Overview

overview

7

Static

static

3

952d326522...fa.exe

windows7-x64

7

952d326522...fa.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    24-04-2024 23:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    952d326522fbaf4156a086a00448d98f5b40473d5d80c63bdb70eae915be1cfa.exe

  • Size

    1.2MB

  • MD5

    34ebee5b72631999ef9871c4b1c84c1a

  • SHA1

    861646e8d7d5b109ba0db2081c34a2bbc217e702

  • SHA256

    952d326522fbaf4156a086a00448d98f5b40473d5d80c63bdb70eae915be1cfa

  • SHA512

    f7f02c03b82e7bc7fbaf0461ca65c874c25a5a8e52acd83b111947f6b6f142c4aac829c0b46fe7ccefe956a7710127636c3e5d69e26686dcc52866b5603b9bb1

  • SSDEEP

    24576:r73CxCOhCN6w0fMuIO0ikei95gbJngYP+B/:r7yx4QApihi9TE+B/

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1392
      • C:\Users\Admin\AppData\Local\Temp\952d326522fbaf4156a086a00448d98f5b40473d5d80c63bdb70eae915be1cfa.exe
        "C:\Users\Admin\AppData\Local\Temp\952d326522fbaf4156a086a00448d98f5b40473d5d80c63bdb70eae915be1cfa.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:1252
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\$$a72C0.bat
          3⤵
          • Deletes itself
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:2060
          • C:\Users\Admin\AppData\Local\Temp\952d326522fbaf4156a086a00448d98f5b40473d5d80c63bdb70eae915be1cfa.exe
            "C:\Users\Admin\AppData\Local\Temp\952d326522fbaf4156a086a00448d98f5b40473d5d80c63bdb70eae915be1cfa.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of FindShellTrayWindow
            PID:2588
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:1724
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2780
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
                PID:2572

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
        Filesize

        251KB

        MD5

        5ee2cdec1926e512b07298828e6a16e9

        SHA1

        9055e19fa36d3819be08f664bd455e09daa96976

        SHA256

        204db46c64897889be1fe55c7dcae811d25ea9329f1bc914f6d125c0c049cd4f

        SHA512

        b4943d5ee694306386fd12d0cfda6b1626a62fb46fb02373ebccdac4228340c8bf1b01938fdc510da0028671241da63aaf31237bccd50b03b59c415508a53ecd

        Download Submit

      • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
        Filesize

        471KB

        MD5

        4cfdb20b04aa239d6f9e83084d5d0a77

        SHA1

        f22863e04cc1fd4435f785993ede165bd8245ac6

        SHA256

        30ed17ca6ae530e8bf002bcef6048f94dba4b3b10252308147031f5c86ace1b9

        SHA512

        35b4c2f68a7caa45f2bb14b168947e06831f358e191478a6659b49f30ca6f538dc910fe6067448d5d8af4cb8558825d70f94d4bd67709aee414b2be37d49be86

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\$$a72C0.bat
        Filesize

        722B

        MD5

        645bf6e382c9285d2aa5a5d579a19b0d

        SHA1

        d442a106a3537c830d43d1e52819e264e9c6ca1c

        SHA256

        7bfdf02c7a1f7e653e5aef1318eb4118908ccf5f759020ed24dadda2af047af5

        SHA512

        107286bb96b3cb3005e21b38d812b378f199deb4529ad3996c15b24c4ddad25cce04ae077d3caa8f37799fb95b8ef771f7eb0c6dc405e1d58894f71006db1db5

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\952d326522fbaf4156a086a00448d98f5b40473d5d80c63bdb70eae915be1cfa.exe.exe
        Filesize

        1.2MB

        MD5

        45252d9887c2fd2911d10ddfad8e89cf

        SHA1

        d3fdda55e532e14b8dd52fb9a9e133fe8ee45859

        SHA256

        8c80453f9e038b38a4c35ff5031c7ac6e6c1443455673ed89dde82375d19d11d

        SHA512

        5f42552cfe7192ce6a5ecf95a9acd6f3d9893e044e0b4d751a4b18a1ccab7aa9c4ad81076290ac560daca029a5b51887b20561088c40e9452d36673bb9e36e4b

        Download Submit

      • C:\Windows\rundl132.exe
        Filesize

        26KB

        MD5

        2fc0271f4ad46eb9004c1bcc871507f9

        SHA1

        c19eec1855b06a258d6ad36b918acb9195d8726d

        SHA256

        2ef31759ef6142ad4fb90fb9ddba92d5dcc523de99302a4d6e8283344212de28

        SHA512

        d556c83033d22f99a8057188a1a9bf83ee71a17deef3bd594a2c383e7466a44999dc528d63542b9e4d5bd1f7e4713e4619def0fe66edadc50eb8e0b6cb9f0c96

        Download Submit

      • F:\$RECYCLE.BIN\S-1-5-21-330940541-141609230-1670313778-1000\_desktop.ini
        Filesize

        9B

        MD5

        f29b71f66ac42a28a8d1e12a13d61861

        SHA1

        bd61fbc8b6eed4cae3fa29d7b950784258be10cd

        SHA256

        9a5e4ff44f8f5bb21798074ea03e493911b59680e37191522562dece826da1cf

        SHA512

        90c31cda60a9a63e3fa78e99f1104d1a9c9f811e11b62f75063b6007ae284c8c233b5d1235defab7ae0deec3b7892c85af9319219405c44d16fa29a3215f50e0

        Download Submit

      • memory/1252-16-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/1252-12-0x0000000000230000-0x0000000000264000-memory.dmp

        Filesize

        208KB

        Download

      • memory/1252-0-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/1392-29-0x00000000026F0000-0x00000000026F1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1724-31-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/1724-44-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/1724-90-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/1724-96-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/1724-260-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/1724-1849-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/1724-38-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/1724-3309-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/1724-21-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download