Analysis

  • max time kernel
    149s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted
    20-04-2024 06:16

General

  • Target
    8c550f9c1d811c800dec37eec137c7c4ef78db9d839b0125c8186ff57c17d916.exe
  • Size
    5.7MB
  • MD5
    432feea9784b2aa4cdb19ce766fedce1
  • SHA1
    1296c1c1d0efc7ac82b578b979bda8d2c1dfd8bf
  • SHA256
    8c550f9c1d811c800dec37eec137c7c4ef78db9d839b0125c8186ff57c17d916
  • SHA512
    38ab79dc95da546b7794728b8cf35d07043af26f78c028112d420753bf0ad5fbebca43d2a491ff79ce6f8e1941f1f788955285b36fd9acfc3e8b4ec8be42df42
  • SSDEEP
    49152:qPv94AEsKU8ggw1g+1CART5eBiyKS3EI3wybn20DCYIHvc8ixuZm9+fWsw6dTPBm:MKUgTH2M2m9UMpu1QfLczqssnKSh

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1376
      • C:\Users\Admin\AppData\Local\Temp\8c550f9c1d811c800dec37eec137c7c4ef78db9d839b0125c8186ff57c17d916.exe
        "C:\Users\Admin\AppData\Local\Temp\8c550f9c1d811c800dec37eec137c7c4ef78db9d839b0125c8186ff57c17d916.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:1108
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\$$aE34.bat
          3⤵
          • Deletes itself
          • Loads dropped DLL
          PID:632
          • C:\Users\Admin\AppData\Local\Temp\8c550f9c1d811c800dec37eec137c7c4ef78db9d839b0125c8186ff57c17d916.exe
            "C:\Users\Admin\AppData\Local\Temp\8c550f9c1d811c800dec37eec137c7c4ef78db9d839b0125c8186ff57c17d916.exe"
            4⤵
            • Executes dropped EXE
            PID:2636
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:1940
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2540
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              PID:2668

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
    Filesize
    252KB
    MD5
    91a0234603ee2ffe672133195c4abc05
    SHA1
    16279814879065da9aa319c5974781a84f43e39c
    SHA256
    d22210301ccaa7d2755a1406c535b73ef1a8c1e13366928170d9b7673d727be3
    SHA512
    1d63d708d0b532a32031730cb8cc82f66d9025d2d6f2592b9b8591a693e3e3bd3054d2774005aeff11baa9ea7ff16ab1a7e5cf36cc80ea5d445e66f6dc7df2c4

  • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
    Filesize
    472KB
    MD5
    88eb1bca8c399bc3f46e99cdde2f047e
    SHA1
    55fafbceb011e1af2edced978686a90971bd95f2
    SHA256
    42fd78c05bc240d4ded16ac974f17c336f6ae3a1814d548021c48a942cc30428
    SHA512
    149d4de0c024e25a13a7bb17471e6f48391d4f26b1c8388672320eed1c255f84219ad7b72bbebc531ae558d5192dd4bb6d0dddd6c65a45300c8e8348a4fb3728

  • C:\Users\Admin\AppData\Local\Temp\$$aE34.bat
    Filesize
    721B
    MD5
    ed1d89ea94dc8d16c875c74b97e9a996
    SHA1
    03990f70cb7ed33ffefc389fe3a08cc507629632
    SHA256
    589b7b11b5c940d6d9d2762fbad6bbb1eb809713864f2a3176967f54ba3c94f8
    SHA512
    b7be45c63e2a213ff5b2974ba369b5aa551467712ed1d8dd94e4e236466d440b3492ff01408bbed26afd9f0d3577738910fa86d2b6cec36d5979ef5f48af7228

  • C:\Users\Admin\AppData\Local\Temp\8c550f9c1d811c800dec37eec137c7c4ef78db9d839b0125c8186ff57c17d916.exe.exe
    Filesize
    5.7MB
    MD5
    c596c3539f619ec76f36741933da5bed
    SHA1
    b3243f0ee893528f0ccd71700ca9970def6670b5
    SHA256
    bb9f95d1b280c1ec9ae27cf564bbb1b485e2d721d44b3288a9a43c07517e38de
    SHA512
    e6e9bd571f8a74b0d2f1a88f9c90fbf10a2150cda55cd4ad6f9a37e0c4a957a175ecb8adf17822331e6cb83bac6fec5bdc2fc87fdb5bc2bfa46ad7dac4df31d2

  • C:\Windows\Logo1_.exe
    Filesize
    27KB
    MD5
    18dc1033ae8902d1d05f7bb5651753be
    SHA1
    44d68d222bf905f98a2a48ba964010826c80cd59
    SHA256
    a3f31e286d1c18d1e958f66d909c32c5f35a3b785ba9827774568b04f843f199
    SHA512
    e7de2a47c6076f6d6de889dfe0937ac3b9e948c85f9e10a27ba2bd14b943e713c7631bd8b0d3f610418a154977cddd2acabad152b1c09b374806ce1e5e61f7eb

  • F:\$RECYCLE.BIN\S-1-5-21-3627615824-4061627003-3019543961-1000\_desktop.ini
    Filesize
    9B
    MD5
    27729a3995958245e2d6799df42e26e7
    SHA1
    dfe386f53277c8387b50122f3fda9bc2467815ba
    SHA256
    9313041e89d4585b2606afa4809b101e7e8a2c944d063a28c796b0c0f070b5f1
    SHA512
    ba9157cea7ca5c01b52e2a4a758f4e12e018990e49f1ece5fa6d83423f37a0a4dd5246d9b01e5e212d5e8c36a66a8d0e2645bc73753671295965a855a5028ec6

  • memory/1108-15-0x0000000000400000-0x0000000000435000-memory.dmp
    Filesize
    212KB
  • memory/1108-18-0x0000000000230000-0x0000000000265000-memory.dmp
    Filesize
    212KB
  • memory/1108-16-0x0000000000230000-0x0000000000265000-memory.dmp
    Filesize
    212KB
  • memory/1108-0-0x0000000000400000-0x0000000000435000-memory.dmp
    Filesize
    212KB
  • memory/1376-30-0x0000000002960000-0x0000000002961000-memory.dmp
    Filesize
    4KB
  • memory/1940-91-0x0000000000400000-0x0000000000435000-memory.dmp
    Filesize
    212KB
  • memory/1940-45-0x0000000000400000-0x0000000000435000-memory.dmp
    Filesize
    212KB
  • memory/1940-22-0x0000000000400000-0x0000000000435000-memory.dmp
    Filesize
    212KB
  • memory/1940-97-0x0000000000400000-0x0000000000435000-memory.dmp
    Filesize
    212KB
  • memory/1940-669-0x0000000000400000-0x0000000000435000-memory.dmp
    Filesize
    212KB
  • memory/1940-1850-0x0000000000400000-0x0000000000435000-memory.dmp
    Filesize
    212KB
  • memory/1940-2270-0x0000000000400000-0x0000000000435000-memory.dmp
    Filesize
    212KB
  • memory/1940-39-0x0000000000400000-0x0000000000435000-memory.dmp
    Filesize
    212KB
  • memory/1940-3310-0x0000000000400000-0x0000000000435000-memory.dmp
    Filesize
    212KB
  • memory/1940-32-0x0000000000400000-0x0000000000435000-memory.dmp
    Filesize
    212KB