Overview

overview

7

Static

static

3

9a2f09a935...a9.exe

windows7-x64

7

9a2f09a935...a9.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    18-04-2024 05:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9a2f09a935c8a12f9c55f4a6dc0b91774e6143a0f8cebb0e2306c3fd60043ea9.exe

  • Size

    227KB

  • MD5

    408abf04cce71b3fce00e60d7c98d717

  • SHA1

    21627b1fb0e31ee0d28512ab38caa5ce09a2bb3a

  • SHA256

    9a2f09a935c8a12f9c55f4a6dc0b91774e6143a0f8cebb0e2306c3fd60043ea9

  • SHA512

    535e8afd152736249f866e3900628b5ed03b826ec3345dffa18a66b9a5c3686ecc4c0c09c656dd4e28ed53826efc5a86efa46416287c44b94e8cab8b61e5c776

  • SSDEEP

    3072:pikuJVLUdeKzC/lzMPySe8DnpeIPipoHbKvXWXz9LRnsaJUS+6wPXD3fxNW7gq5n:JuJWdeKzC/leySe8AIqpoHbnDns1ND9m

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1224
      • C:\Users\Admin\AppData\Local\Temp\9a2f09a935c8a12f9c55f4a6dc0b91774e6143a0f8cebb0e2306c3fd60043ea9.exe
        "C:\Users\Admin\AppData\Local\Temp\9a2f09a935c8a12f9c55f4a6dc0b91774e6143a0f8cebb0e2306c3fd60043ea9.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:2016
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\$$a122A.bat
          3⤵
          • Deletes itself
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:2536
          • C:\Users\Admin\AppData\Local\Temp\9a2f09a935c8a12f9c55f4a6dc0b91774e6143a0f8cebb0e2306c3fd60043ea9.exe
            "C:\Users\Admin\AppData\Local\Temp\9a2f09a935c8a12f9c55f4a6dc0b91774e6143a0f8cebb0e2306c3fd60043ea9.exe"
            4⤵
            • Executes dropped EXE
            PID:2040
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2112
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2980
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
                PID:2680

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
        Filesize

        254KB

        MD5

        2be68344c9b75fc6f528ff990fd8819a

        SHA1

        3cc85b2769ff749073bc4caf6d8dc8dd9ca772a5

        SHA256

        9025619ec1492c542300e58dfab2885f5c6ed7e24c7d1505914f2886ea62619c

        SHA512

        6e91b221db37f9eb36638d805b564304fb1c381504026a73fcc809ceda38517691a89d715e07adf2c0e7613d8563e1fd38a6bb3a18864d966c48df6628da5aff

        Download Submit

      • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
        Filesize

        474KB

        MD5

        db561a5a0ca702db76921a7d2dc14d42

        SHA1

        4dcfe5e6439ee9628f6c43e9bbfbfa297f350576

        SHA256

        8475d4035b379da9d6137570957d939e2e4a1a37be6ac2b373a217643b97422f

        SHA512

        004d16a571fc35cf7ee9271411ab1cc72f2f799649ddec53f52297d674eaf6f59a3eed0dc2fb01143f30187ba8a23473ed41fd3e4b0a9434fe52793f085d59d6

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\$$a122A.bat
        Filesize

        722B

        MD5

        b2fc76d46960b6914f026bbc19ff2448

        SHA1

        8ddd90c342e2442460a5cde20c91240da2161a12

        SHA256

        1f30df3d2fe5829e4d17780ac69949135ae0680bf6183f03f19acd98e0076a89

        SHA512

        3996c7b42415073b58c6dc691d83361f1d99041ed2453629a3a2a4a40964f2baa15a168ad60d40cf2645fd800271f669e17fa421cf1a218821f2ffee176580f1

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\9a2f09a935c8a12f9c55f4a6dc0b91774e6143a0f8cebb0e2306c3fd60043ea9.exe.exe
        Filesize

        198KB

        MD5

        e133c2d85cff4edd7fe8e8f0f8be6cdb

        SHA1

        b8269209ebb6fe44bc50dab35f97b0ae244701b4

        SHA256

        6c5e7d9c81a409e67c143cd3aed33bddc3967fa4c9ab3b98560b7d3bf57d093d

        SHA512

        701b7d1c7e154519d77043f7de09d60c1ff76c95f820fc1c9afca19724efb0847d646686053354156fd4e8a9dab1f29a79d3223f939a3ff1b3613770dc8603b1

        Download Submit

      • C:\Windows\rundl132.exe
        Filesize

        29KB

        MD5

        46113c3ede06da0a68aaec2dc1e2a1c5

        SHA1

        54615f3768d5d6352292496b01fced21556f4761

        SHA256

        76affd765412e9894dc4bb5379c64fcafe5d8dc1afd22c953fd4bb3919a6f62d

        SHA512

        091fd4fada6e424937107fb8244d7e9b261370b32db0cb2f26a62348576fdbb95513670c05007938d64514970584dfffe43dd4aeee8056b66eca3376e192b4c1

        Download Submit

      • F:\$RECYCLE.BIN\S-1-5-21-2297530677-1229052932-2803917579-1000\_desktop.ini
        Filesize

        9B

        MD5

        72b7e38c6ba037d117f32b55c07b1a9c

        SHA1

        35e2435e512e17ca2be885e17d75913f06b90361

        SHA256

        e9719e3c653627668046bac84b77097bfb0cd018d68465c17130ed31d6d6eca6

        SHA512

        2bebd814b81ad2dc547802d42891d833caaad81d004758ec4373f9c7af2971eb822f0a559d2d5d4fca499912fea95e25bab22e92cb0c149d6a4c692eee6ee46a

        Download Submit

      • memory/1224-29-0x00000000025A0000-0x00000000025A1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2016-0-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2016-16-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2016-12-0x0000000000440000-0x0000000000476000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2112-38-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2112-44-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2112-90-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2112-96-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2112-749-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2112-1849-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2112-31-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2112-2413-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2112-3309-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2112-21-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download