Overview

overview

7

Static

static

3

89e2acf380...ab.exe

windows7-x64

7

89e2acf380...ab.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    18/04/2024, 08:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    89e2acf38017617c1e9b2fe279bb64bb910ca0f04078770ae348f0806455bfab.exe

  • Size

    565KB

  • MD5

    f1973fc951f97973096fc9f5e2fc56a2

  • SHA1

    b133bd551e3b526016c28c66fbac7a2d922b32ab

  • SHA256

    89e2acf38017617c1e9b2fe279bb64bb910ca0f04078770ae348f0806455bfab

  • SHA512

    da586347fedb8f5b79af0dd32be0d6266100650125c42e103547c2f8119d2697225013528e4644868106e9b130804c58110a80a248d09afe1a6b74200c26309d

  • SSDEEP

    12288:D8Gj11/IH1C2kp64AXhQJl2Nw+1ubLkgJ:D8GR1/gfkp64ARaT+IbLkgJ

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1272
      • C:\Users\Admin\AppData\Local\Temp\89e2acf38017617c1e9b2fe279bb64bb910ca0f04078770ae348f0806455bfab.exe
        "C:\Users\Admin\AppData\Local\Temp\89e2acf38017617c1e9b2fe279bb64bb910ca0f04078770ae348f0806455bfab.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:2312
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\$$a65E4.bat
          3⤵
          • Deletes itself
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:320
          • C:\Users\Admin\AppData\Local\Temp\89e2acf38017617c1e9b2fe279bb64bb910ca0f04078770ae348f0806455bfab.exe
            "C:\Users\Admin\AppData\Local\Temp\89e2acf38017617c1e9b2fe279bb64bb910ca0f04078770ae348f0806455bfab.exe"
            4⤵
            • Executes dropped EXE
            PID:2124
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2500
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2668
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
                PID:3000

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
        Filesize

        254KB

        MD5

        bda8eee3b345c1f21b74cbd88cd64f64

        SHA1

        45bf87c341cc5801adb6be803f4c9b8fede6be01

        SHA256

        2dbcc6a6e407885c514d167b5853ac2bde21a05edeb0a1d44fffd9883ff415c3

        SHA512

        55064667b6a153874ecd5e32711acc38bb76466be4fa5a2d77907c976065ab06e8313a5accbe84aa7026a641b7b2bbbc784f1a67d7bc351941b28c8092692f2a

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\$$a65E4.bat
        Filesize

        722B

        MD5

        2ece1da092d3dd06898a2dba876748a7

        SHA1

        5f150671beb15ece5a19c2910136fb9185d0a883

        SHA256

        7d9d501cf933fccc1e6da89b036a4484ba9df98467b0c45d9ea94b1b53cd9f43

        SHA512

        1b908013dd7cce52a818dc2571e3d61d49cc0d207eb86878f2a9315adff26d6c83cb6be765c19c37aa6b438bcbd3be77af3971191e10936e20e80028ecf17e56

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\89e2acf38017617c1e9b2fe279bb64bb910ca0f04078770ae348f0806455bfab.exe.exe
        Filesize

        536KB

        MD5

        51f33fda33fec902d4a56ba6944c5ccb

        SHA1

        66b1397db173a38067769d95642ed80584a60834

        SHA256

        bef23bbb2608c9b994a1680e7b643117c60290f0fdd2bd96caf0cfcf82e37ed5

        SHA512

        2ae81bcfa74622f1eb91b013ea8094ea2309dc9508fc0e28bc95024ff6bb3560a4baf566b90206a1fb4891ad70f0eedb52dfbe10ffa8dbd5d2ea0c0d0c1469c1

        Download Submit

      • C:\Windows\rundl132.exe
        Filesize

        29KB

        MD5

        c2714eeb0a075a663048727a1626345e

        SHA1

        78ac209416bd20b0c01049ffa07529d6eda0858b

        SHA256

        2d9faa2c88af94ed65a0c8dd8657af7f0c0fc3073c037094a36df8dc5b956f9d

        SHA512

        c4204f2a53da4f82270f92f1a6852ac32cca8b4ee8f4953639d4bddacaa7919734fc775bcdd07a8a0b518e4ac5cd9c9979edb2e889e61614782e7d9fef04f19e

        Download Submit

      • F:\$RECYCLE.BIN\S-1-5-21-406356229-2805545415-1236085040-1000\_desktop.ini
        Filesize

        9B

        MD5

        72b7e38c6ba037d117f32b55c07b1a9c

        SHA1

        35e2435e512e17ca2be885e17d75913f06b90361

        SHA256

        e9719e3c653627668046bac84b77097bfb0cd018d68465c17130ed31d6d6eca6

        SHA512

        2bebd814b81ad2dc547802d42891d833caaad81d004758ec4373f9c7af2971eb822f0a559d2d5d4fca499912fea95e25bab22e92cb0c149d6a4c692eee6ee46a

        Download Submit

      • memory/1272-30-0x0000000002AB0000-0x0000000002AB1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2312-21-0x0000000000220000-0x0000000000256000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2312-0-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2312-16-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2312-12-0x0000000000220000-0x0000000000256000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2500-22-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2500-32-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2500-39-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2500-45-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2500-91-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2500-97-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2500-1850-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2500-2221-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2500-2464-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download