Overview

overview

7

Static

static

3

9ad0994e12...ca.exe

windows7-x64

7

9ad0994e12...ca.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    29/04/2024, 10:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9ad0994e12c7eaa1ea87b669c193e66e6afdc36935829e61216894dd2dc1baca.exe

  • Size

    1.3MB

  • MD5

    cc7aaca312222c595d5f4a3a9b6f192d

  • SHA1

    cb0d26b9fd1ba13a77313298cff08fa737a1b094

  • SHA256

    9ad0994e12c7eaa1ea87b669c193e66e6afdc36935829e61216894dd2dc1baca

  • SHA512

    07f4af9958ec0dc880829b758b8e168ddf4e4921c4fdb100137652d1f879b9a8a15c43417d4a301f738d7b08bb238b5d24166bbd40283d55e32af002060cd2fc

  • SSDEEP

    24576:efkcVkJdyWm5QlmxR++iN95RoayqVSF1M+VHQE7Zrbe:efkcVkJdyrAL5RojIw1M+Rj

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1176
      • C:\Users\Admin\AppData\Local\Temp\9ad0994e12c7eaa1ea87b669c193e66e6afdc36935829e61216894dd2dc1baca.exe
        "C:\Users\Admin\AppData\Local\Temp\9ad0994e12c7eaa1ea87b669c193e66e6afdc36935829e61216894dd2dc1baca.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:1968
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\$$a205C.bat
          3⤵
          • Deletes itself
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:2976
          • C:\Users\Admin\AppData\Local\Temp\9ad0994e12c7eaa1ea87b669c193e66e6afdc36935829e61216894dd2dc1baca.exe
            "C:\Users\Admin\AppData\Local\Temp\9ad0994e12c7eaa1ea87b669c193e66e6afdc36935829e61216894dd2dc1baca.exe"
            4⤵
            • Executes dropped EXE
            PID:2416
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:3008
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2632
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
                PID:2444

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
        Filesize

        254KB

        MD5

        bae13e04f5e8c8d531786f2251bfbb8d

        SHA1

        16473dd7704fbed4d335ece111d8d75352f9c9f6

        SHA256

        f9b998d2548cc1b63b52d3bd4fe546a8ae5d5e8b0aeb65cd313807cca1112423

        SHA512

        4837ba7e379f8ebb2d0ded6e4fa7471a5936a453a79513bd4e6dfed05d56acf72cf30874ccb07f307af618ac39233e36a151aba76ccf3fce70655656f9c4587f

        Download Submit

      • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
        Filesize

        474KB

        MD5

        ff973db02a999ecbc9be9bb33499796d

        SHA1

        2fadc83cfc56463a638456cb4cf77be605793a9f

        SHA256

        bf3b2ca265dc1f3583cb5276da1f4c83404d5f547919d17d7bd4c328071507dd

        SHA512

        fb673f91884b3eb805809887432ac810c4d525db0bc5c1f7103b14e3d62284fb25e122c7e957981d864b699fb005e34d0c5583ac80436ecf673f22704d4e5ed0

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\$$a205C.bat
        Filesize

        722B

        MD5

        b8bfc4dbd694cb721c3c811cfc34d91f

        SHA1

        8126586581dfea980c1a17493fe93927576a35ec

        SHA256

        0246286a307d30b7f0d0b9bef77499240f2ab130cf2c754ebc89d85b7e232d72

        SHA512

        db3b4aab5da031db75cb13bc1b660dd106a903d88d1402622d10654fc47da273470ff87925027b1d6dbb9a9bd3dd18da66ff3a334c620c00c748ce67b902a451

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\9ad0994e12c7eaa1ea87b669c193e66e6afdc36935829e61216894dd2dc1baca.exe.exe
        Filesize

        1.3MB

        MD5

        32a8874646fd9ff308cd7d550c9b8c3a

        SHA1

        bb94615961d98df10f17eb0e69edbd6c860def80

        SHA256

        018b89a03419e447793f0858244b7f8133ef16b13b224018166ffb0e3433eb95

        SHA512

        d47e9dfe3b233e4a8e24ffb4dd9f1b7c2649cf597ff7981b7fd488d62a20debac320093829624758294697ba509923ae79b8d79e54d3acf67d1e3a5a554bad6f

        Download Submit

      • C:\Windows\Logo1_.exe
        Filesize

        29KB

        MD5

        613ebc2c6b3cd0a071abf2ce8f025c87

        SHA1

        466db64217d98d6a149f2538bb7d6f569ce18cd7

        SHA256

        c7120fe704982e0bf67d30a32e48ccb5f84d4d9702c193599b397eda84cd849e

        SHA512

        3328a8ef51ae65a1ded3ad33b862c479919f30915d5f47f722622a390eb2486bb1a821c841381d1f39b09c6f06388114add299a4a280d1ed0ccdeefb5a31a530

        Download Submit

      • F:\$RECYCLE.BIN\S-1-5-21-2297530677-1229052932-2803917579-1000\_desktop.ini
        Filesize

        9B

        MD5

        73b8aef84e892e3f77d41747dce253db

        SHA1

        d642a92c96e4ed570d998a73e42fc24fafe8caf9

        SHA256

        a81f7465f537233bbd4b8fa9034e52a8ceffcdf97bf36244c4d404ebec14eb24

        SHA512

        9b0690efee220355932375db333b5487c369ca9fdcf8497bcb5283d78d21fb4fefb7c06bbe533fb1f18fd3b32256a013090af6dd957b9d09cc373d0d5b89cf6d

        Download Submit

      • memory/1176-31-0x0000000002F60000-0x0000000002F61000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1968-0-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/1968-16-0x00000000002C0000-0x00000000002F6000-memory.dmp

        Filesize

        216KB

        Download

      • memory/1968-17-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/3008-40-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/3008-46-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/3008-92-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/3008-98-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/3008-633-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/3008-1851-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/3008-2325-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/3008-33-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/3008-3311-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/3008-19-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download