Overview

overview

7

Static

static

3

3dbb03f079...fd.exe

windows7-x64

7

3dbb03f079...fd.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    30/04/2024, 00:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3dbb03f079de0968ed7b9fc588f87723c100d0b46f01086665d44ce8c3fe0cfd.exe

  • Size

    2.8MB

  • MD5

    b2b308a12162eb799117f00ea8a49a61

  • SHA1

    eac813e2fc0dfb4f14eb73e8b9b6bd8b66952533

  • SHA256

    3dbb03f079de0968ed7b9fc588f87723c100d0b46f01086665d44ce8c3fe0cfd

  • SHA512

    33b96b137544c77d5c42d3b52600feaab4d47b24d8ce7e493e67f2930c8edb26ec53e2df3e00bed0ddebba6605ddd4064b5d67a0a2456af8b2064c9f3f3849ed

  • SSDEEP

    49152:t6gLKJuMarhVnMFwTH8/giBiBcbk4ZxZ2DqFeVMhuxcPh:gd1XdhBiiMa7

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1184
      • C:\Users\Admin\AppData\Local\Temp\3dbb03f079de0968ed7b9fc588f87723c100d0b46f01086665d44ce8c3fe0cfd.exe
        "C:\Users\Admin\AppData\Local\Temp\3dbb03f079de0968ed7b9fc588f87723c100d0b46f01086665d44ce8c3fe0cfd.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:1908
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\$$a143C.bat
          3⤵
          • Deletes itself
          • Loads dropped DLL
          PID:2976
          • C:\Users\Admin\AppData\Local\Temp\3dbb03f079de0968ed7b9fc588f87723c100d0b46f01086665d44ce8c3fe0cfd.exe
            "C:\Users\Admin\AppData\Local\Temp\3dbb03f079de0968ed7b9fc588f87723c100d0b46f01086665d44ce8c3fe0cfd.exe"
            4⤵
            • Executes dropped EXE
            PID:2688
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2548
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2656
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
                PID:2596

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
        Filesize

        254KB

        MD5

        182a1efac234be152c673103584b3add

        SHA1

        1606a8d53426ba27ede4b18d13acbbef1697efeb

        SHA256

        451c03fad8659d2d4599148b14036f011eee1b09148a92c788d838aa372a8ced

        SHA512

        da708d9792c5a1cb66113400529c8c2dc548299fe90022bde3c7c03c3e0a7c5926b8079ea3a6065801ab01e2418cbffffac667ba72bdb650f21aba9b05a0b2b8

        Download Submit

      • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
        Filesize

        474KB

        MD5

        8916a72b93d5fd4c6e63c8b36279b230

        SHA1

        83e3b1bfd579fbf998b2db5428819a10b25d0ad5

        SHA256

        537975086833d580dd97beff9e712f64cc41d0bf20cac16c1a04be24ed3af27b

        SHA512

        2c61138cc8800649890179c080c228da22ab9fe27f3fc1a83c52f57b349a5d3c61fc9d4a64ab53e362376f63edf99d30f0994b6070f97d09ec4868efaf8293b4

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\$$a143C.bat
        Filesize

        722B

        MD5

        af67a1e621f5d911e48fe765ddb8a4cc

        SHA1

        01b69981f269d0bab87b5a78ed400be831fb6203

        SHA256

        34f4ee45e997943930f403a7f98ae256961ee8b804678959e999b873a0d7868e

        SHA512

        ac7e7ee9c7b77e324044d47adfba0d4790857039e497aa5875839bd1198f3573777382220ec13ee34dbaf2ecf6a07c08b37227ff5707320580128aa1023864c6

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\3dbb03f079de0968ed7b9fc588f87723c100d0b46f01086665d44ce8c3fe0cfd.exe.exe
        Filesize

        2.8MB

        MD5

        095092f4e746810c5829038d48afd55a

        SHA1

        246eb3d41194dddc826049bbafeb6fc522ec044a

        SHA256

        2f606012843d144610dc7be55d1716d5d106cbc6acbce57561dc0e62c38b8588

        SHA512

        7f36fc03bfed0f3cf6ac3406c819993bf995e4f8c26a7589e9032c14b5a9c7048f5567f77b3b15f946c5282fc0be6308a92eab7879332d74c400d0c139ce8400

        Download Submit

      • C:\Windows\Logo1_.exe
        Filesize

        29KB

        MD5

        34b640fa0177319ac442b6f3bbdaac54

        SHA1

        174c06017aeaceaab18228ca8eead4f7e94e58a2

        SHA256

        e0520317e9229269c4ab52b7690e1c289c2d3f9284f651c3f9d7d6abd1e49207

        SHA512

        2cbe13eff0bb3b532c33efc8aa781951adfc256ad96a0e32ffdb37f4eded8d474a0b3a143d50a9a4ca1f3938eb8f0a09a1333278eb211b5cc2c0466173244d9a

        Download Submit

      • F:\$RECYCLE.BIN\S-1-5-21-3452737119-3959686427-228443150-1000\_desktop.ini
        Filesize

        9B

        MD5

        3441ca64b7a268fd1abb0c149aa9e827

        SHA1

        977a6be7624a5ff4ea1de4f422b44b4974c17827

        SHA256

        fafa54a384b4b9bfe970b0e803afe0c0284021acca503892961170d49985dd99

        SHA512

        84d8adce555267049d33544c4402eaa9bb3ff2022fd76cd619e4cb1fd544c5825cd7769065dd525b58e3befd579d3dd11ec2e0032907ff7dd36f83975b5b5848

        Download Submit

      • memory/1184-29-0x00000000024D0000-0x00000000024D1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1908-17-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/1908-0-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/1908-16-0x0000000000220000-0x0000000000256000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2548-31-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2548-38-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2548-44-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2548-90-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2548-96-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2548-603-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2548-1849-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2548-2119-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2548-3309-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download