Overview

overview

7

Static

static

3

aea0196797...48.exe

windows7-x64

7

aea0196797...48.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
  • submitted
    20-04-2024 06:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    aea01967971a6e1ae19195580b85c80660ff932081a278fb46ac8d17669fbb48.exe

  • Size

    711KB

  • MD5

    54613e5f70d1130b2b4c699fac92baf8

  • SHA1

    25df80dfcb80166ad9b3a3f6e72748f9fead8c07

  • SHA256

    aea01967971a6e1ae19195580b85c80660ff932081a278fb46ac8d17669fbb48

  • SHA512

    1ddbb007c6c4874e3cf6b0c045548157961345bfa9869704b4830e061d9bc46d0e985a12dac48d866bc2377c25a0a10b551811284618cf8328bceda4572f5836

  • SSDEEP

    12288:ZpKfC6Aj+TN5uixZN+8rKhUdTC/wE1ZD0Ca5ZIXV:ZpGLOS2opPIXV

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Executes dropped EXE
    PID:1156
    • C:\Users\Admin\AppData\Local\Temp\aea01967971a6e1ae19195580b85c80660ff932081a278fb46ac8d17669fbb48.exe
      "C:\Users\Admin\AppData\Local\Temp\aea01967971a6e1ae19195580b85c80660ff932081a278fb46ac8d17669fbb48.exe"
      2⤵
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:2480
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$a1101.bat
        3⤵
        • Deletes itself
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:3024
        • C:\Users\Admin\AppData\Local\Temp\aea01967971a6e1ae19195580b85c80660ff932081a278fb46ac8d17669fbb48.exe
          "C:\Users\Admin\AppData\Local\Temp\aea01967971a6e1ae19195580b85c80660ff932081a278fb46ac8d17669fbb48.exe"
          4⤵
          • Executes dropped EXE
          PID:2716
      • C:\Windows\Logo1_.exe
        C:\Windows\Logo1_.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2544
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2828
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            5⤵
              PID:2816

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
      Filesize

      252KB

      MD5

      91a0234603ee2ffe672133195c4abc05

      SHA1

      16279814879065da9aa319c5974781a84f43e39c

      SHA256

      d22210301ccaa7d2755a1406c535b73ef1a8c1e13366928170d9b7673d727be3

      SHA512

      1d63d708d0b532a32031730cb8cc82f66d9025d2d6f2592b9b8591a693e3e3bd3054d2774005aeff11baa9ea7ff16ab1a7e5cf36cc80ea5d445e66f6dc7df2c4

      Download Submit

    • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
      Filesize

      472KB

      MD5

      88eb1bca8c399bc3f46e99cdde2f047e

      SHA1

      55fafbceb011e1af2edced978686a90971bd95f2

      SHA256

      42fd78c05bc240d4ded16ac974f17c336f6ae3a1814d548021c48a942cc30428

      SHA512

      149d4de0c024e25a13a7bb17471e6f48391d4f26b1c8388672320eed1c255f84219ad7b72bbebc531ae558d5192dd4bb6d0dddd6c65a45300c8e8348a4fb3728

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\$$a1101.bat
      Filesize

      722B

      MD5

      fe4e4adbbc39ff1aab19efca739a174a

      SHA1

      8d5121d31f46eab896f67796b23be1f604a304a1

      SHA256

      15409e8762e4516639b5103c6589fc4dad7bb3fd9fc7ca86ce02943d13d522b4

      SHA512

      3b3652d78bad6be651fdd55210d43be65487a3e68d4b7ff8c11c3b8597191c67a9c004cfafb92ae2230ee93d57be07b5c6bf5fa5ad7c936ce8e74cdc366af51e

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\aea01967971a6e1ae19195580b85c80660ff932081a278fb46ac8d17669fbb48.exe.exe
      Filesize

      684KB

      MD5

      50f289df0c19484e970849aac4e6f977

      SHA1

      3dc77c8830836ab844975eb002149b66da2e10be

      SHA256

      b9b179b305c5268ad428b6ae59de10b4fe99cf0199bbc89b7017181905e97305

      SHA512

      877d852ea1062b90e2fd2f3c4dc7d05d9697e9a9b2929c830a770b62741f6a11e06de73275eb871113f11143faf1cb40d99f7c247862ffb778d26833ed5d7e38

      Download Submit

    • C:\Windows\rundl132.exe
      Filesize

      27KB

      MD5

      18dc1033ae8902d1d05f7bb5651753be

      SHA1

      44d68d222bf905f98a2a48ba964010826c80cd59

      SHA256

      a3f31e286d1c18d1e958f66d909c32c5f35a3b785ba9827774568b04f843f199

      SHA512

      e7de2a47c6076f6d6de889dfe0937ac3b9e948c85f9e10a27ba2bd14b943e713c7631bd8b0d3f610418a154977cddd2acabad152b1c09b374806ce1e5e61f7eb

      Download Submit

    • F:\$RECYCLE.BIN\S-1-5-21-2721934792-624042501-2768869379-1000\_desktop.ini
      Filesize

      9B

      MD5

      27729a3995958245e2d6799df42e26e7

      SHA1

      dfe386f53277c8387b50122f3fda9bc2467815ba

      SHA256

      9313041e89d4585b2606afa4809b101e7e8a2c944d063a28c796b0c0f070b5f1

      SHA512

      ba9157cea7ca5c01b52e2a4a758f4e12e018990e49f1ece5fa6d83423f37a0a4dd5246d9b01e5e212d5e8c36a66a8d0e2645bc73753671295965a855a5028ec6

      Download Submit

    • memory/1156-31-0x0000000003D50000-0x0000000003D51000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2480-0-0x0000000000400000-0x0000000000435000-memory.dmp

      Filesize

      212KB

      Download

    • memory/2480-16-0x0000000000400000-0x0000000000435000-memory.dmp

      Filesize

      212KB

      Download

    • memory/2480-20-0x0000000000230000-0x0000000000265000-memory.dmp

      Filesize

      212KB

      Download

    • memory/2544-40-0x0000000000400000-0x0000000000435000-memory.dmp

      Filesize

      212KB

      Download

    • memory/2544-46-0x0000000000400000-0x0000000000435000-memory.dmp

      Filesize

      212KB

      Download

    • memory/2544-92-0x0000000000400000-0x0000000000435000-memory.dmp

      Filesize

      212KB

      Download

    • memory/2544-98-0x0000000000400000-0x0000000000435000-memory.dmp

      Filesize

      212KB

      Download

    • memory/2544-1086-0x0000000000400000-0x0000000000435000-memory.dmp

      Filesize

      212KB

      Download

    • memory/2544-1851-0x0000000000400000-0x0000000000435000-memory.dmp

      Filesize

      212KB

      Download

    • memory/2544-33-0x0000000000400000-0x0000000000435000-memory.dmp

      Filesize

      212KB

      Download

    • memory/2544-3294-0x0000000000400000-0x0000000000435000-memory.dmp

      Filesize

      212KB

      Download

    • memory/2544-3311-0x0000000000400000-0x0000000000435000-memory.dmp

      Filesize

      212KB

      Download

    • memory/2544-23-0x0000000000400000-0x0000000000435000-memory.dmp

      Filesize

      212KB

      Download