Overview

overview

7

Static

static

3

3691cc4258...28.exe

windows7-x64

7

3691cc4258...28.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    17-04-2024 17:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3691cc42581364fd58028cce328b3a95e83c20d6225678604be3863f3fb30328.exe

  • Size

    621KB

  • MD5

    0d8e96bfddef5b2245fdbed1c653e805

  • SHA1

    8bfc2d377fccb9773e3cd58a6305b372dab42cf4

  • SHA256

    3691cc42581364fd58028cce328b3a95e83c20d6225678604be3863f3fb30328

  • SHA512

    d61db6b35bfd7431eb68d221c5c16027b9fd09d10d93b72f31b36c76025588c3684d6beaeea0002321e57d249d8fda3f250ebf7d16b80d7a60d88fb5522c26a3

  • SSDEEP

    12288:D7+Fp/PosBegQm9kJZjxnIG4ZQjH0ejJsbk4usOuF2yHuwd:D7wdPo5mmZVFWksl8Xg

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1280
      • C:\Users\Admin\AppData\Local\Temp\3691cc42581364fd58028cce328b3a95e83c20d6225678604be3863f3fb30328.exe
        "C:\Users\Admin\AppData\Local\Temp\3691cc42581364fd58028cce328b3a95e83c20d6225678604be3863f3fb30328.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:1880
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\$$a5AFC.bat
          3⤵
          • Deletes itself
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:2540
          • C:\Users\Admin\AppData\Local\Temp\3691cc42581364fd58028cce328b3a95e83c20d6225678604be3863f3fb30328.exe
            "C:\Users\Admin\AppData\Local\Temp\3691cc42581364fd58028cce328b3a95e83c20d6225678604be3863f3fb30328.exe"
            4⤵
            • Executes dropped EXE
            PID:2740
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2572
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2636
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
                PID:2232

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
        Filesize

        251KB

        MD5

        6712f70a805d41de3b97fa9aa090de49

        SHA1

        27ac4365f69e50329a6327c8b0a227f252c10018

        SHA256

        7d18eaefb75d42d99306538038d93fd002678b87709efae10ee85bdd1befae3c

        SHA512

        1835b2fdbc1064a1ba086412eebb9d9727da67ae71bf3c73a048b53edee7aa627d4fd0f932720d6357dade9704840bc33c026ecf95e5ae53992fb2f4f973ad26

        Download Submit

      • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
        Filesize

        471KB

        MD5

        4cfdb20b04aa239d6f9e83084d5d0a77

        SHA1

        f22863e04cc1fd4435f785993ede165bd8245ac6

        SHA256

        30ed17ca6ae530e8bf002bcef6048f94dba4b3b10252308147031f5c86ace1b9

        SHA512

        35b4c2f68a7caa45f2bb14b168947e06831f358e191478a6659b49f30ca6f538dc910fe6067448d5d8af4cb8558825d70f94d4bd67709aee414b2be37d49be86

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\$$a5AFC.bat
        Filesize

        722B

        MD5

        4a8168d2c34bd1a2a7f9b404c63e7f7b

        SHA1

        d13819345702ae3ee64cb019a5f857918e14a8aa

        SHA256

        6e97ad96ad8bcce448e823ee0f9c7aaa6761047446241c79dfb8d7c08630b8ab

        SHA512

        ca9d8ff624246076fe3922521c51b9adfbe586d7acdc0f1e35f00857334883130845a06fbb6477891b46a1fdc7a812cb1cb2c4f08cd91e69c02961e0bfdc6695

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\3691cc42581364fd58028cce328b3a95e83c20d6225678604be3863f3fb30328.exe.exe
        Filesize

        595KB

        MD5

        35a4ad489243e3a41cc0e41cdbd095b0

        SHA1

        979593ac9e6d6d19a0efbe2a5315d87bad1c1301

        SHA256

        36581d4fd6d83f492cac6fdf1aae837a3e5719814de61bab5536717f07d2bc23

        SHA512

        4e6b7b98540f8d92e4a8deff7c76c3eeeba7dbff3a24a1df7853548c9fea3521e83eb161b9112b18b26575e8ac03bda982da110e0939fa48abaf7c5a7a876fab

        Download Submit

      • C:\Windows\Logo1_.exe
        Filesize

        26KB

        MD5

        69d997f03780a8859aa3c4cbbfeffe22

        SHA1

        5413181661ca2fe7b8063f42a2fbe4f63ccc741e

        SHA256

        8347ef9bac900f69a3a9eaecf994853f0e80eb5c4bb2b1dab645dd6093a49ef8

        SHA512

        4eac6746dcd137fa91d096093e5248b11c530c6ad1125136c862f089e89ee65eefe89a0d5ffba3cf20e914ea05c1b8999dadf4a07ba9a35ffd48c52892051fd2

        Download Submit

      • F:\$RECYCLE.BIN\S-1-5-21-3787592910-3720486031-2929222812-1000\_desktop.ini
        Filesize

        9B

        MD5

        2be02af4dacf3254e321ffba77f0b1c6

        SHA1

        d8349307ec08d45f2db9c9735bde8f13e27a551d

        SHA256

        766fe9c47ca710d9a00c08965550ee7de9cba2d32d67e4901e8cec7e33151d16

        SHA512

        57f61e1b939ed98e6db460ccdbc36a1460b727a99baac0e3b041666dedcef11fcd72a486d91ec7f0ee6e1aec40465719a6a5c22820c28be1066fe12fcd47ddd0

        Download Submit

      • memory/1280-30-0x0000000002A90000-0x0000000002A91000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1880-41-0x0000000000220000-0x0000000000254000-memory.dmp

        Filesize

        208KB

        Download

      • memory/1880-15-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/1880-21-0x0000000000220000-0x0000000000254000-memory.dmp

        Filesize

        208KB

        Download

      • memory/1880-0-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/1880-16-0x0000000000220000-0x0000000000254000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2572-22-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2572-47-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2572-93-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2572-99-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2572-261-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2572-1852-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2572-40-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2572-3312-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2572-33-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download