Overview

overview

7

Static

static

3

17f0c6d5fc...29.exe

windows7-x64

7

17f0c6d5fc...29.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    27/04/2024, 18:20

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    17f0c6d5fcd464da9ee6fb31d3d978dacd88d1ad2d4d13aa4ebb3e5a12847829.exe

  • Size

    66KB

  • MD5

    82b2ebc252f414be8d418df9809332f9

  • SHA1

    72e01a7ec9e561590caa7a51dd2f6c389f4226a0

  • SHA256

    17f0c6d5fcd464da9ee6fb31d3d978dacd88d1ad2d4d13aa4ebb3e5a12847829

  • SHA512

    4c000d47d5b8d35a973e5ee987bad657c7b4380c1cfb90df2f0dcae0bd030bfccc5608fed80fa7d62142c835142c753a9f7b51fe2c2dc876b7b0f6d70c5cac96

  • SSDEEP

    1536:phF3SHuJV9NBriw+d9bHrkT5gUHz7FxtJ:phFkuJVLBrBkfkT5xHzD

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1192
      • C:\Users\Admin\AppData\Local\Temp\17f0c6d5fcd464da9ee6fb31d3d978dacd88d1ad2d4d13aa4ebb3e5a12847829.exe
        "C:\Users\Admin\AppData\Local\Temp\17f0c6d5fcd464da9ee6fb31d3d978dacd88d1ad2d4d13aa4ebb3e5a12847829.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:1848
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\$$a2166.bat
          3⤵
          • Deletes itself
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:2456
          • C:\Users\Admin\AppData\Local\Temp\17f0c6d5fcd464da9ee6fb31d3d978dacd88d1ad2d4d13aa4ebb3e5a12847829.exe
            "C:\Users\Admin\AppData\Local\Temp\17f0c6d5fcd464da9ee6fb31d3d978dacd88d1ad2d4d13aa4ebb3e5a12847829.exe"
            4⤵
            • Executes dropped EXE
            PID:2900
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2936
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2632
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
                PID:2588

      Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
              Filesize

              474KB

              MD5

              6eabc463f8025a7e6e65f38cba22f126

              SHA1

              3e430ee5ec01c5509ed750b88d3473e7990dfe95

              SHA256

              cc8da3ecd355b519d81415d279ed037c725ba221bf323d250aa92ee2b2b88ca7

              SHA512

              c8fde7026ac8633403bbefee4b044457184388fb7343d8c46f5f7f272724227976bf485ea91da49e2a85dd0cfb73f260ac705d8007333dd3e5539fe5ed67e3ab

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\$$a2166.bat
              Filesize

              722B

              MD5

              d0471e1ed6ee7f67f9b6717d06e11649

              SHA1

              adf26b1e6be8258c279c531041992027dc3a2210

              SHA256

              6710654f8f8f7f3eb86f3f4a52a5e230b09a626055038f44c1d7513663107075

              SHA512

              283a49313214b2c3f955967f173ab4fef3e4cc4fa92ac9a1e4bc6974a676a58715868da3b29affa296d2d9599837e196711805642beee54217e9275fab13fcb3

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\17f0c6d5fcd464da9ee6fb31d3d978dacd88d1ad2d4d13aa4ebb3e5a12847829.exe.exe
              Filesize

              36KB

              MD5

              9f498971cbe636662f3d210747d619e1

              SHA1

              44b8e2732fa1e2f204fc70eaa1cb406616250085

              SHA256

              8adf6748981c3e7b62f5dbca992be6675574fffbce7673743f2d7fe787d56a41

              SHA512

              b73083c2f7b028d2946cb8f7b4fe2289fedaa4175364a2aac37db0aeff4602aede772ccc9eba7e6dcfcb7276e52604ca45d8021952201b5834485b48bca3dc93

              Download Submit

            • C:\Windows\Logo1_.exe
              Filesize

              29KB

              MD5

              2cf2adc6226e2d29e19e7efba93c16b4

              SHA1

              bd8d009bd5a040e97d783c240b8335aa6498d17b

              SHA256

              53e4e6f91c4c650f77c61289d049b058da32b4668042adca7e1f280a830bdf26

              SHA512

              55917921f4311ae6d386f1e857f849e6c754a051e61282f03e20d23b1bfe5d16fb87934c81882b5d2bb3e30a105a8aa5284d247ca23129a6aebcb6f2bf854cb4

              Download Submit

            • F:\$RECYCLE.BIN\S-1-5-21-2297530677-1229052932-2803917579-1000\_desktop.ini
              Filesize

              9B

              MD5

              7d02194d5f21d1288ee3e3f595122aba

              SHA1

              68e51fcc75148bf51da5ad67c7137b85946fc393

              SHA256

              a4da2cd5e1bd5b7cc915b0572d2805cb074c16122fa7e5a41fbc1203aafc3416

              SHA512

              b5aba933dbbe76d9c49da7e4bd9aa8449f164d1a6563feb65e795fd497f42a5c8cc317186adf817990a180e46499987a7403b68b0b089a38ccda0fc9f2dd6c1c

              Download Submit

            • memory/1192-29-0x00000000024A0000-0x00000000024A1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/1848-0-0x0000000000400000-0x0000000000436000-memory.dmp

              Filesize

              216KB

              Download

            • memory/1848-16-0x0000000000400000-0x0000000000436000-memory.dmp

              Filesize

              216KB

              Download

            • memory/2936-90-0x0000000000400000-0x0000000000436000-memory.dmp

              Filesize

              216KB

              Download

            • memory/2936-38-0x0000000000400000-0x0000000000436000-memory.dmp

              Filesize

              216KB

              Download

            • memory/2936-44-0x0000000000400000-0x0000000000436000-memory.dmp

              Filesize

              216KB

              Download

            • memory/2936-31-0x0000000000400000-0x0000000000436000-memory.dmp

              Filesize

              216KB

              Download

            • memory/2936-96-0x0000000000400000-0x0000000000436000-memory.dmp

              Filesize

              216KB

              Download

            • memory/2936-1022-0x0000000000400000-0x0000000000436000-memory.dmp

              Filesize

              216KB

              Download

            • memory/2936-1849-0x0000000000400000-0x0000000000436000-memory.dmp

              Filesize

              216KB

              Download

            • memory/2936-3246-0x0000000000400000-0x0000000000436000-memory.dmp

              Filesize

              216KB

              Download

            • memory/2936-3309-0x0000000000400000-0x0000000000436000-memory.dmp

              Filesize

              216KB

              Download

            • memory/2936-18-0x0000000000400000-0x0000000000436000-memory.dmp

              Filesize

              216KB

              Download