Overview

overview

7

Static

static

3

c3a2836825...27.exe

windows7-x64

7

c3a2836825...27.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    23-04-2024 00:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c3a2836825a73f58036ed7aab5f53860ed1670b6135358672b7bfc8a47946d27.exe

  • Size

    225KB

  • MD5

    31e3c783b118d2bb339539328407841b

  • SHA1

    d4c169061171f25f6b0085a71bf89f31db3b688e

  • SHA256

    c3a2836825a73f58036ed7aab5f53860ed1670b6135358672b7bfc8a47946d27

  • SHA512

    19ff0fe3e7f0112d8e77982e36fa879eec013ceb3468a43ec1010edccf7d01fa0d26fbcf3653ec8e3cff3dbf4588c0798f46872048f9b8ada1182e3f5f09bbd7

  • SSDEEP

    3072:PkF3pkdeKzC/lzMPySe8DnpeIPipoHbKvXWXz9LRnsaJUS+6wPXD3fxNW7gq5yGP:cFpkdeKzC/leySe8AIqpoHbnDns1ND9m

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1200
      • C:\Users\Admin\AppData\Local\Temp\c3a2836825a73f58036ed7aab5f53860ed1670b6135358672b7bfc8a47946d27.exe
        "C:\Users\Admin\AppData\Local\Temp\c3a2836825a73f58036ed7aab5f53860ed1670b6135358672b7bfc8a47946d27.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:2776
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\$$a8A74.bat
          3⤵
          • Deletes itself
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:940
          • C:\Users\Admin\AppData\Local\Temp\c3a2836825a73f58036ed7aab5f53860ed1670b6135358672b7bfc8a47946d27.exe
            "C:\Users\Admin\AppData\Local\Temp\c3a2836825a73f58036ed7aab5f53860ed1670b6135358672b7bfc8a47946d27.exe"
            4⤵
            • Executes dropped EXE
            PID:2560
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2932
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2536
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
                PID:2552

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
        Filesize

        472KB

        MD5

        88eb1bca8c399bc3f46e99cdde2f047e

        SHA1

        55fafbceb011e1af2edced978686a90971bd95f2

        SHA256

        42fd78c05bc240d4ded16ac974f17c336f6ae3a1814d548021c48a942cc30428

        SHA512

        149d4de0c024e25a13a7bb17471e6f48391d4f26b1c8388672320eed1c255f84219ad7b72bbebc531ae558d5192dd4bb6d0dddd6c65a45300c8e8348a4fb3728

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\$$a8A74.bat
        Filesize

        722B

        MD5

        e27b4925ae2c300cf767b1673f5402d5

        SHA1

        5fe403c17bb155e7dea01f1a363339cbdd47b217

        SHA256

        8e2aa050d6f427a14a8502d81028c83f83773050c9585903984148bd9d7de6c5

        SHA512

        7e91c14720c6e862cf7dd810e165dbc0f1074bfc8061cd90e51b18257b4cffe90bc2fee506e6f5bb94f7b5c08f39cf731fb4f3fecb41ed99ba8e01b445e9ed75

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\c3a2836825a73f58036ed7aab5f53860ed1670b6135358672b7bfc8a47946d27.exe.exe
        Filesize

        198KB

        MD5

        e133c2d85cff4edd7fe8e8f0f8be6cdb

        SHA1

        b8269209ebb6fe44bc50dab35f97b0ae244701b4

        SHA256

        6c5e7d9c81a409e67c143cd3aed33bddc3967fa4c9ab3b98560b7d3bf57d093d

        SHA512

        701b7d1c7e154519d77043f7de09d60c1ff76c95f820fc1c9afca19724efb0847d646686053354156fd4e8a9dab1f29a79d3223f939a3ff1b3613770dc8603b1

        Download Submit

      • C:\Windows\rundl132.exe
        Filesize

        27KB

        MD5

        f271a5c31f4555375a10ed8645deb2a4

        SHA1

        36727cdfd2f24650bb2cfcb73da536df0c02de07

        SHA256

        182366e152470e5121fbf62cf437b30765914785831160c7d42e580b4b8e0764

        SHA512

        332b4a02e592195b164bbff884fff650ba6df2903e04a0251dad569f072f6fd6847fbba417cdbe80a0f968421f334f53600ecf26de993193c1e7c56cacdb1112

        Download Submit

      • F:\$RECYCLE.BIN\S-1-5-21-330940541-141609230-1670313778-1000\_desktop.ini
        Filesize

        9B

        MD5

        5e45e0c42537212b4bfef35112ec91ba

        SHA1

        10c59c091fd35facc82bbc96938f118ce5a60546

        SHA256

        9f6b7a83161db36757e96dc40936aec1e5a9a41f9fca089f9cf5a4d695dd5ed5

        SHA512

        ee964e08687daa53fdc8e063402791acb104bd59f5d0f8a6d11d3e889db476315641c38032ade4177cd794b060f9fc4e6fd161989e452aae828c875c747e4bfb

        Download Submit

      • memory/1200-29-0x0000000002B10000-0x0000000002B11000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2776-41-0x0000000000330000-0x0000000000365000-memory.dmp

        Filesize

        212KB

        Download

      • memory/2776-15-0x0000000000400000-0x0000000000435000-memory.dmp

        Filesize

        212KB

        Download

      • memory/2776-20-0x0000000000330000-0x0000000000365000-memory.dmp

        Filesize

        212KB

        Download

      • memory/2776-0-0x0000000000400000-0x0000000000435000-memory.dmp

        Filesize

        212KB

        Download

      • memory/2932-33-0x0000000000400000-0x0000000000435000-memory.dmp

        Filesize

        212KB

        Download

      • memory/2932-40-0x0000000000400000-0x0000000000435000-memory.dmp

        Filesize

        212KB

        Download

      • memory/2932-47-0x0000000000400000-0x0000000000435000-memory.dmp

        Filesize

        212KB

        Download

      • memory/2932-93-0x0000000000400000-0x0000000000435000-memory.dmp

        Filesize

        212KB

        Download

      • memory/2932-99-0x0000000000400000-0x0000000000435000-memory.dmp

        Filesize

        212KB

        Download

      • memory/2932-378-0x0000000000400000-0x0000000000435000-memory.dmp

        Filesize

        212KB

        Download

      • memory/2932-1852-0x0000000000400000-0x0000000000435000-memory.dmp

        Filesize

        212KB

        Download

      • memory/2932-3312-0x0000000000400000-0x0000000000435000-memory.dmp

        Filesize

        212KB

        Download

      • memory/2932-21-0x0000000000400000-0x0000000000435000-memory.dmp

        Filesize

        212KB

        Download