Overview

overview

7

Static

static

3

58ae775e94...62.exe

windows7-x64

7

58ae775e94...62.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    18-04-2024 08:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    58ae775e94c2776524eb9a702233e18d5362b03dcb1f2c51b01008ebdfd16d62.exe

  • Size

    2.0MB

  • MD5

    9a9c5b43a51e936989d91f14f4a2ff7c

  • SHA1

    cb6b4fccdeaf1d5fd5f7197a0e801cf286f6188e

  • SHA256

    58ae775e94c2776524eb9a702233e18d5362b03dcb1f2c51b01008ebdfd16d62

  • SHA512

    1c6b0fc87530e5f22d6878c30c624107d239c872ca9dfd54edfad7d18992b56f0fcf12bccdf397344b684dfb67909f5dd83ddc1cd3827be5e0f4c341c89fb004

  • SSDEEP

    49152:4ODO2RBU5kCit5QqJ3Th42yT+hn010gdN7gIrP7CtEiuw:4O62RBU5Bit5B3T2GnIqZb

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1404
      • C:\Users\Admin\AppData\Local\Temp\58ae775e94c2776524eb9a702233e18d5362b03dcb1f2c51b01008ebdfd16d62.exe
        "C:\Users\Admin\AppData\Local\Temp\58ae775e94c2776524eb9a702233e18d5362b03dcb1f2c51b01008ebdfd16d62.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:1472
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\$$a1297.bat
          3⤵
          • Deletes itself
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:2380
          • C:\Users\Admin\AppData\Local\Temp\58ae775e94c2776524eb9a702233e18d5362b03dcb1f2c51b01008ebdfd16d62.exe
            "C:\Users\Admin\AppData\Local\Temp\58ae775e94c2776524eb9a702233e18d5362b03dcb1f2c51b01008ebdfd16d62.exe"
            4⤵
            • Executes dropped EXE
            PID:2712
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2384
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2660
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
                PID:2688

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
        Filesize

        254KB

        MD5

        f27ef237a095affc876cb4b4dfdbf442

        SHA1

        4d24271110a670241cbb1d8d95f0742577633445

        SHA256

        83f9624e2b9ad380e376e4818a5fa81690450a01d06e0e2ad68a742268deb0f8

        SHA512

        fdf45b20af3eacb51d55e13f4a7428d7fa9e52c019d915299f8d9859ffdde9f3a637239213c8f36b537698e7f3020cb9cce1c3e0f7f452d9002670989ed041cb

        Download Submit

      • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
        Filesize

        474KB

        MD5

        429fb3aac1d07c0cd8c5a4c20c7c9660

        SHA1

        74e91983300cf65cc7c4213e0cd713f63bca551c

        SHA256

        0b250ae1b76b37a02003f0b7ac2d2b428e1df177503693060003a74c3551ca2d

        SHA512

        e384f604304e72b1d19819c53702c109953bf29538ab983aaeb5611dc171e5ccdf521889cd4aeb4f3f53e028e8366e5acf9f5de96612b1d009511d45dbc5a55b

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\$$a1297.bat
        Filesize

        722B

        MD5

        2ea000ebe5ec1a485b47dce354bac3c4

        SHA1

        b567377797365597ae01a5c5b57b3f6c9abdd278

        SHA256

        c35dbb2ed5279627416c6c66d1a9bd6daf1303d1243a588adc322e79a3275a6d

        SHA512

        eea1e8c5199911cf304e0d3d6e284697e760292b3f53cf869792bc6d74ef181a2165ac9aa6ed88178aae723bfc7b4cb1b1c8face11eae5a094f65f8c8b1a81a6

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\58ae775e94c2776524eb9a702233e18d5362b03dcb1f2c51b01008ebdfd16d62.exe.exe
        Filesize

        1.9MB

        MD5

        945ff3b0412764180f633a2dcb8a66c0

        SHA1

        84db2e2363cca806f6e2c59dace5d2001e8514cc

        SHA256

        ee43f0adc27d03d42ce23a46a962787950b755062726027438c0731f2efe4f81

        SHA512

        552b75983caff7d029df59447444732bae70cf76ae5d510dbed890f797d3cbff98d22a0c617738c142e57c3c4fcab4c2d7cdb87c1d9598566fd67c0149c7117d

        Download Submit

      • C:\Windows\rundl132.exe
        Filesize

        29KB

        MD5

        6aab1857fddb16f73ee3c6412859538f

        SHA1

        94c7c8ef050ba97735c153ff3c50dcb2ff1984e6

        SHA256

        5425065aa2387fb417dda03f510dee43d51aec1cec445ece37873d75d109037c

        SHA512

        1842cfcb7cc3695acf2ad76fd330b83ba3982e6b284d1f0e15433f2f83fa02387b7a1e8a7919f7797f555c151b35da4611adac33c5b2f18190068df58708e842

        Download Submit

      • F:\$RECYCLE.BIN\S-1-5-21-3627615824-4061627003-3019543961-1000\_desktop.ini
        Filesize

        9B

        MD5

        72b7e38c6ba037d117f32b55c07b1a9c

        SHA1

        35e2435e512e17ca2be885e17d75913f06b90361

        SHA256

        e9719e3c653627668046bac84b77097bfb0cd018d68465c17130ed31d6d6eca6

        SHA512

        2bebd814b81ad2dc547802d42891d833caaad81d004758ec4373f9c7af2971eb822f0a559d2d5d4fca499912fea95e25bab22e92cb0c149d6a4c692eee6ee46a

        Download Submit

      • memory/1404-30-0x0000000002A40000-0x0000000002A41000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1472-17-0x00000000003B0000-0x00000000003E6000-memory.dmp

        Filesize

        216KB

        Download

      • memory/1472-15-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/1472-0-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/1472-33-0x00000000003B0000-0x00000000003E6000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2384-21-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2384-40-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2384-47-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2384-92-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2384-98-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2384-1616-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2384-1851-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2384-32-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2384-3310-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2712-28-0x00000000003A0000-0x00000000003A1000-memory.dmp

        Filesize

        4KB

        Download