Overview

overview

7

Static

static

3

58b39b00cd...95.exe

windows7-x64

7

58b39b00cd...95.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags

    arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
  • submitted
    21-04-2024 04:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    58b39b00cd889a34cbdb908a0ced32148f236821bdfc702bcd812e64d97d1d95.exe

  • Size

    66KB

  • MD5

    9531fa8fc6ec3f0a1c5166b9a5e4719e

  • SHA1

    018c6319223e65772bfb440896be963feaf9d444

  • SHA256

    58b39b00cd889a34cbdb908a0ced32148f236821bdfc702bcd812e64d97d1d95

  • SHA512

    2137222f23a799db9fb4c68d98443c70860df214daf29bf32a8325d455956a7f64fc290e420c50549cc2dd56d6e4fd9cc367058d674963ad0184d242aad4e7b7

  • SSDEEP

    768:pZZZZZZZZZZZZZZa16GVRu1yK9fMnJG2V9dHS8HNic1iTEpgSG9TJVQBWZrvW5TL:pA3SHuJV9NBriw+d9bHrkT5gUHz7FxtJ

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1116
      • C:\Users\Admin\AppData\Local\Temp\58b39b00cd889a34cbdb908a0ced32148f236821bdfc702bcd812e64d97d1d95.exe
        "C:\Users\Admin\AppData\Local\Temp\58b39b00cd889a34cbdb908a0ced32148f236821bdfc702bcd812e64d97d1d95.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:2228
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\$$aC6F.bat
          3⤵
          • Deletes itself
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:2896
          • C:\Users\Admin\AppData\Local\Temp\58b39b00cd889a34cbdb908a0ced32148f236821bdfc702bcd812e64d97d1d95.exe
            "C:\Users\Admin\AppData\Local\Temp\58b39b00cd889a34cbdb908a0ced32148f236821bdfc702bcd812e64d97d1d95.exe"
            4⤵
            • Executes dropped EXE
            PID:2632
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2984
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2604
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
                PID:2540

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
        Filesize

        254KB

        MD5

        5df7d71f76653d1424f76d2459c0df88

        SHA1

        6bed2cda3aeea77eb61655d5941ce68ac39ecdc3

        SHA256

        a7da72da0d848255881a4d0d4ad14eb95ab8291c75b8869eeb013c543add50d7

        SHA512

        8f0f7c553a96365b55a68e5097c9bbb2c4f1803769c762341ca2f2102d595126b4084047a7db062faa6bf6ebc001e6ee66dfcaa4da67ff18fd6acd06d98ab879

        Download Submit

      • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
        Filesize

        474KB

        MD5

        6eabc463f8025a7e6e65f38cba22f126

        SHA1

        3e430ee5ec01c5509ed750b88d3473e7990dfe95

        SHA256

        cc8da3ecd355b519d81415d279ed037c725ba221bf323d250aa92ee2b2b88ca7

        SHA512

        c8fde7026ac8633403bbefee4b044457184388fb7343d8c46f5f7f272724227976bf485ea91da49e2a85dd0cfb73f260ac705d8007333dd3e5539fe5ed67e3ab

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\$$aC6F.bat
        Filesize

        721B

        MD5

        4d141b42ba3d4df2fb024276f96c12aa

        SHA1

        6149b99ccf7ca3f2a99c467ca89cc18adff16218

        SHA256

        2305adad1ff5ddc1280baa7f469098e108a693e1b75d1a3e1582376833c77718

        SHA512

        40fdcec68a753ad7acc3da87c2e0e7ee7974cc03a798b7ba40c5ab66ff1ddd552e62ed12159c55a14e2a8c8b4f3c46b3b02d76e3e950c336bf9f4a37036362b3

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\58b39b00cd889a34cbdb908a0ced32148f236821bdfc702bcd812e64d97d1d95.exe.exe
        Filesize

        36KB

        MD5

        9f498971cbe636662f3d210747d619e1

        SHA1

        44b8e2732fa1e2f204fc70eaa1cb406616250085

        SHA256

        8adf6748981c3e7b62f5dbca992be6675574fffbce7673743f2d7fe787d56a41

        SHA512

        b73083c2f7b028d2946cb8f7b4fe2289fedaa4175364a2aac37db0aeff4602aede772ccc9eba7e6dcfcb7276e52604ca45d8021952201b5834485b48bca3dc93

        Download Submit

      • C:\Windows\rundl132.exe
        Filesize

        29KB

        MD5

        dda4e3f1662f8124f797c06dd6a1e115

        SHA1

        ac8eb50097a78c25d97a7c217ba8528fdaa9e631

        SHA256

        7c7ac21a3134e5c7a096fce44496008c984795d8cac6d19314fbc2fa1c66a7f7

        SHA512

        456bda7c7095eb82016a5ecf55ba43f5024287a0a27aa5b373f15f69e2a0238cdfeafb02e2d48a394cd9a2be927eda6b10ee0aacc87861a93a363a45ecb258dc

        Download Submit

      • F:\$RECYCLE.BIN\S-1-5-21-2248906074-2862704502-246302768-1000\_desktop.ini
        Filesize

        9B

        MD5

        8c34dc99037d2222f90612d7a5e52499

        SHA1

        fda1121fbbb4ed65e2bbf0b7d7c9847d6f47fe7c

        SHA256

        5b74167b62086b62f2f1540c9601d4c70c005e86ff72d5d514f87c82df3cb468

        SHA512

        999a3f71583131a044764079e1d6c447190f81bdb3b32d3f423f97ea6f5a4cf431ddf0b5ad61a2f72e9aa280a859555c131c9b89a4713cdaf955a7f90b6258cf

        Download Submit

      • memory/1116-30-0x0000000002DF0000-0x0000000002DF1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2228-16-0x00000000002D0000-0x0000000000306000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2228-15-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2228-21-0x00000000002D0000-0x0000000000306000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2228-0-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2984-45-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2984-24-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2984-91-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2984-97-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2984-773-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2984-1850-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2984-39-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2984-2416-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2984-3310-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2984-32-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download