Overview

overview

7

Static

static

3

3b3bfba83e...94.exe

windows7-x64

7

3b3bfba83e...94.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    159s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    18/04/2024, 07:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3b3bfba83ec4d0950069e426a5887fcb5bd8e8b9a77f7a9e98de80b9aa993d94.exe

  • Size

    88KB

  • MD5

    95340c4fc044c3e62015ee1b605ac039

  • SHA1

    3caedc850ef52af196c8c713fd1b2957794f8acd

  • SHA256

    3b3bfba83ec4d0950069e426a5887fcb5bd8e8b9a77f7a9e98de80b9aa993d94

  • SHA512

    b0861f6e99aca401b86ee77e7191f623b97ce422514decf1589fa1cf5405c2bf02cd53f9aa8625ee0752ef6185a7dd8abcfc835aea5edc528a290c8a310021aa

  • SSDEEP

    1536:pC3SHuJV9Ntyapmebn4ddJZeY86iLflLJYEIs67rxo:pCkuJVL8LK4ddJMY86ipmns6S

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1456
      • C:\Users\Admin\AppData\Local\Temp\3b3bfba83ec4d0950069e426a5887fcb5bd8e8b9a77f7a9e98de80b9aa993d94.exe
        "C:\Users\Admin\AppData\Local\Temp\3b3bfba83ec4d0950069e426a5887fcb5bd8e8b9a77f7a9e98de80b9aa993d94.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:2516
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\$$a99B0.bat
          3⤵
          • Deletes itself
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:2684
          • C:\Users\Admin\AppData\Local\Temp\3b3bfba83ec4d0950069e426a5887fcb5bd8e8b9a77f7a9e98de80b9aa993d94.exe
            "C:\Users\Admin\AppData\Local\Temp\3b3bfba83ec4d0950069e426a5887fcb5bd8e8b9a77f7a9e98de80b9aa993d94.exe"
            4⤵
            • Executes dropped EXE
            PID:1928
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2920
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2584
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
                PID:2592

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
        Filesize

        254KB

        MD5

        c420c4af538b11e5654382b1b95c1f74

        SHA1

        b9c6a3a3f463948c25e162214d064039eb394b1b

        SHA256

        1605b0cd978c5eea742ac6c780774a1c921791a0b8efb5a4df0ef8243db956ce

        SHA512

        094687162f991b97ebc4a6b9f9bf0de05631ddde6fbec11595948c7c3ebdd1dd4e3d34bddd470beee8614d6c9533c394b4c700664ce0c41ee52df6e192bc1526

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\$$a99B0.bat
        Filesize

        722B

        MD5

        83929e1da9f713171e0c92391d0c4893

        SHA1

        1841f0fd5a09f7acce1c1168bdb172e1e20c32f6

        SHA256

        0c13d8c9b310ad0fe6f2d440e96074f93bb2514a9a43d043e2fbc510c7ffd71a

        SHA512

        ae97db4723de21b6b1b98897bcb90e949da43375b7075219cb50166c35361a8112b08f543ab0dec41d6aedccc46e9eb30ce2d0476981d084a45df4ce93d75e68

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\3b3bfba83ec4d0950069e426a5887fcb5bd8e8b9a77f7a9e98de80b9aa993d94.exe.exe
        Filesize

        59KB

        MD5

        dfc18f7068913dde25742b856788d7ca

        SHA1

        cbaa23f782c2ddcd7c9ff024fd0b096952a2b387

        SHA256

        ff4ac75c02247000da084de006c214d3dd3583867bd3533ba788e22734c7a2bf

        SHA512

        d0c7ec1dae41a803325b51c12490c355ed779d297daa35247889950491e52427810132f0829fc7ffa3022f1a106f4e4ba78ed612223395313a6f267e9ab24945

        Download Submit

      • C:\Windows\Logo1_.exe
        Filesize

        29KB

        MD5

        130284fd5a2812ba4fc96189d15de010

        SHA1

        1c255ac3be9f5f225f28bcb442cdf2227e6fe3f2

        SHA256

        367dfe4f3c4bf18252b62f54542ac6212d6785ffee9afef38dae660f9583fc4c

        SHA512

        e7c6c48e18481dec95c69319a1ccb9ca6aba0b6ec9eb137293844c5f60160e8b4a7bde69c027da14ce41acf489665446b19d0f0e52d315b58acb156891455f0e

        Download Submit

      • F:\$RECYCLE.BIN\S-1-5-21-2461186416-2307104501-1787948496-1000\_desktop.ini
        Filesize

        9B

        MD5

        72b7e38c6ba037d117f32b55c07b1a9c

        SHA1

        35e2435e512e17ca2be885e17d75913f06b90361

        SHA256

        e9719e3c653627668046bac84b77097bfb0cd018d68465c17130ed31d6d6eca6

        SHA512

        2bebd814b81ad2dc547802d42891d833caaad81d004758ec4373f9c7af2971eb822f0a559d2d5d4fca499912fea95e25bab22e92cb0c149d6a4c692eee6ee46a

        Download Submit

      • memory/1456-29-0x0000000002240000-0x0000000002241000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2516-12-0x0000000000220000-0x0000000000256000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2516-16-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2516-0-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2920-31-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2920-38-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2920-44-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2920-90-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2920-96-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2920-202-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2920-1849-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2920-1853-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2920-19-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2920-3310-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download