Overview

overview

7

Static

static

3

6ba3bf0cd9...90.exe

windows7-x64

7

6ba3bf0cd9...90.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags

    arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
  • submitted
    23/04/2024, 03:32 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6ba3bf0cd93e1aec91e757c8b39a2e32197975a3491ee80064a5046bcca42f90.exe

  • Size

    35KB

  • MD5

    071af383c1f1c766397df0706a29d96f

  • SHA1

    66a52e667d061ebf5c3be28a88028baedef19689

  • SHA256

    6ba3bf0cd93e1aec91e757c8b39a2e32197975a3491ee80064a5046bcca42f90

  • SHA512

    028ba8ea748f9acc53d947dc1c580dd383b5d5b1fbf60a85ac2c4776c497541094c28e10d47e0045f4fa4ffe86d6ce1c4965a2bcc5c737d2ca510e85cc953eab

  • SSDEEP

    768:K1ODKAaDMG8H92RwZNQSwcfymNBg+g61GoLLthSDKp:sfgLdQAQfcfymN/jSm

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1212
      • C:\Users\Admin\AppData\Local\Temp\6ba3bf0cd93e1aec91e757c8b39a2e32197975a3491ee80064a5046bcca42f90.exe
        "C:\Users\Admin\AppData\Local\Temp\6ba3bf0cd93e1aec91e757c8b39a2e32197975a3491ee80064a5046bcca42f90.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:2416
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\$$a11CC.bat
          3⤵
          • Deletes itself
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:1300
          • C:\Users\Admin\AppData\Local\Temp\6ba3bf0cd93e1aec91e757c8b39a2e32197975a3491ee80064a5046bcca42f90.exe
            "C:\Users\Admin\AppData\Local\Temp\6ba3bf0cd93e1aec91e757c8b39a2e32197975a3491ee80064a5046bcca42f90.exe"
            4⤵
            • Executes dropped EXE
            PID:2144
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2648
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2604
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
                PID:2620

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
        Filesize

        251KB

        MD5

        b93348abc6c61129b97eecbdcf3ed020

        SHA1

        ea8d2068526e45b72c4a34cb7e309131f28342b2

        SHA256

        e60bcc0acc3dd0f3d8afd33689673c95b89b934d7a1473576ea9383c1f005224

        SHA512

        1d62ce9fe61a8f5bfa42d25d8a7d645634bffbe9d693f8326276665a0c63ec254eb64b3ebc69b81af8c92291c2f0bd9d5c063591a5fbaa49845d14295f31cca6

        Download Submit

      • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
        Filesize

        471KB

        MD5

        4cfdb20b04aa239d6f9e83084d5d0a77

        SHA1

        f22863e04cc1fd4435f785993ede165bd8245ac6

        SHA256

        30ed17ca6ae530e8bf002bcef6048f94dba4b3b10252308147031f5c86ace1b9

        SHA512

        35b4c2f68a7caa45f2bb14b168947e06831f358e191478a6659b49f30ca6f538dc910fe6067448d5d8af4cb8558825d70f94d4bd67709aee414b2be37d49be86

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\$$a11CC.bat
        Filesize

        722B

        MD5

        5b91e02777946bf6e96efd0bad645a80

        SHA1

        74ec9106309926ad88543a0d774fe12478bb7e6e

        SHA256

        923eceeadfd96a30efe0f02c82e42b66fc3a65bb06a44feb71553d9f76d0f01d

        SHA512

        3588187fa8b469e7bef1277b00eba00f77d7e83e4e51ca9cf8d1c65dd7b0c24ac14d54ccae364d97c4474eeb721dac25e21d8bbff9252394f628c3a7325cc547

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\6ba3bf0cd93e1aec91e757c8b39a2e32197975a3491ee80064a5046bcca42f90.exe.exe
        Filesize

        9KB

        MD5

        4b2ea001d25b0b0f4b6290b529e4a1b4

        SHA1

        243231fe70e96c11b23f3ca2243ee585ce242171

        SHA256

        e98833799281ebc8ec332c79fab96c7b77d3e973b5cb1a4a572f184979a3f682

        SHA512

        5622025b3bf181f003ec52371e7aebf0cd467c01555b8bce5e94d83d6bd4d8aff500655b963bb592e54032e086c9840716153bb44fb4be675c9436e114eba74b

        Download Submit

      • C:\Windows\rundl132.exe
        Filesize

        26KB

        MD5

        abea7d94fba32bba6c1988a9a88d9e8b

        SHA1

        03ac57dcd4e36268a47a0c9fc1fe85d019945e0f

        SHA256

        187686d6eb8c7e66585c6c05a9423d8864a5bda8075e8f62c5b2219337c9b225

        SHA512

        c096cd538b82ca2472ce6358f2ee4f05f938944e2435bcdcba734779fdc17e34efc5221d894ec0ee84df8cc4b96f57532589fdb0cb85bfee69e62a29ef05ebfc

        Download Submit

      • F:\$RECYCLE.BIN\S-1-5-21-2248906074-2862704502-246302768-1000\_desktop.ini
        Filesize

        9B

        MD5

        5e45e0c42537212b4bfef35112ec91ba

        SHA1

        10c59c091fd35facc82bbc96938f118ce5a60546

        SHA256

        9f6b7a83161db36757e96dc40936aec1e5a9a41f9fca089f9cf5a4d695dd5ed5

        SHA512

        ee964e08687daa53fdc8e063402791acb104bd59f5d0f8a6d11d3e889db476315641c38032ade4177cd794b060f9fc4e6fd161989e452aae828c875c747e4bfb

        Download Submit

      • memory/1212-30-0x00000000029E0000-0x00000000029E1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2416-0-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2416-16-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2416-12-0x0000000000220000-0x0000000000254000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2648-39-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2648-45-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2648-91-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2648-97-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2648-772-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2648-1850-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2648-32-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2648-2458-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2648-3310-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2648-21-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      We care about your privacy.

      This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.