Overview

overview

7

Static

static

3

4d17af68cf...1b.exe

windows7-x64

7

4d17af68cf...1b.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags

    arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
  • submitted
    21-04-2024 04:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4d17af68cf0dafefd11e545b39cdf24d6cbcc65a22e35249ad98bfcff1a1521b.exe

  • Size

    983KB

  • MD5

    ed7c574db8edce1836463ca91c5d9296

  • SHA1

    f97a15dd3175a6ed0e6be0ef0e848fa65c811991

  • SHA256

    4d17af68cf0dafefd11e545b39cdf24d6cbcc65a22e35249ad98bfcff1a1521b

  • SHA512

    283715ffeab279f33c7450f5d7033c832edaffa1cb0fb78d119f01b247b22c75a3e8f2a03184a0f842325a637dedbc9525ea6d735a50bcf5bbc21deeb1bd893d

  • SSDEEP

    24576:/7mYwSAXEHQ5NNYbD1yobQNwgDk3IQknvkW2D9ZZm8ykXouUT/:/7dwSbIDkHknvXKZZmHm7UT/

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1204
      • C:\Users\Admin\AppData\Local\Temp\4d17af68cf0dafefd11e545b39cdf24d6cbcc65a22e35249ad98bfcff1a1521b.exe
        "C:\Users\Admin\AppData\Local\Temp\4d17af68cf0dafefd11e545b39cdf24d6cbcc65a22e35249ad98bfcff1a1521b.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:1772
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\$$aB56.bat
          3⤵
          • Deletes itself
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:2648
          • C:\Users\Admin\AppData\Local\Temp\4d17af68cf0dafefd11e545b39cdf24d6cbcc65a22e35249ad98bfcff1a1521b.exe
            "C:\Users\Admin\AppData\Local\Temp\4d17af68cf0dafefd11e545b39cdf24d6cbcc65a22e35249ad98bfcff1a1521b.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            PID:2560
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2660
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2932
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
                PID:3028

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
        Filesize

        251KB

        MD5

        93682ae617e5b6cca0eed1522c68a8be

        SHA1

        c2e2a5a852ddffd60d93922c25d6c36152c01a11

        SHA256

        58440fceb04e732a78fe83ce9ed85f7bc0b1db862430d3afaa3c03d0500b94b8

        SHA512

        58c6421e32999513946aff532cb697374362f03e84231b0c3bda9539e9141308f4f92b44141ab1b0a6108efe4e26712ed1ce223218aa6dac2e114ef67b0c6117

        Download Submit

      • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
        Filesize

        471KB

        MD5

        4cfdb20b04aa239d6f9e83084d5d0a77

        SHA1

        f22863e04cc1fd4435f785993ede165bd8245ac6

        SHA256

        30ed17ca6ae530e8bf002bcef6048f94dba4b3b10252308147031f5c86ace1b9

        SHA512

        35b4c2f68a7caa45f2bb14b168947e06831f358e191478a6659b49f30ca6f538dc910fe6067448d5d8af4cb8558825d70f94d4bd67709aee414b2be37d49be86

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\$$aB56.bat
        Filesize

        721B

        MD5

        64b891f5f81680332b2032d3ce5e9d49

        SHA1

        2fbc634539b05b6d470e837ab3c50c1c2487603c

        SHA256

        f32c700020e6ee0c110e96355a216ad334372c7fa62b1c55eca6aefa7a24ba9a

        SHA512

        54e9d22ad54afee758ef0b1f2dcf8097dc12d2e8d9e28778672c815b59522b98be8e8792856a11a45d88b8308e2d3c0e0c6beae49ab6fcdf4e4a8c6bebae3a22

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\4d17af68cf0dafefd11e545b39cdf24d6cbcc65a22e35249ad98bfcff1a1521b.exe.exe
        Filesize

        956KB

        MD5

        8cd1cf8c0042a74bfd1ebf48e211f289

        SHA1

        683eb1fe273c9c12daf65ea8d6137b069d59bd3f

        SHA256

        63b263337cd30245136313a0a4fed1b1350c2584d4a9952b511bfe977b5eb5f8

        SHA512

        405886b850fda077ec5d474edc81e2209ec5a26d02484c014e6ac5bfdd075c2710334d6d50a5d56a3156bea5825ee05f268487b217bd891acd94fd90c0ae17e3

        Download Submit

      • C:\Windows\rundl132.exe
        Filesize

        26KB

        MD5

        2f809e1bc24e065a06eb9cc885f52666

        SHA1

        5a3f1009a867e84081c8e510a95a6aa67d0ea4f7

        SHA256

        449b2bf4a84e027375af2a6bbe59a0b18c07edfc9aa96c6ff52adfc195fcd739

        SHA512

        25338b9c6561fce3574871b08ec6f5705ca78b74e22828efaed88fb51c2c3a92d6afcd96eabf273ab19678cde13af96ad6db22532e5750e4da6202adb314435c

        Download Submit

      • F:\$RECYCLE.BIN\S-1-5-21-2248906074-2862704502-246302768-1000\_desktop.ini
        Filesize

        9B

        MD5

        8c34dc99037d2222f90612d7a5e52499

        SHA1

        fda1121fbbb4ed65e2bbf0b7d7c9847d6f47fe7c

        SHA256

        5b74167b62086b62f2f1540c9601d4c70c005e86ff72d5d514f87c82df3cb468

        SHA512

        999a3f71583131a044764079e1d6c447190f81bdb3b32d3f423f97ea6f5a4cf431ddf0b5ad61a2f72e9aa280a859555c131c9b89a4713cdaf955a7f90b6258cf

        Download Submit

      • memory/1204-29-0x0000000002E00000-0x0000000002E01000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1772-0-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/1772-15-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/1772-16-0x0000000000220000-0x0000000000254000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2660-38-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2660-44-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2660-90-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2660-96-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2660-889-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2660-1849-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2660-31-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2660-2770-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2660-3309-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2660-21-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download