Overview

overview

7

Static

static

3

d47c8e17db...56.exe

windows7-x64

7

d47c8e17db...56.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    16/04/2024, 04:12

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    d47c8e17dbda310c11b8f769b3421a7de3b48b5397706d0e45bd4fe569ee2856.exe

  • Size

    713KB

  • MD5

    685343f59bbf29ef174a21ceab8c49ce

  • SHA1

    6376efa7df6a519ac88388319213227409628881

  • SHA256

    d47c8e17dbda310c11b8f769b3421a7de3b48b5397706d0e45bd4fe569ee2856

  • SHA512

    c1d3f3ac571ccfaf0960458777ecdb9dd0cdbd645a555a870162f6539d5b9317047a3f08656b19a3f16b3298b874da551fb6d8c0a1f4e5efe687b0082e14ee80

  • SSDEEP

    12288:PfC6Aj+TN5uixZN+8rKhUdTC/wE1ZD0Ca5ZIXV:nLOS2opPIXV

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    PID:1288
    • C:\Users\Admin\AppData\Local\Temp\d47c8e17dbda310c11b8f769b3421a7de3b48b5397706d0e45bd4fe569ee2856.exe
      "C:\Users\Admin\AppData\Local\Temp\d47c8e17dbda310c11b8f769b3421a7de3b48b5397706d0e45bd4fe569ee2856.exe"
      2⤵
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:1908
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$a476C.bat
        3⤵
        • Deletes itself
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2788
        • C:\Users\Admin\AppData\Local\Temp\d47c8e17dbda310c11b8f769b3421a7de3b48b5397706d0e45bd4fe569ee2856.exe
          "C:\Users\Admin\AppData\Local\Temp\d47c8e17dbda310c11b8f769b3421a7de3b48b5397706d0e45bd4fe569ee2856.exe"
          4⤵
          • Executes dropped EXE
          PID:2672
      • C:\Windows\Logo1_.exe
        C:\Windows\Logo1_.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2956
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2648
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            5⤵
              PID:2544

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
            Filesize

            254KB

            MD5

            a036bc46b8f17b2af3637b788423d6b3

            SHA1

            f1ffdfb2ecf8ef1bfddcf0a2a42ac62c234bbf87

            SHA256

            bc659808d3143ea5818d3939662cc861ebc1b7d58c3dc08705017af49a700b1e

            SHA512

            b72703148c657255dc4f10b8b101f19385f0b487a503408b79d91bd1ace979e8374c938bf7d5bd590b1ef277b02837701252792b8b92917640591f27199aefe6

            Download Submit

          • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
            Filesize

            474KB

            MD5

            c14a5111b798cff20d7d66b0e035d409

            SHA1

            29f0894552b30815fed6ad231b5721e876869552

            SHA256

            fd6f57dc1b82f6301cbecbf9db5728a9a69b10e3edbf4f8a1dfef571c77a6cb6

            SHA512

            a4d8b74216c76fa3d48ab7300452725602bc6d5bcc0e6c23d458d65362cd24751f23755180ae69633090b172e95f18f225c0cb4a71dd1e050d8b3dff466e7f1b

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\$$a476C.bat
            Filesize

            722B

            MD5

            9f1e889df1d087168b56933b89a0e5d5

            SHA1

            cdecda0f61abd889c49fe381041508a5c42e0ddf

            SHA256

            136eb4a7da8e695d564af0a4e2b85c07a18822518fc22e6df9f94ab9ea55577c

            SHA512

            06e965eda64591fc6b171d122a00089e95e59af0775a545705e3a95e9846acdcddebc87b8b80caeae19e3de3cf3c91bc14aeaa6d2ac3ce66df1adc1b734d946c

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\d47c8e17dbda310c11b8f769b3421a7de3b48b5397706d0e45bd4fe569ee2856.exe.exe
            Filesize

            684KB

            MD5

            50f289df0c19484e970849aac4e6f977

            SHA1

            3dc77c8830836ab844975eb002149b66da2e10be

            SHA256

            b9b179b305c5268ad428b6ae59de10b4fe99cf0199bbc89b7017181905e97305

            SHA512

            877d852ea1062b90e2fd2f3c4dc7d05d9697e9a9b2929c830a770b62741f6a11e06de73275eb871113f11143faf1cb40d99f7c247862ffb778d26833ed5d7e38

            Download Submit

          • C:\Windows\Logo1_.exe
            Filesize

            29KB

            MD5

            3779b7c17bd509ec3a5074fe2d4b29d1

            SHA1

            03ad48fea32d38ae5b61e125aece75b5eb4e564d

            SHA256

            6e33fc0dcbafb1c8b0f74ba3d95f64c1240c4a6ebb3e93888c6324b81a722453

            SHA512

            28a8fa23da21f7a77aaecb5dcb1ad0cce08d1118ef8644276ff258c583d0ab102ec861f1fe623b856e36e65d04db3dfb7db3973b2e1b56eff136b965da26aead

            Download Submit

          • F:\$RECYCLE.BIN\S-1-5-21-406356229-2805545415-1236085040-1000\_desktop.ini
            Filesize

            9B

            MD5

            02ced53ce3f5b175c3bbec378047e7a7

            SHA1

            dafdf07efa697ec99b3d7b9f7512439a52ea618d

            SHA256

            485bb2341321a2837fd015a36963ea549c7c6f40985e165fd56c8a1e89b3f331

            SHA512

            669dde3ea8628704d40681a7f8974cf52985385c92a61a540c97c18c13eb4d451207ae171b2a56cd061cadbc90e672a84eb55111b1f5016846918d73fb075c99

            Download Submit

          • memory/1288-32-0x0000000002250000-0x0000000002251000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1908-44-0x0000000000220000-0x0000000000256000-memory.dmp

            Filesize

            216KB

            Download

          • memory/1908-16-0x0000000000400000-0x0000000000436000-memory.dmp

            Filesize

            216KB

            Download

          • memory/1908-20-0x0000000000220000-0x0000000000256000-memory.dmp

            Filesize

            216KB

            Download

          • memory/1908-0-0x0000000000400000-0x0000000000436000-memory.dmp

            Filesize

            216KB

            Download

          • memory/2956-43-0x0000000000400000-0x0000000000436000-memory.dmp

            Filesize

            216KB

            Download

          • memory/2956-50-0x0000000000400000-0x0000000000436000-memory.dmp

            Filesize

            216KB

            Download

          • memory/2956-96-0x0000000000400000-0x0000000000436000-memory.dmp

            Filesize

            216KB

            Download

          • memory/2956-102-0x0000000000400000-0x0000000000436000-memory.dmp

            Filesize

            216KB

            Download

          • memory/2956-233-0x0000000000400000-0x0000000000436000-memory.dmp

            Filesize

            216KB

            Download

          • memory/2956-1855-0x0000000000400000-0x0000000000436000-memory.dmp

            Filesize

            216KB

            Download

          • memory/2956-36-0x0000000000400000-0x0000000000436000-memory.dmp

            Filesize

            216KB

            Download

          • memory/2956-3315-0x0000000000400000-0x0000000000436000-memory.dmp

            Filesize

            216KB

            Download

          • memory/2956-21-0x0000000000400000-0x0000000000436000-memory.dmp

            Filesize

            216KB

            Download