Overview

overview

7

Static

static

3

9bc6523996...72.exe

windows7-x64

7

9bc6523996...72.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    157s
  • max time network
    177s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18/04/2024, 02:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9bc6523996e66453589e1b9a2e25ce77e32f722440e9efeeb2d6dcce91beba72.exe

  • Size

    242KB

  • MD5

    bf0f9de0f764ec04473536f4897851c0

  • SHA1

    c488e58f545a005728b1551e7284c5affc7b565d

  • SHA256

    9bc6523996e66453589e1b9a2e25ce77e32f722440e9efeeb2d6dcce91beba72

  • SHA512

    c1c8c297e2c80449421d98df1bbf7ea4042145b65817802e9b872e60f980671bed0e7577a404f1700848c2c09f710595b172f5ecf3a44f2e2edc08aeabf239e9

  • SSDEEP

    3072:aftffjmNaB4TNcQPaHy4V8y47vRNZ2ix45eN9woY46x6gcf3IUkRxGAiY4x:aVfjmNaBUZPaS4VF4T52iW3ohgoA8

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3488
      • C:\Users\Admin\AppData\Local\Temp\9bc6523996e66453589e1b9a2e25ce77e32f722440e9efeeb2d6dcce91beba72.exe
        "C:\Users\Admin\AppData\Local\Temp\9bc6523996e66453589e1b9a2e25ce77e32f722440e9efeeb2d6dcce91beba72.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:2644
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8C71.bat
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1208
          • C:\Users\Admin\AppData\Local\Temp\9bc6523996e66453589e1b9a2e25ce77e32f722440e9efeeb2d6dcce91beba72.exe
            "C:\Users\Admin\AppData\Local\Temp\9bc6523996e66453589e1b9a2e25ce77e32f722440e9efeeb2d6dcce91beba72.exe"
            4⤵
            • Executes dropped EXE
            PID:4796
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:436
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:1368
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
                PID:2436

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
        Filesize

        251KB

        MD5

        533ce215a7c274602dc456ca375cef93

        SHA1

        76c502d7c45eca3fd96f6b04eb850e751bc785dd

        SHA256

        d70c9f73bbeed5cbc0df4a4d14bae68789f84d8092281337d2919322b288ce9c

        SHA512

        09d9dee36c48567921de4b7c31c4a822d5f9ed5e0b1cb0330031b320f40b5ba9b15e89dc37d52561094642c0ff16c14d32e81ed5b1dac06150fefbbd6f3365bf

        Download Submit

      • C:\Program Files\7-Zip\7z.exe
        Filesize

        570KB

        MD5

        e3cafc7557cf7a03b7d8dac8da969d35

        SHA1

        b78ea56fb133598f5cc60176d0d6fafbfde5d966

        SHA256

        edbd4ee1f536fbb25d4920792aed7d91b26b1629fcebad22ca41b69b271595de

        SHA512

        c46a3a9b014a7d158585799590f2c17ce40e0eac938589f0da2b3476f444419925312be8caba3dbde3f7a4b5466062ca319d8f2ab0d10ae6b516ba4fc30b144e

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\$$a8C71.bat
        Filesize

        722B

        MD5

        f2ccd0be59ab3ce71d8ac3d32be1645d

        SHA1

        fd1ca80723f474f15561d82e9b0e61f230f92331

        SHA256

        b5f3d901a4e827c6ec5f4a77feb8a54c9c5518cf4a99a0629f8b2863ee0e3df5

        SHA512

        c053799a05b20e3fb4b41f69636831f01a49d416cdc9aa99f28ad28eee1e6cd13c86362c030e8d010a98b9842fe57cbd099602bee4dd3c8c87a0cb52ce098c87

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\9bc6523996e66453589e1b9a2e25ce77e32f722440e9efeeb2d6dcce91beba72.exe.exe
        Filesize

        215KB

        MD5

        23a351591308d49bfe2625d302820715

        SHA1

        4787ceafc8492b09f85a1c8abb7e5d0c07f52e96

        SHA256

        7610b2c0bf22563e850e185864d9244eee94c853e6595cd18ac59b6d603af651

        SHA512

        cb266826f6ca3de75968dffebd2a3b480fd3348fa1c0b972851f1008540285cf93158555448446fb8b83f1fbff726221e05a3a18b11da0518ad65283d8eb8247

        Download Submit

      • C:\Windows\Logo1_.exe
        Filesize

        26KB

        MD5

        925efa8e6ec043b04fdaf9e6c9f95b9f

        SHA1

        4bb883e016bdeecc3f21b562df6364944b777ae3

        SHA256

        6513ef9968b68f982fb83460b5919e55470f514db71c3831c2ea5c7b3a2721db

        SHA512

        bf4978b5b10932de14d0c64566768708331f89a815f153323173506aecc296236a22d387b5caceba100c72b44e6b870e879f7350f1abce413bb92d54e70b133e

        Download Submit

      • F:\$RECYCLE.BIN\S-1-5-21-3198953144-1466794930-246379610-1000\_desktop.ini
        Filesize

        9B

        MD5

        72b7e38c6ba037d117f32b55c07b1a9c

        SHA1

        35e2435e512e17ca2be885e17d75913f06b90361

        SHA256

        e9719e3c653627668046bac84b77097bfb0cd018d68465c17130ed31d6d6eca6

        SHA512

        2bebd814b81ad2dc547802d42891d833caaad81d004758ec4373f9c7af2971eb822f0a559d2d5d4fca499912fea95e25bab22e92cb0c149d6a4c692eee6ee46a

        Download Submit

      • memory/436-26-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/436-19-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/436-33-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/436-36-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/436-10-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/436-1227-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/436-2244-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/436-4794-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2644-0-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2644-8-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download