8ecbeba38d06c3ed90f1005bfd55db2547b86b58f9593d899

        Download Submit

      • C:\Windows\Logo1_.exe
        Filesize

        29KB

        MD5

        886eb3bf6157b45d4a041e1e32608c70

        SHA1

        f476a007366ac0349789b0e803ec46be523f457a

        SHA256

        a0e9eac517b54fe732db8bf9ceeb76c64a43e2e53bfd18b5a4ab0f8475f3873b

        SHA512

        6e978385b23d3054695eaf2209e92591a667ccbde747f69cb63ae28f2db3a362d136bf16afb41ceb8eb304161cc698853f9cb825a26cc683e9a693d07c190fca

        Download Submit

      • F:\$RECYCLE.BIN\S-1-5-21-2297530677-1229052932-2803917579-1000\_desktop.ini
        Filesize

        9B

        MD5

        bee060a5a21c2ee336a3be2d621d820c

        SHA1

        ab3e106aded9b1727cf8ef31b2368c277ab43323

        SHA256

        d40238bc26383b924d6c44505dc8ce65209cdd27a9b97bc0ec499815a11c40e5

        SHA512

        89063c16782ace7c04ffbf362bde459836dbdaa3c2e323e8fe082b6956ada4680dde30e24d28d62bff9ab3cf9364e3b06e7e482e5fe953fa85728d6d7ac59b37

        Download Submit

      • memory/1136-28-0x0000000002D10000-0x0000000002D11000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2388-0-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2388-15-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2560-20-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2560-43-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2560-89-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2560-95-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2560-534-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2560-1848-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2560-2155-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2560-37-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2560-3308-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2560-30-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download