Overview

overview

7

Static

static

3

621414d6d4...7b.exe

windows7-x64

7

621414d6d4...7b.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    117s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    17-04-2024 22:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    621414d6d493aae06720a08a7a22780947eb23bc37e70c9443ac693947d6bc7b.exe

  • Size

    406KB

  • MD5

    5ae30351061c9e5679eb0423c9981f7a

  • SHA1

    eec332120c113baac932263f398d4300fc563a72

  • SHA256

    621414d6d493aae06720a08a7a22780947eb23bc37e70c9443ac693947d6bc7b

  • SHA512

    e0c9db57addb7408f273f2d28e4e7eec6a6651cdffbd8e46f70d5dc737a3bd48d6667b7597a33b709c2f06c764ff5724af312e103a912c46e13f2cea3b9af298

  • SSDEEP

    1536:rfgLdQAQfcfymN7tE2/lnC0k3AShxotQp/sfPbFzRfe849HT1nfCTUNS47Ku2+r9:rftffjmNBWp3O

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1204
      • C:\Users\Admin\AppData\Local\Temp\621414d6d493aae06720a08a7a22780947eb23bc37e70c9443ac693947d6bc7b.exe
        "C:\Users\Admin\AppData\Local\Temp\621414d6d493aae06720a08a7a22780947eb23bc37e70c9443ac693947d6bc7b.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:2240
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\$$a1A06.bat
          3⤵
          • Deletes itself
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:2216
          • C:\Users\Admin\AppData\Local\Temp\621414d6d493aae06720a08a7a22780947eb23bc37e70c9443ac693947d6bc7b.exe
            "C:\Users\Admin\AppData\Local\Temp\621414d6d493aae06720a08a7a22780947eb23bc37e70c9443ac693947d6bc7b.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:2392
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2504
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2520
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
                PID:2400

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
        Filesize

        251KB

        MD5

        ecbe6c927ab3cbcf2c2c402d5d597e04

        SHA1

        a2f7e672dcefa78ae5dc1bb78ad36a8120d48a34

        SHA256

        53cf317412fd2381d8ac6c948f6ffcb7a79a5c74334d35df36271fe6cd2bfb57

        SHA512

        88ff2f9724d26736872d4c88a032bee24a11d4cd39b465492d898c746e6a375064dd92e883ece9b24299d36510fa34d9123a0bbfd2c3768f22a6c8e45a09596a

        Download Submit

      • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
        Filesize

        471KB

        MD5

        4cfdb20b04aa239d6f9e83084d5d0a77

        SHA1

        f22863e04cc1fd4435f785993ede165bd8245ac6

        SHA256

        30ed17ca6ae530e8bf002bcef6048f94dba4b3b10252308147031f5c86ace1b9

        SHA512

        35b4c2f68a7caa45f2bb14b168947e06831f358e191478a6659b49f30ca6f538dc910fe6067448d5d8af4cb8558825d70f94d4bd67709aee414b2be37d49be86

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\$$a1A06.bat
        Filesize

        722B

        MD5

        2dd88456a0f987499d8c540739fd2b8d

        SHA1

        bf82b78f443498252a1eab38a72b00400500e592

        SHA256

        e4ccf617fd5c29f18266539c9d1fcc3e5ad3cd72da45af9c8f294f46c7121593

        SHA512

        e7abea07a9453351627ea9b9ec0cf56a5a3ed46c27dd9067ce0547634d730dce0cee0f16e9a2e600dad72d310b04abf8def999f5573840a8f1f081140c7689d3

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\621414d6d493aae06720a08a7a22780947eb23bc37e70c9443ac693947d6bc7b.exe.exe
        Filesize

        380KB

        MD5

        30e05d0608f2c093652daa63b9bdca0d

        SHA1

        292502367acde00a7142f0bd1e6c72ce4c5fda38

        SHA256

        27ed82408b8a50c2f519fdb9ee1b0dae81011dcac329056f35ab95b3c0b3615d

        SHA512

        70932e45554803385ba8319bbc4970418a89a575a5592733d26f9becb71ff23043a3da1c6a82b6a71cc17bf2c6bdc5eea4012dcf6491ac0861d5b05c03dbdae1

        Download Submit

      • C:\Windows\Logo1_.exe
        Filesize

        26KB

        MD5

        acbc425191d0ec217d1584403dbde066

        SHA1

        2566fadcc3d541286f3ae42bff1b14350b76647c

        SHA256

        1076bd2f64ea7edbe6e034efe3f6cf8dbabbe6d79b19040687e95c70e4ea8efd

        SHA512

        a5616aa2224f02faa6f18ba965b000b47fb7cff2ca77851f5518168955d4209f6d7a94e31e65b530d19b26cbf4bac12274df77593f23d0587b9e960abf3e3e11

        Download Submit

      • F:\$RECYCLE.BIN\S-1-5-21-3452737119-3959686427-228443150-1000\_desktop.ini
        Filesize

        9B

        MD5

        2be02af4dacf3254e321ffba77f0b1c6

        SHA1

        d8349307ec08d45f2db9c9735bde8f13e27a551d

        SHA256

        766fe9c47ca710d9a00c08965550ee7de9cba2d32d67e4901e8cec7e33151d16

        SHA512

        57f61e1b939ed98e6db460ccdbc36a1460b727a99baac0e3b041666dedcef11fcd72a486d91ec7f0ee6e1aec40465719a6a5c22820c28be1066fe12fcd47ddd0

        Download Submit

      • memory/1204-32-0x0000000002520000-0x0000000002521000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2240-17-0x00000000005D0000-0x0000000000604000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2240-0-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2240-15-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2504-34-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2504-47-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2504-93-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2504-99-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2504-977-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2504-1852-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2504-41-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2504-3311-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2504-21-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download