Overview

overview

7

Static

static

3

e13fc027e6...50.exe

windows7-x64

7

e13fc027e6...50.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    28/04/2024, 00:14

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    e13fc027e6b4e67b76bb77a70da55425908bbb589aee14ee63763f084a731750.exe

  • Size

    357KB

  • MD5

    9dcffc4e8bea3bfda2154c1b6d6e13ea

  • SHA1

    bd4f9e5aca1f4acca9bf8a0168a87f2c4c39035b

  • SHA256

    e13fc027e6b4e67b76bb77a70da55425908bbb589aee14ee63763f084a731750

  • SHA512

    c3105b90a421933a6e0249d24ab75ab14e6f8c31b94169cdfd47baa088b16e90b75e87e7ebb0b784f44cb2133e918bc89b65455cc55ff242a0f07a270249ce2b

  • SSDEEP

    6144:SVfjmNqck+UDJeMCZJPWZI2pxLRjA4ZD05WGNl6yZ:s7+q0oUJPWZ5pxC41G2e

Score
7/10
persistence

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Modifies system executable filetype association 2 TTPs 12 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Modifies registry class 64 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1188
      • C:\Users\Admin\AppData\Local\Temp\e13fc027e6b4e67b76bb77a70da55425908bbb589aee14ee63763f084a731750.exe
        "C:\Users\Admin\AppData\Local\Temp\e13fc027e6b4e67b76bb77a70da55425908bbb589aee14ee63763f084a731750.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:1912
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\$$aB66.bat
          3⤵
          • Deletes itself
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:2984
          • C:\Users\Admin\AppData\Local\Temp\e13fc027e6b4e67b76bb77a70da55425908bbb589aee14ee63763f084a731750.exe
            "C:\Users\Admin\AppData\Local\Temp\e13fc027e6b4e67b76bb77a70da55425908bbb589aee14ee63763f084a731750.exe"
            4⤵
            • Executes dropped EXE
            • Modifies system executable filetype association
            • Modifies registry class
            • Suspicious use of SetWindowsHookEx
            PID:2920
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:1248
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2496
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
                PID:2628

      Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
              Filesize

              251KB

              MD5

              00a2d585a9ff022e46e78ed2cb47bc1c

              SHA1

              74cefbf5552ef15e079c2e77c420fc7012914fba

              SHA256

              54ad52f2f2f7c68bdd3597ed47643ea10d1c9b3584bcc4027e0d12905b2e7d49

              SHA512

              494f924eaedb9de485b84f3e9c805bbbde5d1921e6f7702cfdc05b3761bcd19395d9d4908e77efabd295983ac0ef9112de45c1b8aac909e8cf3d0c17144cc142

              Download Submit

            • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
              Filesize

              471KB

              MD5

              4cfdb20b04aa239d6f9e83084d5d0a77

              SHA1

              f22863e04cc1fd4435f785993ede165bd8245ac6

              SHA256

              30ed17ca6ae530e8bf002bcef6048f94dba4b3b10252308147031f5c86ace1b9

              SHA512

              35b4c2f68a7caa45f2bb14b168947e06831f358e191478a6659b49f30ca6f538dc910fe6067448d5d8af4cb8558825d70f94d4bd67709aee414b2be37d49be86

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\$$aB66.bat
              Filesize

              721B

              MD5

              a33b2bcdc48e82f525354d1b1b8d9a95

              SHA1

              d17f5185d4b5dadf2716ab28ba33c43b60ee5bc8

              SHA256

              9c35b409f57f7eba28ce831e8c63c18de14c3fcd2b2dda7a3e85f24f79915227

              SHA512

              8299ef11b261b02718a789941406b2933289681e05b6389d62bb0577992877b74a122bfb8c98ca16499cf5ccba0b5300ccd3f119947b664cba2ffc962b5637e5

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\e13fc027e6b4e67b76bb77a70da55425908bbb589aee14ee63763f084a731750.exe.exe
              Filesize

              331KB

              MD5

              298d2699634589bd40fa7a44806263ea

              SHA1

              530dbb1293d5d19d45b87c56be687d536f6a63ce

              SHA256

              bdeeea007b0c4798baffe265e0a9e2ec8e5e7a3a302ba27142cb7e8b1d7fb7c2

              SHA512

              0ce0b0b9f35268110f7623c68eacc64488795a70e92462a1b10e2d97d7840754a82fd8f44d5ab995330b061c05b21e742c8bc64f7843c37d63cd88ba397a6c28

              Download Submit

            • C:\Windows\Logo1_.exe
              Filesize

              26KB

              MD5

              0dea5c8d1652084c78d53e181c8caa76

              SHA1

              b8ad1aa5589174953c4409aaa41cbbb807a3fe0c

              SHA256

              62c076dbb90c93897710ee6a9548f97d3fb9e1ab2e5b0df2964a7fb32fae19a0

              SHA512

              96267e3286cfb25e71f356f8ddabc364d45e781d8ab5f46ebf5d1e3a0e8397cd54fb4b09d10195305677151fa81cdcaecb635ba416e7467e89698bd2d7ba930e

              Download Submit

            • F:\$RECYCLE.BIN\S-1-5-21-2297530677-1229052932-2803917579-1000\_desktop.ini
              Filesize

              9B

              MD5

              e7957b9f3d9556c996418169821a7993

              SHA1

              b7028de0f91d2e50a8d5f6d23613331a2784a142

              SHA256

              71a21a13d7822776d52d9a6146651dc9155db9f0bfbd978acf43d12dea2a8539

              SHA512

              72bc8552047095449fa4c3c21300183acfc7b33e6ab69c11435542e2862cb9e896bbfdedaeb97ec6edac8ed68220507a302d1ed2217624c97f6e9a83c0d3a285

              Download Submit

            • memory/1188-32-0x0000000003D40000-0x0000000003D41000-memory.dmp

              Filesize

              4KB

              Download

            • memory/1248-743-0x0000000000400000-0x0000000000434000-memory.dmp

              Filesize

              208KB

              Download

            • memory/1248-99-0x0000000000400000-0x0000000000434000-memory.dmp

              Filesize

              208KB

              Download

            • memory/1248-34-0x0000000000400000-0x0000000000434000-memory.dmp

              Filesize

              208KB

              Download

            • memory/1248-3312-0x0000000000400000-0x0000000000434000-memory.dmp

              Filesize

              208KB

              Download

            • memory/1248-41-0x0000000000400000-0x0000000000434000-memory.dmp

              Filesize

              208KB

              Download

            • memory/1248-47-0x0000000000400000-0x0000000000434000-memory.dmp

              Filesize

              208KB

              Download

            • memory/1248-93-0x0000000000400000-0x0000000000434000-memory.dmp

              Filesize

              208KB

              Download

            • memory/1248-20-0x0000000000400000-0x0000000000434000-memory.dmp

              Filesize

              208KB

              Download

            • memory/1248-2875-0x0000000000400000-0x0000000000434000-memory.dmp

              Filesize

              208KB

              Download

            • memory/1248-1852-0x0000000000400000-0x0000000000434000-memory.dmp

              Filesize

              208KB

              Download

            • memory/1912-18-0x0000000000290000-0x00000000002C4000-memory.dmp

              Filesize

              208KB

              Download

            • memory/1912-0-0x0000000000400000-0x0000000000434000-memory.dmp

              Filesize

              208KB

              Download

            • memory/1912-17-0x0000000000400000-0x0000000000434000-memory.dmp

              Filesize

              208KB

              Download

            • memory/1912-12-0x0000000000290000-0x00000000002C4000-memory.dmp

              Filesize

              208KB

              Download