Overview

overview

7

Static

static

3

83bdfcb417...31.exe

windows7-x64

7

83bdfcb417...31.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    26/04/2024, 02:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    83bdfcb417706c5c261af509b93188dd96ebdfcc41078bc4e6d0f55128720631.exe

  • Size

    1.7MB

  • MD5

    0f5ca4b031a05d416da01c470a9304d7

  • SHA1

    f0fe6350a86914dfcf708513dc09f7b3210d66d3

  • SHA256

    83bdfcb417706c5c261af509b93188dd96ebdfcc41078bc4e6d0f55128720631

  • SHA512

    af941f15ac7abe7cd73d6a37f9f8b8930026b4ffc2e378a1d4e9fc478eace777f7d39cb634371b4428140cf381c6fd1e7a3ce7177bcbceb664d8d044502e393b

  • SSDEEP

    24576:nOObVw4TaN1wd+ukCba4oXtgLhU3wEdmh58g:nOOh3aN4+uLbegmtGH

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1160
      • C:\Users\Admin\AppData\Local\Temp\83bdfcb417706c5c261af509b93188dd96ebdfcc41078bc4e6d0f55128720631.exe
        "C:\Users\Admin\AppData\Local\Temp\83bdfcb417706c5c261af509b93188dd96ebdfcc41078bc4e6d0f55128720631.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:1296
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\$$aED0.bat
          3⤵
          • Deletes itself
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:2556
          • C:\Users\Admin\AppData\Local\Temp\83bdfcb417706c5c261af509b93188dd96ebdfcc41078bc4e6d0f55128720631.exe
            "C:\Users\Admin\AppData\Local\Temp\83bdfcb417706c5c261af509b93188dd96ebdfcc41078bc4e6d0f55128720631.exe"
            4⤵
            • Executes dropped EXE
            PID:2516
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2544
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2564
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
                PID:2448

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
        Filesize

        254KB

        MD5

        da3a4d0479cb34cd1dbd864b9fe7afa8

        SHA1

        c819c28d044275ad62ee2bbf9cad9cdcf13ae537

        SHA256

        402ca106b4801356a8a0c2ba9abcf8a323b3193c68c82066cbdf50ce6c71be4d

        SHA512

        a0dae98bf119c57fb548475f3a7d52e68f952876f0420bb2fabda483565c7fe8e24368eb7a458932b207f66fdafc3e0f65599ae9dcb9a7b4756cc7558682b18c

        Download Submit

      • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
        Filesize

        474KB

        MD5

        e96712cc2991fab37a21ceeeee83b1f6

        SHA1

        e7894f4029baf5faa81584bab7d20acb0feadf5f

        SHA256

        fc5ecf67ef00e72d234c1b58be4d807a7fa2603cf66085204bacabb796275153

        SHA512

        fd8ba411e0083b3120431f23f272daf3923c96c96a15f7f861565b4de85fce7bf5aafd42d15cf45c559b8e7192513a31b9167ec7c5b6f52823bf3dc20701a06e

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\$$aED0.bat
        Filesize

        721B

        MD5

        0794e888a5eca78b49a568030ad3c16d

        SHA1

        e5ad1179e79bd7f18ed9d59d3fdbc5ccb5827a6c

        SHA256

        3127464781ca5f9c337e07c37b3bfaff6cd71b56d7b74939a4809504322041ab

        SHA512

        aef531b84be946b0e414ddaecb8eace1944e0a05ac663d1e0b4648a3524737c55b0c2c1831ccc159f5a9ff0ac69142556f8ba77303cb8d3c25e779e7b4121d2a

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\83bdfcb417706c5c261af509b93188dd96ebdfcc41078bc4e6d0f55128720631.exe.exe
        Filesize

        1.7MB

        MD5

        d36d79b8f55d32021c2ca5669ff5a552

        SHA1

        6cb6cbe0fe75f3b52c716ca2cef77fff8da2274e

        SHA256

        904b7660f3cb9fb85ebf8787fb2e1f81c2b5591b0a21eb5cb6dca18a54dc657e

        SHA512

        965a4e621b18dc22c7fd31e27e65b2c36a7f90832db8e3f4e0752da89b1489616c095bf72f72aa17dbb198c79b66b1e9c252dcc8f389aecd3da293e4e471a353

        Download Submit

      • C:\Windows\Logo1_.exe
        Filesize

        29KB

        MD5

        9bcc3e645527978b32c6d1984175f69d

        SHA1

        d9dce23336396ddbfb4e54c207d755e9b8104b92

        SHA256

        3b15b041a301264dac387cd799e223d8d55f3652573aa7048a7bf4c01b5308e1

        SHA512

        a88275729c3768ca2ee9a9373bc5c97f1e70c5488de73ce1c46d5589978180608d44d87fa9e142b5f977d543cdd4130fb4fad1a4088bd65c39d448af1dbb5c6b

        Download Submit

      • F:\$RECYCLE.BIN\S-1-5-21-2297530677-1229052932-2803917579-1000\_desktop.ini
        Filesize

        9B

        MD5

        c1decdd7d6df1d9437bb5f2bc5fe1486

        SHA1

        d71402dc8d37a148651cb5017219322267c7b922

        SHA256

        bd6d31806e5ebc86100e3c7ed2cf5348757149082d775fa986d41e8554ce8089

        SHA512

        ebbaed70f5d858508011ec3f251e16aa09c861b3d6dcc62ed28f293b37dfda2434b0e36f898bc62fca3107ee6356c77e5662a76085f191a63913013837cc0f07

        Download Submit

      • memory/1160-30-0x0000000002530000-0x0000000002531000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1296-0-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/1296-16-0x0000000000350000-0x0000000000386000-memory.dmp

        Filesize

        216KB

        Download

      • memory/1296-15-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2544-39-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2544-45-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2544-91-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2544-97-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2544-770-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2544-1850-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2544-32-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2544-2400-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2544-3310-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2544-21-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download